FC: ACLU asks IETF not to build wiretapping into the Net

[Declan McCullagh <declan () well com>]

********

Date: Fri, 05 Nov 1999 12:22:08 -0500
To: Declan McCullagh <declan () well com>
From: Barry Steinhardt <Barrys () aclu org>
Subject: ACLU Letter on Wiretapping and the Internet
:
:
        
:

Declan,

The ACLU sent the following letter to the IETF regarding the Internet
Wiretapping issue they will debate next week. The essence of the letter is
CALEA does not require the Internet to be made wiretap ready and that it would
be a blow to both civil liberties and the security of the Net for the IETF to
engineer back door surveillance mechanisms into its architecture.

Barry Steinhardt


November 5, 1999

Mr. Fred Baker
Internet Engineering Task Force Secretariat
c/o Corporation for National Research Initiatives
1895 Preston White Drive
Suite 100
Reston VA 20191-5434

        Re: Wiretapping and the Internet 

Dear Mr. Baker:

I am writing on behalf of the American Civil Liberties Union (ACLU) and its
approximately 300,000 members.

The Internet Engineering  Task Force(IETF) has been studying whether to
conform
network technology with the requirements of the Communications Assistance to
Law Enforcement Act (CALEA). The proponents of this move, including the
Federal
Bureau of Investigation argue that law enforcement needs built in surveillance
capacities and that CALEA may require this compliance.

The ACLU urges the IETF to reject these calls, and to emphasize that the plain
language of CALEA, as well as the legislative history, make it quite clear
that
the Federal government cannot require Internet architecture to be CALEA
compliant.

CALEA was originally enacted in 1994. Its proponents argued that the Act was
necessary to help law enforcement keep pace with technology. The FBI claimed
that it sought no new powers, but only to preserve their existing
communications surveillance capabilities.
 
        Under its provisions, telecommunications companies must build wiretap
capabilities into their systems. Among other things, the Act states that
telecommunications carriers generally shall ensure that the government can
intercept communications and get caller identification information (see 47
U.S.C. § 1002(a)). The Act also applies to telecommunications equipment
manufacturers, who are to consult and cooperate with carriers to ensure
compliance with the needs of law enforcement (see 47 U.S.C. § 1005).

        CALEA contains a number of exemptions. The statute explicitly provides
that the general compliance requirements ^Ódo not apply to -   
·       (A) information services; or 

·       (B) equipment, facilities, or services that support the 
transport or switching of communications for private networks 
or for the sole purpose of interconnecting telecommunications 
carriers.^Ô (See 47 U.S.C. § 1002(b)(2).)

        In addition, the statute contains a definition of ^Ótelecommunications
carrier^Ô which ^Ódoes not include persons or entities insofar as they are
engaged in providing information services^Ô (see 47 U.S.C. § 1001(8)(C)). This
definition has the effect of excluding ^Óinformation services^Ô providers from
having to submit to CALEA^Òs conditions.

        The question that then arises is: what are ^Óinformation services^Ô?
According to the Act, ^ÓThe term ^Ñinformation services^Ò - 

·       (A) means the offering of a capability for generating, 
acquiring, storing, transforming, processing, retrieving, 
utilizing, or making available information via  
telecommunications; and 

·       (B) includes - 
·       (i) a service that permits a customer to retrieve stored 
information from, or file information for storage in,   
information storage facilities; 

·       (ii) electronic publishing; and 
·       (iii) electronic messaging services; but 
·       (C) does not include any capability for a telecommunications 
carrier's internal management, control, or operation of its  
telecommunications network.^Ô (See 47 U.S.C. § 1001(6).) 

 
        This portion of the statute essentially describes the key functions of
the Internet, which allows individuals to retrieve stored information (e.g.
FTP
or Gopher), as well as engage in electronic publishing (such as the World Wide
Web) or send electronic messages (including e-mail). Furthermore, the Act^Òs
definition of ^Óelectronic messaging services^Ô leaves no doubt that this
exemption was meant for the computing world; under this definition,
''electronic messaging services'' are ^Ósoftware-based services that enable the
sharing of data, images, sound, writing, or other information among computing
devices controlled by the senders or recipients of the messages.^Ô  (See 47
U.S.C. § 1001(4).) This close similarity between the CALEA^Òs description of
^Óinformation services^Ô and the functions of the Internet is not just a
coincidence. It is a clear indication that CALEA exempts the Internet and its
constituents from having to comply with statute^Òs stringent wiretapping
requirements.

        The legislative history of CALEA also bears out the fact that Congress
never intended the statute to apply to the Internet. When Congress discussed
the bill, it was noted that: 

^ÓThe term ^Ñinformation services^Ò encompasses both electronic publishing...and
electronic messaging services, which is a term broadly defined to encompass
electronic mail, electronic forms transfer, electronic document interchange,
and electronic data interchange.^Ô (See 140 CONG. REC. H10780 (daily ed.
October
4, 1994) (statement of Rep. Markey).) (Emphasis added.)

These discussions also show that Congress intended the bill to apply, not to
the Internet, but to:

^Ósuch service providers as local exchange carriers, interexchange carriers,
competitive access providers [CAPs], cellular carriers, providers of personal
communications services(PCS), satellite-based service providers, cable
operators and electric and other utilities ...^Ô (See 140 CONG. REC. H10779
(daily ed. October 4, 1994) (statement of Rep. Hyde).)

        In addition, it should be noted that CALEA has been amended (see
General Accounting Office Act of 1996, Pub. L. 104-316, § 126(b), 110 Stat.
3826, 3840 (1996)). However, Congress did not remove or otherwise change the
exemption for ^Óinformation services^Ô when it added the amendments. If Congress
intended the Internet to comply with CALEA^Òs requirements, it surely would
have
taken the opportunity to say so. The fact that this opportunity was not taken
is further evidence that Congress did not intend the Act to apply to
cyberspace. 

In short, the providers of Internet services are not required to comply with
CALEA and the IETF is under no obligation to assist law enforcement in
bringing
Internet services into compliance with CALEA.  As Rep. Bob Barr^Òs letter to
you
indicated, there is also substantial opposition in the Congress to any
extension of CALEA to the Internet and, in fact, I am not aware of any bills
which have been introduced that would remove the exemption for ^Óinformation
service providers^Ô or that purport to require Internet services to become
CALEA
compliant. 

It also seems evident that built in surveillance capabilities would violate
the
terms of the European Privacy Directive (97/66/EC of 15 December 1997), which
provides that telecommunications services "must take appropriate technical
and 
organizational measures to safeguard security of its services."

Beyond question of law, it would be a serious mistake to alter the very
architecture of the Internet to make it wiretap or surveillance ready. What
law
enforcement is asking you to do is the equivalent of requiring the home
building industry to place a ^Ósecret^Ô door in all new homes to which only it
would have the key. That is a frightening extension of the proposition that an
industry is required to cooperate with law enforcement when it has obtained a
proper judicial order.

        Just as a secret door would add a new level of insecurity to our homes
that could be exploited by criminals, so too would built-in law enforcement
access add new levels of insecurity that could be exploited by information
pirates and thieves.

        I also urge you to consider the FBI^Òs broken promises about CALEA
before you jump to accommodate them.  The FBI has repeatedly violated its
promises to Congress and the telephone industry that it would not seek
expanded
surveillance powers, but only sought to preserve its existing surveillance
capabilities. 

        For example, the FBI has sought the capability to use cellular
telephones as tracking devices. In its so-called ^Ópunch list^Ô, the FBI sought
expanded access to post connection digits dialed by telephone customer. It
demanded the right to stay on conference call even after the subject of its
wiretap order is off the call and  sought a whole series of expensive
signaling
requirements. Most extraordinarily, the FBI has proposed a series of capacity
notices, that, in their most extreme form, would have required the telephone
industry to provide it with the capacity to simultaneously tap in every
telephone line in major urban areas like New York. 

        Once you begin the process of building surveillance features into the
Internet, you will open Pandora^Òs box to an ever increasing demand for
services  from law enforcement, and you will be consigning service
providers to
a future of unknown, but undoubtedly significant, costs. The ultimate irony
for
service providers would be that, since they do not come under the terms of
CALEA, they would not even be eligible for limited cost reimbursements offered
by the law to the telecommunications carriers.

        I hope you will find this material of interest, and I am happy to
answer any questions you might have.

Sincerely,


Barry Steinhardt
Associate Director


Cc: Dr. Scott Bradner--Transport Area Director--<sob () harvard edu>

Barry Steinhardt
Associate Director
American Civil Liberties Union
125 Broad St
NY,NY 10004
212 549 2508 (v)
Barrys () aclu org 



--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------