Government Affairs Blog
May 10, 2019
SHOULD ADVANCED COMMUNICATIONS NETWORKS INSTALL LAWFUL SURVEILLANCE CAPABILITIES?
Facebook recently announced a major redesign of its social media platform that will accommodate more advanced communications. Other high-tech competitors, including website operators, app developers, and handset vendors, have likewise introduced new ways to communicate. Unlike traditional communications carriers, the advanced providers are not subject to the CALEA lawful surveillance mandate. Should they be?
The Scope of Communications Providers Covered by CALEA
When CALEA was enacted in 1994, the statute applied to traditional telecommunications carriers. Think plain old telephone service, cellular radio, and other common carrier offerings such as satellite phone service. At the time, federal legislation was needed because the complexities of cellular signaling frustrated lawful surveillance. The statute therefore required all “telecommunications carriers” to facilitate court-ordered surveillance by installing technical capabilities for interception in their networks. A telecommunications carrier was defined as an entity that provided “transmission or switching” of electronic communications.
The 1994 Congress was aware of the internet. But because the new computer-based medium was not used significantly by criminals, and because political leaders wanted to let the nascent technology grow unfettered by regulation, they limited CALEA by exempting “information services” and “electronic messaging services.” The latter category referred to email.
Since then, CALEA has never been amended. However, in 2005 the FCC broadened its interpretation of CALEA to include two internet-age services: broadband access and two-way interconnected VoIP.
The New Communication Service Providers
After 2005 the internet continued to evolve. Facebook is a good example. Its latest overhaul will facilitate more personalized, privacy-focused communications for individuals and groups. Users will find it easier to make new friends, coordinate social events, apply for jobs, and navigate the dating world. End-to-end encryption will be more uniformly applied. In the process, Facebook will unite its wildly popular apps for text messaging, voice communications, photo-posting, and video sharing (currently branded as Messenger, WhatsApp and Instagram) and make them more user-friendly. Less attention will be devoted to Facebook’s impersonal and unsecured “News Feed” broadcasts to the world.
Facebook is hardly the only communications innovator. For years Google Voice has offered a suite of messaging, telephony and voice mail, while Google Hangouts has carried messaging and videoconferencing. Apple provides similar services on its iMessage platform. With Twitter, Tumblr and Reddit, users can upload multi-media content to the internet and exchange comments on the digital creations. Snapchat is an app that lets a user decide how long a message, photo, or video will appear on the recipient’s device before it automatically disappears. A cross-platform app called Signal provides end-to-end encrypted messaging, voice communication, and video calling.
The Resulting CALEA Coverage Divide
None of the above-described new communications providers say they are subject to CALEA. They contend that because email is a CALEA-exempt “electronic messaging service,” the same exemption applies to text messaging, multi-media messaging, and rich communication services. But legal experts in law enforcement may disagree. To them, putting advanced messaging beyond the reach of CALEA only hinders investigators from accessing the data they need to solve crimes. Congress or the Federal Communications Commission could resolve the legal ambiguity. But so far neither authority has addressed the issue.
Where a messaging service is provided via an “over-the-top” app, as opposed to a wireless carrier, the argument for CALEA exemption grows stronger. First, the app developer could assert that because it does not provide “transport” or “switching” of electronic communications it is not a CALEA telecommunications carrier. Next, the developer could claim it offers an exempt information service, no different for CALEA purposes than an internet search, browsing, or web site service. Finally, the entrepreneur could seek refuge under the electronic messaging service exemption.
No doubt criminals and terrorists know which communication networks are equipped for lawful surveillance. The more sophisticated bad guys go to extremes to keep their conversations concealed from investigators. Nevertheless, in the case of advanced communication services, even a valid court order for surveillance may be impossible to implement if the targeted network lacks CALEA-prescribed technical capabilities.
Exacerbating the problem for law enforcement is the spread of end-to-end encryption. There is no one place in such a communication path where the voice or text is converted to plain text, so there is no place where a lawful intercept can capture the communication in a readable form. FBI agents have asked Apple and Facebook to decrypt suspect communications to help solve investigations. But the high-tech titans refused. Neither entity is a CALEA telecommunications carrier. Even if they were subject to CALEA, the statute would not prevent them from securing communications with impenetrable encryption. It is already common for networks to facilitate encryption in a way that even the network owners cannot decrypt.
The proliferation of non-interceptable communications services has caused law enforcement to complain they are “going dark.” The fear is that many suspects may be communicating entirely without detection. If left unaddressed, the problem may ultimately be called “going into a black hole.”
Another consequence of the surveillance-stunting trend is that the communications industry now lives in a regulatory divide. Some service providers are required by CALEA to install technical capabilities for lawful surveillance while their competitors are not. This type of disparity is unknown in most, if not all foreign jurisdictions. In countries from Canada to the European Union, Australia, and Brazil, the surveillance statutes contain no exemptions for information services or electronic messaging. To those nations, CALEA must look like an ancient relic.
Closing the CALEA Coverage Divide
CALEA is now 25 years old. The internet is no longer a nascent service free from significant criminal or terrorist use. On the contrary, the nefarious actors presumably exploit the most advanced internet-based techniques to plan and execute their schemes. This is reason enough, for public safety minded people, to close the CALEA coverage divide. Congress could do so by updating the old statute.
On the other hand, updating CALEA is not as easy as repealing the exemptions for information services and electronic messaging. The statutory definition of “telecommunication service” does not fit social media networks, handset vendors, or app developers. Some of those cutting-edge innovators have no physical presence in the U.S. and therefore may not even fall within U.S. jurisdiction. Others may lack access to a suspect’s communications content or metadata. Yet another issue: the advanced entities generally operate beyond the jurisdiction of the FCC, the regulator that implements and enforces CALEA.
Even if the CALEA coverage gap is closed, end-to-end encryption would continue to stymie law enforcement investigations. Law enforcement agencies worldwide want lawful access to suspect communications in plain text. But private sector experts warn that industry should not create such decryption “back doors” because doing so would compromise the privacy and security of innocent communications.
Congress has the authority to prevent law enforcement from going dark. Ideally, the lawmakers should preserve law enforcement’s ability to conduct lawful surveillance, return industry to a level regulatory playing field, and strictly protect user privacy.
March 18, 2019
HOW WOULD A NEW NATIONWIDE PRIVACY LAW IMPACT COMMUNICATION SERVICE PROVIDERS?
Congress may soon adopt a statute to provide nationwide privacy protection for personal information collected online. How would the new law affect communication service providers (CSPs)?
State privacy initiatives are pushing Congress to enact a nationwide privacy law
Companies that provide services through the internet commonly collect records containing personal facts about their customers. Meanwhile, the service providers increasingly sell those records to third parties, especially for marketing purposes. No one nationwide law protects the privacy of the personal data. Privacy advocates have called for a national privacy law, but in the absence of congressional action, individual states have taken matters into their own hands. Last year California adopted a strong privacy law, and other states have signaled their intent to follow suit. The specter of 50 different privacy mandates has provoked anxiety in the business community.
Arguably, the pro-privacy trend in America was inspired by a strong European privacy law called the General Data Protection Regulation (GDPR), which gained approval in 2016 and took effect in 2018. The GDPR gave “data subjects” the “fundamental right” to decide how their personal information is “controlled” and “processed.” Fines for breaches of the GDPR were set as high as four percent of a violator’s annual revenue. Since the advent of GDPR, many non-European nations have decided to craft similar nationwide privacy laws. Experts believe the widespread legislation could make the GDPR a global standard.
In response to the above policy tensions, congressmen have proposed nearly a dozen privacy laws that would apply nationwide and potentially preempt the state initiatives. The proposals would generally protect the privacy of all Americans who disclose personal information in their online transactions. Some of the legislative approaches would give consumers a privacy-protecting “bill of rights” similar to the GDPR. Other draft statutes would focus more on cyber security and data breach notices. Most of the legal schemes would be implemented through the Federal Trade Commission (FTC).
CSPs already operate under a nationwide privacy law: the SCA
CSPs use online-generated records to register and serve subscribers. These service providers already follow legal guidelines to protect the privacy of the records and disclose them in response to due process requests from law enforcement. The records-management policies are governed by the federal Stored Communications Act (SCA).
How would a new nationwide privacy law be reconciled with the SCA?
A new nationwide privacy law would likely parallel the SCA
None of the data privacy laws percolating on Capitol Hill would abolish or limit the SCA. Instead, the privacy measures would co-exist with the SCA. As a result, CSPs would continue to receive investigative requests from law enforcement. However, a mistake in handing subscriber records could subject the CSP to liability under both the new law and the SCA.
Reviewing a sample of the pending privacy bills reveals the potential interplay between those legal frameworks and the SCA.
The proposed Consumer Data Protection Act (S. 2188) would govern companies that use the internet to collect and share consumer data. It would instruct the FTC to establish a national “Do Not Track” website, similar to the existing “Do Not Call” site, so consumers may opt out of unwanted online marketing. The Act would not cover:
by law; … disclosures made pursuant to an order of a court or administrative
tribunal; … disclosures made in response to a subpoena, discovery request,
or other lawful process …. or … disclosures made to investigate, protect
themselves and their customers from, or recover from fraud, cyber attacks,
or other unlawful activity ….
A violation of the Act could trigger an FTC investigation and a fine totaling up to $25 million. In addition, an aggrieved consumer could pursue a private cause of action to recover damages, including punitive damages in egregious cases.
Under the Consumer Data Protection Act, if a law enforcement agency serves a CSP with a valid subpoena for a suspect’s subscriber records, the CSP would be required by the SCA to disclose the records, and the disclosure would be exempt from the Consumer Data Protection Act. However, if the CSP sends a subscriber a marketing message despite the person’s Do-Not-Track command, the CSP could be liable under both the SCA and the Consumer Data Protection Act.
The proposed Information Transparency & Personal Data Control Act (H.R. 6864) would generally govern web site “operators” engaged in the collection and sale of “sensitive personal information,” including financial information. Among other things, the bill would require the operators to: (a) give customers notice and a right of opt-in consent to the use of the sensitive data; and (b) observe policies to protect the privacy and security of the data. The bill would exempt sensitive data uses when the operators are “responding in good faith to valid legal process.” In an enforcement proceeding the FTC could levy a fine of up to $40,000.
Under this statutory formula, suppose a law enforcement agency sends a CSP a valid subpoena to learn a suspect/subscriber’s credit card payment information. Under the SCA, the service provider would properly disclose the credit card details. And because this sensitive personal information would be delivered in response to valid legal process, the disclosure would be exempt from the Information Transparency & Personal Data Control Act. Nevertheless, if the CSP were to sell the credit card data to an internet data broker, the seller could be punished under both the SCA and the Information Transparency & Personal Data Control Act.
The Congressional privacy bills that focus on cyber security and data breaches would likewise apply independently of the SCA. For example, if someone could hack into a CSP’s customer care database and delete subscriber records, the service provider might suffer penalties under both the data breach law and the SCA.
CSPs should prepare to meet both a new nationwide privacy law and the SCA
Congress is responding to growing public pressure for a nationwide data privacy law. The planned national privacy law may parallel some or all of the GDPR. So far, the question for CSPs is not whether such a national law would reduce their obligation to meet the needs of law enforcement. It would not. The new law would likely exempt valid SCA disclosures.
The greater concern is how CSPs would cope with any new privacy law layered atop the SCA. In an age of dual federal privacy regimes, a privacy violation could subject a CSP to two federal enforcement actions. CSPs should therefore prepare their privacy programs for a new source of potential liability.
January 14, 2019
AUSTRALIA’S NEW ENCRYPTION LAW: WHAT DOES IT MEAN TO THE COMMUNICATIONS INDUSTRY?
On December 8th the government of Australia enacted a statute designed to help law enforcement and intelligence agencies overcome technical barriers to lawful electronic surveillance. The most notable provisions of the statute would help monitor criminals, spies and terrorists whose communications are encrypted. How exactly will the new “Encryption Act” work, and what are the implications for the communications industry?
The ‘Going Dark’ Problem
Australia’s Telecommunications and Other Amendments (Assistance and Access) Act 2018 (the Encryption Act) was adopted to help government investigators implement court orders for lawful surveillance without crashing into the technical brick wall of encryption. For years law enforcement agencies in democracies worldwide had complained that they were ‘going dark’ because they could not decipher the lawfully intercepted communications. The gradual deployment of strong encryption had made the task increasingly difficult.
In the U.S. the “CALEA” lawful surveillance statute attempted to solve the encryption problem, but the measure was ineffective. A provision of the mandate required the communications industry to install surveillance solutions that would decipher encrypted communications. Unfortunately, the 1994 law failed to keep pace with modern encryption configurations.
Privacy groups actively opposed ideas to save investigations from going dark. In their view, any technique powerful enough to translate an encrypted phone call, email, or SMS message into plain text could be acquired and exploited by hackers to invade the privacy of innocent users. The activists rightly argued that communications privacy was vital to win subscriber trust.
How Australia’s Encryption Act Addresses the Going Dark Problem
Australia’s Encryption Act enables lawful access to a suspect’s encrypted messages. The Act applies to all “designated communications providers” (DCPs). This category includes not only traditional communication service providers such as telephone companies and wireless carriers but also VoIP providers, satellite operators, web site hosts, and telecom equipment vendors. Any communications industry competitor that operates facilities in Australia – or otherwise serves an Australian user – is apparently subject to the law.
The Act paves a path to decryption for both law enforcement and national security investigators. Specifically, the beneficiaries include the Australian Security and Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate, the Australian Federal police, the Australian Crime Commission, and the state and territory police forces.
Under the Act, the government may serve a DCP with any of three legal instruments. The first and least onerous document is the “technical assistance request.” A technical assistance request seeks surveillance support on a voluntary basis. For example, the government could question Apple about the encryption program applied to its iPhones. It could also inquire about how to access encrypted messages stored in an iPhone. The exact scope of the voluntary assistance was left undefined.
More burdensome is the “technical assistance notice.” This legal instrument is compulsory. A technical assistance notice may require a DCP to activate an existing decryption capability to access suspect communications or user logs. Presumably, this mandatory measure would be invoked only where a DCP refuses to help voluntarily.
The last form of assistance, called the “technical capability notice,” is also compulsory. It would require a DCP to develop a new decryption capability. For example, it may compel a DCP to provide law enforcement with a suspect’s password, if possible, or make the suspect’s communications accessible through a push technology.
As you would expect, anyone who fails to comply with either of the above-described notices could be fined.
How the Act Addresses Security and Privacy
The authors of the Encryption Act considered the risk of creating encryption “backdoors” that might be exploited by bad guys. Accordingly, the Act stated that a DCP shall not be forced to build a “systematic weakness or “systematic vulnerability” into its infrastructure. A systematic weakness or vulnerability was defined as a technical condition that would “affect a whole class of technology,” as opposed to “a particular person.” Observers say these definitions will likely be interpreted through case-by-case litigation.
Members of the Australian parliament wanted the Encryption Act to include additional provisions for security and privacy. To accommodate these political leaders, the government adopted the Act with a promise to discuss further modifications in 2019.
The Impact of the Act on the Communications Industry
The Encryption Act imposes a potentially expensive regulatory burden. In particular, the open-ended technical capability notice could expose a service provider to any kind of encryption-related technical mandate. On the other hand, the Act provides cost-based reimbursement for entities subject to such demands.
Also consider that the Act may impact some communications competitors heavily and others not at all. Regrettably, the service providers that undertook the greatest efforts to secure their networks with strong encryption may now be forced to expend the greatest resources to penetrate that security for the sake of improved surveillance. These entities are inferably the ones that marketed to the most privacy-minded customers. Thus, the new law may erode their competitive advantage. The harm may not be too significant, however, as long as Australia observes standards for surveillance and security that apply equally to all competitors.
Possibly, an international competitor with only a token presence in Australia could be forced to rearchitect its encryption infrastructure throughout its global network. In effect, Australia could dictate surveillance practices in other countries, even those that prioritize subscriber privacy. It is unclear how these policy conflicts would be resolved.
Further complicating the risk of a surveillance-privacy conflict, the U.S. and other countries may learn from Australia’s example and adopt decryption laws of their own. The intelligence alliance known as the “Five Eyes” – consisting of the U.S., Canada, the United Kingdom, Australia, and New Zealand – has spent years lobbying for relief from the blinding effect of encryption. If all these governments adopt decryption mandates, the communications industry may struggle to reconcile the potentially divergent technical assistance demands.
One overriding factor may ultimately iron out the above-described regulatory wrinkles. All democracies experience similar needs for lawful surveillance and privacy. Cool-headed diplomacy could produce an international consensus that balances the two policy goals. In fact, the U.S. has already negotiated treaties of law enforcement cooperation called “mutual legal assistance treaties” with numerous countries worldwide. Moreover, the U.S. Congress is gravitating towards a bipartisan national privacy law that would emulate the privacy framework of the European Union.
How Industry Service Providers Should Comply with the Act
The Encryption Act does not require covered communications service providers to take any immediate compliance steps. Instead, the tasks will emerge ad hoc as the Australian government may decide. The first providers to be contacted will probably be those with the largest subscriber bases. After all, the biggest networks tend to witness the greatest volume of illegal activity.
Smart service providers will not wait for an Encryption Act mailing from the government. They will take inventory of their encryption capabilities now.
To begin with, a provider should amass literature that answers the kind of encryption-related questions a law enforcement agency might ask in a technical assistance request. What type of encryption is employed in which services and features? Can the encrypted communications be decrypted today? If not, what types of technical modifications would be needed to meet that goal? How could the decryption solution minimize the risk of a systematic weakness or systematic vulnerability?
Next, each service provider should study the feasibility of its decryption options. It should specifically examine how the cost of complying with a technical assistance notice or technical capability notice may be compensated through the government’s cost-recovery process. To decrypt a given type of communication, would the resource burden be prohibitive? If so, that fact should be documented. It could prove decisive when contesting a technical capability notice.
After completing the above-described analyses, a service provider could request a meeting with Australian law enforcement to present its compliance strategy. Law enforcement officials respect industry members that position themselves as good corporate citizens. Meanwhile, the public-private meeting could help manage regulatory expectations.
A new and technically-challenging regulatory mandate like Australia’s Encryption Act is bound to increase the communications industry’s potential liability. However, a little planning and talking with regulators could substantially mitigate the risk.
January 4, 2019
Subsentio General Counsel Joel Margolis Interviewed by Corporate Counsel Magazine
Last week Corporate Counsel Magazine interviewed Subsentio General Counsel Joel Margolis. The reporter asked Joel about Subsentio’s comments in the pending Department of Commerce rule making proceeding on advanced technologies. In the comments, Subsentio had proposed a novel approach for the administration of export controls governing advanced surveillance technologies. The approach would create a streamlined process of approvals for exporters who qualify as “trusted” parties.
For the full article, please click the link below.
November 14, 2018
HOW ARE LAW ENFORCEMENT INVESTIGATIONS AFFECTED BY THE SUPREME COURT’S RULING ON WIRELESS LOCATION PRIVACY?
I recently moderated a legal seminar in Washington, D.C. on the issue of wireless location privacy. The seminar was hosted by the Federal Communications Bar Association, and the panelists represented a variety of opposing interests. In a series of questions, I asked them how law enforcement investigations are affected by the Supreme Court’s June 22, 2018 ruling in Carpenter v. US. The panelists’ reactions were not as divisive as you might think.
Based on the seminar, Carpenter is impacting law enforcement investigations significantly, despite the open-ended nature of the ruling. At the same time, the ruling’s loose logic will likely spawn a generation of litigation to strengthen privacy protection for other types of personal data.
The Carpenter Ruling
Carpenter v US held that wireless communication subscribers have a reasonable expectation of privacy in the long-term accumulation of records that track their wireless locations because the records reveal personal details about their lives, and therefore law enforcement investigators may collect such data only after qualifying for a judicial warrant, which requires them to serve a judge with a demonstration of probable cause. Probable cause is a higher standard of due process than the “2703(d)” hurdle widely observed in the pre-Carpenter days.
The Carpenter ruling was controversial. To begin with, courts had traditionally applied the legal standard of probable cause only to communications content such as phone conversations, email and SMS texts, and everything an internet user may view and hear during a browsing session. Carpenter applied probable cause to the non-content realm of wireless location records.
Another novel feature of Carpenter downplayed the traditional “Third Party Doctrine” of privacy protection. The Third Party Doctrine instructed that “business records” produced by activities such as phone calls, banking transactions, credit card charges, and hotel reservations were not private for purposes of the Fourth Amendment, and therefore not subject to the probable cause standard, because the customers of these services shared those personal details with their third party service providers. Carpenter held that wireless location records deserve Fourth Amendment protection even though subscribers share the information with their wireless carriers.
Yet another oddity of Carpenter appeared in a footnote. The incidental remark stated that wireless location records lasting as long as seven days would receive Fourth Amendment status but a shorter span of location data might not. In response, observers questioned why seven days of such data should deserve any more privacy protection than six days or five.
The Consensus Interpretation of the Ruling
One of the panelists at the above-described seminar was a high-ranking attorney in the Department of Justice. Another was a senior counsel in a Tier I communications company. The third was a spokesperson for a leading public interest group that watchdogs government surveillance. And the last was a Fourth Amendment scholar with the National Association of Criminal Defense Lawyers. You might expect these diverse experts to present different interpretations of the Carpenter case. They did not.
All four experts agreed Carpenter raised as many questions as it answered. What should be the scope of the probable cause standard now that it covers at least one type of non-content communications? How will judges know whether and how to apply the Third Party Doctrine to all the myriad types of personal business records shared with service providers? Should wireless carriers insist on probable cause-based warrants, as opposed to 2703(d) orders, before fulfilling all law enforcement requests for location records, regardless of whether the covered timeframe extends as long as seven days?
The last question may be yielding to a practical result. When the communications provider panelist was asked how his company’s law enforcement assistance staff applies Carpenter, he said they “hold law enforcement to the highest standard.” He explained that they expect warrants for all location records requests, even those with one-day timeframes, while accepting lower levels of due process in emergency situations, as the Carpenter Court allowed.
The DOJ representative was asked how Carpenter has changed the government’s efforts to gather location data. He said their current policy is to meet the probable cause standard as often as possible, even when requesting fewer than seven days of records. However, he warned that the new practice makes it harder to solve crimes.
These responses indicate that Carpenter has substantially raised the bar for nearly all law enforcement requests involving location records.
The Consensus Prediction of Outcomes from the Ruling
The four panelists also offered similar predictions of how Carpenter will shape future investigations. They all expect abundant litigation over the questions left unanswered by the case. For example, now that law enforcement must show top-level due process to obtain records of a suspect’s past wireless locations, the investigators may eventually be held to the same high standard before engaging in real-time location monitoring.
Likewise, now that location data is subject to probable cause, other types of communications metadata may gradually fall under the same legal standard. Knowing who called a suspect, and who the suspect called, can be revealing about the individual’s personal life.
Conceivably, we may see legal fights over the Fourth Amendment treatment of non-communications records. Some examples include video surveillance data, facial recognition data, data generated by the “internet of things,” and of course, the records kept by banks, credit card companies and hotels.