FCC Reinstates CALEA Surveillance Capabilities
This is a complex issue that we don't cover very often, so it requires some background. CALEA is the Communications Assistance for Law Enforcement Act. EPIC has a set of pages about CALEA, a law enacted in 1994 to require telephone companies to build "tap-ability" into their communications equipment. This is voice traffic, not data - don't get this confused with Carnivore, the FBI's tool for slurping down internet traffic. At the time, carriers were transitioning from analog networks to digital ones, and there was some concern that the new digital network would not permit the FBI to listen in easily. Due to the possible expenses incurred by the telephone companies in implementing this, Congress greased the skids with a $500,000,000 (yes, that's half a billion dollars) grant to the companies. Congress granted the FCC the power to decide exactly how to implement this, and the FCC asked for comments. The FBI suggested that the rules should make sure lots of information was available to the FBI, the civil liberties groups suggested that the rules should make sure little information (or at least no more than was available in the old analog system) was available to the FBI, and the phone companies suggested that the rules be inexpensive.
Let's go back in time a moment to look at the old, analog way of doing things. In a nutshell, there are two different ways to conduct a government search on someone's telephone calls: you can search to see who was calling who, or you can search to get the actual content of a telephone call. The first type of search is called a pen register or trap and trace. The pen register is the list of phone numbers you've called. Trap and trace gets the numbers of people who call you. These were (at one time) literal devices which would be physically attached to your phone line. Both of these have been seen by the courts and Congress as much less private (after all, you're "giving" the information to the phone company with every call) than the actual content of your calls, which can only be obtained with a wiretap. Under the old rules, getting pen register or trap and trace information requires only a simple warrant, issued by any judge. Under the law, the judge does not even have the discretion to refuse to issue the order! Nor should you get the impression that this is solely the FBI. Many states allow similar telecommunications searches, and in fact state law enforcement does the bulk of them.
The open question was, with many new digital phone services becoming available, what information would be obtainable with the (non-refusable) pen register or trap and trace-type order, and what would require a real search warrant where a judge is supposed to exercise his discretion in deciding whether to grant it or not? That is, in what cases would "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." be applied, and in what cases would the government be allowed to simply take the information without meeting those requirements?
Eventually the FCC released its interpretation of what the phone companies should do to implement CALEA. The FCC required several things that were "new" and expanded law enforcement's surveillance abilities. One requirement was that all the digits you dial after the call is put through be recorded and provided. So if you dial your bank to transfer funds to checking, or dial your voicemail to retrieve it, or send a message to someone's pager, your bank account number and PIN, your voicemail password, whatever you sent to the pager - all that can be retrieved without a search warrant by any law enforcement official. The FCC also required that, if you were using a cell phone, your physical location be provided as well. They required that if more than two people were on the line, complete information about who joined or dropped out of the conference call be made available. Similarly, data about call waiting or call forwarding was to be provided if these were used. And finally, if you were using VoIP, the government could get all the headers of all your packets sent during the call.
Cue the lawsuits. Civil liberties groups were concerned that the rules were too broad, the FBI was happy (the FCC had given them all they could want), and the telephone companies were concerned that the changes would be too expensive. The civil liberties groups and the telecom industry filed suits to force the FCC to revise its order.
In the case at hand, the telecom industry sued, claiming various things but attempting, in general, to reduce the cost of compliance. The lawsuit was partially successful. The court rejected certain aspects of the FCC's order, and accepted the cell-location and packet-headers parts. The reason for rejecting the other parts was basically that the FCC did not justify itself sufficiently - previous courts have established various requirements that when an agency creates rules like this that will have the force of law, it must do so in a reasonable and justified manner. The court felt that the stricken requirements did not meet this standard, and chucked the ball back into the FCC's court.
Fast-forward to today. The FCC has reinstated all of the four requirements that were stricken by the courts, and this time it took pains to justify itself. That's what the Reuters article linked above is talking about, and you can read the order yourself in text or in PDF.
There are other lawsuits filed against CALEA that have not yet concluded. Rulings in those may be expected this summer.
As a side note, a great many other laws have passed since then expanding other surveillance activities. Under them, the government can now record your internet-browsing activities in much the same way as they can trace your phone calls - without judicial supervision. If you haven't already, you might wish to read more about the PATRIOT Act.
Yet another way to hurt the good guys.
I wonder when the word "privacy" will altogether disappear from English dictionaries....
-kwishot
That pagers are safer than cellphones.
tcd004
From the text:
Although we understand "call-identifying information" to consist of both dialing and signaling information that may or may not be described in terms of telephone numbers, we emphasize that not all dialing and signaling information is "call-identifying information." For example, parties using bank-by-phone systems, automated prescription renewal services, and voicemail systems often enter account numbers, prescription numbers and passcodes that do not affect how the network processes the ongoing call. To reach this distinction, we look at the definition of "call-identifying information":
"dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier." [81]
While some dialing or signaling information identifies the origin, direction, destination, or termination of a communication, [82] other dialing or signaling information - such as a bank account number - clearly does not. Again, an analysis of traditional pen register surveillance supports this distinction. During a traditional pen register surveillance, a LEA receives all signals that are sent from the intercept subject to the carrier, including 'off-hook' and 'on-hook' signals, hook flashes, ringing tones and busy signals. [83] Because special equipment is used to identify and record those audio signals used in call processing, the traditional model recognizes that there is a distinction between audio signals that are call content and audio signals that are call-identifying. [84] This model also supports a broad interpretation of what "identifies" the origin, direction, destination, or termination of a communication.
------
I've been briefly looking over the document, and I can't seem to find where they specifically say that they want access to the call *content*. In fact, they seem to be saying that their original intent (to get call-identifying information) was misinterpreted to mean call-content.
Maybe I just haven't found it yet, but does anyone know which part specifically says that they need access to call *content*?
-kwishot
The network doesn't need GPSes in the phone to locate the phone:
The existing base stations already locate the phone by relative signal strength, at a minimum, to decide which station is the best one to contact it. They do this as a separate transaction before actually ringing the phone. If you don't have a monitor on the phone to let you know every time it transmits you won't know if they're pinging it.
With a very small software upgrade the phone companies can trivially locate the phone to the resolution of the nearest cell tower whenever it is being used, and with a very slightly more extensive software upgrade they can ping it but not ring it, and tell the police the results.
The base stations can also measure the round-trip delay to the phone, thus obtaining the radius of a sphere centered on the cell antenna. The phone will be on the surface of that sphere if the path is direct, slightly inside it if the path takes a bounce. (The intersection of the sphere with the earth's surface is a circle if the ground is level.) With two base stations the phone is located to the intersection of two spheres - a vertical circle intersecting the ground at two points. With three base stations (that aren't on a straight line but are at the same altitude) you typically get one or two points in space, and if it's two they're one above the other. Bingo.
Of course this also works just pinging the phone without ringing it. There's a variant that lets the one handling the call or pinging the phone provide timing info to others that are passively monitoring.
This capability is already deployed in some cell systems. In at least one city it is used to create traffic condition reports by measuring the speed of active cell phones in traffic on major routes.
These capabilities make it possible to "tail" anyone with a cell phone, any time the phone is powered up.
Once you're being tailed the location data can be archived, then data-mined to create a dossier of your typical behavior, then call for a cop's attention if you deviate from your normal travel habits.
One of the reasons the mandate is so expensive is it requires enough equipment to simultaneously monitor an ENORMOUS number of phones. (Something like a third of all of them or a third of the calls in progress, if I recall old news items correctly.) It's not enough to continuously monitor everybody all the time. But I seem to recall thinking that it IS enough to monitor everybody with a criminal record or a green card, even in "high-crime" residential areas, plus all the pay phones. (Am I confused on this?) Of course cell-phone location monitoring, rather than call content monitoring, isn't a big load once the software is in place to do it at all. So that can be done to ALL the cellphones ALL the time.
Let's see, with GPS installed and phone taps readily available now, doesn't that make anyone else here just a wee bit uneasy about using a cell phone?
Yep.
Makes me want to turn off my phone (and remove the battery) whenever I'm not actually making a call, and to use a vending-machine calling card in payphones when on vacation.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
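The sphere geometry described in the comment above (round-trip delay gives a radius; three stations at one altitude, not in a line, give one or two points stacked vertically; a bounced path inflates the radius) worked through as an added example that is not part of the original thread. The tower coordinates, antenna height, phone position and function names are constructed for illustration.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def range_from_rtt(rtt_s, turnaround_s=0.0):
    """Sphere radius implied by a round-trip delay (handset turnaround removed)."""
    return C * (rtt_s - turnaround_s) / 2.0

def trilaterate(stations, ranges):
    """Locate a phone from three ranges to antennas at one shared altitude.

    stations: three (x, y) antenna positions in metres; ranges: three radii.
    Returns (x, y, dz): the two candidate points sit dz above and dz below
    the antenna plane, directly over each other.
    """
    (x1, y1), (x2, y2), (x3, y3) = stations
    r1, r2, r3 = ranges
    # Subtracting sphere 1 from spheres 2 and 3 cancels x^2, y^2 and the
    # shared height term, leaving two linear equations in x and y.
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("stations lie on a straight line; fix is ambiguous")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    # Height offset from the antenna plane; clamp noise-induced negatives.
    dz = math.sqrt(max(r1**2 - (x - x1)**2 - (y - y1)**2, 0.0))
    return x, y, dz

# Constructed sample: three towers with antennas 30 m up, phone on the ground.
STATIONS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]
ANTENNA_HEIGHT = 30.0
PHONE = (1000.0, 1200.0, 0.0)

def simulated_rtts(extra_path_m=(0.0, 0.0, 0.0)):
    """Round-trip delays the towers would measure; extra_path_m models a bounce."""
    return [2 * (math.dist((sx, sy, ANTENNA_HEIGHT), PHONE) + e) / C
            for (sx, sy), e in zip(STATIONS, extra_path_m)]

def locate(rtts):
    return trilaterate(STATIONS, [range_from_rtt(t) for t in rtts])

if __name__ == "__main__":
    print("direct paths:", locate(simulated_rtts()))
    print("200 m bounce on tower 2:", locate(simulated_rtts((0.0, 200.0, 0.0))))
```

With direct paths the fix is exact and the two candidates are 30 m below and 30 m above the antenna plane; a single bounced path pushes the estimate away from that tower. A timing error of one microsecond corresponds to roughly 150 m of range error.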
What I have found particularly striking is the extensive effort made to suppress this story.
I'm not sure how much of this story I believe, here are some other (mostly right-wing) sites that covered this:
I do not deploy Linux. Ever.