ISP CALEA compliance
Steven M. Bellovin
smb at cs.columbia.edu
Fri May 11 19:43:50 UTC 2007
On Fri, 11 May 2007 10:52:21 -0400
William Allen Simpson <william.allen.simpson at gmail.com> wrote:
> David Lesher wrote:
> > > Speaking on Deep Background, the Press Secretary whispered:
> >> You work so hard to defend people that exploit children?
> >> Interesting. We are >> talking LEA here and not the latest in
> >> piracy law suits. The #1 request from a >> LEA in my experience
> >> concerns child exploitation.
> > That's nonsense, or his (press secretary's) experience consists of
> > watching
> /Law & Order/ and /Without a Trace/.
> No official statistics backs that up. Where in the world does he
> > I think you'll find most intercept orders are drug cases. > So I've
> > heard, but my experience was the Ashcroft 'net p0rn crackdown.
> What a waste of time and resources for a perfectly legal activity!
> Of course, CALEA (and PATRIOT) were supposed to be about tracking
> terrorists, not common criminals. That was never the real purpose;
> it was just a wish list.
> Also, with so many college students, we *are* talking about piracy
> lawsuits. But that's civil law, not CALEA or PATRIOT. Hopefully,
> they haven't tried to expand into that, too?
The latest revisions to copyright law did provide for more criminal
Let me toss in a few more factual URLs.
First, on this topic: Federal wiretap warrants can only be issued for
specific crimes. That list is in 18 USC 2516; see
The list is long, but it doesn't seem to include the RIAA's least
favorite activities -- at least, not yet... (The list has also been
expanded significantly in recent years. I haven't bothered to check
the details, but I think that most of the expansion was via the PATRIOT
Act. Much of the PATRIOT Act, I might add, was a long set of DoJ/FBI
wish list amendments, things they'd wanted for years but couldn't get
through Congress until after 9/11. My source for that, btw, is
conversations with people in DoJ.)
For CALEA deployment status, see
Note in particular how much more expensive CALEA taps are...
For the latest wiretap report, just out last week, see
Pay particular attention to Table 3. The highlight: 80% of all
wiretaps were for narcotics offenses. There is *no* separate category
for pornography, child or otherwise, which caps the percentage at the
3.5% for "Other". To be sure, the report notes that sensitive ongoing
cases are not counted; this may reflect ongoing sting operations or
national security wiretaps, There are no national security or
terrorism wiretaps listed, possibly because those fell under FISA (50
USC 1801 --
For those who remember the Crypto Wars of the 1990s, it's interesting
to note this section of the wiretap report:
Public Law 106-197 amended 18 U.S.C. 2519(2)(b) to require that
reporting should reflect the number of wiretap applications
granted for which encryption was encountered and whether such
encryption prevented law enforcement officials from obtaining
the plain text of communications intercepted pursuant to the
court orders. In 2006, no instances were reported of encryption
encountered during any federal or state wiretap.
The situation may be different for national security wiretaps, but of
course that's where compliance with any US anti-crypto laws are least
Folks, the factual and legal data is out there, and it's not that hard
to find. Interpreting it is harder, and frequently does require a
lawyer who really knows the field. (My favorite example there is 18
USC 2072(c)(6), which *permits* communications providers to disclose
customer records (except for content) to "any person other than a
governmental entity". I was surprised enough when I first read that
that I went and looked up the legislative history, and it means exactly
what it says. *But* -- such activity is no longer legal. Why? The
Telecom Reform Act of 1996 bars telcos, at least, from certain forms
of information sharing internally, to promote competition in the
telephony market. They weren't trying to fix the privacy flaw in the
older statute; fortunately, they did -- by accident...)
As Bill Simpson has quite correctly pointed out, you're also not
required to roll over and play dead when someone from the government
asks you for some data. There are laws they're obligated to follow,
too. Even if you want to look at it from a purely selfish position,
you and/or your company may be liable if you co-operate with an
improper or illegal request. Have a look at
which provides for civil liability for illegal wiretaps. You're clear,
under that statute, if you have good reason to believe the request is
legal under certain very specific sections of the wiretap law, but not
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG