 |
|
|
CALEA legislation gives U.S. law enforcement agencies the right to monitor (“wiretap”) telephone calls handled by wireless and landline carriers with appropriate legal authorization. Other countries are following these developments closely, hoping to obtain similar laws and equipment in their countries. The bulk of the legislation is not controversial. The devil is in the details, and the wireless industry is caught in the middle of a tug-of-war between personal privacy versus effective crime-fighting versus cost-effectiveness.
The telecom standard that can be used to provide compliance with CALEA is J-STD-025, which currently comes in two flavors (J-STD-025 and J-STD-025 Revision A) and may eventually come in a third to handle packet data issues. The use of the standard is voluntary, but as it will be considered ‘safe harbor,’ widespread implementations can be expected. ‘Safe harbor’ is a legal term that means that implementing the standard will be considered conformance with the legislation.
When lawfully authorized electronic surveillance is discussed, most people envision a scene from a movie with agents wearing earphones listening to a nasty criminal from within a parked, windowless van. While this does occur, much monitoring does not include listening to the conversation at all. It is usually more efficient to just find out who the subject was talking to and when, rather than filtering through hours of tape-recorded and largely irrelevant conversations. Perhaps surprisingly, it is this more mundane part of surveillance that is the most controversial.
In traditional landline systems, the information associated with a phone call is simple, straightforward and easily interpreted. The phone number of the calling and called parties will likely be available (with one of them being the subject of the order) along with the time of the call, and its duration. The location of the callers can be precisely determined from the phone numbers. With advanced services (such as conference calling and call waiting) and with wireless communications, the amount of information available is greater, but is less easily interpreted. Furthermore, telecommunications legislation has grown around historical landline concepts, and these are not always translatable to wireless concepts without ambiguity. And, with ambiguity one can be sure that civil liberties organizations, law enforcement and telecom carriers will all have different interpretations.
The telecommunications industry’s first try at addressing CALEA was in a joint TIA/ATIS standard J-STD-025, published in December, 1997. It addressed what the telecommunications industry thought were the requirements of the law, but law enforcement strongly disagreed. To emphasize their dislike for this proposal. About 35 law enforcement agencies each submitted the 70 page FBI ballot comments, with their own cover letter attached to it. The controversial items became known as the ‘Punch List,’ which were eventually referred to the FCC for a decision. When this came, it was a solid jab to the wireless industry, because it ruled that most of the punch list items should be implemented.
The wireless industry had no choice but to implement the punch list as quickly as possible. This they did early in 2000, including a variety of new messages in the protocol to handle the additional requirements.
One of the new capabilities is to notify law enforcement whenever parties in a conference call (or other multi-party call) are added to the call, dropped from the call, or placed on hold. This is intended to enable them to determine, with greater accuracy, who was talking to whom, and when.
If a call is being recorded, any DTMF (Touch Tone) digits dialed by the caller can easily be obtained. However, law enforcement argued successfully that even if they were not recording the call, these should be sent to them. It is not clear that this makes any sense because obtaining this information is difficult, but interpreting it is even more difficult. Systems will vary in their tolerance for the length, amplitude and frequency of these digits, plus in one call these digits could be destined for multiple different systems – a long-distance carrier to enter a calling card number and access a speed-dial code, a PBX to dial through to another system, followed by access to a bank machine. Without obtaining the feedback received after sending each digit, it is not clear how you could determine what they mean. The cost implication for carriers is that for every call that is being monitored, but not recorded, a DTMF tone receiver will have to be reserved, significantly increasing the number that are provisioned in a system.
Other signals that are initiated by a caller must also be reported, such as pressing keys on a phone that might be programmed to initiate special features. This is particularly important on GSM systems which do not initiate features using strings of digits. The technical and interpretation problems are less because the destination of these signals is usually the originating system and not an unknown device further down the call path.
Another capability in J-STD-025-A is the reporting of signals sent to a phone, including various types of ringing, strings of letters and digits sent to a display (particularly applicable to wireless phones) and any tones or other signals that might be provided.
One of the most vexing issues with surveillance is how to handle packet data (e.g. WAP phones). If law enforcement has access to the complete call content (although the term ‘call’ does not really apply to packet data) there is no problem, but if they are only legally allowed to have access to ‘call identifying information’, a major difficulty arises. Carriers can either provide the entire packet and trust law enforcement agencies to only look at what they are legally entitled to, or heavily process the packet to separate call content from call identifying information. And this is ignoring the difficulty of defining ‘call identifying information’ in the context of packet data transmissions.
A Joint Experts Meeting was held on this subject in May. They concluded (apart from the need for another meeting) that it is only feasible to examine the outermost protocol layer, but that this would often not contain the required call identifying information. If call identifying information cannot be extracted from packets, then not only will packets be sent to law enforcement that contain data beyond what they are legally entitled to, but entire packets may be sent that are not even relevant to the subject being monitored.
As packet data protocols become more sophisticated, law enforcement may become the victim of “Be careful what you wish for...you may get it”. They could end up monitoring virtually all packet traffic in order to segregate out small portions of the small fraction of packets that they are legally entitled to monitor.
New telecommunications technologies are creating increasing challenges for society to deal with legal surveillance of communication. Every law enforcement agency can cite cases where crimes could have been prevented if better monitoring was routinely available, and every civil liberties organization can quote cases where rogue law enforcement agents abused their powers to further a personal agenda, or when entire law enforcement agencies have unfairly targeted certain people or groups. Governments are left in the position of trying to find a balance. Yet, by the time the FCC and other U.S. government agencies have finished considering these issues and making decisions, strong encryption technology may mean that smart criminals cannot be monitored at all.
© – Copyright