1997 Congressional Hearings
Intelligence and Security






Wednesday, October 23, 1997

Room 2237 Rayburn Building, 10:00 AM

Dempsey Testimony

Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology

before the
House Committee on the Judiciary
Subcommittee on Crime

CALEA Implementation

October 23, 1997

I. Introduction and Summary
The Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about implementation of the Communications Assistance for Law Enforcement Act of 1994 (CALEA).

Our testimony will make the following points:

CALEA is critically important to maintaining a balance among the interests of law enforcement, privacy and innovation as the nation's communications infrastructures continue to evolve and expand their importance in everyday life.

-Implementation of the legislation has gotten seriously off-track, largely because the FBI has departed from the reasonableness that marked the drafting of the law and instead has tried to use it to expand government surveillance capabilities.

Congress has to intervene to make clear to the FBI that it cannot dictate the design of the nation's phone system and cannot insist upon industry acquiescence to capabilities that go beyond the status quo. Congress must intervene to return CALEA to a narrow focus on preserving but not expanding law enforcement access.

Essential elements of the CALEA compromise

CALEA was intended "to balance three key policies: (1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts: (2) to protect privacy in the face of increasingly powerful and personally revealing technologies: and (3) to avoid impeding the development of new communications services and technologies." Judiciary Comm. Rep. 103-827, p. 13.

The essential features of the balance that Congress struck in CALEA were:
(1) Telephone companies would be required to ensure that their systems continue to enable government agencies to intercept communications and associated call-identifying data, notwithstanding developments in technology.
(2) Law enforcement's ability to wiretap would be preserved but not expanded.
(3) Law enforcement would not be able to dictate system design; rather industry would develop the technical specifications for implementation, with an appeal to the Federal Communications Commission (FCC) if the standards process failed.
(4) Privacy protections would be strengthened, especially to give added
protection to the increasingly rich category of transactional or signaling data, and carriers would be required to protect the privacy of communications not authorized to be intercepted.
(5) Carriers would be reimbursed for expenses in retrofitting existing equipment and adding additional capacity for law enforcement.
(6) Mechanisms of accountability and oversight would ensure that the implementation process is open to review by Congress and ultimately by the public.

CALEA is now in jeopardy.

CALEA was adopted in October 1994. Three years later, implementation of the statute is in a state of uncertainty approaching paralysis and its carefully-crafted balance is in jeopardy:

To date, the FBI still has not issued a final capacity notice advising communications carriers how many simultaneous law enforcement surveillances they must be able to accommodate. The FBI's two efforts so far have proposed surveillance capacities far in excess of historical patterns. Capacity, though, was supposed to be the easy part of implementation. Congress thought it would take one year; it is now almost three.

In terms of the harder issue, defining technical standards to give service providers and their manufacturers a safe harbor for complying with CALEA's capability requirements, the FBI has tried to dictate the adoption of enhanced surveillance capabilities and has blocked adoption of an industry standard that did not include all the FBI's detailed proposals.

It appears that the FBI is trying to avoid reimbursement of carriers for the full cost of implementation, shifting costs to carriers, thereby avoiding responsibility for prioritizing law enforcement's needs and defeating the principle of accountability.

CDT and other public interest organizations have joined the cellular industry in urging the Federal Communications Commission (FCC) to take over implementation of CALEA. CDT has argued to the FCC that the proposed industry standard already goes too far in expanding law enforcement capabilities and fails to protect the privacy of communications not authorized to be intercepted.

Meanwhile, the October 25, 1998 implementation deadline for CALEA is rapidly approaching and the FBI is threatening to seek sanctions against any company that fails to meet its interpretation of the law.

How did CALEA get so off track?

Since CALEA was enacted, the FBI has tried to enforce the statute that it wanted, rather than the balanced and narrowly-focused statute that Congress enacted. Early versions of digital telephony legislation would have given the Department of Justice design control over the nation's telecommunications system. Congress rejected that approach. It instead enacted broad functional criteria and deferred to the industry standards process to develop solutions, with an appeal to the FCC if that process failed. FBI Director Louis Freeh testified in 1994 that this Committee's work was "a vast improvement" over the earlier version. Freeh testified that the revised bill was a "remarkable compromise," that it achieved "a delicate, critical balance." He emphasized that the legislation "reflects reasonableness in every provision."

Since Congress finished its work, the FBI has rejected reasonableness. It has sought to dominate the industry standards process and has sought to assume for itself the type of design control over the nation's telecommunications system that Congress expressly denied it. The FBI has tried to use the statute to exploit the potential of the new digital technology to enhance rather than merely preserve its surveillance capability.

-- What can Congress do now?

CDT is a privacy and civil liberties organization focused on promoting democratic values in the new digital media. Much of the current staff at CDT were involved in the development of CALEA. I myself was assistant counsel to the Subcommittee that originated CALEA in the House, and I spent considerable time on this legislation. Having helped put this statute together, we cannot support it the way it is being implemented.

CDT does not question here the objective of preserving a narrowly-focused ability for the government to carry out electronic surveillance in the face of ongoing technological changes. Nor do we question here that wiretapping is a useful law enforcement tool, although we suspect it is not as critical as the current leadership of the FBI claims. Finally, we do not ask the Committee today to block the government from taking advantage of market-driven changes in technology that enhance surveillance. (One of the ironies of the CALEA debate is that digital technology in many ways enhances law enforcement's abilities.) Instead, we urge the Committee to return the CALEA implementation process to the spirit of reasonableness that characterized the drafting and enactment of CALEA. We urge the Committee to ensure that CALEA is not interpreted as a mandate to industry to affirmatively design a surveillance infrastructure, but merely as a requirement, in the words of FBI Director Freeh, to "preserv[e] that tool as it has existed since 1968." Hearings, p. 113. And because developments in technology are in some ways making surveillance easier, we urge the Committee to strengthen, not weaken the wiretap laws, to protect the privacy of innocent citizens.

CALEA is heading for the proverbial trainwreck. In October 1998, the legislation takes effect. Standards for implementation have not been adopted. Even if adopted tomorrow, they could not be incorporated into equipment until sometime in 1999 at the earliest. The FCC, however, is clearly reluctant to become involved in the matter. This means that, in October 1998, if not sooner, the statute could be thrown into the courts, with serious risks for law enforcement, industry and privacy.

It is clear now that it is time for Congress to intervene to reassert the balance that it intended in 1994. It can do so without reopening the entire statute. The goals of Congress should be to make it clear that the FBI cannot dominate the implementation process and that the FBI's proposals for enhanced surveillance capability are beyond the mandate of CALEA.

Congress can achieve these goals by directing the FBI to begin promptly to reimburse carriers to implement the proposed industry standard minus location tracking and the packet switching option and minus the other additional items still sought by the FBI.

Alternatively, Congress can amend the language of CALEA section 107(b) to require the FCC to institute a rulemaking on standards.

In light of the delays caused by the FBI, it seems necessary for Congress to extend the October 25, 1998 implementation deadline and the reimbursement cutoff date of January 1, 1995.

Congress should make it clear that location information is not a CALEA mandate, but because location tracking information will probably become increasingly available and increasingly specific within wireless systems, whatever is done in terms of CALEA implementation, Congress should amend Title III to enact a probable cause standard for access to location information.

II. CALEA Overview -- What Did Congress Intend?

For much of the history of telephony, the government's ability to wiretap was an unintended by-product of the design of the telephone system, and that capability remained largely static. More recently, the technology has been changing rapidly. In this time of rapid development, the industry could ignore law enforcement concerns, and design its systems only to meet market demands most efficiently, in which case some changes would enhance government surveillance capability and others would hinder it. At the other extreme, industry, if mandated, could build a comprehensive surveillance network. There is a middle course: society could try to achieve a balance, preserving a narrowly focused surveillance capability while protecting privacy and not impeding the development of new services to meet customer demands.

In CALEA, Congress chose this third path of balance. The law was intended to ensure that developments in technology did not have the unintended effect of eroding government surveillance capabilities. It is clear that Congress did not intend to mandate that the technology be developed in ways that would maximize its surveillance potential. The Judiciary Committee report states that CALEA was intended "to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts" (emphasis added). FBI Director Louis Freeh testified repeatedly and consistently that the legislation was intended to preserve, not expand the capability as it had existed since 1968. This Committee's report stressed that CALEA's requirements were to be narrowly construed.

In determining how far the FBI approach to CALEA implementation has departed from Congress' intent, it is useful to look at the actual problems that were presented to Congress. Between 1992 and 1994, the FBI conducted a series of surveys of federal, state and local law enforcement agencies and found 183 technology-based problems out of the tens of thousands of surveillances conducted. (The problems covered both Title III content interceptions and the interception of call-identifying information through pen registers and trap and trace devices.)

Of the problems identified by the FBI, the most common was lack of adequate capacity in cellular systems to accommodate multiple surveillances at the same time. This accounted for 30% of all problems law enforcement could identify. The second most common problem was the inability of certain cellular systems to provide law enforcement with call-identifying information on a real-time or contemporaneous basis. (The cellular system collected dialing information, but there was a delay before the information could be accessed.) The third most common set of problems related to special dialing features. Basically, when a person uses speed dialing, voice dialing or automatic redial or call-back, the pen register on the customer line only picks up the coded command, not the full number that it represents. The fourth most common problem was call forwarding. Law enforcement could not capture incoming calls to the target's line that were forwarded at the central office using a service provided by the telephone company. Like the other problems, call forwarding was not a uniquely "digital" problem; it had existed in the analog world. There were other miscellaneous problems. See Judiciary Comm. Rep., p. 15.

From this survey, it was clear to Congress that there were problems meriting legislation. And, of course, Congress was concerned to ensure that the future evolution of technology did not create new problems. But it was a fundamental assumption of Congress in 1994 that most equipment in place at the time was able to meet law enforcement surveillance requirements. After all, of the tens of thousands of wiretaps, pen registers and traps and traces conducted in the 1992-94 timeframe, there had been only 183 documented problems. This type of record cannot serve as the basis for a comprehensive redesign of the nation's' telecommunications system.

Conclusive evidence that Congress' assumption was correct is found in the fact that since 1994, even though CALEA implementation has been stalled, even though industry has continued to install equipment not designed with law enforcement's requirements in mind, electronic surveillance continues to be carried out. In the years since CALEA was enacted, the numbers of wiretaps, pen registers and trap and trace devices have remained at all-time highs, while the number of persons intercepted and the number of conversations monitored have gone up. There is no need for a comprehensive redesign of the telecommunications networks. Most equipment and services in place today are "CALEA compliant."

III. Privacy Problems Raised by CALEA Implementation

Despite the discrete nature of the problems identified by the FBI and presented to Congress in 1994, and despite evidence that the nation's telecommunications system continues to support law enforcement wiretaps, the FBI has pushed for a comprehensive redesign of communications infrastructures. The FBI dominated the industry standards setting process. Under pressure from the FBI, industry yielded, and put forth a proposed standard that expands surveillance capabilities and fails to protect the privacy and security of communications not authorized to be intercepted.

Two provisions of the industry proposed standard are of major concern:
A. Location Tracking

The FBI wants to require wireless carriers to provide law enforcement agencies with location information at the beginning and end of any cellular and PCS communication, thereby turning the nation's wireless phones -- now used by millions of ordinary citizens -- into real-time tracking devices. It was the express intent of Congress, supported by the Director of the FBI on the record in public testimony, that CALEA not include any location or tracking requirement.

At the first joint House and Senate hearing leading to enactment of CALEA, FBI Director Freeh expressly testified that CALEA would not require carriers to make location information uniformly available. Director Freeh testified that "call setup information" (later changed to "call-identifying information") as a CALEA requirement was not intended to include location information. Freeh was very clear in disavowing any intent to cover such information:
"[Call setup information] does not include any information which might disclose the general location of a mobile facility or service, beyond that associated with the area code or exchange of the facility or service. There is no intent whatsoever, with reference to this term, to acquire anything that could properly be called tracking' information." Hearings, p. 6.
Wireless phone tracking was a very potent source of opposition to CALEA. The FBI was eager to put it off the table. Nothing in the subsequent negotiations over CALEA brought it back in. When FBI Director Freeh returned to Congress to praise the revised CALEA bill, he never mentioned tracking. Ever since the law was signed, the FBI has worked mightily to claim that tracking is a CALEA mandate, and industry, while never agreeing that it was a mandate, put it in the standard.

B. Packet Switched Content Delivery

Telecommunications companies are beginning to incorporate in their systems "packet switching" protocols similar to those used on the Internet. In a packet switching system, communications are broken up into individual packets, each of which contains addressing information that gets the packets to their intended destination, where they are reassembled.

This development has potentially profound implications for government surveillance. It has always been assumed that there is a distinction between call content, which is entitled to full Fourth Amendment protection requiring a judicial warrant based on probable cause, and signaling information, which is protected under a much lower relevance standard. In CALEA, Congress required companies to use technology that kept these two separate. But in the CALEA process, industry and the FBI assumed -- apparently with little study -- that it is not feasible to provide signaling information separate from the communications content in a packet switching environment. Therefore, the FBI and industry have proposed a standard that allows companies to deliver the entire packet data stream -- including call communications -- when law enforcement is entitled to receive only dialing or signaling information under a pen register order. The proposed standard relies on law enforcement to sort out the addressing information from the content, keeping the former but ignoring the latter.

This approach, were it followed, could well represent a total obliteration of the distinction between call content and signaling information that was a core assumption of the Electronic Communications Privacy Act of 1986. It also violates section 103(a)(4)(A) of CALEA, which requires carriers to ensure that their systems "protect[] the privacy and security of communications and call-identifying data not authorized to be intercepted."

Before casting aside a basic distinction of the wiretap laws, there should be a careful technical examination of whether call-identifying information can reasonably be separated from the full data packet. The implementation of CALEA could go forward without a packet-switching standard. A technical inquiry, by the FCC or another entity, undertaken at the direction of Congress, could examine the privacy and security aspects of packet switching and determine whether, and if so how, call content can be withheld from the government when the government is not authorized to receive it. Otherwise, Congress should act to make it clear that the government can access packet data information only in response to a Title III order, not in response to a pen register order

C. Additional Surveillance Enhancements Sought by the FBI

In the foregoing respects, the standard proposed by industry under FBI pressure already exceeds the outer limits of what Congress intended to mandate through CALEA. The FBI, however, has made it clear that it is not satisfied with the standard. The FBI has urged expansion of the standard to require functionality that goes even further beyond anything Congress contemplated. The FBI's "punch-list" of enhancements includes:

_ Multi-party monitoring - The FBI wants phone companies to design their systems so the government can monitor all parties to a multi-party call even after the subject of the intercept order is no longer participating in the call. The purpose of CALEA was to follow the target, but the FBI wants to continue monitoring those left behind after the subject of the court order is no longer on the call. Not only is this not mandated by CALEA, but providing it would violate section 103(a)(4)(A) of CALEA and the particularity requirement of Title III and the Fourth Amendment, since law enforcement is not authorized to intercept the calls of people not named in the order, when they are not using the facilities named in the order.

_ Expanded definition of call-identifying information - Much of the controversy under CALEA relates to the distinction between interception of call content and the interception of call-identifying information. Call-identifying information is collected with pen registers or trap and trace devices, authorized without probable cause and without the discretionary review accorded to full call content interceptions. The FBI is seeking an expanded definition of "call-identifying information" in order to increase the amount of information that it obtains under the minimal standard applicable to pen registers.

But CALEA rejected this approach. Because Congress was concerned with a blurring of the distinction between call-identifying data and call content, it included in CALEA an amendment to the pen register statute to require law enforcement when executing a pen register to use equipment "that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information utilized in call processing." CALEA section 207(b), codified at 18 U.S.C. 3121(c). Other signaling or sounds that do not relate to dialed numbers are neither encompassed by the pen register law nor required by CALEA. Contrary to this intent, the FBI wants to use pen registers to collect digits that the subject dials after cut-through. These digits do not identify a call in any sense but rather are content-related. The FBI is also seeking on-line notifications of customer changes in service, messages indicating when a party puts a call on hold, and messages indicating when the subject has a voice mail.

D. Capacity

One of the major issues that prompted Congress to adopt CALEA was concern that telephone switches would not have the capacity to conduct multiple simultaneous intercepts. This had already been a problem in cellular systems, especially in New York City, where a number of law enforcement agencies operate and were competing for a limited number of surveillance ports on cellular switches.

Since law enforcement surveillance activity obviously varies from region to region, CALEA requires the FBI to issue notice of its capacity requirements for each geographic area, so that carriers know how much capacity to install. In October, 1995, the FBI issued its first proposed capacity notice. It seemed to require companies in major cities to install a surveillance capacity that would allow simultaneous monitoring of up to 1% of customer lines in service. This proposal was roundly criticized as excessive and the FBI withdrew it.

In January, 1997, the FBI issued a second notice, using a new methodology based on past activity. However, this second notice was also deficient in three ways:

(1) The FBI exaggerated law enforcement's past experience. The Bureau collected data, consisting of combined federal, state and local law enforcement surveillance activity for each county or service area nationwide, between 1993 and 1995. From this data, the FBI determined the 24-hour peak of surveillance activity for each switch, over the course of the 26 month survey period. From switch to switch, these peaks did not occur on the same day, but the FBI added them together to obtain a hypothetical county-wide "peak," which the notice requires companies to meet as if the surveillances occurred all on the same day.

(2) The second notice and some of the FBI's informal comments about it have seemed to imply that each and every carrier serving a particular area would have to install capacity sufficient to meet the total surveillance needs for that region, even if the carrier only served a portion of the customers in the area. Even broader interpretations of the notice, which the FBI has informally disavowed, would require carriers to install in each switch a capacity sufficient to meet the requirements projected for an entire county or multi-county service area. Under either of these interpretations, the requirements of the second notice would require industry to install capacity unrelated to historical surveillance activity, costing taxpayers many millions of dollars in unnecessary reimbursement.

(3) The second notice draws no distinction between the capacity required to intercept call content and the capacity required to access dialed number information, even though CALEA requires a distinction between interceptions of call content and interceptions of call-identifying information through pen registers or trap and trace devices. The FBI indicates that 90% of all surveillances involve access only to dialed number information, not call content. The distinction is important for privacy because the capacity to intercept call content is more intrusive (and may be more expensive) than the capacity to intercept call-identifying information. Congress wanted companies to use technology that limited the amount of information provided to law enforcement under pen register and trap and trace authority. The second notice ignores that intent.

Given the lack of any official written interpretation of the notice that is subject to public review, we have concluded that the problems created by the conflicting interpretations of the second notice are so profound that the FBI should issue another notice for further public comment, making it clear what capacity levels were intended.

IV. Strong Privacy Protections Are Essential to the Integrity of CALEA

CALEA was based on the dual premise that the laws authorizing electronic surveillance have strict legal requirements to protect privacy and that those standards are strictly enforced by the courts. In the absence of such strict legal requirements -- if they are weakened legislatively or if they are not enforced by the courts -- then the premise of CALEA falters and the legislation becomes far more threatening, requiring as it does the ubiquitous preservation of easy technical access.

Unfortunately, since CALEA was enacted, the Justice Department has sought numerous weakening amendments to the wiretap laws. Congress so far has rejected most, but it included two weakening changes in the 1996 terrorism bill. There, the Justice Department won Congressional repeal of one of the privacy enhancements adopted in CALEA with the intent of balancing privacy concerns with law enforcement needs (the now-repealed provision extended the privacy protections of the wiretap laws to wireless data transfers). In addition, this Committee inserted a provision carving electronic funds transfer information out of the definition of electronic communication. In the Senate, there was a proposal to carve out wiretapping in prisons. Further, the Justice Department continues to pursue other amendments that would loosen the privacy standards of the wiretap laws, notably the standards for roving taps.

Some clarifications in the wiretap laws may be warranted. But it undermines the foundations of CALEA if those changes weaken the existing privacy protections, or if those protections are not working as intended to limit investigative agency discretion. Unless Title III, ECPA, and the pen register statute constitute meaningful privacy legislation, the foundation of CALEA will be eroded.

If this Committee supports CALEA, it should support strong privacy provisions in the wiretap laws. Continuing technological developments are already shifting the balance in law enforcement's favor. Wireless telephone systems are developing the capability to provide more refined location information on wireless phone users. Nonconsensual government monitoring of location through a wireless phone implicates privacy interests. Since wireless telephones are regularly carried into places where a person has a reasonable expectation of privacy, Congress should clarify the law by requiring a warrant based on a showing of probable cause for nonconsensual governmental access to real-time wireless telephone location information.

Advanced signaling systems have also blurred the distinction between call-identifying information and call content. CALEA was intended to ensure that pen registers and trap and trace devices only collect signaling information utilized in call processing. It appears that that is not happening. Instead, it appears that more and more information is being handled on the signaling channel, subject only to the low pen register standard. If that is the direction of the technology, then Congress should amend the standards for governmental access to signaling data to require a judge to make an affirmative finding, based on a showing by the government, at least that the information sought is relevant and material to an ongoing criminal investigation.

V. Conclusions

There is a significant difference between what law enforcement thinks would be a useful capability versus what is essential to allow law enforcement to carry out surveillance as it has since 1968. There is a significant difference between authorizing law enforcement to take advantage of whatever capabilities are available as a result of market-driven developments versus using the power of the government to require industry nationwide to build a telecommunications system that optimizes the surveillance potential of the technology. In CALEA, Congress did not say that the FBI could require phone companies to design their systems to provide to law enforcement all the capabilities that could be technically produced. Rather, Congress said that the companies had to preserve a minimal capability.

Therefore, Congress should intervene to get the CALEA process back on track. It can do so directly, by authorizing the FBI to begin reimbursing carriers to implement the industry standard, minus tracking and packet switching, or Congress can require the FCC to exercise its rulemaking function and decide the petitions now before it. But it has to be made clear that the law does not allow the FBI to use the reimbursement process or the industry standards process to write its own demands into the network design. Congress will have to extend the deadlines, so that the FBI cannot use the pressure of October 1998 to force industry to capitulate. And Congress must make it clear that the government is responsible for reimbursing industry to retrofit existing equipment, including equipment installed after January 1, 1995. This will force the FBI to prioritize its requests and will keep the funding issue in the public light, rather than shifting the costs to the companies, where they hidden in the phone bills of consumers.

Regardless of the outcome of the CALEA implementation debate, it is clear that technology is moving in directions that increase government powers. Congress should ensure that those powers are carefully controlled. For this reason we urge the Committee, regardless of the outcome of the CALEA implementation debate, to establish a probable cause standard for access to location tracking information and a more meaningful standard for access to other signaling information.

CDT is an independent, non-profit public interest policy organization. The Center's mission is to develop and implement public policies to protect and advance individual liberty and democratic values in new digital communications media. The Center achieves its goals through policy development, public education, and coalition building. CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum of more than 50 computer, communications, and public interest organizations and associations working on communications privacy issues. Members of the Working Group played a critical role in ensuring that CALEA included privacy protections and public accountability mechanisms and was narrowly tailored so as not to impede the deployment of new technology.

House Rule XI, clause 2(g)(4) disclosures: Neither James X. Dempsey nor the Center for Democracy and Technology have received any federal grant, contract or subcontract in the current or preceding two fiscal years, nor do they represent any entity that has received any federal grant, contract or subcontract in the current or preceding two fiscal years.

James X. Dempsey, Senior Staff Counsel
Center for Democracy and Technology
+1 202.637.9800 (v)
+1 202.637.0968 (f)