Copy Link
Add to Bookmark
Report
EFFector FBI Phone
========================================================================
From The Electronic Frontier Foundation FTP Archives (ftp.eff.org)
EFF 155 Second Street Cambridge, MA 02141 +1 617 864 0665
eff@eff.org
========================================================================
ANALYSIS OF THE FBI PROPOSAL REGARDING DIGITAL TELEPHONY
Executive Summary
Although the FBI has characterized its proposed "Digital Telephony"
legislation as relating to the preservation of government's ability to
engage in authorized wiretapping, the proposal actually requires that
all communications and computer systems be designed to facilitate
interception of private messages, on a concurrent and remote basis --
thus imposing new engineering standards that go far beyond any existing
law. As currently drafted, the proposal would impose substantial costs
and create significant uncertainties, despite the absence of any clear
showing that the proposed measures would be either effective or
necessary. In addition, the proposal raises serious security and
privacy concerns.
Beginning some time last year, the FBI has expressed concern that
technological changes occurring in the telecommunications industry might
have an adverse affect on the ability of law enforcement officials to
conduct lawful, authorized wiretapping. For example, the FBI has raised
questions about its ability to extract individual telephone calls from
multiplexed signals sent over light fibers using new digital protocols.
Various FBI proposals have generated concern on the part of industry
that the security and privacy of electronic communications and computer
systems might be weakened and that the competitiveness or technical
advancement of various systems might be undercut. No one in industry
challenges the FBI's right to cooperation in seeking to implement
wiretaps or disagrees with the proposition that law enforcement
officials need communications interception tools to do their vital job.
The communications industry, network users and public interest groups
are concerned with the broad sweep of the FBI's draft proposal and the
potential uncertainties and costs it would impose. This memorandum
explains the basis for those concerns.
Although the FBI proposal is described as relating to "digital
telephony," it actually applies to all forms of communication, including
all computer networks. The proposal requires that equipment be designed
to give access to communications on a "concurrent" basis, regardless of
the mobility of a target, in isolation from messages being exchanged by
any other persons. These requests may have complex and differing
application in different contexts, but they would certainly introduce
additional costs and substantial uncertainties for both equipment
manufacturers and everyone who offers messaging service to others.
These days, the list of those covered by the proposal ("providers of
electronic communications services" and "PBX owners") includes just
about everyone. Because the wiretap statute was written to protect the
privacy of a broad range of communications types, and because of the
growing interdependence and intermixing of all forms of communications,
the statutory language of the FBI proposal could turn out to require
redesign or expensive alteration of:
(1) public electronic mail systems, like those offered by MCI, AT&T
and a host of other companies and individuals;
(2) all telephone switches and the sophisticated equipment used by
long distance carriers;
(3) software used by online information services like Prodigy, GEnie,
Compuserve, America Online and many others;
(4) local area networks, linking all kinds of computers, operated by
small businesses, colleges and universities and many other types of
organizations, including links into these systems from other homes and
offices;
(5) PBXs owned by small and large businesses;
(6) high speed data networks connecting workstations with mainframes
and supercomputers, as well as those carrying messaging traffic across
the "Internet;"
(7) radio-based and cellular communications systems, including pocket
telephones and computers with radio-based modems;
(8) the thousands of small personal computers owned by businesses,
hobbyists, local governments, and political organizations that
communicate with others via computer bulletin boards;
(9) private metropolitan wide area communications systems used by
businesses such as large banks;
(10) satellite uplink and downlink equipment supporting radio and
television transmissions and other communications; and
(11) air-to-ground equipment serving general aviation and commercial
aircraft.
We are becoming an information economy and, accordingly, imposing
mandatory system design requirements on all those involved in the
transfer of information has an impact on large numbers of people and
most sectors of the economy.
There is no doubt that evolving technologies will challenge law
enforcement officials and industry alike. We need effective law
enforcement tools, as well as appropriate levels of privacy and security
in communications and computer systems. The goals underlying the FBI
proposal are valid and important ones. But they may well be best
achieved without additional legislation. Industry has historically
cooperated with law enforcement and is presently engaged in ongoing
discussions to identify specific problems and concrete solutions. This
cooperative process will lead to needed exchanges of technical
information, better understanding on all sides of the real policy
issues, and better, more cost-effective solutions. Congress should
reject the FBI proposal and encourage continuing discussions that will
lead to more specific identification of any problems and to more
concrete, cost-effective solutions.
* * * * * *
Analysis of the FBI Proposal Regarding Digital Telephony
What is Proposed? The most recent proposal imposes obligations to
provide various generic interception "capabilities and capacities" and
empowers the Attorney General to grant exemptions, after consultation
with the Federal Communications Commission, the Department of Commerce
and the Small Business Administration. See Attachment A. Any person who
manufactures equipment or provides a service that failed to comply with
the broad and vague requirements of the proposed statute would be
subject to a civil penalty of $10,000 per day.
How Serious is the Problem? The predicate for the FBI proposal is
that advances in technology have made it more difficult for the
government to intercept particular telephone conversations in the course
of legally-authorized wiretapping. There have been few actual problems,
historically, in executing authorized wiretaps. None have stemmed from
characteristics of communications equipment design (as distinct from
limitations in equipment capacity). On the other hand, it is clear
that, over time, changes in the technologies used for communications
will require the FBI (and the communications industry as a whole) to use
new techniques and to acquire additional equipment and skills. Some
developments, such as encryption, may make interception (or, at least,
understanding the contents of what has been "intercepted") much more
difficult -- but in ways that are not even addressed and cannot be fixed
by the proposed legislation. (It is difficult to evaluate the FBI
argument that it would have asked for more interceptions if some
technological barriers had not existed. There have always been and will
always be some technological barriers to interception of the content of
communications the participants seek to protect.)
Existing law requires all companies providing electronic
communications services to cooperate fully with lawful requests from the
FBI and other law enforcement officials -- and there is no history of
any general failure to provide such cooperation. See Attachment B.
Existing law also contemplates that the government will bear the costs
imposed by the government's requests for access to communications. (As
noted below, the proposal does not specifically extend that principle.)
There is no showing that the government lacks the financial resources to
modernize its communications equipment or to fund the costs of lawful
interceptions that it initiates. Since the total number of content
wiretaps in 1991 authorized by Federal and State courts was only 856
taps (and almost 60% of these were at the State level, 356 Federal
versus 500 State), and since the call-set-up or pen register tap orders
for 1991 at the Federal level were only 2,445, (thus, implying a
national total under 7,000), it appears the costs may be better targeted
to the specific lines or ports necessary, instead of burdening all lines
or ports existing in the network. See Administrative Office of the U.S.
Courts "Report on Applications For Orders Authorizing or Approving the
Interception of Wire, Oral, or Electronics Communications (Wiretap
Report)" for the period January 1, 1991 to December 31, 1991 and letter
from the Assistant Attorney General W. Lee Rawls to the Honorable Jack
Brooks, Chairman of the Committee on the Judiciary of the United States
House of Representatives, dated April 23, 1992, providing the annual
report of the Attorney General on pen register orders. By comparison,
there were over 138 million access lines as of December 31, 1990
according to the United States Telephone Association and this does not
include ports used for cellular or many other network accesses. (We
understand the current FBI budget provides for $9 million for new
digital telephony interception equipment.) Thus, although there is
valid reason to be concerned that changes in technology will challenge
law enforcement agencies to find and adopt new techniques, there is no
immediate crisis requiring swift action.
Broad Scope of the Current Proposal. The FBI proposal covers all
providers of "electronic communications services" and all "private
branch exchange operators." These days, that means just about everybody,
including every business that has its own phone switch and every company
that operates its own local or wide area computer network. The
Electronic Communications Privacy Act defines "electronic communications
services" to include electronic mail, file transfers over a Local Area
Network ("LAN") and, indeed, every form of transmission of a message
other than voice telephone calls (which are also covered by the proposal
as "wire" communications), and sound waves in the open air (the only
form of communication not covered by the proposal). See 18 U.S.C.
2510(12),(15). All "providers" of such services would be affirmatively
required, within three years, to provide law enforcement officials with
the "capability and capacity" to intercept communications. This
capability would have to be provided "concurrently" with the
communication, without detection (apparently without regard to the
target of the wiretap possibly employing sophisticated wiretap detection
capabilities), exclusive of any communications between other parties,
regardless of the mobility of the target, and without degradation of
service.
These absolute requirements might not be capable of being met, as a
technical matter, in some contexts, regardless of costs. The proposal
is redundant, in the sense that it requires the ability to access
communications at all points during their transmission, even though
access at one point is all that is needed in any given circumstance.
Although current wiretap law requires "minimization" and use of wiretaps
as a "last resort," the proposal imposes obligations on all
communications systems as if preserving the ability to wiretap at any
point should be the system designer's highest priority. The application
of these requirements would have substantially different costs and other
implications depending upon where in a communications pathway they were
actually applied. In any event, they dramatically expand the nature and
reach of current law -- which requires cooperation but does not grant
the government a right to redesign the communications network or the
equipment used by large numbers of businesses.
The FBI has defended its proposal on the ground that it is only
seeking to "preserve the status quo," by preventing changes in
technology from taking away capabilities that Congress meant to assure
when it passed the 1968 and 1986 wiretap statutes. But that
mischaracterizes the "status quo". The current wiretap statutes take
the communications networks as they find them and do not require any
provider of communications service to redesign the system, or to refrain
from using any particular technology, solely on the ground that such a
technology would make interception more difficult. While there may well
be sound reasons for all concerned to cooperate to seek to preserve for
the government a practical ability to engage in authorized wiretapping,
there is simply no existing legal authority for law enforcement
officials to mandate the use of particular technologies and, thus,
contrary to the claims made by the FBI, the proposal does not simply
maintain the status quo, but greatly expands the jurisdiction of the
Attorney General and would represent a giant step beyond current law and
congressional intent going back to 1968.
While the proposal imposes substantial uncertainties, to be discussed
below, there is no question that, as drafted, it would have an extremely
broad reach. As a result, it could complicate the development of
various new technologies. Even though the language of the proposal
would extend to cable information systems and Automated Teller Machines
("ATM"), the FBI has stressed in its proposal that various systems might
be exempted by executive action. But the exemption authority is vague
and standardless -- so the net effect is that every system provider has
to worry on a continuing basis about whether or not its system is
covered. Moreover, the proposal is clearly designed to cover any system
facilitating two-way conversation, regardless of the size of the
communications service provider. In consequence, any small business
that installs its own local PBX system for forwarding calls from
customers could be required to replace its equipment with new switches
that meet the law's requirements. If current online information services
do not track the "services" and "features" used by those who send
messages through their electronic mail channels, then expensive
modifications might be mandated. Because these electronic mail systems
are all being joined together, and some function as links that forward
messages between other systems, all might have to be designed to allow
"real time" interception by retransmission to a remote site -- even
though delayed searches of stored files would seem to make a lot more
sense in the context of electronic mail.
Costs Likely to be Imposed by the Proposal. The costs imposed by
this proposal would be passed on to consumers and to all subscribers to
electronic communications services. The total costs, including costs
imposed by its potentially disruptive impact on planning for new
computer and communication technologies, cannot be fully assessed -- but
would clearly be very substantial. In its report on the FBI's proposal,
the General Accounting Office ("GAO"), page 1, stated: "[N]either the
FBI nor the telecommunications industry has systematically identified
the alternatives, or evaluated their costs, benefits, or feasibility."
And further at page 4 of the GAO Report:
[T]he [FBI's] May proposal does not address what the telecommunications
industry would need to do to be in full compliance with the proposal in
the event it is enacted, the meaning of certain technical terms, or who
would pay for the cost of wiretapping solutions.
The proposal mandates compliance with very broadly stated functional
standards and contemplates that exemptions (available from the Attorney
General, without the benefit of any specific standards or criteria) will
be granted only after this broad new governmental authority has been
enacted into law. The most recent proposal assumes that the costs of
compliance will become a cost of doing business imposed on all
communications service providers -- and passed on to telephone
ratepayers and other subscribers to electronic communications services.
(The current law's provision that the government will pay reasonable
expenses incurred in cooperating with a specific request for
interception have not been expressly applied to this new requirement to
"provide the capability and capacity" to respond to such requests.)
Communication service providers and computer equipment manufacturers
could suffer major losses as a result of delays, mandatory redesigns,
and even prohibition of certain technological options.
There has been no opportunity as yet to compare (1) the costs the FBI
would incur to modernize its approach to interception (especially given the
data on the small number of taps performed annually) with (2) the costs
that would be incurred by consumers as a result of mandatory limitations on
new technology design applied to all technologies nationwide.
Uncertainties Created by the Proposal. By attempting to establish
open-ended duties, broadly defined, in statutory language, the current
proposal creates substantial uncertainties and could cause controversy
to supplant cooperation. For example, although current interception
orders predominantly relate to voice communications, the draft proposal
covers all forms of communication. This approach could sweep up systems
ranging from the cellular pager to the high-speed network designed to
transfer digital data between supercomputers. It raises a wide variety
of questions:
What exactly are the boundaries of the "public switched network" to
which the proposal refers?
On what basis would the Attorney General choose, or be required, to
provide exemptions?
How would the proposal affect systems that regularly encode messages
at the point of origin?
Does the required provision of capacity to intercept "concurrent with
the transmission to the recipient" mean that an electronic mail or voice
mail or facsimile mail system must be designed to signal the system
operator every time a message from a target of an investigation is
accessed by the person to whom that message might have been addressed?
Will it be technically feasible to detect and separate just those
parts of a communication signal coming from a particular residence or
other source, that "exclusively" represent the content coming from a
particular individual?
What is meant by the new, broad requirement that the government be
told what "services, systems, and features" have been used by the
subject of the interception?
Does the required provision of interception capacity "notwithstanding
... the use by the subject ... of any features of the ... system" have
the effect of requiring the system provider to offer to defeat any
encryption mechanism it may provide to subscribers?
Does the requirement to provide interception despite the target's
mobility mean that systems that inherently allow users to send and
receive from multiple points, without notice, cannot be used at all?
Will it be physically possible or economically feasible to prevent
"degradation of services" if the functional requirement for real time
tracking of any target means that some central database must be checked
by the service provider's computers every time a communication is made?
We don't know the answers to these questions, despite their
importance. More importantly, the answers to key policy questions may
differ substantially depending on what particular technology and
interception need (and minimization goal) is being addressed. And we
don't even know by what means providers of electronic communications
services and designers and users of electronic communications and
computing equipment will find out how the requirements will be applied
to their systems. In short, the FBI's proposal, as currently drafted,
may generate new and unnecessary controversy, despite its legitimate
goals, by attacking perceived problems at the wrong level of generality.
Threat to security and privacy. Ironically, in addition to creating
uncertainty and imposing costs, the proposal would itself create new and
serious security risks and undermine the privacy of electronic
communications. If electronic communications service providers must
design their systems to allow and ensure FBI access, then the resulting
mandatory "back doors" may become known to and be exploited by
criminals. Business is currently attempting to achieve greater security
in its communications, to counter the threats posed by unauthorized
access, computer viruses, and electronic theft. A proposal the FBI
seeks to justify in terms of law enforcement could well have the effect
of facilitating violations of law and reducing or preventing effective
security measures.
Threat to International Trade and Security Interests. As drafted,
the proposal appears to threaten U.S. interests in international trade
and competitiveness. Potential purchasers abroad may not buy products or
systems that they know have a "trap door" the United States Government
can easily open. If U.S. manufacturers of communications systems and
equipment and computer software have to go through a bureaucratic
certification or clearance process that is not applicable to their
foreign competitors, their race to the market with new technologies will
be slowed and their products and designs will be disadvantaged.
Legitimate Law Enforcement Interests and Concerns Can and Should be
Served. There is no doubt that authorized wiretapping is an important
weapon properly used by the FBI to fight serious crime. And there is
general agreement among communications service providers, and the makers
of communications and computing equipment, that the FBI is entitled to
full cooperation in its efforts to exercise the powers granted to it in
the wiretap statute. If new technologies require changes in police
tactics, then accommodations may be needed on all sides to make sure
that new tactics that do not threaten the effectiveness or safety of law
enforcement (or unreasonably threaten privacy interests) are available.
The FBI proposal has served a valuable purpose in drawing attention to
the need for adequate planning and redoubled cooperative efforts.
It is Too Soon to Tell Whether Legislation will be Necessary.
Despite the good intentions underlying the FBI proposal, there is
certainly no demonstrated need to hamper U.S. technological advances,
harm the competitiveness of the U.S. communications or computer
industries, or hinder efforts by business to increase computer security,
just to make sure that law enforcement officials can continue
indefinitely to use the same equipment and procedures that were
appropriate for an earlier technology. There has as yet been no clear
showing that the design of new technologies will not permit reasonable,
affordable and effective techniques to be used for authorized
interception. There has been no showing that the industry will not or
cannot cooperate fully, share technical information under appropriate
protections, and even design and supply new equipment at reasonable
cost, insofar as these steps prove necessary for the FBI to accomplish
its mission. There has been no clear showing that any capacity
limitations could not readily be remedied with the provision of adequate
financing for government law enforcement operations.
The Current Proposal is Clearly Premature, in Light of Active Ongoing
Efforts by Industry to Identify and Solve any Serious Problems. An ad
hoc coalition of interested parties has joined together to study the
issues posed by the FBI's proposal and to begin discussions involving
various business interests, public interest groups, the law enforcement
community, legislative staff, and representatives of the Administration.
All involved recognize that the FBI is entitled to have adequate tools
to fulfill its law enforcement objectives. For its part, the FBI has
recognized the value of industry cooperation and the need for a more
robust exchange of technical information. Once the technical issues
come into focus, particular policy issues may be ripe for decision, in a
context in which the costs and implications of such decisions for trade,
security and privacy concerns will be much more clear. Technical
Working Groups representing both the telephone companies and the
computer industry are hard at work -- but the issues are complex and
even the first stage of identifying serious potential problems for law
enforcement will take some time. Consideration of proposed solutions
should await the results of these detailed and technical discussions.
Conclusion
As the broad collaboration that accompanied consideration of the 1986
amendments to the wiretap statute showed, the public interest in sound
law enforcement, and public expectations of privacy and security, are
best served by encouraging a constructive exchange of views among
industry, concerned citizens and government, before any new legislation
is enacted. Congress should reject the FBI proposal and encourage
continuing discussions that will lead to more specific identification of
any problems and to concrete, cost-effective solutions.
Electronic Frontier Foundation
abcd - The Microcomputer Industry Association
Advanced Network & Services, Inc.
Agson, Inc.
American Civil Liberties Union
Arrow
AT&T
Cellular Telecommunications Industry Association
Computer and Business Equipment Manufacturers Association
Computer and Communications Industry Association
Computer Professionals for Social Responsibility
Digital Equipment Corporation
Eastman Kodak
Electronic Mail Association
Graphics Technologies, Inc.
IBM
Information Industry Association
Information Technology Association of America
Iris Associates
Logistics Management, Inc.
Lotus Development Corporation
Merisel, Inc.
Micro Computer Centers Inc.
Microsoft Corporation
Okidata
Oracle
Panamax
P C Parts Express
Prodigy
Seneca Data Distributors, Inc.
Software Publishers Association
Sun Microsystems
Telecommunications Industry Association
United States Telephone Association
Westbrook Technologies
For further information contact:
John Podesta 202/544-6906
Jerry Berman 202/544-9237
David Johnson 202/663-6723
for the Electronic Frontier Foundation
Downloaded From P-80 International Information Systems 304-744-2253
