November 5, 2005
New Law Fuels Technology-Government Clash
BOSTON -- A new method of communicating is creating intriguing services that beat old ways of sending information. But law enforcement makes a somber claim: These new networks will become a boon to criminals and terrorists unless the government can easily listen in.
This was the story line in the mid-1990s when the Clinton administration sought to have electronic communications encrypted only by a National Security Agency-developed "Clipper Chip," for which the feds would have a key.The Clipper Chip eventually went the way of clipper ships after industry balked and researchers showed its cryptographic approach was flawed anyway. But while the Clipper Chip died, the dilemma it illuminated remains.
With each new advance in communications, the government wants the same level of snooping power that authorities have exercised over phone conversations for a century. Technologists recoil, accusing the government of micromanaging - and potentially limiting - innovation.
Today, this tug of war is playing out over the Federal Communications Commission's demands that a phone-wiretapping law be extended to voice-over-Internet services and broadband networks.
Opponents are trying to block the ruling on various grounds: that it goes beyond the original scope of the law, that it will force network owners to make complicated changes at their own expense, or that it will have questionable value in improving security.
No matter who wins the battle over this law - the Communications Assistance for Law Enforcement Act, known as CALEA - this probably won't be the last time authorities raise hackles by seeking a bird's eye view over the freewheeling information flow created by new technology.
Authorities are justified in trying to reduce the ways that technology helps dangerous people operate in the shadows, said Daniel Solove, author of "The Digital Person." But a parallel concern is that technology can end up increasing the government's surveillance power rather than just maintaining it.
"We have to ask ourselves anew the larger question: What surveillance power should the government have?" said Solove, an assistant professor at George Washington University Law School. "And to what extent should the government be allowed to manage the development of technology to embody its surveillance capability?"
Wiretapping - so named because eavesdropping police placed metal clips on the analog wires that carried conversations - has a complex legal history.
A 1928 case, Olmstead v. United States, legitimized the practice, when the Supreme Court ruled it was acceptable for police to monitor the private calls of a suspected bootlegger.
Behind that 5-4 ruling, however, a seminal debate was raging. The dissenting opinion by Justice Louis Brandeis argued, among other things, that the government had no right to open someone's mail, so why should a phone - or other technologies that might emerge - carry different expectations about privacy?
In 1967, as the dawn of the digital age was fulfilling Brandeis' fears that other forms of technological eavesdropping would become possible, the Supreme Court reversed Olmstead. After that, authorities had to get a search warrant before setting wiretaps, even on public payphones.
That apparently hasn't been much of a hindrance.
State and federal authorities have had 30,975 wiretap requests authorized since 1968, with only 30 rejections, according to the Electronic Privacy Information Center. Some 1,710 wiretaps were authorized last year, the most ever, with zero denied.
Since 1980, authorities also have been able to set secret wiretaps with the approval of the Foreign Intelligence Surveillance Court, which privacy watchdogs say requires a lower standard of evidence than the general warrant process. For the first two decades FISA orders numbered less than 1,000 annually; 2003 and 2004 each saw more than 1,700. Only four FISA applications have been rejected, all in 2003.
But technology began to pose obstacles in the 1980s, as old-fashioned telephone networks were giving way to digital switching systems that could also transmit information. Suddenly some wiretaps had to become virtual, using "packet sniffing" programs that spy on the splintered packets of data that make up network traffic.
Congress passed CALEA in 1994, requiring telecom carriers to ensure that their networks left it relatively easy for law enforcement to set wiretaps. The law applied to landline and cell phone networks but essentially exempted the Internet.
Of course, at the time, federal officials were advocating use of the Clipper Chip to ensure that bad guys couldn't hide by encrypting their online traffic.
The FBI also was developing Carnivore, a program that agents could tailor to grab specific e-mails and other Internet communications defined in a court order. (The FBI eventually dropped Carnivore in favor of commercial software; frequent cooperation from Internet service providers often made the technology unnecessary anyway.)
And all the while the NSA was harvesting the fruits of a system called Echelon, intercepting millions of international telephone calls and feeding them into the agency's humungous maw for analysis.
Justifiably or not, each of these steps unsettled privacy activists. And it is that unease that colors the current fight over expanding CALEA's reach to new services such as Voice over Internet Protocol (VoIP) by 2007. The FCC says the move is critical because converting voice calls into data packets essentially replaces the old phone system. VoIP services are expected to attain some 4 million U.S. subscribers by the end of this year.
"CALEA in a sense is the culmination of where we've been," said Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union. "Now the communications network is built to be wiretap-ready, so you don't need Carnivore anymore. It's just intrinsic to the system."
Clipper Chip objectors a decade ago contended that in addition to being an onerous demand, the technology could be foiled, rendering it pointless.
Similarly, critics of expanding CALEA to broadband networks say the cost of rewiring - estimated as high as $7 billion for universities alone - is excessive. Those against expanding it to VoIP say it leaves too many holes to be effective.
For example, Internet phone services such as Vonage that can route calls to regular phones will be expected to support CALEA. But "peer-to-peer" VoIP services and instant-messaging programs that carry voice conversations from one computer to another are exempt - at least for now.
"If you take the argument to its extreme, every kind of Internet application, including (file-transfer programs) and Web browsing, is capable of transmitting communications. So where does it end?" said Glenn Manishin, an attorney with Kelley Drye & Warren LLP who has handled telecom regulation cases for companies and consumer groups. "Do they now have to have a back door into every Web browser?"
Plus, overseas services aren't covered by the U.S. law. Nor can it touch any home-grown Internet voice programs that serious criminals could develop.
"For the past two years, law enforcement has been saying, 'If we just had CALEA we'd catch all the terrorists,'" said John Morris, director of Internet standards, technology and policy at the Center for Democracy and Technology. "Well, if they're sophisticated enough to evade all of our intelligence capabilities, they'll be sophisticated enough not to use a CALEA-compliant phone service."
CALEA critics also say authorities haven't shown that existing monitoring methods are so weak as to justify costly new back doors for government.
Indeed, while they are not nearly as common as phone surveillance, computer wiretaps have been successful even without the extra assistance CALEA might provide. For example, a 2003 report by the Administrative Office of U.S. Courts explained how surveillance on a DSL high-speed Internet line in Minnesota intercepted 141,420 "computer messages" in three weeks, aiding a racketeering investigation.
If there's one thing widely agreed upon in this debate, it's that Congress could do well to step in.
Not only could lawmakers clarify how much of CALEA ought to apply to the Internet, but they might also reconsider the overarching Electronic Communications Privacy Act. That was passed in 1986, well before the Internet became the vast commercial and personal medium that redefined our categories of information.
"That pervades CALEA and everything we talk about," Solove said. "This is something that Congress has been very derelict in addressing."
On the Net:
FBI page on CALEA: http://www.askcalea.com