Images de page
PDF
ePub

While the FBI proposal is described as relating to "digital telephony," it actually applies to all forms of

communication, including all computer networks.

Executive Summary

Although the FBI has characterized its proposed "Digital Telephony" legislation as relating to the preservation of government's ability to engage in authorized wiretap ping, the proposal actually requires that all communications and computer systems be designed to facilitate interception of private messages, on a concurrent and remote basis-thus imposing new engineering standards that go far beyond any existing law. As currently drafted, the proposal would impose substantial costs and create significant uncertainties, despite the absence of any clear showing that the proposed measures would be either effective or necessary. In addition, the proposal raises serious security and privacy concerns.

Beginning in 1991, the FBI expressed concern that technological changes occurring in the telecommunications industry might have an adverse effect on the ability of law enforcement officials to conduct lawful, authorized wiretapping. For example, the FBI raised questions about its ability to extract individual telephone calls from multiplexed signals sent over light fibers using new digital protocols. Various FBI proposals have generated concern on the part of industry that the security and privacy of electronic communications and computer systems might be weakened and that the competitiveness or technical advancement of various systems might be undercut. No one in industry challenges the FBI's right to cooperation in seeking to implement wiretaps or disagrees with the proposition that law enforcement officials need communications interception tools to do their vital job. The communications industry, network users and public interest groups are concerned with the sweep of the FBI's draft proposal and the potential uncertainties and costs it would impose.

Although the FBI proposal is described as relating to "digital telephony," it actually applies to all forms of communication, including all computer networks. The proposal requires that equipment be designed to give access to communications on a "concurrent" basis, regardless of the mobility of a target, in isolation from messages being exchanged by any other persons. These requests may have complex and differing application in different contexts, but they would certainly introduce additional costs and uncertainties for both equipment manufacturers and everyone who offers messaging service to others. These days, the list of those covered by the proposal ("providers of electronic communications services" and "PBX owners") includes just about everyone. Because the wiretap statute was written to protect the privacy of a broad range of communications types, and because of the growing interdependence and intermixing of all forms of communications, the statutory language of the FBI proposal could turn out to require redesign or expensive alteration of:

• public electronic mail systems, like those offered by MCI, AT&T and` others;

• all telephone switches and the equipment used by long distance carriers; • software used by online information services like Prodigy, Genie, Compuserve, America Online and many others;

• local area networks, linking all kinds of computers, operated by small businesses, colleges and universities and other organizations, including links into these systems from homes and offices;

• PBXS owned by small and large businesses;

• high speed networks connecting workstations with mainframes and supercomputers, as well as those carrying traffic across the "Internet;" • radio-based and cellular communications systems, including pocket telephones and computers with radio-based modems;

• the thousands of personal computers owned by businesses, hobbyists, local governments, and political organizations that communicate with others via computer bulletin boards;

• private metropolitan wide area communications systems used by businesses such as large banks;

• satellite uplink and downlink equipment supporting radio and television transmissions and other communications; and

• air-to-ground equipment serving general aviation and commercial aircraft.

The United States is becoming an information economy. Imposing mandatory system design requirements on those involved in the transfer of information has an impact on large numbers of people and most sectors of the economy.

There is no doubt that evolving technologies will challenge law enforcement officials and industry alike. We need effective law enforcement tools, as well as appropriate levels of privacy and security in communications and computer systems. The goals underlying the FBI proposal are valid and important ones. But they may well be best achieved without additional legislation. Industry has historically cooperated with law enforcement and is presently engaged in ongoing discussions to identify specific problems and concrete solutions. This cooperative process will lead to needed exchanges of technical information, better understanding on all sides of the real policy issues, and better, more cost-effective solutions. Congress should reject the FBI proposal and encourage continuing discussions that will lead to more specific identification of any problems and to more concrete, cost-effective solutions.

The Digital Telephony Report

Introduction: What Is Proposed?

The most recent FBI proposal imposes obligations to provide various generic interception "capabilities and capacities" and empowers the Attorney General to grant exemptions, after consultation with the Federal Communications Commission, the Department of Commerce and the Small Business Administration. Any person who manufactures equipment or provides a service that does not comply with the broad and vague requirements of the proposed statute would be subject to a civil penalty of $10,000 per day.

How Serious Is the Problem?

The predicate for the FBI proposal is that advances in technology have made it more difficult for the government to intercept particular telephone conversations in the course of legally-authorized wiretapping. There have been few actual problems, historically, in executing authorized wiretaps. None have stemmed from characteristics of communications equipment design (as distinct from limitations in equipment capacity). On the other hand, it is clear that changes in the technologies used for communications will require the FBI (and the communications industry as a whole) to use new techniques and to acquire additional equipment and skills. Some developments, such as encryption, may make interception (or, at least, understanding the contents of what has been "intercepted") much more difficult - but in ways that are not even addressed and cannot be fixed by the proposed legislation. (It is difficult to evaluate the FBI argument that it would have asked for more interceptions if some technological barriers had not existed. There have always been and will always be some technological barriers to interception of the content of communications the participants seek to protect.)

Existing law requires all companies providing electronic communications services to cooperate fully with lawful requests from the FBI and other law enforcement officials - and there is no history of any general failure to provide such cooperation.

Existing law contemplates that the government will bear the costs imposed by requests for access to communications. (As noted below, the proposal does not specifically extend that principle.) There is no showing that the

There have been few actual problems, historically,

in executing authorized wiretaps.

None have stemmed from characteristics of communications equipment design....

[The proposal] greatly expands the jurisdiction of the Attorney General and would represent a giant step beyond current law and congressional intent going back to 1968.

government lacks the financial resources to modernize its communications equipment or to fund the costs of lawful interceptions that it initiates.

Since the total number of content wiretaps in 1991 authorized by Federal and State courts was only 856 taps (and almost 60% of these were at the State level, 356 Federal versus 500 State), and since the call-set-up or pen register tap orders for 1991 at the Federal level were only 2,445, (thus, implying a national total under 7,000), it appears the costs may be better targeted to the specific lines or ports necessary, instead of burdening all lines or ports existing in the retwork

By comparison, there were over 138 million access lines as of December 31, 1990 according to the United States Telephone Association, and this does not include ports used for cellular or many other network accesses. (We under stand the current FBI budget provides for $9 million for new digital telephony interception equipment.) Thus, although there is valid reason to be concerned that changes in technology will challenge law enforcement agencies to find and adopt new techniques, there is no immediate crisis requiring swift action.

Broad Scope of the Current Proposal.

The FBI proposal covers all providers of "electronic communications services" and all "private branch exchange operators" (PBXs). These days, that means I just about everybody, including every business that has its own phone switch and every company that operates its own local or wide area computer network. The Electronic Communications Privacy Act defines "electronic communications services" to include electronic mail, file transfers over a Local Area Network ("LAN") and, indeed, every form of transmission of a message other than voice telephone calls (which are also covered by the proposal as "wire" communications; and sound waves in the open air (the only form of communication not covered by the proposal). (See 18 U.S.C.2510(12),(15).) All "providers" of such services would be affirmatively required, within three years, to provide law enforcement officials with the "capability and capacity" to intercept communications. This capability would have to be provided "concurrently" with the communication, without detection (apparently without regard to the target of the wiretap possibly employing sophisticated wiretap detection capabilities), exclusive of any communications between other parties, regardless of the nobility of the target, and without degradation of service.

These absolute requirements might not be capable of being met, as a technical matter, in some contexts, regardless of costs. The proposal is redundant, in the sense that it requires the ability to access communications at all po:nts during their transmission, even though access at one point is all that is needed in any given circumstance. Although current wiretap law requires "minimization" and use of wiretaps as a "last resort," the proposal imposes obligations on all communications systems as if preserving the ability to wiretap at any point should be the system designer's highest priority. The application of these requirements would have substantially different costs and other implications depending upon where in a communications pathway they were actually applied. In any event, they dramatically expand the nature and reach of current law-which requires cooperation but does not grant the government a right to redesign the communications network or the equipment used by large numbers of businesses.

The FBI has defended its proposal on the ground that it is only seeking to "preserve the status quo," by preventing changes in technology from taking away capabilities that Congress meant to assure when it passed the 1968 and 1986 wiretap statutes. But that mischaracterizes the "status quo." The current wiretap statutes take the communications networks as they find them and do not require any provider of communications service to redesign the system, or to refrain from using any particular technology, solely on the ground that such a technology would make interception more difficult. While there may well be

sound reasons for all concerned to cooperate to seek to preserve for the government a practical ability to engage in authorized wiretapping, there is simply no existing legal authority for law enforcement officials to mandate the use of particular technologies and, thus, contrary to the claims made by the FBI, the proposal does not simply maintain the status quo, but greatly expands the jurisdiction of the Attorney General and would represent a giant step beyond current law and congressional intent going back to 1968.

While the proposal imposes substantial uncertainties, there is no question that, as drafted, it would have an extremely broad reach. As a result, it could complicate the development of various new technologies. Even though the language of the proposal would extend to cable information systems and Automated Teller Machines ("ATMs"), the FBI has stressed in its proposal that various systems might be exempted by executive action. But the exemption authority is vague and standardless-so the net effect is that every system provider has to worry on a continuing basis about whether or not its system is covered. Moreover, the proposal is clearly designed to cover any system facilitating two-way conversation, regardless of the size of the communications service provider. In consequence, any small business that installs its own local PBX system for forwarding calls from customers could be required to replace its equipment with new switches that meet the law's requirements. If current online information services do not track the "services" and "features" used by those who send messages through their electronic mail channels, then expensive modifications might be mandated. Because these electronic mail systems are all being joined together, and some function as links that forward messages between other systems, all might have to be designed to allow "real time" interception by retransmission to a remote site-even though delayed searches of stored files would seem to make a lot more sense in the context of electronic mail.

Costs Likely to Be Imposed by the Proposal.

The costs imposed by this proposal would be passed on to consumers and all subscribers to electronic communications services. The total costs, including costs imposed by its potentially disruptive impact on planning for new computer and communication technologies, cannot be fully assessed — but would be very substantial. In its report on the FBI's proposal, the General Accounting Office ("GAO"), page 1, stated: "[Neither the FBI nor the telecommunications industry has systematically identified the alternatives, or evaluated their costs, benefits, or feasibility." And further at page 4 of the GAO Report: [T]he [FBI's] May proposal does not address what the telecommunications industry would need to do to be in full compliance with the proposal in the event it is enacted, the meaning of certain technical terms, or who would pay for the cost of wiretapping solutions."

The proposal mandates compliance with very broadly stated functional standards and contemplates that exemptions (available from the Attorney General, without the benefit of any specific standards or criteria) will be granted only after this broad new governmental authority has been enacted into law. The most recent proposal assumes that the costs of compliance will become a cost of doing business imposed on all communications service providers-and passed on to telephone ratepayers and other subscribers to electronic communications services. (The current law's provision that the government will pay reasonable expenses incurred in cooperating with a specific request for interception has not been expressly applied to this new requirement to "provide the capability and capacity to respond to such requests.) Communication service providers and computer equipment manufacturers could suffer major losses as a result of delays, mandatory redesigns, and even prohibition of certain technological options. There has been no opportunity as yet to compare (1) the costs the FBI would incur to modernize its approach to interception (especially given the data on the small number of taps performed annually) with (2) the costs that would be incurred by

Although there is valid reason to be concerned that changes

in technology will challenge law enforcement agencies to find and adopt new techniques, there is no immediate crisis requiring swift action.

As drafted,

the proposal appears

to threaten U.S. interests

in international trade and competitiveness.

consumers as a result of mandatory limitations on new technology design applied to all technologies nationwide.

Uncertainties Created by the Proposal.

By attempting to establish open-ended duties, broadly defined, in statutory language, the current proposal creates substantial uncertainties and could cause controversy to supplant cooperation. For example, although current interception orders predominantly relate to voice communications, the draft proposal covers all forms of communication. This approach could sweep up systems ranging from the cellular pager to the high-speed network designed to transfer digital data between supercomputers. It raises a wide variety of questions:

What exactly are the boundaries of the "public switched network" to which the proposal refers?

On what basis would the Attorney General choose, or be required, to provide exemptions?

• How would the proposal affect systems that regularly encode messages at the point of origin?

Does the required provision of capacity to intercept "concurrent with the transmission to the recipient" mean that an electronic mail or voice mail or facsimile mail system must be designed to signal the system operator every time a message from a target of an investigation is accessed by the person to whom that message might have been addressed?

• Will it be technically feasible to detect and separate just those parts of a communication signal coming from a particular residence or other source, that "exclusively" represent the content coming from a particular individual?

[ocr errors]

What is meant by the new, broad requirement that the government be told what "services, systems, and features" have been used by the subject of the interception?

Does the required provision of interception capacity "notwithstanding ... the use by the subject ... of any features of the ... system" have the effect of requiring the system provider to offer to defeat any encryption mechanism it may provide to subscribers?

Does the requirement to provide interception despite the target's mobility mean that systems that inherently allow users to send and receive from multiple points, without notice, cannot be used at all? Will it be physically possible or economically feasible to prevent "degradation of services" if the functional requirement for real time tracking of any target means that some central database must be checked by the service provider's computers every time a communication is made?

We don't know the answers to these questions, despite their importance. More importantly, the answers to key policy questions may differ substantially depending on what particular technology and interception need (and minimization goal) is being addressed. And we don't even know by what means providers of electronic communications services and designers and users of electronic communications and computing equipment will find out how the requirements will be applied to their systems. In short, the FBI's proposal, as currently drafted, may generate new and unnecessary controversy, despite its legitimate goals, by attacking perceived problems at the wrong level of generality.

Threat to Security and Privacy.

Ironically, in addition to creating uncertainty and imposing costs, the proposal would itself create new and serious security risks and undermine the privacy

« PrécédentContinuer »