WILL THE PARIS ATTACK PROMPT AN UPDATE OF CALEA?
The November 13th terrorist attacks in Paris triggered an immediate expansion of electronic surveillance in the U.S. Within two days of the attacks, CNN and other news outlets reported that the FBI had sharply increased its surveillance of potential terrorists, especially those suspected of involvement with the Islamic State, or “ISIS.”
U.S. leaders in law enforcement and intelligence also revived complaints that their surveillance teams are “going dark.” They pointed to the widespread adoption of strong encryption and techniques used to evade surveillance. Does this mean U.S. law enforcement will soon ask Congress to update the CALEA (lawful surveillance capability) mandate on communication service providers?
Past Initiatives to Update CALEA
The CALEA statute was enacted in 1994, before the Internet was broadly available. In fact, the statute expressly exempted email and other “information services” from its scope of coverage. In 2005 the FCC expanded the scope of CALEA to include broadband access service and two-way interconnected VoIP service. But the expansion did not fill the coverage gap for email, social networks, or other innovations such as XBOX and Sony Playstation gaming consoles, which offer both voice and text messaging.
In 2007 the Department of Justice (DOJ) and FBI announced that to keep their surveillance agents from going dark Congress should update CALEA to cover social networks. They also spoke of changing CALEA’s provision on encryption, which had become inadequate to help law enforcement decode intercepted signals. Privacy groups opposed any edits to CALEA, especially the encryption provision. In their view, giving law enforcement a “backdoor” to encrypted communications would only weaken the public’s protection from hackers and foreign spies. Ultimately the DOJ never submitted a CALEA legislative proposal to Congress, so the statute remained unchanged.
In 2011 the DOJ approached Congress about the going-dark issue, and the House Judiciary Committee held a hearing on whether to modify CALEA. Witnesses gave testimony about social networks, encryption, and other possible statutory fixes. Congressional leaders invited the DOJ to present a legislative draft. But the DOJ didn’t respond.
By 2014 the communications landscape had grown more challenging than ever for law enforcement. Many network owners and users had fortified their privacy defenses in the wake of the 2012 revelations of contractor Ed Snowden about the vastly powerful surveillance programs of the NSA. One of those defenses was Apple and Google’s “encryption-by-default” policy. The policy helped secure the encrypted content of an iPhone or Android phone from unauthorized access but also blocked law enforcement agents from gaining access, even when legally authorized to do so. In October of 2014 FBI Director James Comey announced he would meet members of Congress and seek an update of CALEA, primarily to overcome the encryption barrier. However, by October of 2015 he backed down, explaining that more thought was needed on how the decryption should work.
The Current Push to Update CALEA
Since the Paris attacks the US government seems more determined than ever to update the 21-year-old CALEA law. Calls for stronger surveillance capabilities are now heard not just from FBI Director Comey but CIA Director William Brennan, Director of National Intelligence James Clapper, congressional leaders in both parties, and presidential candidates in both parties.
One reason for the newfound concern over surveillance techniques is because the public, not just law enforcement, now questions the adequacy of the existing intercept tools. After November 13th the world discovered that French authorities had placed some of the Paris terrorists, including mastermind Abelhamid Abaaoud, under surveillance but were still surprised by the attack. Media reports further revealed that terrorists in France and Belgium use gaming systems such as Sony Playstation and encrypted applications such as WhatsAp to communicate. Other reports added that ISIS recruits people on social media networks and then moves the conversations to encrypted channels to plan terror plots.
Privacy advocates are alarmed that communication users may lose the freedom, security, and privacy ensured by current networks. The last thing they want is a repeat of Congress’s post-9/11 rush to legislate broad new surveillance powers that weakened user protections. The privacy camp has strong advocates in Washington, including Democratic Senator Ron Wyden and Republican presidential candidates Ted Cruz and Rand Paul.
The Likelihood of a CALEA Update
Multiple committees in Congress are now scheduling hearings on the encryption issue. Whether the proceedings will ripen into proposed legislation remains to be seen. Any law addressing the complexities of encryption would be unusually difficult to draft.
Judging from the media debate, there is a good chance Congress will somehow amend the old CALEA statute. Whether they accomplish the task very soon seems more speculative, especially considering the distractions of the upcoming presidential election year. Much depends on which public demand grows stronger: the one for public safety or the one for privacy.