CALEA

Citation: Communications Assistance for Law Enforcement Act of 1994 (CALEA), Pub. L. No. 103-414, 108 Stat. 4279 (1994), codified at 47 U.S.C. §§1001-10.

Overview
In the early 1990s the Federal Bureau of Investigation (FBI) asked Congress for legislation to assist law enforcement agencies to continue conducting electronic surveillance. The FBI argued that the deployment of digital technologies in public telephone systems was making it increasingly difficult for law enforcement agencies to conduct electronic surveillance of communications over public telephone networks. As a result of these arguments and concerns from the telecommunications industry, as well as issues raised by groups advocating protection of privacy rights, the Communications Assistance for Law Enforcement Act (CALEA) was enacted on October 25, 1994. CALEA was not intended to expand law enforcement’s authority to conduct electronic surveillance. On the contrary, the Act was intended only to ensure that after law enforcement obtains the appropriate legal authority, carriers will have the necessary capabilities and sufficient capacity to assist law enforcement in conducting digital electronic surveillance regardless of the specific telecommunications systems or telecommunications services deployed.

CALEA requires telecommunications carriers to modify their equipment, facilities, and services, wherever reasonably achievable, to ensure that they are able to comply with authorized electronic surveillance actions.

Subject to regulatory review by the Federal Communications Commission (FCC), communications carriers were responsible for the initial development of technical standards to fulfill their surveillance capability responsibilities under CALEA. These modifications were originally planned to be completed by October 25, 1998. Since that time, the Federal Communications Commission (FCC) issued two additional orders establishing June 30, 2002, as the date by which telecommunications carries must have upgraded all their systems. Equipment manufacturers have fulfilled their obligation to provide CALEA solutions and carriers are implementing them.

Following release of the industry group’s proposed standard (the so-call J-Standard, officially the Interim Standard/Trial Standard J-STD-025), the Center for Democracy and Technology appealed to the FCC claiming the J-Standard violated CALEA’s privacy protections and impermissibly expanded government surveillance capabilities. The Justice Department and the FBI also petitioned the Commission for modifications, arguing that the J-Standard did not include all of CALEA’s required assistance capabilities. The Department sought a list of nine additional surveillance capabilities, its so-called punch list. After receiving public comment on the petitions, the FCC resolved the challenges to the J-Standard in its Third Report & Order.

Main provisions
47 U.S.C. §1002 directs the telecommunications industry to design, develop, and deploy solutions that meet certain assistance capability requirements for telecommunications carriers to support law enforcement in the conduct of lawfully-authorized electronic surveillance. Pursuant to a court order or other lawful authorization, carriers must be able, within certain limitations, to: (1) expeditiously isolate all wire and electronic communications of a target transmitted by the carrier within its service area; (2) expeditiously isolate call-identifying information that is reasonably available on a target; (3) provide intercepted communications and call-identifying information to law enforcement; and (4) carry out intercepts unobtrusively, so targets are not made aware of the electronic surveillance, and in a manner that does not compromise the privacy and security of other communications.

To allow carriers to give law enforcement the means to conduct its wiretaps, 47 U.S.C. §1003 requires the Attorney General to determine the number of simultaneous interceptions (law enforcement agencies’ estimate of their maximum capacity requirements) that telecommunications carriers must be able to support.

To maintain privacy rights of individuals, 47 U.S.C. §1004 requires telecommunications carriers to ensure that any interception of communications or access to call-identifying information that is conducted within their premises can only be done with a court order. It also requires the specific intervention of an officer or employee of the carrier acting in accordance with regulations prescribed by the FCC. 47 U.S.C. §1005 directs telecommunications carriers to consult with telecommunications equipment manufacturers to develop equipment necessary to comply with the capability and capacity requirements identified by the FBI.

For efficient industry-wide implementation of the above requirements, 47 U.S.C. §1006 directs the law enforcement community to coordinate with the telecommunications industry and state utility commissions to develop suitable technical standards and establish compliance dates for equipment.

47 U.S.C. §1008 gives the Attorney General, subject to the availability of appropriations, authority to pay telecommunications carriers for all reasonable costs directly associated with the modifications performed by carriers in connection with equipment, facilities, and services installed or deployed on or before January 1, 1995 (known as the “grandfather” date).

Initial Delays
CALEA gave implementation responsibility to the Attorney General, who, in turn, delegated the responsibility to the FBI. The FBI lead that nationwide effort on behalf of federal, state, and local law enforcement agencies. FBI officials initially anticipated that it would take a year for a standard to be developed and agreed upon by law enforcement, the telecommunications carriers, and the equipment manufacturers. Telecommunications consultants estimated that it would take the industry another three years to design, build and deploy new systems to comply with CALEA. Instead, industry and law enforcement became involved in a protracted dispute over what should be required for law enforcement’s wiretapping capabilities. By March 1997, the completion of the capability standard was overdue by 16 months. The FBI attempted to expedite the industry’s implementation of CALEA by releasing regulations that included a cost recovery plan for the federal government’s payment of costs associated with CALEA, as well as capability and capacity requirements for the industry to meet. The plan required more extensive upgrades to networks than the telecommunications industry believed were necessary for law enforcement to preserve its wiretapping capabilities. Industry groups and privacy advocates disputed the FBI’s plan. They argued that the FBI was attempting to expand its surveillance capabilities beyond the congressional intention of CALEA, and was attempting to unfairly shift costs and accountability away from the federal government onto private industry. Furthermore, the industry argued that, without an adopted capability standard, it could not begin designing, manufacturing, and purchasing the equipment to achieve CALEA compliance.

In December 1997, the Telecommunications Industry Association (TIA, representing telecommunications equipment manufacturers) adopted, over the objections of the law enforcement community, a technical standard, J-STD-025, also known as the “J-standard.” This standard prescribes upgrades to network devices to meet CALEA’s assistance capability requirements for local exchange, cellular, and broadband personal communications services (PCS). Although the FBI claimed that the J-standard did not provide all of the capabilities needed, the industry asserted that CALEA’s language stated that telecommunications carriers would be compliant if they met publicly available standards adopted by the industry.

Privacy rights groups, on the other hand, protested two aspects of the J-standard that they asserted would make information beyond what is legally required available to law enforcement. One was a feature enabling the telecommunications network to provide location information for users of mobile wireless telecommunications services. The location information protocols in J-STD-025 allow law enforcement agencies to obtain information on the physical location of the nearest cell site (i.e., the receiver/transmitter antenna and base station) of mobile phone handsets at the beginning and end of each call.

Wireless carriers are now deploying another technology (called triangulation) that will enable the carriers, and law enforcement, to track wireless telephone users more precisely, potentially within a few meters. The other was a feature enabling the network to access packet-mode data from telephone calls using more advanced systems. Privacy rights groups argued that these capabilities would violate the Fourth Amendment rights of individuals against unreasonable searches and seizures. Despite these objections, telecommunications manufacturers designed new switches and upgrades to existing switches according to the J-standard.

The FBI’s “Punch List”
In the negotiations to develop the J-standard, TIA had refused to include some of the capabilities that law enforcement officials claimed they needed to facilitate digital wiretapping. As a result, in March 1998, the FBI petitioned the FCC to require the telecommunications industry to adopt eleven additional capabilities.

Industry and privacy rights groups protested that the FBI’s plan would unlawfully expand enforcement capabilities. Eventually, the “punch-list” included the following six items :
 * Content of subject-initiated conference calls &mdash; Would enable law enforcement to access the content of conference calls supported by the subject’s service (including the call content of parties on hold).
 * Party hold, join, drop &mdash; Messages would be sent to law enforcement that identify the active parties of a call. Specifically, on a conference call, these messages would indicate whether a party is on hold, has joined or has been dropped from the conference call.
 * Subject-initiated dialing and signaling information &mdash; Access to all dialing and signaling information available from the subject would inform law enforcement of a subject’s use of features (such as the use of flash-hook and other feature keys).
 * In-band and out-of-band signaling (notification message) &mdash; A message would be sent to law enforcement whenever a subject’s service sends a tone or other network message to the subject or associate (e.g., notification that a line is ringing or busy).
 * Timing information &mdash; Information necessary to correlate call-identifying information with the call content of a communications interception.
 * Dialed digit extraction &mdash; Information would include those digits dialed by a subject after the initial call setup is completed.

Capacity Requirements
The FBI’s subsequent implementation actions were also opposed by the telecommunications industry. In March 1998, the FBI announced its estimated capacity requirements for local exchange, cellular, and broadband PCS. The industry protested the FBI’s estimates, arguing that it would require telephone carriers to accommodate thousands of wiretaps simultaneously, an impractical and unnecessary burden. In July 1998, the FBI developed guidelines and procedures to facilitate small carrier compliance with its capacity requirements, and asked carriers to identify any systems or services that did not have the capacity to accommodate those requirements.

In December 1998, the FBI began a proceeding to develop capacity requirements for services other than local exchange, cellular, and broadband PCS, asked additional questions of interested parties in June 2000. These technologies and services included paging, mobile satellite services, specialized mobile radio, and enhanced specialized mobile radio. To date, the proceeding is still pending.

FCC Actions
As a result of petitions from the industry and the FBI, the FCC became involved in the implementation of CALEA. In October 1997, the FCC released its first Notice of Proposed Rule Making (NPRM) on CALEA implementation.12 The NPRM sought comments from interested parties regarding a set of policies and procedures proposed by the FCC for telecommunications carriers to follow.

The proposed procedures would (1) preclude the unlawful interception of communications, (2) ensure that authorized interceptions are performed, (3) maintain secure and adequate records of any interceptions, and (4) determine what entities should be subject to these requirements, whether the requirements are reasonable, and whether to grant extensions of time for compliance with the requirements.

In response to the NPRM, telecommunications carriers, privacy rights groups, and the FBI submitted comments to the FCC to attempt to influence the final decision. Then, in April 1998, the FCC released a Public Notice requesting comments on issues raised in those petitions concerning the dates that carriers were required to comply with CALEA and the dispute over the J-standard. Based on comments it received, the FCC extended the implementation deadline until June 30, 2000, stating that without a standard, the necessary equipment would not be available in time.13

In October 1998, the FCC initiated a proceeding to review the technical capabilities prescribed by the J-standard.14 The goal of that proceeding was to determine whether telecommunications carriers should be required under CALEA to meet the FBI’s “punch list” items. The FCC addressed these issues in several documents released over the following year. In March 1999, the FCC’s First Report and Order established the minimum capability requirements for telecommunications carriers to comply with CALEA.15 Telecommunications carriers were required to ensure that only lawful wiretaps occur on their premises and that the occurrence of wiretaps is not divulged to anyone other than authorized law enforcement personnel. On August 2, 1999, the FCC decided to allow carriers to decide how long they would maintain their records of law enforcement’s wiretap, pen register, and trap and trace interceptions.16

On August 31, 1999, the Second Report and Order established a definition for “telecommunications carrier” to include all common carriers, cable operators, electric and other utilities that offer telecommunications services to the public, commercial mobile radio services, and service resellers.17 The definition did not include Internet service providers (ISPs), which were explicitly excluded under the CALEA statute.

The FCC’s Third Report and Order, released August 31, 1999, adopted technical requirements for wireline, cellular, and broadband PCS carriers to comply with CALEA requirements.18 The ruling adopted the J-standard, including the two capabilities that were opposed by the privacy rights groups (i.e., the ability to provide location information and packet-mode data to law enforcement). As described above, the FCC also adopted six of the punch list capabilities requested by the FBI to be implemented by telecommunications carriers. The Order required all aspects of the J-standard except for the packet-mode data collection capability to be implemented by June 30, 2000. The Order required carriers to comply with the packet-mode data capability and the six punch list capabilities by September 30, 2001.19 (The FCC ultimately extended the date by which all telecommunications carriers must have upgraded their systems to June 30, 2002.20)

On April 9, 2001, the FCC adopted its Second Order on Reconsideration,21 which clarified the arrangements telecommunications carriers must make to ensure that law enforcement agencies can contact them when necessary, and the interception activity that triggers a record-keeping requirement.

In September 2001, FCC released a tandem Order22 and Public Notice23 on CALEA implementation. In the Order, the Commission extended until November 19, 2001, the deadline by which wireline, cellular, and broadband personal communications services (PCS) carriers must implement a packet-mode communications electronic surveillance capability, or to seek individual relief under section 107(c) of CALEA. The notice explained the petitioning process for telecommunications carriers seeking relief under section 107(c) for an extension of the new compliance deadline with respect to packet-mode communications, as well as other safe harbor standards.

Finally, on April 11, 2002, the FCC released an Order on Remand,24 which responded to a decision issued by the United States Court of Appeals for the District of Columbia Circuit25 vacating four of the punch list electronic surveillance capabilities mandated by the Third Report and Order in this proceeding. The FCC found that all of the capabilities were necessary and authorized by CALEA and had to be provided by wireline, cellular, and broadband PCS telecommunications carriers by June 30, 2002. The FCC also required that two additional punch list capabilities that were mandated by the Third Report and Order, but not reviewed by the Court of Appeals be provided by that same date.

The FCC granted preliminary extensions to requesting carriers with respect to punch list implementation that will expire on June 30, 2004. It granted preliminary extensions in connection with “packet” services that had been scheduled to expire on November 19, 2003, but that date was further extended to January 30, 2004.

Privacy Challenges
The United States Telecom Association, the Cellular Telecommunications Industry Association, the Center for Democracy and Technology and several other privacy organizations challenged the FCC order in the United States Court of Appeals for the District of Columbia. The FCC and the Justice Department filed separate briefs defending the Commission’s action. The challengers questioned inclusion of the six of the law enforcement assistance capabilities which the FCC order insisted upon: two from the J-Standard (cellular antenna tower location information and packet-mode data) and four from the FBI’s punch list (dialed digit extraction, party hold/join/drop, subject-initiated dialing and signaling, and in-band out-of-band signaling).

On August 15, 2000, in United States Telecom Ass’n v. FCC, the court of appeals vacated the order and sent back to the FCC that portion of the Commission’s order dealing with the four challenged punish list items, but confirmed the FCC’s authority with respect to digital packet mode data and the antenna tower location.

Application to Internet-based Services
Since 2004, the FCC has considered a number of questions as to how to apply CALEA to new technologies, such as Voice over Internet Protocol (VoIP). In August 2005, in response to a March 2004 petition by a group of law enforcement agencies, the FCC released a Notice of Proposed Rulemaking and Declaratory Ruling which required providers of certain broadband and interconnected VoIP services to accommodate law enforcement wiretaps. The FCC found that these services could be considered replacements for conventional telecommunications services already subject to wiretap rules, including circuit-switched voice service and dial-up Internet access. The Order is limited to facilities-based broadband Internet service providers and VoIP providers that offer services that use the public switched telephone network (“interconnected VoIP providers).

In May 2006, the FCC addressed several outstanding issues regarding CALEA implementation. Among other clarifications, the FCC (1) affirmed its May 14, 2007 compliance deadline for facilities-based broadband Internet access and interconnected VoIP services, and clarified that the date applied to all such providers; (2) explained that the FCC does not plan to intervene in the standards-setting process in this matter; (3) permitted telecommunications carriers the option of using Trusted Third Parties to assist in meeting their CALEA obligations; (4) restricted the availability of compliance extensions to equipment, facilities, and services deployed prior to October 25, 1998; (5) found that the FCC may enforce action under section 229(a) of the Communications Act against carriers that fail to comply with CALEA; and (6) concluded that carriers are responsible for CALEA development and implementation costs for post-January 1, 1995, equipment and facilities, and declined to adopt a national surcharge to recover CALEA costs.

In June 2006, the United States Court of Appeals for the District of Columbia Circuit affirmed the FCC’s decision concluding that VoIP and facilities-based broadband Internet access providers have CALEA obligations similar to those of telephone companies.