Politech mailing list archives
FC: ACLU asks IETF not to build wiretapping into the Net
From: Declan McCullagh <declan () well com>
Date: Fri, 05 Nov 1999 09:39:33 -0800
******** Date: Fri, 05 Nov 1999 12:22:08 -0500 To: Declan McCullagh <declan () well com> From: Barry Steinhardt <Barrys () aclu org> Subject: ACLU Letter on Wiretapping and the Internet : : : Declan, The ACLU sent the following letter to the IETF regarding the Internet Wiretapping issue they will debate next week. The essence of the letter is CALEA does not require the Internet to be made wiretap ready and that it would be a blow to both civil liberties and the security of the Net for the IETF to engineer back door surveillance mechanisms into its architecture. Barry Steinhardt November 5, 1999 Mr. Fred Baker Internet Engineering Task Force Secretariat c/o Corporation for National Research Initiatives 1895 Preston White Drive Suite 100 Reston VA 20191-5434 Re: Wiretapping and the Internet Dear Mr. Baker: I am writing on behalf of the American Civil Liberties Union (ACLU) and its approximately 300,000 members. The Internet Engineering Task Force(IETF) has been studying whether to conform network technology with the requirements of the Communications Assistance to Law Enforcement Act (CALEA). The proponents of this move, including the Federal Bureau of Investigation argue that law enforcement needs built in surveillance capacities and that CALEA may require this compliance. The ACLU urges the IETF to reject these calls, and to emphasize that the plain language of CALEA, as well as the legislative history, make it quite clear that the Federal government cannot require Internet architecture to be CALEA compliant. CALEA was originally enacted in 1994. Its proponents argued that the Act was necessary to help law enforcement keep pace with technology. The FBI claimed that it sought no new powers, but only to preserve their existing communications surveillance capabilities. Under its provisions, telecommunications companies must build wiretap capabilities into their systems. Among other things, the Act states that telecommunications carriers generally shall ensure that the government can intercept communications and get caller identification information (see 47 U.S.C. § 1002(a)). The Act also applies to telecommunications equipment manufacturers, who are to consult and cooperate with carriers to ensure compliance with the needs of law enforcement (see 47 U.S.C. § 1005). CALEA contains a number of exemptions. The statute explicitly provides that the general compliance requirements ^Ódo not apply to - · (A) information services; or · (B) equipment, facilities, or services that support the transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers.^Ô (See 47 U.S.C. § 1002(b)(2).) In addition, the statute contains a definition of ^Ótelecommunications carrier^Ô which ^Ódoes not include persons or entities insofar as they are engaged in providing information services^Ô (see 47 U.S.C. § 1001(8)(C)). This definition has the effect of excluding ^Óinformation services^Ô providers from having to submit to CALEA^Òs conditions. The question that then arises is: what are ^Óinformation services^Ô? According to the Act, ^ÓThe term ^Ñinformation services^Ò - · (A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and · (B) includes - · (i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities; · (ii) electronic publishing; and · (iii) electronic messaging services; but · (C) does not include any capability for a telecommunications carrier's internal management, control, or operation of its telecommunications network.^Ô (See 47 U.S.C. § 1001(6).) This portion of the statute essentially describes the key functions of the Internet, which allows individuals to retrieve stored information (e.g. FTP or Gopher), as well as engage in electronic publishing (such as the World Wide Web) or send electronic messages (including e-mail). Furthermore, the Act^Òs definition of ^Óelectronic messaging services^Ô leaves no doubt that this exemption was meant for the computing world; under this definition, ''electronic messaging services'' are ^Ósoftware-based services that enable the sharing of data, images, sound, writing, or other information among computing devices controlled by the senders or recipients of the messages.^Ô (See 47 U.S.C. § 1001(4).) This close similarity between the CALEA^Òs description of ^Óinformation services^Ô and the functions of the Internet is not just a coincidence. It is a clear indication that CALEA exempts the Internet and its constituents from having to comply with statute^Òs stringent wiretapping requirements. The legislative history of CALEA also bears out the fact that Congress never intended the statute to apply to the Internet. When Congress discussed the bill, it was noted that: ^ÓThe term ^Ñinformation services^Ò encompasses both electronic publishing...and electronic messaging services, which is a term broadly defined to encompass electronic mail, electronic forms transfer, electronic document interchange, and electronic data interchange.^Ô (See 140 CONG. REC. H10780 (daily ed. October 4, 1994) (statement of Rep. Markey).) (Emphasis added.) These discussions also show that Congress intended the bill to apply, not to the Internet, but to: ^Ósuch service providers as local exchange carriers, interexchange carriers, competitive access providers [CAPs], cellular carriers, providers of personal communications services(PCS), satellite-based service providers, cable operators and electric and other utilities ...^Ô (See 140 CONG. REC. H10779 (daily ed. October 4, 1994) (statement of Rep. Hyde).) In addition, it should be noted that CALEA has been amended (see General Accounting Office Act of 1996, Pub. L. 104-316, § 126(b), 110 Stat. 3826, 3840 (1996)). However, Congress did not remove or otherwise change the exemption for ^Óinformation services^Ô when it added the amendments. If Congress intended the Internet to comply with CALEA^Òs requirements, it surely would have taken the opportunity to say so. The fact that this opportunity was not taken is further evidence that Congress did not intend the Act to apply to cyberspace. In short, the providers of Internet services are not required to comply with CALEA and the IETF is under no obligation to assist law enforcement in bringing Internet services into compliance with CALEA. As Rep. Bob Barr^Òs letter to you indicated, there is also substantial opposition in the Congress to any extension of CALEA to the Internet and, in fact, I am not aware of any bills which have been introduced that would remove the exemption for ^Óinformation service providers^Ô or that purport to require Internet services to become CALEA compliant. It also seems evident that built in surveillance capabilities would violate the terms of the European Privacy Directive (97/66/EC of 15 December 1997), which provides that telecommunications services "must take appropriate technical and organizational measures to safeguard security of its services." Beyond question of law, it would be a serious mistake to alter the very architecture of the Internet to make it wiretap or surveillance ready. What law enforcement is asking you to do is the equivalent of requiring the home building industry to place a ^Ósecret^Ô door in all new homes to which only it would have the key. That is a frightening extension of the proposition that an industry is required to cooperate with law enforcement when it has obtained a proper judicial order. Just as a secret door would add a new level of insecurity to our homes that could be exploited by criminals, so too would built-in law enforcement access add new levels of insecurity that could be exploited by information pirates and thieves. I also urge you to consider the FBI^Òs broken promises about CALEA before you jump to accommodate them. The FBI has repeatedly violated its promises to Congress and the telephone industry that it would not seek expanded surveillance powers, but only sought to preserve its existing surveillance capabilities. For example, the FBI has sought the capability to use cellular telephones as tracking devices. In its so-called ^Ópunch list^Ô, the FBI sought expanded access to post connection digits dialed by telephone customer. It demanded the right to stay on conference call even after the subject of its wiretap order is off the call and sought a whole series of expensive signaling requirements. Most extraordinarily, the FBI has proposed a series of capacity notices, that, in their most extreme form, would have required the telephone industry to provide it with the capacity to simultaneously tap in every telephone line in major urban areas like New York. Once you begin the process of building surveillance features into the Internet, you will open Pandora^Òs box to an ever increasing demand for services from law enforcement, and you will be consigning service providers to a future of unknown, but undoubtedly significant, costs. The ultimate irony for service providers would be that, since they do not come under the terms of CALEA, they would not even be eligible for limited cost reimbursements offered by the law to the telecommunications carriers. I hope you will find this material of interest, and I am happy to answer any questions you might have. Sincerely, Barry Steinhardt Associate Director Cc: Dr. Scott Bradner--Transport Area Director--<sob () harvard edu> Barry Steinhardt Associate Director American Civil Liberties Union 125 Broad St NY,NY 10004 212 549 2508 (v) Barrys () aclu org -------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology To subscribe: send a message to majordomo () vorlon mit edu with this text: subscribe politech More information is at http://www.well.com/~declan/politech/ --------------------------------------------------------------------------
Current thread:
- FC: ACLU asks IETF not to build wiretapping into the Net Declan McCullagh (Nov 05)