 |
|
|
The horrific attacks of September 11th have left people around the world clamoring for assurance that they can be prevented in the future. Obviously, there was a massive failure of intelligence gathering, which includes the collection and analysis of information gleaned from wiretapping (more correctly known as lawfully authorized electronic surveillance or LAES). Although it is not clear whether surveillance would have been more effective if there was more of it or if there had been more people to review what was being obtained law enforcement agencies are certain to ask for more capabilities and for full implementation of what they believe they already have a legal right to.
An essential part of LAES is the controversial 1994 US legislation known as CALEA (Communications Assistance for Law Enforcement Act) which describes how US carriers (both wireless and landline) should provide surveillance information to a law enforcement monitoring center.
What has so far been written in the never-ending story that is CALEA is a standard jointly produced by the TIA (www.tiaonline.org) and ATIS T1 (www.t1.org) known as J-STD-025. Initial drafts were based on a view that law enforcement was the customer, and they should be given what they were willing to pay for. This proved troublesome when the telecommunications industry realized that some of what was being defined (such as location information) was outside the scope of CALEA. Consequently, the standard was scaled back to adhere to what the industry felt was “The law, and nothing but the law”. The standard specifically did not include the list of nine requirements known as the ‘punch list’. After it was published, law enforcement appealed to the FCC, the FCC later ruled that six of the punch list items should be supported, following which the US Court of Appeals vacated four of them ruling that justification by the FCC was inadequate. Partly due to the change of administration, there has not yet been a further rulemaking from the FCC.
J-STD-025 Revision 0 provides core eavesdropping capabilities for all voice-based telecommunications systems (not just wireless), with Revision A representing probably more than can be justified under CALEA. It is quite likely that if law enforcement cannot get what they want under CALEA, they will lobby heavily for changes in legislation, particularly enhancements to their ability to monitor wireless communications and internet traffic. Since 1994 these have become critical methods of communications, yet law enforcement’s ability to monitor them is less than for landline communications, due to their more complex and less predictable nature.
Even in the shadow of September 11th, the telecommunications industry cannot enhance J-STD-025 too much. No matter how much they want to help law enforcement, they cannot put requirements into a standard that they believe are outside the law. Being too restrictive will not allow law enforcement to adequately protect Americans from terrorists and criminals, while being too liberal with its contents will only result in it being held up in court by people who are concerned that it violates Americans’ civil liberties. Furthermore, the industry has to be fiscally responsible, not spending limited funds on capabilities that provide much cost and little benefit, or that perhaps cannot even be deployed because of legal challenges to the standard they are based on.
Some aspects of J-STD-025 and related standards being produced by 3GPP (TS 33.106, 107 and 108) are outside the scope of CALEA and appear to have no legal ramifications. For example, the standard does not define a single transport interface, meaning that carriers could implement it with a bewildering array of connection types, significantly increasing implementation costs. It would help if the industry and law enforcement could agree on a single interface, but the industry leans towards TCP/IP and law enforcement towards X.25, meaning that the standard can give no direction.
Another area where the industry could help is by trying to be more unified. 3GPP has a heavy European influence, and has developed a set of standards designed to be used within a network. Now there is a proposal to extend their standards to the law enforcement interface, increasing implementation costs without adding any real value. This is one area where it is unclear that the high level of competition between 3GPP and 3GPP2 is really in the public interest.
A large area that is still under study is packet data, particularly the issue of how to separate packet identifying information from packet content. Voice communications are well understood by lawmakers, and the distinction between call identifying information (who’s calling who, when and where) and call content (the voice) is well defined. This is critically important because most court orders only have the legal authority to obtain call identifying information. With packet mode communications these traditional distinctions are more difficult to make. Internet packets usually contain multiple layers of identifying information (e.g. various headers with address, times and intervening servers) surrounding the packet content. Combine this with a bewildering array of different message formats that are used to transmit different types of information (e.g. email, web services, file transfers) and it becomes almost impossible to draw the dividing line with legal exactness.
The simplest approach for the industry is to send the entire packet to law enforcement, trusting them to determine the protocol, extract the identifying information and throw the content away for court orders not allowing its collection. This is currently being treated as a technical problem, but in reality it is a failure of legislators to provide laws attuned to packet-based methods of communications. Since the distinction between packet identifying information and content does not make much sense, this leaves them with the problem of defining a new legal standard for obtaining combined packet information, which presumably must be higher than required to obtain call identifying information, but lower than required to obtain call content.
The combined efforts of the telecommunications industry, law enforcement, regulators, legislators, the courts and, yes, also the sometimes maligned civil libertarians are required to write the concluding chapters on the CALEA story. Hopefully, the story will end with Americans secure both from terrorist attacks and from unnecessary intrusions into their privacy.
© – Copyright