Sometimes the Commission can be a little flip, a little offhand. This happened in the CALEA order [pdf] that was released in late September. After saying that educational networks like those operated by universities and research libraries (including Internet2) probably wouldn't be subject to CALEA, the Commission stated:
"To the extent, however, that these private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA [because they are substantial replacements for local telephone service]."
There's a lot in the text of this footnote snippet. (It's note 100, for those of you who like footnotes.)
First of all, defining the PSTN and the internet as [roughly equivalent] "public networks" is a big rhetorical step. It seems as if the internet is being reframed as another flavor of telephone network. Rhetoric matters. That's why they called it the "broadcast flag" -- who could possibly be against a patriotic flag waving in a friendly way to protect beloved broadcast programs? As it turned out, of course, the broadcast flag was a massive cost-shifting and innovation-squelching effort of which the flag (the marking scheme) was the smallest and most inoffensive part. Names set the initial terms of debate, and there is reason to worry about setting up the traditional telephone network and the internet as peers -- both "public networks" that need to be protected and regulated like public libraries and public highways.
Beyond the naming scheme, it's quite a step to say that any private network (say, any enterprise VPN) that is capable of connecting to the internet must be CALEA-compliant -- if that's what the footnote is saying. If it's not saying that, what is it saying? What entities "support the connection of [a] private network to a public network"? Arguably all actors involved in making it possible for one network to connect to another -- all device manufacturers, all access providers, anyone who leases a line that connects to an ISP, all technicians.
An enormous consortium of associations calling itself the Higher Education Coalition recently filed comments in the CALEA proceeding. The Higher Education Coalition points out that private networks are exempted from CALEA, and that CALEA's coverage is specifically limited to common carriers.
But beyond the legal-beagle analysis, the Coalition's points on burden are very strong: since 2004, only one higher education institution has received a wiretap request, and it was complied with very swiftly -- within 24 hours. So what's the problem? Why would law enforcement need this subset of private networks to change all of their systems in advance so as to make them easily tappable? And here's what the vendors say (remember the new form of regulatory capture): "if the Commission or DOJ adopted an expansive reading of the [CALEA] Order, higher education and research institutions would have to replace much--if not all--of their network equipment." Even doing this with software would be "costly," according to these vendors.
This could cost billions of dollars -- just for the universities.
Now, the most important point of all is that the FCC hasn't yet said what anyone subject to its expansive reading of CALEA will have to do. All it has done is announce who may be covered by CALEA, and that these entities (any business with a private network that is capable of connecting to the internet? any free VoIP application that can interconnect?) will have just 18 months to comply. The clock is already running on an entirely uncertain, and hugely expensive, mandate.
