Slashdot Mirror
FCC Reinstates CALEA Surveillance Capabilities
This is a complex issue that we don't cover very often, so it requires some background. CALEA is the Communications Assistance for Law Enforcement Act. EPIC has a set of pages about CALEA, a law enacted in 1994 to require telephone companies to build "tap-ability" into their communications equipment. This is voice traffic, not data - don't get this confused with Carnivore, the FBI's tool for slurping down internet traffic. At the time, carriers were transitioning from analog networks to digital ones, and there was some concern that the new digital network would not permit the FBI to listen in easily. Due to the possible expenses incurred by the telephone companies in implementing this, Congress greased the skids with a $500,000,000 (yes, that's half a billion dollars) grant to the companies. Congress granted the FCC the power to decide exactly how to implement this, and the FCC asked for comments. The FBI suggested that the rules should make sure lots of information was available to the FBI, the civil liberties groups suggested that the rules should make sure little information (or at least no more than was available in the old analog system) was available to the FBI, and the phone companies suggested that the rules be inexpensive.
Let's go back in time a moment to look at the old, analog way of doing things. In a nutshell, there are two different ways to conduct a government search on someone's telephone calls: you can search to see who was calling who, or you can search to get the actual content of a telephone call. The first type of search is called a pen register or trap and trace. The pen register is the list of phone numbers you've called. Trap and trace gets the numbers of people who call you. These were (at one time) literal devices which would be physically attached to your phone line. Both of these have been seen by the courts and Congress as much less private (after all, you're "giving" the information to the phone company with every call) than the actual content of your calls, which can only be obtained with a wiretap. Under the old rules, getting pen register or trap and trace information requires only a simple warrant, issued by any judge. Under the law, the judge does not even have the discretion to refuse to issue the order! Nor should you get the impression that this is solely the FBI. Many states allow similar telecommunications searches, and in fact state law enforcement does the bulk of them.
The open question was, with many new digital phone services becoming available, what information would be obtainable with the (non-refusable) pen register or trap and trace-type order, and what would require a real search warrant where a judge is supposed to exercise his discretion in deciding whether to grant it or not? That is, in what cases would "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." be applied, and in what cases would the government be allowed to simply take the information without meeting those requirements?
Eventually the FCC released its interpretation of what the phone companies should do to implement CALEA. The FCC required several things that were "new" and expanded law enforcement's surveillance abilities. One requirement was that all the digits you dial after the call is put through be recorded and provided. So if you dial your bank to transfer funds to checking, or dial your voicemail to retrieve it, or send a message to someone's pager, your bank account number and PIN, your voicemail password, whatever you sent to the pager - all that can be retrieved without a search warrant by any law enforcement official. The FCC also required that if you were using a cell phone, that your physical location be provided as well. They required that if more than two people were on the line, complete information about who joined or dropped out of the conference call be made available. Similarly, data about call waiting or call forwarding was to be provided if these were used. And finally, if you were using VOIP, the government could get all the headers of all your packets sent during the call.
Cue the lawsuits. Civil liberties groups were concerned that the rules were too broad, the FBI was happy (the FCC had given them all they could want), and the telephone companies were concerned that the changes would be too expensive. The civil liberties groups and the telecom industry filed suits to force the FCC to revise its order.
In the case at hand, the telecom industry sued, claiming various things but attempting, in general, to reduce the cost of compliance. The lawsuit was partially successful. The court rejected certain aspects of the FCC's order, and accepted the cell-location and packet-headers parts. The reason for rejecting the other parts was basically that the FCC did not justify itself sufficiently - there are various requirements, created by previous courts, that when an agency creates rules like this that will have the force of law, that they do so in a reasonable and justified manner. The court felt that the stricken requirements did not meet this standard, and chucked the ball back into the FCC's court.
Fast-forward to today. The FCC has reinstated all of the four requirements that were stricken by the courts, and this time it took pains to justify itself. That's what the Reuters article linked above is talking about, and you can read the order yourself in text or in PDF.
There are other lawsuits filed against CALEA that have not yet concluded. Rulings in those may be expected this summer.
As a sidenote, a great many other laws have passed since then expanding other surveillance activities. Under them, the government can now record your internet-browsing activities in much the same way as they can can trace your phone calls - without judicial supervision. If you haven't already, you might wish to read more about the PATRIOT Act.
Maybe everyone doesn't want their privacy violated, but cellular phone devices are frequently used in criminal activities because of their mobility. I'm not saying this post is right or wrong, but at least they aren't tapping everyone's land line. While criminals could just switch to say, pay phones that work, to do their bidding, cell phones are a lot more convenient. Even if some do change their numbers every two days.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Yet another way to hurt the good guys.
I wonder when the word "privacy" will altogether disappear from English dictionaries....
-kwishot
Enough said.
You might need to spend a bit in there but you will find the goods. Please DO NOT xfer files in bulk. Its running financially strapped. You should buy cdrom archives of the bulk of it before the site suffers and dwindles from bandwidth abuse.
this does not make cell phones more "tapable" than a regular phone. they have thier ways of tapping your land phone already. it does not mean they are listening to it. the same applies here. they will have a way to tap your cell phone, but they are most likely not listening to it anyway... that aside, i am sure they will be listening to some phone calls regardless of thier content, mostly so they can justify the $500 millon they spent getting such a system in place.
From the text:
Although we understand "call- identifying information" to consist of both dialing and signaling information that may or may not be described in terms of telephone numbers, we emphasize that not all dialing and signaling information is "call-identifying information." For example, parties using bank- by- phone systems, automated prescription renewal services, and voicemail systems often enter account numbers, prescription numbers and passcodes that do not affect how the network processes the ongoing call. To reach this distinction, we look at the definition of "call- identifying information":
"dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a
telecommunications carrier." 81 While some dialing or signaling information identifies the origin, direction, destination, or termination of a communication, 82 other dialing or signaling information - such as a bank account number - clearly does not. Again, an analysis of traditional pen register surveillance supports this distinction. During a traditional pen register surveillance, a LEA receives all signals that are
sent from the intercept subject to the carrier, including 'off- hook' and 'on- hook' signals, hook flashes, ringing tones and busy signals. 83 Because special equipment is used to identify and record those audio
signals used in call processing, the traditional model recognizes that there is a distinction between audio signals that are call content and audio signals that are call- identifying. 84 This model also supports a broad interpretation of what "identifies" the origin, direction, destination, or termination of a communication.
------
I've been briefly looking over the document, and I can't seem to find where they specifically say that they want access to the call *content*. In fact, they seem to be saying that their original intent (to get call-identifying information) was misinterpreted to mean call-content.
Maybe I just haven't found it yet, but does anyone know which part specifically says that they need access to call *content*?
-kwishot
this means little. it's not like tomorrow the FBI's gonna know what your PIN is for your bank account. this was jsut a proposal.
Also, because the judge initially rejected the FCC interpretation due to lack of justification doesnt mean he'll approve it because they "justified" it. He only rejected them the first time because EPIC et al said they didnt provide justification, and the judge agreed. Now (if I know legal patterns well enough) EPIC et al is going to be challenging those justifications, making the judge decide on the merits of the FCC's justification. Only after the judge gives the ok to the FCC does this actually become a real issue (for those who care about it).
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
...but only on one condition.
I would agree to this, if it were explicitly stated that the companies were legally required to refuse the information if a specific warrant is not shown to the company.
That's just it. The FBI can search whatever the heck of mine they want, if they show me a warrant first. No sooner.
Slashocrats?
According to this article on Yahoo, the FCC will require all US wireline, cellular, and broadband PCS carriers to provide law enforcement with surveillance capabilities by June 30th.
Well, I certainly hope this helps us put a stop to those pesky terrorists. After all, look how well the RICO laws worked at eliminating organized crime.
--saint
Considering how our privacy has gone down the tubes, it's time to roll out the encryption. One thing we can be grateful for is the delay, giving us more broadband options for our encoded communications. Break out PGP phone and all the rest, and hope they don't ban crypto as well.
I'd phone my congressman and senator to complain but I, errr, don't want to.
As a professional who writes software for phone systems and switches, I'm telling you compliance with that date is impossible as are the other CALEA requirements. There is too much old telecomunications equipment that cannot be upgraded by then. The Original rules written after the 1996 Telecommunications Act was passed was going to give us a few more years. This date is completely irrational.
> I wonder when the word "privacy" will altogether disappear from English dictionaries....
Of course it'll always be there. See:
Privacy \Pri"va*cy\, n.; pl. Privacies. [See Private.]
1. The state of acting in secret in order to plot a terrorist activity. "The terrorist needed privacy so nobody could see the bomb he was preparing."
2. A dubious cause that various underground bodies like the ACLU (American Criminal Liberties Union) and the EFF (Electronic Fear Foundation) rally around.
3. (slang) General descriptor of something which threatens security and freedom. "That new bill Senator Jones is introducing is horrible. It's a privacy!" or "Encryption is a privacy to all we hold dear."
[PowerPoint] is a tool for capitalist presentation
Nice, Slashocrat. :)
I would be a Republican, but I dont want forced Religion.
I would be a Democrat, but I dont want political correctness.
I would be a Libertarian, if they could win.
Maybe a Party already exists with Slashdot values.
* WASHINGTON, DC -- A new federal regulation that turns every cellular phone into a "homing beacon" -- and allows the government to pinpoint the exact location of a phone call -- is an ominous development with troubling implications for privacy, the Libertarian Party said today.
* The Libertarian Party joined with thousands of concerned Internet users in "turning its web pages black" in protest of President Clinton's signing the unconstitutional "Communications Decency Act" in 1995.
* The Libertarian Party continues to speak out today against the attempts by Democrats and Republicans to find loop-holes in the First Amendment, so they can turn the Internet into a government-controlled medium.
-
Every decent man is ashamed of the government he lives under. - H. L. Mencken (1880 - 1956)
The network doesn't need GPSes in the phone to locate the phone:
The existing base stations already locate the phone by relative signal strength, at a minimum, to decide which station is the best one to contact it. They do this as a separate transaction before actually ringing the phone. If you don't have a monitor on the phone to let you know every time it transmits you won't know if they're pinging it.
With a very small software upgrade the phone companies can trivially locate the phone to the resolution of the nearest cell tower whenever it is being used, and with a very slightly more extensive software upgrade they can ping it but not ring it, and tell the police the results.
The base stations can also measure the round-trip delay to the phone, thus obtaining the radius of a sphere centered on the cell antenna. The phone will be on the surface of that sphere if the path is direct, slightly inside it if the path takes a bounce. (The intersection of the sphere with the earth's surface is a circle if the ground is level.) With two base stations the phone is located to the intersection of two spheres - a vertical circle intersecting the ground at two points. With three base stations (that aren't on a straight line but are at the same altitude) you typically get one or two points in space, and if it's two they're one above the other. Bingo.
Of course this also works just pinging the phone without ringing it. There's a variant that lets the one handling the call or pinging the phone provide timing info to others that are passively monitoring.
This capability is already deployed in some cell systems. In at least one city it is used to create traffic condition reports by measuring the speed of active cell phones in traffic on major routes.
These capabilities make it possible to "tail" anyone with a cell phone, any time the phone is powered up.
Once you're being tailed the location data can be archived, then data-mined to to create a dossier of your typical behavior, then call for a cop's attention if you deviate from your normal travel habits.
One of the reasons the mandate is so expensive is it requires enough equipment to simultaneously monitor an ENORMOUS number of phones. (Something like a third of all of them or a third of the calls in progress, if I recall old news items correctly.) It's not enough to continuously monitor everybody all the time. But I seem to recall thinking that it IS enough to monitor everybody with a criminal record or a green card, even in "high-crime" residential areas, plus all the pay phones. (Am I confused on this?) Of course cell-phone location monitoring, rather than call content monitoring, isn't a big load once the software is in place to do it at all. So that can be done to ALL the cellphones ALL the time.
Let's see, with GPS installed and phone taps readily available now, doesn't that make anyone else here just a wee bit uneasy about using a cell phone?
Yep.
Makes me want to turn off my phone (and remove the battery) whenever I'm not actually making a call, and to use a vending-machine calling card in payphones when on vacation.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The elite must be worried, so they need to tighten the grip on us. Too many people busy trying to figure out what really happened last September, and there is a real danger to the forces in power that democracy might break out.
--Mike--
...when The People don't Retain them?
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
What I have found particularly striking is the extensive effort made to suppress this story.
I'm not sure how much of this story I believe, here are some other (mostly right-wing) sites that covered this:
I do not deploy Linux. Ever.
So if you dial your bank to transfer funds to checking, or dial your
voicemail to retrieve it, or send a message to someone's pager, your bank account
number and PIN, your voicemail password, whatever you sent to the pager - all
that can be retrieved without a search warrant by any law enforcement official.
So let's say a LEO gets your PIN for your bank account. Would this give said LEO the right to access the account? Worse yet, if the LEO was corrupt, the issue would be moot: You'd be cleaned out in a heartbeat.
I wonder how long it will be before someone comes up with a digital scrambler for secure communications...a pay-per-call "anonymizer" service designed to obfuscate called numbers...hacks to obfuscate one's own phone number...or would all of these be prohibited by the DMCA?
My company produces software for law enforcement agencies. A large part of my peronal job has been to write routines to 'import' the data that the telcos and such give the LEOs (law enforcement officers).
The telcos don't like doing this at all. While some give us nice comma-delimited files, others give terminal screen prints (imagine looking at the data on a terminal, hitting 'printscreen to file', pgdn, 'printscreen to file', pgdn, and so on), and even worse formats, such as PDF (without the data in 'strippable' format). I'm surprised they haven't given us pure image files yet.
From what I'm told, the law that the says the telcos have to provide this data pretty much says that they have to provide it in 'electronic form'. So sending it in PDF/Word/Excel formats technically compiles, but of course it's hardly usable. Supposedly it's a big pissing match between the FBI, saying, "Provide us this data; we have a law that says you have to!", and the telcos, saying, "OK, here 'ya go! 'Electronic' form it is! (and no more)".
This really hurts the non-FBI LEOs; if we weren't handling this data for them, they'd have a bitch of a time scaling their wiretapping. The FBI, on the other hand, has gobs of resources to hire data-entry people to type the PDF's and such back in. So they might be your Big Brother, but your local PD certainly isn't; they're at the the mercy of the telcos.
Arent these two ideals in total contradiction to each other? what am I missing?
dominionrd.blogspot.com - Restaurants on