Summary of the CALEA NPRM's Private Intercept Management Provider Proposal
August 9, 2004. The Federal Communications Commission's (FCC) CALEA NPRM [100 pages in PDF], released on August 9, 2004, contains a proposal regarding the processing of court orders, the installation of surveillance equipment, the operation of surveillance activities, and other activities related to carrying out surveillance and intercepts. The NPRM suggests that carriers and service providers rely upon a new category of service provider to perform these functions. The NPRM seeks comment on this, but does not indicate how the rules contained in a final order might implement this proposal.
Summary of NPRM Proposal. The NPRM includes a section that suggests that it will not be the telecommunications carriers and information services providers who will intercept the calls and data for which the law enforcement agencies (LEAs) have obtained court orders. Rather, third party providers will access the calls and data, analyze it, process it, and deliver it to the LEAs. (See, NPRM at Paragraphs 1 and 69-76.)
The NPRM states that "We seek comment on ... the feasibility of carriers relying on a trusted third party to manage their CALEA obligations and to provide to law enforcement agencies ('LEAs') the electronic surveillance information they require in an acceptable format." (See, NPRM at Paragraph 1.) The NPRM further states that this provider "manages the intercept process", and that this provider would "analyze the data and provide a LEA with only that information to which it is entitled". (See, NPRM at Paragraph 69.)
The NPRM also offers a rationale for the use of these private intercept management providers. They "would be an efficient method to extract information from packets" and they "might provide economies of scale for small carriers". (See, NPRM at Paragraph 72.)
This is a point that both VeriSign and Fiducianet make in their filings with the FCC. They have not made public any significant financial data regarding costs and prices. Nevertheless, their argument is that a small service provider could spend hundreds of thousands of dollars on purchasing and installing equipment, and more for employee training and time, even though it might only rarely be called upon by LEAs to conduct intercepts.
Alternatively, a company that specializes in intercepts, and is familiar with LEA procedure, could install equipment on a service provider's premises, that the company would access remotely, to manage the interception requested by LEAs. The capacity would be scaled to that service provider's size. These private intercept management providers would bill the information service providers (and especially small providers) much less than they would spend if they were to manage their own intercepts. See for example, VeriSign's original comment [15 pages in PDF], ex parte paper [22 pages in PDF], and reply comments [8 pages in PDF] and Fiducianet's ex parte notice [PDF].
Also, while the proponents of this proposal are private companies, the NPRM adds that these private intercept management providers "could be owned by the packet service provider or Law Enforcement, or it could be an independent surveillance service provider who contracts with individual carriers." (See, NPRM at Paragraph 75.)
The NPRM uses the term "trusted third party" repeatedly in this section, although it once uses the term "independent surveillance service provider". The companies that have ambitions to develop this industry, such as VeriSign and Fiducianet, tend to use the term "service bureau". Neither the term "trusted third party" nor the term "service bureau" carries much descriptive content. This series of articles uses the term "private intercept management provider" because it is descriptive of the entities that would perform this function.
The DOJ Petition Did Not Make This Request. Most of what is in the NPRM is a reaction to requests included in the DOJ's petition for rulemaking. The NPRM gave the DOJ some of what it requested. It gave it alternative or similar relief in some instances. It also denied some DOJ requests. This item in the NPRM is notable because the DOJ did not ask for this section in its original petition for rulemaking [83 pages in PDF] or reply comments [61 pages in PDF].
Moreover, while the DOJ has been holding ex parte meetings with FCC personnel since last summer, its ex parte notices in this and other proceedings do not reflect that the DOJ has asked for this. Finally, to the limited extent that TLJ has spoken with FCC personnel who have been present at various of these meetings, they have stated either that they will not discuss ex parte meetings, or that the DOJ has not taken a position on the use of private intercept management providers at these meetings.
On the one hand, the DOJ could simply be relying upon these companies, and their profit motive, to conduct the lobbying of the FCC on this issue. Moreover, it may be significant that Mike Warren, the President of Fiducianet, was until recently a long time employee of the DOJ's Federal Bureau of Investigation (FBI) who worked in its CALEA unit.
In addition, these private intercept management providers could turn out to be more supportive of the LEAs than the carriers' and information service providers' internal staff would be. This would give the DOJ cause for supporting this item in the NPRM.
Also, the financial incentives could work in favor of the DOJ. While carriers currently receive payment for intercepts, it costs them more than they receive. Intercepts are a money losing proposition for carriers. Hence, they have no financial incentive to do more of them, or any of them. But, if the intercept management function were separated from the provision of information services, with the intercept management provider being paid by the information services provider at a market based price, the intercept management provider would benefit from performing more intercepts. It would have a financial incentive to conduct more intercepts. This could result in LEAs encountering less resistance from private intercept management providers than from the carriers and information services providers.
On the other hand, these private intercept management providers, in order to win clients, may have to be responsive to their interests. They could develop as more effective counterweights to overzealous LEAs than would small information service providers acting individually.
This Proposal Could Change the Structure of Surveillance. This proposal to use private intercept management providers, if implemented, could change the structure of surveillance.
There are now two types of entities involved in the wiretap process -- LEAs and telecommunications carriers. LEAs seek information, get court orders, and then serve them upon the telecommunications carriers that maintain the networks.
This NPRM proposes a third category of entity in the surveillance process. It adds private companies, such as VeriSign and Fiducianet, that would provide "intercept management".
Also, as more criminals and terrorists adopt new information services, surveillance of these activities will increase, thus making information services providers a fourth major category of entity active in the surveillance system.
Data on wiretaps suggest that there is still very little interception involving information services. For example, on April 30, 2004, the Administrative Office of the United States Courts released its 2003 annual report [10 pages in PDF] on interception of phone, oral and electronic communications. This report only addressed Title III wiretaps, which also include accessing the content of e-mail transmissions. It states that "1,442 intercepts authorized by federal and state courts were completed in 2003". It further states that 49 authorizations pertained to "Electronic wiretaps". It adds that "32 of these involved electronic pagers, 12 involved computers, and 5 involved other electronic devices such as fax machines". The report also addresses encryption. It states that "In 2003, no instances were reported of encryption being encountered on federal wiretaps. One state jurisdiction reported that encryption was encountered in a wiretap terminated in 2003; however, the encryption was reported to have not prevented law enforcement officials from obtaining the plain text of communications intercepted."
Law enforcement, including investigation, surveillance, and collection of evidence of crimes, is one of the core governmental functions of any nation or state, regardless of how market oriented it might be. This NPRM proposes to shift functions that are essentially governmental to private companies.
Some groups have argued that there is a larger trend in the structure of surveillance towards privatization, and that it has potentially harmful consequences. For example, the ACLU just released a paper [38 pages in PDF] titled "The Surveillance-Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society" that cautions about an ongoing trend of privatization of surveillance. It was written just before the FCC released its CALEA NPRM, and hence, does not include a section on the NPRM.
The ACLU may or may not be on point in all of its arguments.
Nevertheless, there is currently a broad array of statutory rules, regulations, and caselaw that define, for the LEAs and telecommunications carriers, what their roles in the surveillance process are, what they are allowed to do, what they are prohibited from doing, and how they can be penalized for breaking the rules. This legal framework is constructed with LEAs and telecommunications carriers in mind. In contrast, there is currently no legal framework that would apply to these new private intercept management providers. Nor does the NPRM propose to construct such a framework.
The NPRM, at the very end of its section on intercept management, adds a single sentence that asks for comments, but only about the "privacy and security" related implications of using these new private intercept management providers. (See, NPRM at Paragraph 76.)
Abuse of Surveillance Powers. The legal regime regulating the searches, seizures, wiretaps and other surveillance, of which the CALEA is just one part, builds in safeguards to decrease the likelihood that surveillance powers will be abused.
The interception of communications can entail the acquisition of very private information. Abuse of interception authority, and illegal interception, can cause substantial harm to the persons whose conversations are intercepted, and the businesses or organizations for which they work.
To date, almost all interception has involved merely the content of two person conversations, and acquiring phone numbers. Moreover, the content of calls is acquired as voice in analog format. Someone can listen to it, transcribe it, and read it.
In contrast, the development of new information services means that far more than voice conversations are traveling over networks. There is also substantial data -- financial data, proprietary information of businesses, medical records, and other things not previously contained within phone conversations. Moreover, much data is stored, and hence available for seizure for a long time. Finally, the data is digital, and often in formats that make it readily searchable, and easily merged with other collections of data. This means that the amount of information that is becoming available through searches and seizures is growing rapidly, that the uses to which it can be put are growing rapidly, and hence, that the extent of the potential harm that could result from improper or illegal searches and seizures is growing rapidly.
One might speculate that this development may lead the Congress to create increased protections and safeguards against abuse of search, seizure, surveillance, and intercept powers. However, the NPRM's suggestions regarding private intercept management providers would tend to have just the opposite effect -- decreasing the protections and safeguards.
There are several checks upon LEAs. First, LEAs are staffed by career sworn law enforcement officers who tend to take the laws that they are sworn to uphold very seriously. Second, laws limit who within LEAs may seek orders for wiretaps. In the case of the DOJ, 18 U.S.C. § 2516 limits this authority to a small group of ranking officials. Third, laws limit the crimes which may serve as a predicate offense for issuance of a wiretap order. For the DOJ, this is codified at 18 U.S.C. § 2516. Fourth, the request to conduct a wiretap must be approved by an impartial federal judge.
Fifth, there is the principle of suppression of evidence. LEA personnel are largely motivated by a desire to catch criminals and put them in jail. They need evidence that can be admitted at a trial to do this. However, evidence that is illegally obtained, such as by an illegal wiretap, can be suppressed, and thereby rendered inadmissible at trial. Moreover, evidence collected as a result of an illegal search can also be suppressed. In the case of wiretaps, this is codified at 18 U.S.C. § 2515. Perhaps nothing upsets prosecutors and law enforcement officers more than watching a criminal whom they have caught and charged walk out the front door of the courthouse as a result of the suppression of critical evidence.
These checks are largely effective in keeping LEAs in line. However, they would not apply in the same manner to private intercept management providers. The employees of these companies will not be sworn law enforcement officers with the esprit of these professionals. Nor will they be motivated by worries about the suppression of evidence. The companies will be paid regardless of whether the fruits of the surveillance are used or are useable in court. Their motive is profit maximization.
There are also checks upon telecommunications carriers. First, they have no profit motive in conducting intercepts because they lose money on intercepts. In contrast, the private intercept management providers will make more money the more intercepts there are.
Second, telecommunications carriers have a stronger incentive to protect the privacy and security of their own customers than the private intercept management providers would.
Third, there are statutory restrictions on what telecommunications carriers can do. There is, for example, 47 U.S.C. § 605, which prohibits the unauthorized publication or use of communications. This applies to entities that are telecommunications carriers within the meaning of the Communications Act. However, the FCC's analysis in the substantial replacement section of the NPRM tentatively concludes that certain information services providers are telecommunications carriers within the meaning of the CALEA, but not within the meaning of the Communications Act. The consequence of such a distinction could be that these information services providers (and their agents, the private intercept management providers) are regulated by the CALEA, but not by Section 605.
Fourth, there is 18 U.S.C. § 2511, which criminalizes illegal wiretaps. This section applies equally to LEAs, telecommunications carriers, information services providers, and private intercept management providers. However, with the increasing use of services that provide for storage of communications and other electronic data held by a third party, the utility of Section 2511 in constraining abuse of electronic surveillance powers is decreasing.
For example, in the case of e-mail, Section 2511 appears to cover electronic transmission of e-mail, but not the electronic storage of e-mail. Thus, an e-mail service provider or private intercept management provider that improperly accesses stored e-mail could not be sued or prosecuted under Section 2511.
This is what the U.S. Court of Appeals (1stCir) held in USA v. Bradford Councilman. On June 29, 2004 the Court of Appeals issued its split opinion that there was no violation of Section 2511 when stored e-mail is accessed, because, since it was in storage, there is no interception within the meaning of the statute. See, story titled "1st Circuit Holds Wiretap Act Does Not Apply to E-Mail in Storage" in TLJ Daily E-Mail Alert No. 930, July 1, 2004.
Also, bills have already been introduced in the Congress that would address the holding in Councilman. See, stories titled "Rep. Nadler Introduces Bill to Criminalize Accessing Stored E-Mail" and "Rep. Inslee Introduces E-mail Privacy Act" in TLJ Daily E-Mail Alert No. 950, August 2, 2004.
There are also the sections of the Criminal Code pertaining to stored communications. However, these are more effective as a restraint on third parties than as a restraint on LEAs and the entities that store the data. For example, the prohibitions of 18 U.S.C. § 2701 exempt the service provider. The provisions of 18 U.S.C. § 2702 contain exemptions for LEA related activities.
In conclusion, by promoting the development of private intercept management providers, the FCC is shifting a core governmental law enforcement activity to a new category of entity that is largely unconstrained by the factors that keep the LEAs in check. It is also shifting authority to entities that lack the same incentives as the telecommunications carriers and information services providers to protect the privacy and security of the customer.
Moreover, in the case of stored communications and stored data, the law arguably provides insufficient checks upon the activities of not only private intercept management providers, but also of the telecommunications carriers and information services providers.
The consequence of all this is that, perhaps inevitably, the legal regime regulating electronic surveillance will have to be substantially updated. This would require amendment of criminal provisions of Titles 18 and 50. Only the Congress can do this.