------------------------------------------------------------------------
****** ******** *************
******** ********* *************
** ** ** *** POLICY POST
** ** ** ***
** ** ** *** October 20, 1995
** ** ** *** Number 26
******** ********* ***
****** ******** ***
CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 26 October 20, 1995
CONTENTS: (1) FBI Announces Digital Telephony Surveillance Capacity Request
(2) Subcribe To The CDT Policy Post Distribution List
(3) About CDT, Contacting Us
This document may be re-distributed freely provided it remains in its
entirety.
-------------------------------------------------------------------------
(1) FBI NOTICE BEGINS DIGITAL TELEPHONY COMPLIANCE PROCESS -- PUBLIC
ACCOUNTABILITY FOR FBI REQUEST ESSENTIAL
On Monday October 16 1995, the FBI published its initial request for
surveillance capacity as required under Section 104 (a) of the
Communications Assistance for Law Enforcement Act (PL 104-144, a.k.a.
Digital Telephony). As required by law, the FBI will accept public
comments on the proposed capacity requirements for 30 days (ending November
15, 1995). The notice, which includes instructions for submitting
comments, is attached below.
CDT is in the process of examining the proposed notice, and will issue
formal comments in the next several weeks. We are evaluating the notice
with the following criteria in mind:
* Has the FBI met all the public accountability and oversight criteria
required by the statute?
* What is the impact of the proposed notice on the privacy of individual
telephone subscribers and the security of telecommunications networks?
* Does the requested capacity accurately reflect the needs of law
enforcement?
* The capacity requests are based on an FBI survey of recent surveillance
activity. Is the factual justification for the FBI request sufficiently
detailed to facilitate a substantial public discussion about the
reasonableness of the needs?
* Does the FBI expect telecommunications carriers to comply with the
capacity requests if Congress fails to appropriate funds for
reimbursement?
CDT plans to meet with the FBI to discuss the proposed notice. CDT will
also work both on our own and through the Digital Privacy and Security
Working Group (DPSWG, a coalition of over 50 public interest groups,
telecommunications carriers, manufacturers, trade associations, coordinated
by CDT), and with members of Congress to ensure that the reporting
requirements and public accountability provisions of the law are enforced
and that law enforcement provides the necessary accounting of its
capability requests.
CDT stands ready to intervene as necessary before Congress, the Federal
Communications Commission, the telecommunications industry standards bodies
charged with setting technical standards for implementing the requirements,
and at other points necessary to ensure that privacy is protected and the
public accountability provisions are strictly enforced. We will continue
to update you on developments on this issue as they occur.
________________________________________________________________________
BACKGROUND -- PUBLIC OVERSIGHT REQUIREMENTS IN THE DIGITAL TELEPHONY LAW
The Communications Assistance for Law Enforcement Act (CALEA) requires
telecommunications carriers to ensure that their systems contain sufficient
capability and capacity to permit law enforcement to conduct authorized
electronic surveillance. However, the requirements of the statute do not
apply to the Internet, commercial online services (such as America Online,
Prodigy, or Compuserve), or BBS's.
The statute also contains specific new statutory privacy protections for
transactional records generated by online electronic communications
services, greater protection for cordless telephones, and prohibitions on
pen register authority to gather location information ('pen registers' are
devices used to gather dialed numbers). Furthermore, the statute contains
provisions which require public accountability and oversight over law
enforcement surveillance capacity requests, telecommunications carrier
liability, standards setting, and cost reimbursement.
Although law enforcement officials must still obtain a search warrant in
order to conduct a wiretap, the statute granted law enforcement new
authority to influence the design of telecommunications networks. This
authority must be closely monitored through the law's public accountability
and oversight provisions to ensure that law enforcement does not over-reach
or abuse the powers granted under the statute.
The statute separates compliance into two categories:
* CAPACITY (The subject of the current notice): The ability of a
telecommunications network to accommodate a specified number of
intercepts, pen register, and trap and trace devices; and
* CAPABILITY: Functional requirements to ensure that a telecommunications
network can enable law enforcement to conduct electronic surveillance.
Below is a basic overview of the compliance processes for both the capacity
and capability requirements of the Digital Telephony law, along with a
description of the proposed notice. A more detailed explanation of the
compliance process, as well as the privacy and public accountability
provisions can be found on CDT's Digital Telephony Web Page
(URL:http://www.cdt.org/digtel.html)
_______________________________________________________________________
SURVEILLANCE CAPACITY REQUIREMENTS
Section 104 of CALEA requires telecommunications carriers to ensure that
their systems posses sufficient capacity to accommodate a specified number
of simultaneous intercepts, pen register, and trap and trace devices. As
required by Section 104 (a)(1), the FBI, after consultation with state and
local law enforcement officials and the telecommunications industry, has
published an initial notice or capacity requirements. Section 104 (a)(1)
requires that the FBI seek public comment and then publish in the federal
register and provide to telecommunications carriers:
1. NOTICE OF ACTUAL CAPACITY: The actual number of simultaneousintercepts,
pen registers, and trap and trace devices that will be necessary 4 years
from the date of enactment (October 25, 1998) (Sec 104 (a)(1)(A); and
2. NOTICE OF MAXIMUM CAPACITY: The maximum capacity required to accommodate
all intercepts, pen registers, and trap and trace devices that the
Attorney General estimates government agencies will be authorized to
conduct simultaneously after the date 4 years after enactment (Sec 104
(a)(1)(B)).
Carriers then have 180 days to identify which aspects of their networks are
not compliant with the published capacity requirements. Section 104 (e)
requires the government to reimburse telecommunications carriers for all
reasonable costs associated with capacity upgrades. If the government
fails to reimburse a carrier, that carrier will not have to modify any
feature or service. This provision is intended to ensure that the
government prioritizes capacity requests and does not demand unnecessary
surveillance capability financed by hidden charges to subscribers.
_______________________________________________________________________
PROPOSED CAPACITY REQUIREMENTS
Throughout the past year, the FBI, through its Telecommunications Industry
Liaison Unit (TILU) developed a "baseline of electronic surveillance
activity" by compiling information from telecommunications carriers, law
enforcement, U.S. District Courts, State Attorney's General, and State
District Attorneys.
From this information, the FBI derived the total simultaneous electronic
surveillance activity by switch and geographic area. Future capacity needs
were determined by considering the impact of demographics, market trends,
and "other factors" [page 53645, see below] (Section 104 (a)(2) gives the
FBI broad latitude in determining the basis of capacity needs).
As described above, the capacity requests include both "actual capacity"
(which must be in place within 4 years), and "maximum capacity" (which must
be in place after 1998). The FBI has proposed to create three categories of
capacity requirements based on the projected number of simultaneous
surveillance orders in geographic areas. Requirements are based on what
the FBI refers to as the "engineered capacity" of each switch, feature, or
service in a specific geographic region [page 53646, see below].
Although we contacted several telecommunications carriers, CDT has not yet
been able to determine precisely what "engineered capacity" corresponds to.
According to the FBI notice, engineered capacity refers to the maximum
number of subscribers that can be served by a particular equipment,
facility, or service. For the purposes of the descriptions below, we
assume that the average number of subscribers is equal to 100,000 for each
facility, equipment, or service deployed on a telecommunications carrier's
network. Of course, it could be far more or less depending on the actual
definition of the term and the number of subscribers per equipment,
facility, or service.
CATEGORY III -- Baseline Surveillance Capacity
According to the notice, all telecommunications carriers would be required
to meet the Category III requirements. The FBI estimates that roughly 75%
of the U.S. would be covered by this category [page 53646, see below].
ACTUAL CAPACITY: .05% of engineered capacity, or 50 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers.
MAXIMUM CAPACITY: .25% of engineered capacity, or 250 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers, by 1998.
CATEGORY II -- Areas With Moderate Surveillance Activity
Carriers in geographic areas which the FBI estimates require higher than
average surveillance capacity, including large suburban areas and some
urban areas will be required to meet Category II and Category I
requirements. The FBI estimates that roughly 25% of the U.S. will be
covered by Category II and Category I [page 53646, see below].
ACTUAL CAPACITY: .25% of engineered capacity, or 250 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers.
MAXIMUM CAPACITY: .5% of engineered capacity, or 500 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers, by 1998.
CATEGORY I -- Areas With Heavy Surveillance Activity
Large urban areas and other areas the FBI estimates require the greatest
surveillance capacity would fall under Category I [page 53646, see below].
ACTUAL CAPACITY: .5% of engineered capacity, or 500 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers.
MAXIMUM CAPACITY: 1% of engineered capacity, or 1000 simultaneous
surveillance orders for each equipment, facility, or service serving
100,000 subscribers, by 1998.
_______________________________________________________________________
SURVEILLANCE CAPABILITY REQUIREMENTS
In addition to specific capability requirements, the Digital Telephony
statute requires telecommunications carriers to ensure that they possess
sufficient capability to enable law enforcement, pursuant to proper legal
authorization, to (Section 103):
1. expeditiously isolate and intercept all wire and electronic
communications within a carrier's network;
2. expeditiously isolate and enable the government to access call
identifying information;
3. deliver intercepted communications and call-identifying information to a
location specified by the government (but only with the affirmative
intervention of the telecommunications carrier). Remote monitoring is
explicitly prohibited;
4. to meet these requirements in a way that protects the privacy and
security of communications and call-identifying information not
authorized to be intercepted.
_______________________________________________________________________
PROCESS FOR DETERMINING AND MEETING CAPABILITY REQUIREMENTS
The process for determining and meeting capability requirements (outlined
in Sections 103 and 107 of the statute) is separate and distinct from the
process for determining capacity requirements.
The CALEA requires law enforcement determine the specific capabilities it
needs, and consult with appropriate telecommunications trade associations,
standards setting bodies, representatives of users of telecommunications
equipment, and State utility commissioners in order to determine what
specific changes are required to meet the capability requirements (Sec 107
(a)).
The telecommunications industry, through standards-setting bodies, is
charged with developing technical standards to meet the capability
requirements (the statute explicitly prohibits the government from imposing
any technical standards on the telecommunications industry). Finally, the
standards can be challenged before the FCC if any person believes they do
not adequately protect privacy or fail to meet other requirements (Sec. 107
(e)). Carriers are responsible for meeting the capability requirements by
October 1998.
The FBI is currently in the process of determining its specific capability
needs
_______________________________________________________________________
NEXT STEPS
When Congress passed the Digital Telephony bill last year, it
simultaneously authorized, but did not appropriate, $500 million to
reimburse telecommunications carriers capacity upgrades and capability
upgrades where compliance is not 'reasonably achievable (Sec 109 (b)). If
Congress fails to appropriate funds to cover reimbursement,
telecommunications carriers will not be obligated to comply with the
requirements of the statute.
The Administration has requested to fund the program through a 30-percent
surcharge on civil monetary penalties and criminal fines at a level of $100
million dollars for fiscal year 1996. The request is currently part of the
stalled anti-terrorism legislation. However, the FBI expects that funds
will be appropriated as part of the Commerce, Justice, State appropriations
bill, which is currently pending before the Congress.
CDT believes that no funds should be appropriated or spent to fund the
implementation of the Digital Telephony law unless and until law
enforcement demonstrates it has met the public accountability and oversight
provisions. CDT is committed to working with the telecommunications
industry, Congress, and the FBI to ensure that this requirement is met.
For More Information Contact:
Daniel Weitzner, Deputy Director: djw@cdt.org
Jonah Seiger, Policy Analyst: jseiger@cdt.org
-----------------------------------------------------------------------
(2) THE PROPOSED NOTICE OF CAPACITY REQUIREMENTS FROM THE FEDERAL
REGISTER, OCTOBER 16 1995.
Note: Follow this link to view the text of the FBI's notice
---------------------------------------------------------------------------
(3) HOW TO SUBSCRIBE TO THE CDT POLICY POST LIST
To subscibe to the policy post distribution list, send mail to
"Majordomo@cdt.org" with:
subscribe policy-posts
in the body of the message (leave the subject line blank)
-----------------------------------------------------------------------
(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US
The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance constitutional civil liberties
and democratic values in new computer and communications technologies.
Contacting us:
General information: info@cdt.org
World Wide Web: URL:http://www.cdt.org
FTP URL:ftp://ftp.cdt.org/pub/cdt/
Snail Mail: The Center for Democracy and Technology
1001 G Street NW * Suite 500 East * Washington, DC 20001
(v) +1.202.637.9800 * (f) +1.202.637.0968
-----------------------------------------------------------------------
End Policy Post No. 26
Return to the CDT Publications Page
Return to the CDT Home Page