Pages: pp. 8-10
A multipronged legal challenge to the US Federal Communications Commission's (FCC) decision to compel broadband service providers and some voice-over-IP (VoIP) service providers to comply with wiretapping requests under the Communications Assistance for Law Enforcement Act (CALEA) is winding its way through a federal appeals court, where judges might start deliberating the case by the middle of the year.
John Morris, director of the Internet Standards, Technology, and Policy Project at the Center for Democracy and Technology (CDT), says oral arguments on the appeal — filed by the CDT, the Electronic Frontier Foundation, the American Library Association, CompTel, the Electronic Privacy Information Center, pulver.com, and Sun Microsystems — could be heard sometime in the second quarter of 2006, after which the US Court of Appeals for the District of Columbia could presumably render its decision. The CDT and 10 other organizations also filed a request for a stay of the FCC's CALEA decision, arguing that the FCC's 18-month deadline for installing wiretap-friendly technologies be halted until the legal process is complete. They expect the appeal to be successful because the FCC failed to specify what modifications must be made.
"The FBI has not ever answered the question of what they're going to require VoIP or broadband providers to do, so I have no way of knowing what law enforcement is going to require," Morris says. "So I have no way of predicting what design changes might be required. It's a broad range of possible modifications; some approaches would not be overwhelmingly burdensome, and some would be impossible.
"We also contend it was an arbitrary and capricious thing for the FCC to even make its decision without knowing that information. The FCC is under an obligation under statute to make a public-interest determination — is extending CALEA in the pubic interest? We don't comprehend at all how the Commission can make a public-interest decision without knowing what burdens it would place on the Internet."
Arguments over the FCC's CALEA decision are assuming a Socratic parsing of definitions and interpretations of the wiretapping limits the US Congress intended when it passed CALEA in 1994. And taken in concert with a separate decision announced at the same time, the FCC's actions are causing many industry observers consternation.
According to this decision, incumbent providers of wireline broadband services — namely the regional Bell Operating Companies (BOCs) offering DSL services — don't have to share their local loop facilities with competitors such as America Online and EarthLink. The FCC's reasoning was that the BOC's DSL services didn't fall under the traditional aegis of telecommunications services subject to regulation and therefore should be defined as information services, which have been comparatively free of regulation — and under which definition cable broadband providers have been operating.
That decision is part of a larger picture of maneuvering for supremacy in physical network architecture. While the BOCs argued that telecommunications regulations hampered their ability to compete with cable providers, they also lobbied heavily to halt the construction of low-cost municipal broadband networks. In releasing the BOCs from line-sharing requirements, the FCC signaled it was going to let cable providers and the BOCs slug it out in the consumer market. The FCC hailed its decision as one allowing greater competition, although some observers said it assured a duopoly that would hamper customer choice and technological innovation in the long run.
Then, with contradictory logic, the FCC announced that broadband Internet access and certain VoIP services were to be considered not as information services, but as telecommunications services subject to CALEA regulations.
Uncharitable readings of the FCC's contradictory decisions say they paint a picture of an FCC overly friendly to entrenched business interests and undue governmental reach into the Internet, contrary to the public interest. At the very least, public policy mavens seeking some sort of consistent reading of FCC policy have been flummoxed. An analysis of the actions, written by VoIP entrepreneur Jeff Pulver, said the FCC found itself caught in a "definitional shell game" of its own making.
"The perceived logic was that the FCC would have to adopt new CALEA obligations for 'Information Services' if it was going to adopt an Order in the Wireline Broadband Services proceeding that would designate DSL and other wireline Broadband Internet access services as 'Information Services' and therefore no longer subject to Title II Telecom regulations," Pulver wrote in his weblog ( http://pulverblog.pulver.com/archives/003193.html). "If the FCC had simply played its definitional shell game, relabeling Internet access services as 'Information Services,' not 'Telecom Services,' and moving wireline Internet access services out of Title II and into Title I, then, in one fell swoop, the FCC might have lost the current authority to impose CALEA obligations on these newly designated non-Telecom, non-Title II services. In order to assuage concerns from [the US Department of Justice, Federal Bureau of Investigation, and Drug Enforcement Agency], the FCC had to simultaneously ensure that CALEA would continue to apply without interruption to these redesignated services. Thus, the FCC adopted (even if it did not release and, maybe, had not fully fleshed out its rationale for) the CALEA Order for VoIP services, concurrent with adoption of the Wireline Broadband Order."
The CDT's Morris says the FCC's rush to cover all its bases in the contradictory decisions does indeed form a basis for legal challenges.
"As part of the deal they struck internally to deregulate DSL, they rushed out the door essentially a press release announcing they were imposing CALEA obligations on broadband service. So there is no question they're very closely related, and it's fairly clear the Commission didn't actually have any of the details hammered out in terms of how it was going to impose CALEA on broadband service providers. Now they've hammered out some of the details, though not all of them. And so the CDT and others have filed a challenge."
An FCC representative said the Commission was referring questioners back to the 59-page order, released on 23 September 2005. In the order, the FCC stated its rationale for imposing CALEA requirements on information services, citing a "never before used" provision of the 1994 law. That provision — the Substantial Replacement Provision (SRP) — requires the FCC to classify certain broadband and VoIP service providers as telecommunications carriers for CALEA purposes, even if those providers aren't telecommunications carriers under the Communications Act of 1934.
The Commission also stated in its order that details such as "compliance extensions and exemptions, cost recovery, identification of future services and entities subject to CALEA, and enforcement" would be released in a subsequent announcement, though it didn't hint as to when the compliance requirements would be issued. The FCC's rationale was that the delay would enable the community to focus its future discussions on how those details might be implemented, rather than the legal and philosophical question of whether the affected services were covered under CALEA. However, even upon issuing the order, the Commissioners were aware that many of those "ongoing discussions" would indeed be focused on the order's fundamental applicability — and would likely be taking place in one court or another.
"Because litigation is as inevitable as death and taxes, and because some might not read the statute to permit the extension of CALEA to the broadband Internet access and VoIP services at issue here, I have stated my concern that an approach like the one we adopt today is not without legal risk," said Commissioner Kathleen Abernathy in her statement accompanying the decision.
Although the FCC is reserving the release of specific CALEA requirements, critics and others affected by the decision say that the extension of CALEA obligations onto broadband and VoIP technologies is a possible harbinger of more intrusive decisions that could hamper both innovation and privacy rights as new technologies come online.
Harold Krent, dean and law professor at the Illinois Institute of Technology's Kent College of Law, says the CALEA argument draws comparisons to the concerns expressed over the FBI's packet-sniffing technology, Carnivore. The FBI ended up using Carnivore very little and retired it in 2005. Krent says given Carnivore's history, law enforcement claims that such technology is critical in the fight against international terrorists and criminals should be regarded skeptically. "I think a lesson to be learned there is, if they say it's going to be critical, it may actually be helpful against a mid-level criminal," he says. "I don't think it's critical for a sophisticated network."
The CDT's Morris says the FCC's order also demonstrates that law enforcement is attempting to pass the responsibility for designing IP-based surveillance technology onto service providers instead of innovating for its own uses.
"Law enforcement is relying on companies to translate an Internet stream of packets and turn it into a circuit-switched call," he says. "Law enforcement is not internally developing the capability to understand IP communications and that means law enforcement will be completely unable to intercept the communications of any sophisticated terrorist organization or criminal organization, because it is a trivial matter for a moderately knowledgeable engineer to sit down and create a voice communication system just to be used by the internal criminal network."
Morris says the CDT and other organizations are concerned that a continual, if incremental, expansion of law enforcement powers over IP technology — such as possibly demanding wiretapping capabilities over peer-to-peer (P2P) voice technology — is a prime example of hampering innovation at the application layer, which would have a chilling effect on new breakthroughs.
Steven Gordon, professor of IT management at Babson College, says that if the FCC's CALEA decision is upheld, at least one area of application — wiretap compliance applications — will thrive. "Wherever there is a legal requirement or regulation, there is an industry that steps up to provide solutions," Gordon says.
Yet, Morris also says there are troubling questions at levels below the application layer. For example, he says, it's still unclear whether a DSL provider would be responsible for delivering data packets to law enforcement that were part of a P2P communication with no connection to public phone services but were carried over the DSL provider's pipes, and whether those packets need to be filtered from the rest of the data stream.
For some observers, there's a certain amount of irony in the fact that, as the Bush Administration nominates US Supreme Court judges that it considers conservative "strict constructionists" not predisposed to alter precedent, the FCC has shown an eagerness to be an activist agency in extending CALEA.
"I'd like a little strict constructionism of the CALEA statute today," Morris says. "It's certainly being stretched beyond all recognition right now."
Following a grueling two-year negotiation process, delegates from more than 100 countries reached a compromise on Internet governance at the World Summit on the Information Society (WSIS) in November. The accord doesn't change the role of the US in Internet oversight, but it calls for the creation of the Internet Governance Forum, which will begin operations in early 2006. The forum's purpose is to give governments a stronger say in Internet policy issues, including the Internet address system, as well as issues such as development, security, and quality of service.
The WSIS announcement of the agreement is at www.consortiuminfo.org/bulletins/nov05.php. The Consortium Standards Bulletin's November theme issue on WSIS and the Internet governance controversy is available at www.consortiuminfo.org/bulletins/nov05.php.
In conjunction with the WSIS, the Global Symposium for Regulators (GSR) met to establish best practice guidelines aimed at encouraging broadband deployment in developing countries. The GSR's vision includes reducing regulation, increasing incentives, and coordinating efforts to "rapidly unleash commercial broadband deployment opportunities."
The guidelines are available at www.itu.int/ITU-D/treg/Events/Seminars/2005/GSR05/consultation.html.
The Apache Software Foundation has launched a new version of its Apache HTTP Server, marking the first significant stable branch release since April 2002. Apache 2.2 uses the Apache Portable Runtime 1.0 API, which offers libraries that interface between the server and the underlying operating system. The new release also includes improved authentication and authorization features.
More information is available at http://httpd.apache.org/docs/2.2.
Telecom Italia and Samsung Electronics will team up to offer trials of Wireless Broadband (WiBro) technology at the 2006 Winter Olympics, to be held in Turin, Italy, 10–26 February. WiBro is designed to offer mobile users access speeds of up to 30 megabits per second. Using Samsung's new WiBro-compatible phones, South Korea launched trial WiBro service in Pusan to coincide with the November Asia-Pacific Economic Cooperation forum.
WiBro overviews are available at www.itu.int/ITU-D/imt-2000/documents/Busan/Session3_Yoon.pdf and www.ida.gov.sg/idaweb/techdev/infopage.jsp?infopagecategory=&infopageid=I3098&versionid=2.
The W32/Zafi-D worm was the top virus in 2005, even though the W32/Sober-Z worm reached number three just a month after its introduction, according to the annual security report from the anitvirus firm Sophos. In 2005, threats increased by 48 percent over the previous year. Although worms dominated in terms of infection rates, Trojan software that logs users' behavior or allows remote control over their PCs outnumbered worms by almost 2 to 1, highlighting the increasing use of targeted attacks.
More information on the report is available at www.sophos.com/pressoffice/news/articles/2005/12/toptensummary05.html.
The Cyber Security Industry Alliance gave the Bush administration and the US Congress a D grade for their efforts to improve the nation's infrastructure security in 2005. Priorities are a key issue, according to CSIA CEO Paul Kurtz, who noted that the White House had offered "little strategic direction or leadership" on information security.
More information is available at www.csialliance.org/StateofCyberSecurity2006.