Personal tools

berman.html

CFP'93 - EFF

CFP'93 - Analysis of the FBI Proposal Regarding Digital Telephony

The Electronic Frontier Foundation

Executive Summary

Although the FBI has characterized its proposed "Digital Telephony" legislation as relating to the preservation of government's ability to engage in authorized wiretapping, the proposal actually requires that all communications and computer systems be designed to facilitate interception of private messages, on a concurrent and remote basis - thus imposing new engineering standards that go far beyond any existing law. As currently drafted, the proposal would impose substantial costs and create significant uncertainties, despite the absence of any clear showing that the proposed measures would be either effective or necessary. In addition, the proposal raises serious security and privacy concerns.

Beginning some time last year, the FBI has expressed concern that technological changes occurring in the telecommunications industry might have an adverse affect on the ability of law enforcement officials to conduct lawful, authorized wiretapping. For example, the FBI has raised questions about its ability to extract individual telephone calls from multiplexed signals sent over light fibers using new digital protocols. Various FBI proposals have generated concern on the part of industry that the security and privacy of electronic communications and computer systems might be weakened and that the competitiveness or technical advancement of various systems might be undercut. No one in industry challenges the FBI's right to cooperation in seeking to implement wiretaps or disagrees with the proposition that law enforcement officials need communications interception tools to do their vital job. The communications industry, network users and public interest groups are concerned with the broad sweep of the FBI's draft proposal and the potential uncertainties and costs it would impose. This memorandum explains the basis for those concerns.

Although the FBI proposal is described as relating to "digital telephony," it actually applies to all forms of communication, including all computer networks. The proposal requires that equipment be designed to give access to communications on a "concurrent" basis, regardless of the mobility of a target, in isolation from messages being exchanged by any other persons. These requests may have complex and differing application in different contexts, but they would certainly introduce additional costs and substantial uncertainties for both equipment manufacturers and everyone who offers messaging service to others. These days, the list of those covered by the proposal ("providers of electronic communications services" and "PBX owners") includes just about everyone. Because the wiretap statute was written to protect the privacy of a broad range of communications types, and because of the growing interdependence and intermixing of all forms of communications, the statutory language of the FBI proposal could turn out to require redesign or expensive alteration of:

  • public electronic mail systems, like those offered by MCI, AT&T and a host of other companies and individuals;

  • all telephone switches and the sophisticated equipment used by long distance carriers;

  • software used by online information services like Prodigy, GEnie, Compuserve, America Online and many others;

  • local area networks, linking all kinds of computers, operated by small businesses, colleges and universities and many other types of organizations, including links into these systems from other homes and offices;

  • PBXs owned by small and large businesses;

  • high speed data networks connecting workstations with mainframes and supercomputers, as well as those carrying messaging traffic across the "Internet;"

  • radio-based and cellular communications systems, including pocket telephones and computers with radio-based modems;

  • the thousands of small personal computers owned by businesses, hobbyists, local governments, and political organizations that communicate with others via computer bulletin boards;

  • private metropolitan wide area communications systems used by businesses such as large banks;

  • satellite uplink and downlink equipment supporting radio and television transmissions and other communications; and

  • air-to-ground equipment serving general aviation and commercial aircraft.

We are becoming an information economy and, accordingly, imposing mandatory system design requirements on all those involved in the transfer of information has an impact on large numbers of people and most sectors of the economy.

There is no doubt that evolving technologies will challenge law enforcement officials and industry alike. We need effective law enforcement tools, as well as appropriate levels of privacy and security in communications and computer systems. The goals underlying the FBI proposal are valid and important ones. But they may well be best achieved without additional legislation. Industry has historically cooperated with law enforcement and is presently engaged in ongoing discussions to identify specific problems and concrete solutions. This cooperative process will lead to needed exchanges of technical information, better understanding on all sides of the real policy issues, and better, more cost-effective solutions. Congress should reject the FBI proposal and encourage continuing discussions that will lead to more specific identification of any problems and to more concrete, cost-effective solutions.

Analysis of the FBI Proposal Regarding Digital Telephony

What is Proposed? The most recent proposal imposes obligations to provide various generic interception "capabilities and capacities" and empowers the Attorney General to grant exemptions, after consultation with the Federal Communications Commission, the Department of Commerce and the Small Business Administration. Any person who manufactures equipment or provides a service that failed to comply with the broad and vague requirements of the proposed statute would be subject to a civil penalty of $10,000 per day.

How Serious is the Problem?

The predicate for the FBI proposal is that advances in technology have made it more difficult for the government to intercept particular telephone conversations in the course of legally-authorized wiretapping. There have been few actual problems, historically, in executing authorized wiretaps. None have stemmed from characteristics of communications equipment design (as distinct from limitations in equipment capacity). On the other hand, it is clear that, over time, changes in the technologies used for communications will require the FBI (and the communications industry as a whole) to use new techniques and to acquire additional equipment and skills. Some developments, such as encryption, may make interception (or, at least, understanding the contents of what has been "intercepted") much more difficult - but in ways that are not even addressed and cannot be fixed by the proposed legislation. (It is difficult to evaluate the FBI argument that it would have asked for more interceptions if some technological barriers had not existed. There have always been and will always be some technological barriers to interception of the content of communications the participants seek to protect.)

Existing law requires all companies providing electronic communications services to cooperate fully with lawful requests from the FBI and other law enforcement officials - and there is no history of any general failure to provide such cooperation.

Existing law also contemplates that the government will bear the costs imposed by the government's requests for access to communications. (As noted below, the proposal does not specifically extend that principle.) There is no showing that the government lacks the financial resources to modernize its communications equipment or to fund the costs of lawful interceptions that it initiates.

Since the total number of content wiretaps in 1991 authorized by Federal and State courts was only 856 taps (and almost 60% of these were at the State level, 356 Federal versus 500 State), and since the call-set-up or pen register tap orders for 1991 at the Federal level were only 2,445, (thus, implying a national total under 7,000), it appears the costs may be better targeted to the specific lines or ports necessary, instead of burdening all lines or ports existing in the network. See Administrative Office of the U.S. Courts "Report on Applications For Orders Authorizing or Approving the Interception of Wire, Oral, or Electronics Communications (Wiretap Report)" for the period January 1, 1991 to December 31, 1991 and letter from the Assistant Attorney General W. Lee Rawls to the Honorable Jack Brooks, Chairman of the Committee on the Judiciary of the United States House of Representatives, dated April 23, 1992, providing the annual report of the Attorney General on pen register orders.

By comparison, there were over 138 million access lines as of December 31, 1990 according to the United States Telephone Association and this does not include ports used for cellular or many other network accesses. (We understand the current FBI budget provides for $9 million for new digital telephony interception equipment.) Thus, although there is valid reason to be concerned that changes in technology will challenge law enforcement agencies to find and adopt new techniques, there is no immediate crisis requiring swift action.

Broad Scope of the Current Proposal

The FBI proposal covers all providers of "electronic communications services" and all "private branch exchange operators." These days, that means just about everybody, including every business that has its own phone switch and every company that operates its own local or wide area computer network. The Electronic Communications Privacy Act defines "electronic communications services" to include electronic mail, file transfers over a Local Area Network ("LAN") and, indeed, every form of transmission of a message other than voice telephone calls (which are also covered by the proposal as "wire" communications), and sound waves in the open air (the only form of communication not covered by the proposal). (See 18 U.S.C. 2510(12),(15).) All "providers" of such services would be affirmatively required, within three years, to provide law enforcement officials with the "capability and capacity" to intercept communications. This capability would have to be provided "concurrently" with the communication, without detection (apparently without regard to the target of the wiretap possibly employing sophisticated wiretap detection capabilities), exclusive of any communications between other parties, regardless of the mobility of the target, and without degradation of service.

These absolute requirements might not be capable of being met, as a technical matter, in some contexts, regardless of costs. The proposal is redundant, in the sense that it requires the ability to access communications at all points during their transmission, even though access at one point is all that is needed in any given circumstance. Although current wiretap law requires "minimization" and use of wiretaps as a "last resort," the proposal imposes obligations on all communications systems as if preserving the ability to wiretap at any point should be the system designer's highest priority. The application of these requirements would have substantially different costs and other implications depending upon where in a communications pathway they were actually applied. In any event, they dramatically expand the nature and reach of current law - which requires cooperation but does not grant the government a right to redesign the communications network or the equipment used by large numbers of businesses.

The FBI has defended its proposal on the ground that it is only seeking to "preserve the status quo," by preventing changes in technology from taking away capabilities that Congress meant to assure when it passed the 1968 and 1986 wiretap statutes. But that mischaracterizes the "status quo". The current wiretap statutes take the communications networks as they find them and do not require any provider of communications service to redesign the system, or to refrain from using any particular technology, solely on the ground that such a technology would make interception more difficult. While there may well be sound reasons for all concerned to cooperate to seek to preserve for the government a practical ability to engage in authorized wiretapping, there is simply no existing legal authority for law enforcement officials to mandate the use of particular technologies and, thus, contrary to the claims made by the FBI, the proposal does not simply maintain the status quo, but greatly expands the jurisdiction of the Attorney General and would represent a giant step beyond current law and congressional intent going back to 1968.

While the proposal imposes substantial uncertainties, to be discussed below, there is no question that, as drafted, it would have an extremely broad reach. As a result, it could complicate the development of various new technologies. Even though the language of the proposal would extend to cable information systems and Automated Teller Machines ("ATM"), the FBI has stressed in its proposal that various systems might be exempted by executive action. But the exemption authority is vague and standardless - so the net effect is that every system provider has to worry on a continuing basis about whether or not its system is covered. Moreover, the proposal is clearly designed to cover any system facilitating two-way conversation, regardless of the size of the communications service provider. In consequence, any small business that installs its own local PBX system for forwarding calls from customers could be required to replace its equipment with new switches that meet the law's requirements. If current online information services do not track the "services" and "features" used by those who send messages through their electronic mail channels, then expensive modifications might be mandated. Because these electronic mail systems are all being joined together, and some function as links that forward messages between other systems, all might have to be designed to allow "real time" interception by retransmission to a remote site - even though delayed searches of stored files would seem to make a lot more sense in the context of electronic mail.

Costs Likely to be Imposed by the Proposal

The costs imposed by this proposal would be passed on to consumers and to all subscribers to electronic communications services. The total costs, including costs imposed by its potentially disruptive impact on planning for new computer and communication technologies, cannot be fully assessed - but would clearly be very substantial. In its report on the FBI's proposal, the General Accounting Office ("GAO"), page 1, stated: "[N]either the FBI nor the telecommunications industry has systematically identified the alternatives, or evaluated their costs, benefits, or feasibility." And further at page 4 of the GAO Report: [T]he [FBI's] May proposal does not address what the telecommunications industry would need to do to be in full compliance with the proposal in the event it is enacted, the meaning of certain technical terms, or who would pay for the cost of wiretapping solutions.

The proposal mandates compliance with very broadly stated functional standards and contemplates that exemptions (available from the Attorney General, without the benefit of any specific standards or criteria) will be granted only after this broad new governmental authority has been enacted into law. The most recent proposal assumes that the costs of compliance will become a cost of doing business imposed on all communications service providers - and passed on to telephone ratepayers and other subscribers to electronic communications services. (The current law's provision that the government will pay reasonable expenses incurred in cooperating with a specific request for interception have not been expressly applied to this new requirement to "provide the capability and capacity" to respond to such requests.) Communication service providers and computer equipment manufacturers could suffer major losses as a result of delays, mandatory redesigns, and even prohibition of certain technological options. There has been no opportunity as yet to compare (1) the costs the FBI would incur to modernize its approach to interception (especially given the data on the small number of taps performed annually) with (2) the costs that would be incurred by consumers as a result of mandatory limitations on new technology design applied to all technologies nationwide.

Uncertainties Created by the Proposal

By attempting to establish open-ended duties, broadly defined, in statutory language, the current proposal creates substantial uncertainties and could cause controversy to supplant cooperation. For example, although current interception orders predominantly relate to voice communications, the draft proposal covers all forms of communication. This approach could sweep up systems ranging from the cellular pager to the high-speed network designed to transfer digital data between supercomputers. It raises a wide variety of questions:

  • What exactly are the boundaries of the "public switched network" to which the proposal refers?

  • On what basis would the Attorney General choose, or be required, to provide exemptions?

  • How would the proposal affect systems that regularly encode messages at the point of origin?

  • Does the required provision of capacity to intercept "concurrent with the transmission to the recipient" mean that an electronic mail or voice mail or facsimile mail system must be designed to signal the system operator every time a message from a target of an investigation is accessed by the person to whom that message might have been addressed?

  • Will it be technically feasible to detect and separate just those parts of a communication signal coming from a particular residence or other source, that "exclusively" represent the content coming from a particular individual?

  • What is meant by the new, broad requirement that the government be told what "services, systems, and features" have been used by the subject of the interception?

  • Does the required provision of interception capacity "notwithstanding ... the use by the subject ... of any features of the ... system" have the effect of requiring the system provider to offer to defeat any encryption mechanism it may provide to subscribers?

  • Does the requirement to provide interception despite the target's mobility mean that systems that inherently allow users to send and receive from multiple points, without notice, cannot be used at all?

  • Will it be physically possible or economically feasible to prevent "degradation of services" if the functional requirement for real time tracking of any target means that some central database must be checked by the service provider's computers every time a communication is made?

We don't know the answers to these questions, despite their importance. More importantly, the answers to key policy questions may differ substantially depending on what particular technology and interception need (and minimization goal) is being addressed. And we don't even know by what means providers of electronic communications services and designers and users of electronic communications and computing equipment will find out how the requirements will be applied to their systems. In short, the FBI's proposal, as currently drafted, may generate new and unnecessary controversy, despite its legitimate goals, by attacking perceived problems at the wrong level of generality.

Threat to Security and Privacy

Ironically, in addition to creating uncertainty and imposing costs, the proposal would itself create new and serious security risks and undermine the privacy of electronic communications. If electronic communications service providers must design their systems to allow and ensure FBI access, then the resulting mandatory "back doors" may become known to and be exploited by criminals. Business is currently attempting to achieve greater security in its communications, to counter the threats posed by unauthorized access, computer viruses, and electronic theft. A proposal the FBI seeks to justify in terms of law enforcement could well have the effect of facilitating violations of law and reducing or preventing effective security measures.

Threat to International Trade and Security Interests

As drafted, the proposal appears to threaten U.S. interests in international trade and competitiveness. Potential purchasers abroad may not buy products or systems that they know have a "trap door" the United States Government can easily open. If U.S. manufacturers of communications systems and equipment and computer software have to go through a bureaucratic certification or clearance process that is not applicable to their foreign competitors, their race to the market with new technologies will be slowed and their products and designs will be disadvantaged.

Legitimate Law Enforcement Interests and Concerns Can and Should be Served There is no doubt that authorized wiretapping is an important weapon properly used by the FBI to fight serious crime. And there is general agreement among communications service providers, and the makers of communications and computing equipment, that the FBI is entitled to full cooperation in its efforts to exercise the powers granted to it in the wiretap statute. If new technologies require changes in police tactics, then accommodations may be needed on all sides to make sure that new tactics that do not threaten the effectiveness or safety of law enforcement (or unreasonably threaten privacy interests) are available. The FBI proposal has served a valuable purpose in drawing attention to the need for adequate planning and redoubled cooperative efforts.

It is Too Soon to Tell Whether Legislation will be Necessary

Despite the good intentions underlying the FBI proposal, there is certainly no demonstrated need to hamper U.S. technological advances, harm the competitiveness of the U.S. communications or computer industries, or hinder efforts by business to increase computer security, just to make sure that law enforcement officials can continue indefinitely to use the same equipment and procedures that were appropriate for an earlier technology. There has as yet been no clear showing that the design of new technologies will not permit reasonable, affordable and effective techniques to be used for authorized interception. There has been no showing that the industry will not or cannot cooperate fully, share technical information under appropriate protections, and even design and supply new equipment at reasonable cost, insofar as these steps prove necessary for the FBI to accomplish its mission. There has been no clear showing that any capacity limitations could not readily be remedied with the provision of adequate financing for government law enforcement operations.

The Current Proposal is Clearly Premature, in Light of Active Ongoing Efforts by Industry to Identify and Solve any Serious Problems An ad hoc coalition of interested parties has joined together to study the issues posed by the FBI's proposal and to begin discussions involving various business interests, public interest groups, the law enforcement community, legislative staff, and representatives of the Administration. All involved recognize that the FBI is entitled to have adequate tools to fulfill its law enforcement objectives. For its part, the FBI has recognized the value of industry cooperation and the need for a more robust exchange of technical information. Once the technical issues come into focus, particular policy issues may be ripe for decision, in a context in which the costs and implications of such decisions for trade, security and privacy concerns will be much more clear. Technical Working Groups representing both the telephone companies and the computer industry are hard at work - but the issues are complex and even the first stage of identifying serious potential problems for law enforcement will take some time. Consideration of proposed solutions should await the results of these detailed and technical discussions.

Conclusion

As the broad collaboration that accompanied consideration of the 1986 amendments to the wiretap statute showed, the public interest in sound law enforcement, and public expectations of privacy and security, are best served by encouraging a constructive exchange of views among industry, concerned citizens and government, before any new legislation is enacted. Congress should reject the FBI proposal and encourage continuing discussions that will lead to more specific identification of any problems and to concrete, cost-effective solutions.

This report was prepared by the Electronic Frontier Foundation in coalition with:

abcd - The Microcomputer Industry Association
Advanced Network & Services, Inc.
Agson, Inc.
American Civil Liberties Union
Arrow
AT&T
Cellular Telecommunications Industry Association
Computer and Business Equipment Manufacturers Association
Computer and Communications Industry Association
Computer Professionals for Social Responsibility
Digital Equipment Corporation
Eastman Kodak
Electronic Mail Association
Graphics Technologies, Inc.
IBM
Information Industry Association
Information Technology Association of America
Iris Associates
Logistics Management, Inc.
Lotus Development Corporation
Merisel, Inc.
Micro Computer Centers Inc.
Microsoft Corporation
Okidata
Oracle
Panamax
PC Parts Express
Prodigy
Seneca Data Distributors, Inc.
Software Publishers Association
Sun Microsystems
Telecommunications Industry Association
United States Telephone Association
Westbrook Technologies

For further information contact: Jerry Berman 202/544-9237 or David Johnson 202/663-6723 for the Electronic Frontier Foundation


Return to CPSR conferences page.
Return to the CPSR home page.
Send mail to webmaster.
Archived CPSR Information
Created before October 2004
Announcements

Sign up for CPSR announcements emails

Chapters

International Chapters -

> Canada
> Japan
> Peru
> Spain
          more...

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
more...
Why did you join CPSR?

I want to use my expertise to try to change the way the public sees the whole voting machine mess.