 |
|
|
Alexander the Great was told that anyone who undid the complicated knot that held the cart of Gordius, King of the Phrygians, would reign over the whole East. Alexander solved the problem in a way that no others had tried – he sliced it in two with his sword. The FCC was handed a Gordian knot when they accepted the challenge of ruling on telecom industry compliance with U.S. CALEA (Communications Assistance for Law Enforcement Agencies) legislation. What they appear to have done is to start unraveling the knot, and have asked the telecommunications industry to finish the job.
CALEA is controversial because there are at least three radically different constituencies that want three different solutions. Law enforcement wants electronic surveillance (i.e. wiretapping) to be as easy in the digital age as it was in the analog. Civil Liberties organizations want to ensure that no personal rights are infringed. The telecommunications industry wants a clear definition of what they must do to be in compliance, and they want it either to be cheap or for someone else to pay for it.
The FCC decision appears to have largely sided with law enforcement, which creates some significant technical problems. These are compounded by the aggressive schedule that the FCC has ruled that the telecommunications industry must adhere to.
One victory for the telecommunications industry is that the FCC has explicitly recognized the J-STD-025 standard as ‘safe harbor,’ after it has been modified to conform to their order. The legal term ‘safe harbor’ means that a company that implements J-STD-025 will be considered to be in compliance with CALEA, even if there are discrepancies between the standard and the law (or the FCC Order).
What is J-STD-025, anyway?
|
The FCC ruling largely recognizes the current contents of the J-STD-025 standard. This is based on a model that adds Intercept Access Points (IAPs) to existing telecommunications equipment, which are connected to both data facilities (known as Call Data Channels or CDCs) and voice facilities (known as Call Content Channels). The CDCs are used to transmit information about all calls being monitored, while the CCCs are only used to transmit voice information if the type of court order allows it (e.g. Title III).
|
Two of the questionable items were the location of a wireless phone and support for packet data. The problem with location is that it can be interpreted to be call identifying information (especially the location at the beginning and end of a call). Current landline call monitoring may provide the phone number of both the calling and called party, which (in a landline system) usually indicates the location of both parties. An alternate interpretation is that it is location tracking information, which is excluded. The FCC chose the middle road, ruling that the location of a phone at the beginning and end of a call should be provided, but not during a call. It also excluded the more accurate positioning that may be provided by commercial or E911 location services.
Packet data is a problem because the call identifying information (e.g. the address of the sender of the packet and its intended recipient) is often mixed in with the user’s data. The telecommunications system may not normally segregate these types of data. The FCC ruled that all packet information must be provided by September 2001, even when the court order does not allow access to call content, leaving law enforcement with the responsibility for ‘minimization’ – separating what they are allowed to monitor from what they are not. At the same time, the TIA has been told to study the issue and report back in a year.
The FBI, representing law enforcement agencies, developed a ‘punch list’ of areas where they felt that J-STD-025 was deficient. The FCC has ruled that most of these should be included. These capabilities do not have to be provided by the June 2000 deadline for basic J-STD-025 features, but by September 2001.
Conference calls and other multi-party calls were contentious because there are situations where the intercept subject has placed a party on hold, and is not in conversation with them. Should this be monitored? The FCC answer is “Yes,” even, presumably, when the held party is talking only to themselves. Another question is whether law enforcement agencies should be provided with an indication in the change in status of a conference call. The FCC ruled that, Yes, law enforcement should be informed, via a message on the CDC, every time a party is added to a multi-party call, placed on hold, or dropped from the call.
There is a lot of information that may be conveyed during a call – in a variety of ways. Phones are rung, callers hear ringback and busy tone, and parties to a call may generate DTMF tones to access services from a long distance carrier, bank or voice mail system. The FCC has ruled that all of these must be provided. The most problematical of these is subject-generated DTMF tones, which are currently not monitored during a call. This will require DTMF receiver hardware to be attached to all calls being monitored, even though the information they obtain is (imho) of limited use.
A relatively minor issue was whether timing information should be provided to help correlate call-related information transmitted on the CDC with call content on a CCC. Again, the FCC answer was Yes.
Three ‘punch list’ capabilities were left out: Surveillance status, Continuity check tone and Feature status.
The first two of these capabilities would have helped to ensure the reliability of the monitoring. Surveillance status would regularly report the list of subjects that are being monitored, and Continuity check tone would automatically check whether CCCs are functioning before allocating them to a call.
Feature status would have reported (from the HLR) whenever a feature was activated, deactivated, or modified in any way. This information is already available through monitoring of the digits that are dialed by a subject, or other actions initiated from their telephone. This decision lets HLR manufacturers off the hook as far as CALEA compliance.
The FCC decision on CALEA has finally established what compliance with CALEA means, and when it is required. The current version of J-STD-025 must be implemented by telecom companies by June 2000, and the enhanced version by September 2001. Perhaps the hardest deadline to meet will be to have the standard completed by March 2000. Even if completion is interpreted to mean ‘ready for ballot,’ it would be extraordinary for such complex and controversial modifications to be ready by then. Just as with software development or kitchen renovations, you can usually choose to have the work done on time, or done right – not often both. Hopefully, this extraordinary pressure will not create a standard that fails to meet the legitimate needs of law enforcement and telecommunications carriers, or that fails to protect the rights of ordinary Americans.
© – Copyright