May 10, 2019

Facebook recently announced a major redesign of its social media platform that will accommodate more advanced communications.  Other high-tech competitors, including website operators, app developers, and handset vendors, have likewise introduced new ways to communicate.  Unlike traditional communications carriers, the advanced providers are not subject to the CALEA lawful surveillance mandate. Should they be?


The Scope of Communications Providers Covered by CALEA


When CALEA was enacted in 1994, the statute applied to traditional telecommunications carriers. Think plain old telephone service, cellular radio, and other common carrier offerings such as satellite phone service.  At the time, federal legislation was needed because the complexities of cellular signaling frustrated lawful surveillance. The statute therefore required all “telecommunications carriers” to facilitate court-ordered surveillance by installing technical capabilities for interception in their networks.  A telecommunications carrier was defined as an entity that provided “transmission or switching” of electronic communications.


The 1994 Congress was aware of the internet. But because the new computer-based medium was not used significantly by criminals, and because political leaders wanted to let the nascent technology grow unfettered by regulation, they limited CALEA by exempting “information services” and “electronic messaging services.”  The latter category referred to email.


Since then, CALEA has never been amended.  However, in 2005 the FCC broadened its interpretation of CALEA to include two internet-age services: broadband access and two-way interconnected VoIP.  


The New Communication Service Providers


After 2005 the internet continued to evolve.  Facebook is a good example. Its latest overhaul will facilitate more personalized, privacy-focused communications for individuals and groups.  Users will find it easier to make new friends, coordinate social events, apply for jobs, and navigate the dating world. End-to-end encryption will be more uniformly applied.  In the process, Facebook will unite its wildly popular apps for text messaging, voice communications, photo-posting, and video sharing (currently branded as Messenger, WhatsApp and Instagram) and make them more user-friendly.  Less attention will be devoted to Facebook’s impersonal and unsecured “News Feed” broadcasts to the world.


Facebook is hardly the only communications innovator.  For years Google Voice has offered a suite of messaging, telephony and voice mail, while Google Hangouts has carried messaging and videoconferencing. Apple provides similar services on its iMessage platform.  With Twitter, Tumblr and Reddit, users can upload multi-media content to the internet and exchange comments on the digital creations. Snapchat is an app that lets a user decide how long a message, photo, or video will appear on the recipient’s device before it automatically disappears.  A cross-platform app called Signal provides end-to-end encrypted messaging, voice communication, and video calling.


The Resulting CALEA Coverage Divide


None of the above-described new communications providers say they are subject to CALEA.  They contend that because email is a CALEA-exempt “electronic messaging service,” the same exemption applies to text messaging, multi-media messaging, and rich communication services.  But legal experts in law enforcement may disagree. To them, putting advanced messaging beyond the reach of CALEA only hinders investigators from accessing the data they need to solve crimes.  Congress or the Federal Communications Commission could resolve the legal ambiguity. But so far neither authority has addressed the issue.


Where a messaging service is provided via an “over-the-top” app, as opposed to a wireless carrier, the argument for CALEA exemption grows stronger.  First, the app developer could assert that because it does not provide “transport” or “switching” of electronic communications it is not a CALEA telecommunications carrier. Next, the developer could claim it offers an exempt information service, no different for CALEA purposes than an internet search, browsing, or web site service.  Finally, the entrepreneur could seek refuge under the electronic messaging service exemption.


No doubt criminals and terrorists know which communication networks are equipped for lawful surveillance.  The more sophisticated bad guys go to extremes to keep their conversations concealed from investigators. Nevertheless, in the case of advanced communication services, even a valid court order for surveillance may be impossible to implement if the targeted network lacks CALEA-prescribed technical capabilities.


Exacerbating the problem for law enforcement is the spread of end-to-end encryption.  There is no one place in such a communication path where the voice or text is converted to plain text, so there is no place where a lawful intercept can capture the communication in a readable form.  FBI agents have asked Apple and Facebook to decrypt suspect communications to help solve investigations. But the high-tech titans refused. Neither entity is a CALEA telecommunications carrier. Even if they were subject to CALEA, the statute would not prevent them from securing communications with impenetrable encryption.  It is already common for networks to facilitate encryption in a way that even the network owners cannot decrypt.


The proliferation of non-interceptable communications services has caused law enforcement to complain they are “going dark.” The fear is that many suspects may be communicating entirely without detection.  If left unaddressed, the problem may ultimately be called “going into a black hole.”


Another consequence of the surveillance-stunting trend is that the communications industry now lives in a regulatory divide.  Some service providers are required by CALEA to install technical capabilities for lawful surveillance while their competitors are not.  This type of disparity is unknown in most, if not all foreign jurisdictions. In countries from Canada to the European Union, Australia, and Brazil, the surveillance statutes contain no exemptions for information services or electronic messaging.  To those nations, CALEA must look like an ancient relic.


Closing the CALEA Coverage Divide


CALEA is now 25 years old.  The internet is no longer a nascent service free from significant criminal or terrorist use.  On the contrary, the nefarious actors presumably exploit the most advanced internet-based techniques to plan and execute their schemes.  This is reason enough, for public safety minded people, to close the CALEA coverage divide. Congress could do so by updating the old statute.


On the other hand, updating CALEA is not as easy as repealing the exemptions for information services and electronic messaging.  The statutory definition of “telecommunication service” does not fit social media networks, handset vendors, or app developers. Some of those cutting-edge innovators have no physical presence in the U.S. and therefore may not even fall within U.S. jurisdiction.  Others may lack access to a suspect’s communications content or metadata. Yet another issue: the advanced entities generally operate beyond the jurisdiction of the FCC, the regulator that implements and enforces CALEA.


Even if the CALEA coverage gap is closed, end-to-end encryption would continue to stymie law enforcement investigations.  Law enforcement agencies worldwide want lawful access to suspect communications in plain text. But private sector experts warn that industry should not create such decryption “back doors” because doing so would compromise the privacy and security of innocent communications.


Congress has the authority to prevent law enforcement from going dark. Ideally, the lawmakers should preserve law enforcement’s ability to conduct lawful surveillance, return industry to a level regulatory playing field, and strictly protect user privacy.