CALEA and Network Security

W iretaps have been used since the invention of the telegraph and have been a legal element of the US law enforcement arsenal for more than a quarter century. In keeping with law enforcement’s efforts to keep laws current with changing technologies, in 1994 the US Congress passed the Communications Assistance for Law Enforcement Act (CALEA). The law proved to be controversial because it mandated that digitally switched telephone networks must be built wiretap enabled, with the US Department of Justice in charge of determining the appropriate technology standards. The law provided a specific exclusion for “information services.” Despite that explicit exemption, in response to a request from the US Federal Bureau of Investigation (FBI), in August 2005, the Federal Communications Commission (FCC) ruled that broadband voice over IP (VoIP) must comply with CALEA. Civilliberties groups and the industry immediately objected, fearing the ruling’s impact on privacy and innovation. There is another community that should be very concerned. Applying CALEA to VoIP requires embedding surveillance technology deeply into the protocol stack. The FCC ruling undermines network security and, because the Internet and private networks using Internet protocols support critical as well as noncritical infrastructure, national security as well. The FCC ruling is a step backward in securing the Internet, a national— and international—priority.