Wiretaps in the Internet Age
Kristopher Nelson
December 12, 2005
A fundamental point of contention in a democratic society is the need
to balance the enforcement of laws with the rights of citizens. In
the United States, the 4th Amendment to the Constitution protects
the rights of citizens to be free from "unreasonable search and
seizure." Throughout our history, the exact meaning of this broad
phrase has been debated, changed, affirmed and changed again, both
because of changing societal norms and because of changes in technology.
In the modern area, this is nowhere more visible than in the use of
wiretaps and their development from early telegraphic use to their
modern application of monitoring Internet communications of all sorts.
The goal of this paper is to examine the history of wiretapping and
its application in today's Internet-connected world, and to focus
especially on the public-policy issues of modern attempts to extend
wiretapping beyond telephones and into the realm of the Internet.
The main focus of this paper will be the public-policy implications
around one specific example in which the executive branch is attempting
to upset the delicate balance between law enforcement and privacy
to encompass new territory through the extension of a 1994 act of
Congress. In addition, this paper will limit its focus to traditional
wiretaps conducted by law-enforcement agencies under standard court
orders, and not those carried out by intelligence agencies like the
Central Intelligence Agency, or those performed under somewhat different
legal standards, such as that authorized by the "Foreign Intelligence
Surveillance Act" (FISA).
Traditionally, "wiretapping" referred to the interception of
communication carried over wires. It began in the 1800s with the widespread
adoption of the telegraph, and then carried over in the late 1800s
and 1900s to the telephone. Originally, "wiretapping" connoted
a physical device-the "tap"-which was placed somewhere along
the wired connection between the two parties, and allowed a third
party to listen in to the communication. Today, wiretaps may be more
virtual than physical, allowing for the interception of, for example,
faxes, e-mails, Web traffic and Voice-over-IP communications.
1
One of the key benefits to wiretaps, especially in modern times, is
the anonymity and security provided to the eavesdropper: there is
generally no way for the participants in the tapped communication
to know if they are being listened to or who is doing the listening.
It is also technically relatively easy in the majority of cases to
put a tap in place. This, combined with the comfort people today have
with communicating highly-sensitive information over electronic devices,
makes wiretaps an extremely valuable tool for law enforcement, especially
when pursuing organized crime and terrorist groups. This same boon
to law enforcement presents a strong threat to personal privacy and
individual liberty, however, for it is equally possible for governments
to abuse this power at the expense of the privacy and individual liberty
of its citizens (as China currently does).
A Brief History of Wiretaps
Karin Cheung writes:
Finding the proper balance among privacy, security, and law enforcement
interests in the realm of wiretapping has always been a complex endeavor.
With rapid changes in communications technology quickly reshaping
the way people interact, the nation must frequently re-examine its
laws to ensure equilibrium among these competing concerns. 2
This re-examination led to the passage in 1968 of the first federal
statutes controlling wiretapping ("Title III"), the "Electronic
Communications and Privacy Act" of 1986 (ECPA), the "Communications
Assistance for Law Enforcement Act" of 1994 (CALEA)
3 and now the attempted extension by the FCC of CALEA.
The foundation of wiretap legislation is the 4th Amendment of the
United States Constitution, which reads:
The right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not
be violated, and no warrants shall issue, but upon probable cause,
supported by oath or affirmation, and particularly describing the
place to be searched, and the persons or things to be seized.
The 4th Amendment is particularly controversial in terms of wiretaps
where no
physical search takes place. Since the 4th Amendment
was originally construed only to apply to physical searches-based
on the language of "persons, houses, papers, and effects"-
early courts held that no warrant was needed, provided there was no
physical trespass (see
Olmstead v. United States, 1928).
The need for law enforcement to seek judicial oversight, in the form
of a warrant, for wiretaps has existed since
Katz v. United
States in 1967 and the codification in Federal statute in 1968 of
Title III of the "Omnibus Crime Control and Safe Streets Act."
Title III begins:
To safeguard the privacy of innocent persons, the interception of
wire or oral communications where none of the parties to the communication
has consented to the interception should be allowed only when authorized
by a court of competent jurisdiction and should remain under the control
and supervision of the authorizing court.
In its most basic form, Title III outlawed wiretapping except when
law enforcement agents obtained a specific court order. In addition,
it limited wiretaps to specific serious crimes and only as a last
resort when other investigative techniques had been exhausted. It
required that interception of non-relevant communications be minimized.
Finally, law enforcement officers were required to notify the target
within a specific time period in order to allow for challenges to
probable cause and the conduct of the wiretap.
4
In 1986, Congress passed the "Electronic Communications Privacy
Act" (ECPA) to extend these same limitations to new electronic communications,
including video, text, audio, and other forms of data transmission.
Law enforcement agents were now required to obtain a warrant to, for
example, intercept and read e-mail. Other forms of Internet-based
communications were not explicitly included (although ECPA clearly
implied they should be) until the passage of the "Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act" (USA PATRIOT Act) in 2001.
5
A core underpinning of Title III was Congress' assumption "that
capture of electronic communications would not be an unreasonable
intrusion if there were stringent
ex parte judicial review
before the fact, minimization during a search, and equally stringent
adversarial review after the investigation had been completed."
6 This limited framework supporting restricted wiretaps began to slowly
degrade over the years as law enforcement pushed the boundaries of
what was permitted and courts and legislatures began to allow them
greater latitude in granting warrants.
7 Nonetheless, an uneasy balance was maintained for almost 40 years.
Disrupting the Balance through CALEA
This balance came under strong assault as the Internet began to carry
more and more communications and law enforcement expressed a corresponding
interest in making Internet-based wiretaps easier and more efficient.
One early approach in the late 1990s was to piggyback built-in wiretap
requirements onto the development of IPv6, the next generation Internet
Protocol (IP) developed by the Internet Engineering Task Force (IETF).
This proposal went nowhere, as industry concerns about security and
privacy overcame this desire by law enforcement to change the architecture
of the Internet at a fundamental level.
Law enforcement's next effort came several years later, in 2004 and
2005, when they pushed the FCC into extending CALEA-the "Communications
Assistance for Law Enforcement Act" of 1994-to cover Internet
Service Providers (ISPs) and universities, and not just the original
"telecommunications carriers" specified in the Act itself. The
goal was to cover "private networks," including Internet providers
and universities, and hold them accountable to the same $10,000 per
day fine for noncompliance as large telecommunications carriers currently
face. The FCC is also looking to expand CALEA to cover new Voice-over-IP
communications by requiring industry to build in ways to make it easy
for law enforcement to tap communications.
8
CALEA was controversial when it finally became law in 1994, as it
required telecommunications carriers-AT&T, Sprint, and MCI, for
example-to change the design of their networks to facilitate wiretaps
by law enforcement: "Congress asked whether this choice [of
codes and of technological design and thus a choice among values]
should be solely private (made by telephone engineers) or partially
public (influenced by Congress). It chose the latter" in passing
CALEA
9.
The Act essentially put the majority of the burden and cost on the
carriers themselves, instead of on law enforcement. However, private
industry was not willing to give up control easily. To accomplish
it, CALEA included two core compromises: first, Congress authorized
$500 million to reimburse carriers for the expense in updating and
changing equipment (although as of 2000, the money remained an "unfunded
mandate" and had yet to be delivered) and second, the Act specifically
forbid the government from requiring or dictating specific technological
designs. Instead, the FCC was tasked with working
with carriers
to design technology that would be compatible with the requirements
of CALEA.
10
CALEA functioned primarily because there were relatively few telecommunications
carriers and because all telephone communications at the time passed
through these very centralized companies. (Telephony was a centralized
service in 1994.) Lawrence Lessig writes on page 45 of
Code
and Other Laws of Cyberspace:
Regulation like this works because telephone companies are few. It
is relatively easy for the government to verify that the telephone
company is complying with its rules; it would be hard to establish
a rogue telephone company (outside the context of Internet telephony
at least). Thus, indirect regulation depends on there being a useful
target for regulation. But if there is such a target, and that target
can control the code of the network, then the government can regulate
the code.
Originally, CALEA was explicitly aimed at telecommunications carriers
only. Its purpose was to "amend title 18, United States Code,
to make clear a telecommunications carrier's duty to cooperate in
the interception of communications for law enforcement purposes."
In addition, it was specifically limited in application to exclude
"[i]nformation services; private networks and interconnection
services and facilities."
However, the FCC (the "Commission") was allowed to redefine
"telecommunications carrier" to include
a person or entity engaged in providing wire or electronic communication
switching or transmission service to the extent that the Commission
finds that such service is a replacement for a substantial portion
of the local telephone exchange service and that it is in the public
interest to deem such a person or entity to be a telecommunications
carrier for purposes of this title.
This redefinition, however, was not to include "persons or entities
insofar as they are engaged in providing information services."
11
On August 5, 2005, the FCC extended CALEA to include "facilities-based
providers of any type of broadband Internet access" (essentially,
internet service providers of all sorts, large and small, public and
private) for the following reasons:
(1) they are providing a switching or transmission functionality;
(2) this functionality is a replacement for a substantial portion
of the local telephone exchange service, specifically, the portion
used for dial-up Internet access; and (3) public interest factors
weigh in favor of subjecting broadband Internet access services to
CALEA.
Interestingly, the "substantial portion" test, says the FCC,
is met "if a service replaces any significant part of an individual
subscriber's functionality previously provided via circuit-switched
local telephone exchange service."
12 This focus on the individual subscriber instead of the market as
a whole makes it much easier to say that broadband providers are "substantially"
replacing local telephone service.
These extensions by the FCC were made at the behest of the Department
of Justice (DOJ) and its agencies, especially the Federal Bureau of
Investigation (FBI) and, to a lesser extent, the Drug Enforcement
Administration (DEA). These executive branch law enforcement agencies
felt that their ability to tap the communications of individuals who
may be involved in crimes or terrorist actions was being compromised
by the changing technical nature of communications in the Internet
age. Their argument, at its core, is that "it's hard for [the
DOJ or the FBI] to intercept all the communications that they need.
Without structural changes to the Internet, they won't be able to
conduct the same quality of investigations that they did ten years
ago."
13
The Problem with CALEA
While law enforcement is correct that surveillance is sometimes necessary
for the safety and security of the people, liberty requires that this
necessity be restricted by both the courts and prefers that it also
be restricted by design and architecture. Liberty is best preserved
when the government must exert itself to invade our privacy, even
for legitimate law enforcement purposes. The extension by the FCC
of CALEA to include "private networks" is an attempt to re-engineer
the Internet in favor of government control without markedly improving
crime reduction. Doing so disrupts the delicate balance between civil
liberties and law enforcement. In short, it is simply not sound public
policy.
There are five main public-policy arguments against the extension
of CALEA: (1) wiretapping is already possible and easy enough for
law enforcements needs in a democratic society; (2) the extension
of CALEA is economically inefficient, as the new required infrastructure
would be costly and out-of-proportion to the potential benefit to
law enforcement; (3) the Internet and Internet service providers are
qualitatively and quantitatively not like the telephone system or
the telecommunications carriers CALEA was designed for; (4) technological
innovation will suffer and non-American companies will benefit; (5)
CALEA compliance would result in a greater potential for security
problems, both at the personal, corporate and national level. Additionally,
there are two key legal arguments against the FCC's extension of CALEA:
the statute exempts "information providers," but the FCC lacks
the authority to ignore that exemption; and the FCC's interpretation
of "substantial replacement" is contrary to the statutory language
and the legislative intent of CALEA.
The FCC's interpretation and extension of CALEA to Internet providers
is legally in doubt due to these two key legal problems. The statutory
language of CALEA explicitly excludes "information providers."
Only by legal slight-of-hand does the FCC interpret its authority
under CALEA to allow it to ignore this clearly articulated restriction
in favor of expanding the definition of telecommunication carrier
to include Internet providers. In many other contexts, the FCC and
the courts have held that Internet providers
are information
providers-to decide now that they are
not and they should
instead be held to the standards of CALEA goes against both precedent
and the clear language of the statute itself. In addition, the FCC
has invented a novel method of defining "substantial replacement"
to allow it to extend CALEA to cover non-telecommunications carriers,
by saying that the
capability to replace telephone switches
with Internet-based communications for an
individual subscriber
is enough to invoke CALEA's clause allowing the FCC to expand the
coverage of the Act.
In terms of public policy, it is first critical to remember that Internet-based
communications are not impossible to tap, either technically or legally.
In fact, the FBI and the DOJ "
never identified
any
instance or circumstance in which law enforcement has been unable
to intercept a target's Internet communications" in their request
to the FCC.
14 The real point of contention is
ease of tapping: CALEA makes
it easy for law enforcement to tap lines, because it places the burden
(and thus most of the cost) on the provider or carrier to do the tapping
instead of on law enforcement.
The second public-policy concern is that this displacement of the
burden exemplifies the latest trends by the executive branch to extend
law enforcement's reach at the expense of citizen's rights, without
a corresponding benefit in crime reduction or terrorism protection.
It is economically inefficient in its allocation of cost-in the
sense that society
as a whole will bear a greater cost for
the extension than it will without it-since it requires thousands
of providers, both large and small, public and private, to spend millions
of dollars to comply with wiretap regulations that may rarely be invoked.
A small ISP may never receive a legal wiretap order, yet it will still
be required to spend thousands of dollars to replace its equipment
and restructure its network to the benefit of law enforcement. While
it may have made sense in the past for several large and dominant
telecommunications providers to shoulder the burden, it makes little
sense in the current market structure of Internet providers.
Third, both the market structure of Internet providers and, in a related
fashion, the technological infrastructure of the Internet is different
from that of the old telecommunications carriers: "crucial differences
between the two systems mean that what is healthy for one in terms
of marketplace incentives and technological development is unhealthy
for the other."
15 The Internet is a decentralized system, both in economic and technological
terms. Its utility and functionality arises from its "edges":
devices and systems positioned at the end-points of communications.
Google lives at one end of my search; my computer is at the other.
The "middle-man" Internet provider is simply responsible for
getting data back and forth between us. While the Internet provider
is a necessary player, the real value is added at the edges of the
network, where thousands-even millions-of different systems can
interact in an infinite number of ways. This decentralized format,
spanning the entire globe, is both resistant to government interference
and distinctly sensitive to it. Government will likely be unable to
ever completely control Internet communications, but it can certainly
make that communications difficult. It can restrict the value that
can be easily offered, and negatively impact both individual liberty
and economic growth.
The telephone network that CALEA was designed to control, on the other
hand, is radically different. The telephone is a relatively dumb instrument,
mostly unchanged over the last 100 years. The usefulness of the telephone
comes from the
network itself and those who provide the network.
These few providers exercise centralized control and can thus themselves
be easily controlled. Unlike the Internet, where individuals at the
end points can introduce new technologies essentially at will, changing
the telephone network is far more difficult. Thus, there are more
readily accessible targets (the small number of big telecommunications
carriers) for government control in the case of the telephone network,
and shifting the cost and burden to them makes economic and even public
policy sense.
Fourth, imposing the burden of CALEA compliance on Internet providers
inhibits innovations and shifts new development outside of American
jurisdictions. For example, the development of Voice-over-IP systems-a
revolutionary change away from traditional, centralized communications
models-would have been difficult to develop in an environment where
surveillance compatibility was a primary requirement. As the Electronic
Frontier Foundation writes:
CALEA means that innovators will always be forced to think inside
the box of surveillance. Their designs and ideas will be limited by
a government mandate that requires them to build technology for the
purpose of spying rather than playing games, talking to colleagues,
or collaboratively making art over the Internet. This will stifle
creativity and result in a non-competitive technology market. The
only creativity will exist off-shore, where developers outside the
U.S. will develop technologies to circumvent U.S. law enforcement
capability.16
In short, technological innovation will suffer and non-American companies
will benefit, a result that favors perceived benefits to law enforcement
in the short-term over long-term benefits to society as a whole.
Fifth, forcing thousands of Internet providers to adhere to CALEA
would result in a greater likelihood of security problems, many of
which would endanger our security more than any wiretap difficulties
ever would. Any "backdoor" built into any system would be potentially
exploitable by people other than law enforcement, exposing individuals
and companies to a greater threat of identity theft and corporate
espionage. In addition, forcing providers to adhere to government-mandated
surveillance standards would lead to equipment manufacturers building
technology more open to surveillance. In a world context, this could
have profound impacts: the FBI may arguably be trustworthy enough
to handle the power that ubiquitous access to surveillance data would
bring, but will their Chinese or Iranian counterpart?
Striking the Right Balance
If we grant that law enforcement, to prevent nightmare scenarios-and
even to deal with day-to-day, run-of-the-mill crime-ought to have
judicially supervised wiretaps (and U.S. courts and legislatures have
done just that, as we already discussed), then it makes sense to require
that Internet providers cooperate. Criminals should not simply and
trivially be able to move to Internet-based communications and so
easily escape law enforcement's reach.
But we must find a compromise position, where the majority of law
enforcement's needs are met, without placing an onerous burden on
Internet providers and without making wiretaps
too easy for
law enforcement to execute. Wiretaps should be allowed
only
through due process of law, not accident, malicious activity or even
overzealousness. The burden of implementation should stay on law enforcement
and the executive branch, not be shifted to private or university
Internet providers. Authorizing a wiretap ought to be a delicate process,
one requiring thought and analysis. We should not bludgeon companies
or organizations into compliance, and we should not shift the burden
to them, but rather regulate and encourage good compliance that benefits
society as a whole by assisting law enforcement both to catch criminals
and to prevent criminal activity in the first place. In the end, law
enforcement agencies should bear the primary burden of executing lawful
warrants.
This can only come through properly considered Congressional legislation,
not legally creative extensions by the FCC and the executive branch
into realms Congress never intended them to enter. CALEA was intended
for a centralized telecommunications market with relatively few large
players, not for a diverse market of Internet providers, some of which
are small, some large and some public (such as universities or even
municipalities). As it stands currently under Title III, ECPA and
the PATRIOT Act, Internet providers are required to-and do-assist
law enforcement. Additional Congressional clarification of this role
would be beneficial, but extension of burdensome requirements by the
FCC, with fuzzy economic and social implications, is not.
In short, by insisting that users of new Internet-based technologies
still have a reasonable expectation of privacy and requiring law enforcement
to get warrants, and by also requiring Internet providers to
allow
wiretapping but encouraging proper implementation by putting the burden
on law enforcement to execute the wiretap, we strike the right balance
on the questions of privacy and economics. Only by balancing all these
questions, and only by carefully implementing a solution, will we
be able to achieve the delicate balance that will encourage economic
development, discourage criminal behavior, protect privacy and free
speech rights, and also protect the safety of the public. It is a
tricky business, but one that we need to get right.
Footnotes:
1Karin Cheung. "Tapping the Net: A Study of the Wiretap Debates."
http://www.swiss.ai.mit.edu/6.805/student-papers/fall99-papers/cheung-wiretap.html
2Cheung.
3Public Law 103-414, 108 Stat. 4279, 47 USC § 1001 and parts
of 18 USC.
4Sarah Boucher, et. al. "Internet Wiretapping and Carnivore."
http://www.swiss.ai.mit.edu/6.805/student-papers/spring01-papers/carnivore.doc
5Wendy Hart and Diana Johnson. " Carnivore: Taking a Bite our of
Internet Privacy." http://gsulaw.gsu.edu/lawand/papers/su03/hart_johnson/
6James X. Dempsey. "Communications Privacy in the Digital Age:
Revitalizing the Federal Wiretap Laws to Enhance Privacy."
Albany
Law Journal of Science & Technology. 1997: vol. 8, number 1, 4,
p. 85. See also S. Rep. No. 99-541, at 2-3, 5 (1986).
7This is evident in six main areas, according to the James Dempsey:
(1) the list of crimes for which wiretapping is allowed has grown
from 26 in 1968 to 95 in 1996; (2) judges rarely deny wiretaps (from
1991 to 2001, judges have only rejected three state or federal wiretap
requests, according to the ACLU); (3) the duration of wiretaps has
grown as have the number of calls intercepted, (4) the courts now
allow wiretapping even when all other techniques have not been exhausted;
(5) the "minimization" requirement has not been strictly enforced
by the judiciary; and (6) suppression motions are rarely granted (only
4.3% of requests were granted between 1985 and 1994).
8Cheung.
9Lawrence Lessig.
Code and Other Laws of Cyberspace, p. 45.
10Boucher, et. al.
11The full text of CALEA is available at: http://www.epic.org/privacy/wiretap/calea/calea_law.html
12FCC Order dated August 5, 2005, page 6.
13EFF. http://www.eff.org/Privacy/Surveillance/CALEA/
14EFF and CDT. "Request for Stay." November 23, 2005. http://www.eff.org/Privacy/Surveillance/CALEA/calea_order_stay_request.pdf
15EFF.
16EFF.
File translated from
TEX
by
TTH,
version 3.38.
On 20 Mar 2007, 14:27.