Summary of the CALEA NPRM's Tentative Conclusion Regarding Broadband Internet Access Services
August 9, 2004. The Federal Communications Commission's (FCC) CALEA NPRM [100 pages in PDF], released on August 9, 2004, tentatively concludes that "facilities-based providers of any type of broadband Internet access service, whether provided on a wholesale or retail basis, are subject to CALEA". (See, NPRM at Paragraph 1.)
The notice of proposed rulemaking (NPRM) elaborates that "we tentatively conclude that facilities-based providers of any type of broadband Internet access, including but not limited to wireline, cable modem, satellite, wireless, and broadband access via the powerline, whether provided on a wholesale or retail basis, are subject to CALEA ... because they provide replacement for a substantial portion of the local telephone exchange service used for dial-up Internet access service and such treatment is in the public interest. We base this belief on our reading of CALEA and its legislative history as well as the record thus far." (Footnotes omitted. See, NPRM at Paragraph 47.)
The NPRM also suggests, and seeks public comment on, the position that certain providers of broadband internet access services (BIAS) should not be subject to Communications Assistance for Law Enforcement Act (CALEA) requirements. The NPRM states that "There may exist discrete groups of entities for which the public interest may not be served by including them under the Substantial Replacement Provision. ... For example, entities that deploy broadband capability to consumers in underserved areas may fall in this category because of the potential deterrent effect it could have on deployment in particular circumstances (negatively impacting the first and second factors, i.e., protecting competition and encouraging the development of new technologies). Small businesses that provide wireless broadband Internet access to rural areas may be one example". (Footnotes omitted. Parentheses in original. See, NPRM at Paragraph 49.)
Thus, the NPRM addresses the threshold question of whether providers of BIAS, with certain possible exceptions for providers in underserved and rural areas, are subject to the requirements imposed by the CALEA.
Beyond this, the NPRM does not provide, or propose, details regarding what technologies will be included within the CALEA regime. It asks for comments on these details.
The NPRM states briefly that it "does not propose attaching CALEA obligations to services or applications that ``ride over´´ the underlying broadband transmission, such as e-mail storage, web browsing capabilities, and Internet gaming." (See, NPRM at Paragraph 51.) The NPRM does not define or discuss the meaning of the term "ride over".
Almost all current internet based services and applications that might be construed to "ride over" the broadband transmissions are not addressed in the NPRM. The NPRM makes no mention of online shopping, e-commerce, auction web sites, interactive computer services, and other services and applications.
On the other hand, the NPRM does tentatively conclude that certain VOIP services are subject to CALEA requirements. VOIP services are an application that "rides over" the broadband transmissions. Similarly, the NPRM declares that push to talk is subject to CALEA requirements. Currently, push to talk is being provided by cellular phone companies. However, it is likely at some point that push to talk functionality will be provided as an internet protocol service. The NPRM is written broadly to cover this application that "rides over".
The NPRM mentions e-mail in the above quoted Paragraph 51. There are other mentions of e-mail in this paragraph. There is also a reference to e-mail in the NPRM's section on VOIP. It reads, "We make clear that we do not, however, solicit comment on packet-based or broadband services that are clearly excluded from CALEA such as electronic mail." (See, NPRM at Footnote 168.)
Thus, e-mail is barely discussed. And, to the extent that it is, the NPRM states that it is "excluded from CALEA", and that the NPRM "does not propose attaching CALEA obligations to ... e-mail storage".
The Department of Justice (DOJ) has made clear in the hearings before the Congress, and in the context of pending legislation, that it is very concerned about intercepting e-mail. Indeed, at the request of the DOJ, the Congress included in the USA PATRIOT Act a section that amended the pen register and trap and trace language of Title 18. (See, § 216 of HR 3162 in the 107th Congress.) It previously allowed law enforcement agencies (LEAs) to obtain incoming and outgoing phone numbers dialed or punched by phone users. The PATRIOT Act broadened the provision to include addressing and routing information in electronic communications, such as e-mail TO: and WROM: FVWRKJVZCMHVIBGDADRZFSQHYUC Carnivore was designed with e-mail in mind.
The DOJ also wrote in its petition for rulemaking [83 pages in PDF] to the FCC that the 1986 Electronic Communications Privacy Act (ECPA) expanded the scope of lawful intercepts to include electronic communications including e-mail, and that the 1994 CALEA was intended to enable LEAs to conduct their lawful intercepts. (See, DOJ Petition at Pages 2-3.) In addition, the DOJ wrote that the legislative history of the CALEA makes clear that Congress intended that e-mail in transit is subject to CALEA requirements. (See, DOJ Petition at Page 27.)
Hence, it is clear that the DOJ is interested in intercepting e-mail communications -- both content and addressing information -- and believes that this is subject to CALEA requirements.
Perhaps it is important to note both that the NPRM's brief treatment of e-mail includes the qualification of "storage", and the DOJ treatment of e-mail includes the word "transmission". Perhaps the direction that the FCC intends to take is that the interception of e-mail in transit is subject to the requirements of the CALEA, but that e-mail in storage is not. But then, accessing stored e-mail does not present the technological problems that intercepting e-mail does. The DOJ does not need the CALEA to make accessing stored e-mail easier. Whatever the case, the NPRM is vague, and seeks comments.
In conclusion, if the NPRM contemplates that certain VOIP, IP based push to talk, and e-mail in transit will all be subject to CALEA requirements, just what does the NPRM mean when it states that CALEA obligations do not extend to "applications that ``ride over´´ the underlying broadband transmission"? The NPRM does not explain. The NPRM concludes its discussion of this subject with the following: "We seek comment on this analysis."
Finally, there is a key footnote in this section, that states that schools, libraries, hotels and coffee shops may not be subject to CALEA requirements. It states that "We note that establishments acquiring broadband Internet access to permit their patrons to access the Internet do not appear to be covered by CALEA (assuming they were otherwise ``telecommunications carriers´´ under CALEA). Examples of these entities include schools, libraries, hotels, coffee shops, etc." (Parentheses in original. See, NPRM at Footnote 133.)
This footnote continues that "The underlying facilities-based broadband
transmission providers that sell the broadband access service to these establishments
to enable Internet access for their patrons would, however, be responsible for CALEA
obligations under our tentative conclusion and thus Law Enforcement's needs would be
addressed through these providers." (See, NPRM at Footnote 133.)