On the heels of the House’s recent approval of the Cyber Intelligence Sharing and Protection Act (CISPA), CNET News reports that the FBI has drafted amendments to the Communications Assistance for Law Enforcement Act (CALEA) that would significantly expand the scope of the statute. The FBI and other law enforcement officials have long been concerned about the increasing volume of communications occurring on technology platforms that are beyond the reach of CALEA, and outside of law enforcement’s existing surveillance capabilities. The FBI reportedly terms this phenomenon the “Going Dark” problem. Solving it as the FBI proposes, however, could require significant operational changes by service providers that utilize such technologies.
Originally enacted in 1994, CALEA requires telecommunications carriers to construct and engineer their networks to accommodate lawful surveillance of communications over such networks. In 2005, at the urging of the Department of Justice and the FBI, the FCC expanded its interpretation of “telecommunications carriers” subject to CALEA to include facilities-based broadband and interconnected Voice over Internet Protocol (VoIP) service providers.
Now, CNET News is reporting that the FBI’s draft amendments would extend the scope and reach of CALEA and require technology companies that build and operate communications platforms – including social networks, messaging and non-interconnected VoIP – to alter their code in order to build in “back doors” that permit lawful surveillance (for example, pursuant to court order). Thus, the FBI’s amendments would reportedly extend CALEA obligations to social networks, non-interconnected providers of VoIP (like Skype, FaceTime, and Google Voice), instant messaging services, and Web-hosted email services. The FBI’s proposal would also reportedly include a gating threshold, such that the new obligations would only apply to technology platforms if the number of subscribers, or users, exceed a defined threshold.
Privacy advocates and technology providers are likely to oppose any such extension of CALEA. Concerns over legislation targeting copyright and intellectual property theft – the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) – led Congress to shelve those bills after a widespread campaign by various segments of the Internet community. Wikipedia, Craigslist, Mozilla, and many other Internet sites staged blackouts of their service in January of this year, and Google’s home page took visitors to a petition against SOPA and PIPA.
Although it is unclear if the White House endorses such an extension of CALEA, if the proposal provokes a reaction similar to that seen during the SOPA and PIPA debates, the proposal may not go anywhere. Indeed, the President has stated his intent to veto another proposal to expand surveillance and information collection efforts on networks, i.e., CISPA, if passed in its current form. Instead, the White House backs the approach of the pending Cybersecurity Act of 2012 (S-2105) which includes provisions for various private sector entities to share cyber threat information to protect the Internet and network communications. The massive Cybersecurity Act in its current form would require the Department of Homeland Security to work with various government agencies and industry sectors to designate “critical infrastructure” for protection from cyberattacks. It would also likely require an overhaul of security standards and practices for communications networks as well as for the energy, financial services, and chemical production industries. The Cybersecurity Act will be debated in the coming weeks.
These federal efforts to change cybersecurity law obviously could force material changes in numerous business models, and require careful attention in the coming weeks and months.