In July 2003, the United States was four months into the war in Iraq and nearly two years removed from the Sept. 11 attacks. Squashing the enemy was high on the government's priority list, and surveillance initiatives, like the controversial USA PATRIOT Act, were seen as elemental to the task.
Against this backdrop, the FBI's Electronic Surveillance Technology Section met with FCC officials on July 10, 2003, to lobby for broadened wiretapping capabilities. The Communications Assistance for Law Enforcement Act, a 1994 phone wiretap law, is what they talked about. CALEA, as the law is known, requires phone companies to reengineer their systems so that law enforcement can more easily install wiretaps. The FBI wanted to expand the law to include online communications, and talking with the FCC, the agency that determines the scope of the law, was the first step.
The FBI noted that traditional phone services might someday be replaced by Internet phone service, which would not be covered by CALEA.
"This trend offers increasing opportunities for terrorists, spies and criminals to evade lawful electronic surveillance," the summary stated. It continued a few lines later, "The need for CALEA-standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication."
Two years later, on Sept. 23, the FCC released a notice of the new proposed rule broadening CALEA to include web interaction. Affected institutions, called facilities-based networks, must comply by spring of 2007.
The definition would seem to cover any entity that owns and runs equipment connecting users to the Internet. But it isn't that simple. Organizations that have public Internet access but do not own their own servers, most libraries for example, are not covered under CALEA.
The University of Central Florida is covered under the law, and UCF could be forced to retool their computer network to the tune of millions. Other institutions such as regional non-profit groups and even some city municipalities that offer Internet to their residents fall under the rule. Locally, though, UCF is the biggest player affected.
In the days after the FCC's proposed rule change, everyone from education groups to technology companies to Vermont Sen. Patrick Leahy voiced opposition. It appears that even the FCC is worried about the legality of the rule. The complaints (and court appeals) are mounting, and central in all cases is the issue of the regulation's necessity (or lack thereof). Overkill is the word of the day.
But this isn't a privacy issue. The FBI and other law enforcement agencies already have the ability to tap your phone lines and monitor your computer; all they need is a court order. The original CALEA only mandated that telephone carriers configure their systems to make them easier to tap.
In the age of the Internet, however, more people are using providers, like Vonage, that offer phone service over the web instead of a phone line. Phone service on the web isn't covered under CALEA; however, a small clause in the original law states that anything acting as a "replacement for a substantial portion of the local telephone exchange service" also falls under CALEA. That's where the FBI found its opening.
"Broadband telephony is increasingly replacing traditional circuit-mode telephone service, and the public interest in ensuring that law enforcement continues to be able to perform lawful electronic surveillance … is manifest," the FBI stated in its official petition to the FCC on March 10, 2004.
Problem is, when the FCC reworked the law, they broadened the net to include online communications like e-mail and instant messaging originating from facilities-based networks. According to Sen. Leahy, one of the two primary sponsors of the 1994 law, this new interpretation flies in the face of the original intent.
"Congress recognized the unique architecture of the Internet and explicitly excluded it from the scope of CALEA's surveillance design mandates," Leahy said in an Oct. 26 statement. "And we did that to allow Congress to re-visit the appropriateness of such an extension as the Internet developed. Any extension of CALEA, a law written for the telephone system in 1994, to the Internet in 2005 would be inconsistent with congressional intent."
And then there's the fact that even the FCC has doubts about the legality of its own ruling. Commissioner Kathleen Abernathy released a statement that said the expanded law is "not without legal risk." And Commissioner Michael Copps called the rule "undeniably stretched."
Just like in 1994, current-day law enforcement agencies face no barriers to monitoring e-mail or other online communications. The FBI isn't asking for permission to wiretap the Internet; they've already got that. By obtaining a court order for a specific computer, they can send someone out to spy on anything sent from it. What the FBI wants is for facilities-based network providers to overhaul their computer network so that online wiretaps are accomplished with the flip of a switch.
In late October EDUCAUSE, a national non-profit group that deals with technology issues in higher education, held its annual conference at the Orange County Convention Center. Bob Yanckello, director of computer services and telecommunications at the University of Central Florida, sat in on a session titled, "CALEA: What Could It Mean for Your Network?" The speaker flipped through a PowerPoint presentation. One screen in the middle of the presentation read, "Cost to become CALEA compliant could be HUGE!!!"
"This type of equipment, engineering switches, it's not inexpensive stuff," he says. He is waiting to see how the law is interpreted before deciding what the university will have to do. Jenny Hatter, spokeswoman for Rollins College, says that school's information technology department is also holding out on any overhaul until they see how the law shakes out.
Universities around the country that have recently retooled computer networks give a sense of the impending costs for schools to become CALEA-compliant. The University of Chicago spent $7 million on its network update. The University of Wisconsin spent more than $17 million to improve its computer network. Although Yanckello is hesitant about estimating UCF's cost, Terry Hartle, a senior vice-president at the American Council on Education, a consortium of universities, isn't shy. Hartle says a university like UCF can expect to pay in the millions to reconfigure their network. Nationwide, ACE estimates colleges and universities could have to spend a total of $7 billion to comply with CALEA.
"This is just another unfunded mandate, albeit a pretty big one," Hartle says.
ACE filed an appeal in federal court in late October, questioning the legality of the rule. In a second appeal, COMPTEL and Sun Microsystems joined the Center for Democracy and Technology in opposition. For these technology businesses, the issue is innovation.
"Part of the success of the Internet has been innovators testing and retesting new technologies without regulation," says David McGuire, director of communications for the CDT. "This rule stifles that atmosphere of development."
In addition to the cost, there is the matter of network security. The Electronic Frontier Foundation, a group defending digital rights, says when networks are reconfigured to be wiretap-friendly, they also have more points of vulnerability. McGuire agrees, saying that requiring tech companies to build tappable networks creates a backdoor to get into the system.
So why does the government want this? Yanckello says there hasn't been a wiretap request at UCF in at least the past 10 years, and other facilities-based networks around the country have similar stories. Is a broadened CALEA worth all the fuss?
According to a report issued by the federal judiciary, in 2004 the state and federal governments reported 1,710 wiretaps, 72 here in Florida. Wiretaps include any variation of wire, oral or electronic interception. Electronic surveillance (paging devices, fax machines and computer transmissions) accounted for 38 of the 1,710 wiretaps. Out of those 38, only 12 were issued for computer surveillance, or less than 1 percent of the total. There was no indication of how many of those 12 were installed on university networks.
The total cost to the government for these wiretaps was $1.1 million, far less than the potential cost to each individual institution. And the government doesn't seem to have a hard time when it does install wiretaps now, critics add.
"There really hasn't been any showing by the government, the Justice Department or the FBI that they're having trouble getting info they're seeking," McGuire with the Center for Democracy and Technology says.
While the appeals snake through the court system, nervous tech companies and educational institutions are waiting to see how they'll be affected. The FCC is itself still considering whether to exempt educational institutions from the new mandate. Yanckello notes, however, that the FCC has not extended the spring 2007 deadline.
"If in 18 months nothing has changed, we'll have to be compliant."