The FCC has released its Notice of Proposed Rulemaking (NPRM) on Internet wiretapping. (Backstory here.) The NPRM outlines a set of rules that the FCC is likely to issue, requiring certain online service providers to facilitate (properly authorized) government wiretapping of their customers. The document is a dense 100 pages, and it touches on issues from protocol design to administrative law to network economics, so no one reader or analyst can hope to understand it whole. Below is my initial reaction to reading it.
I’ll start by noting that the FCC isn’t working with a clean slate but must adopt the framework established by the CALEA statute. Some FCC critics (not including me) would prefer a world in which the government could never wiretap anybody for any reason; but that’s not the FCC’s decision to make. The question before the FCC is how to apply the CALEA statute to new Net services, not what the optimal wiretapping policy would be.
One important question is whether the FCC has the authority to issue the rules it is considering. Even some of the FCC commissioners express doubt on this point. This question is outside my expertise, so I’ll defer to people like Susan Crawford (who also has doubts about the FCC’s authority).
Instead, I’ll ask whether the FCC’s proposals are good policy, if we take as given the value judgments expressed in the CALEA statute, which I read as these three: (1) Properly authorized wiretapping is an important law enforcement and national security tool. (2) If necessary, communications providers should accept modest costs to enable lawful wiretapping. (3) In designing networks, wiretappability should be a consideration, but it can be overridden by other important design factors. (Again: I’m not taking a position here for or against these three statements; I’m only asserting that they reflect the views of Congress, as expressed in CALEA.)
The FCC’s first proposal is to require broadband ISPs to be ready to provide law enforcement with the packet-level traffic of any of the ISPs’ customers. I read this rule as requiring ISPs to make their best effort to turn over the raw packets as actually sent and received by the customer, and not as requiring ISPs to interpret, classify, or decode the traffic. This seems like a reasonable rule, in light of CALEA. Capturing the necessary packet-streams won’t be overly expensive for ISPs and doesn’t seem to require redesign of ISPs’ networks; and law enforcement can analyze the packet stream as necessary by using standard tools.
The second, and harder, question answered by the FCC is whether to require VoIP (i.e., voice service over the Internet) to be wiretappable. The FCC tries to take a middle ground on this issue, requiring only “managed” VoIP services to be tappable. The definition of “managed” is a little fuzzy, but it seems to apply only to services that meet all three of these criteria: (1) they look to the consumer like a kind of telephone-like service; (2) they allow calls to people with old-fashioned phones; and (3) they involve the provider’s equipment in each call (i.e., involvement in the call itself, not just as a sort of directory service). VoIP services that are “managed” in this sense would be required to facilitate wiretapping. Other services, like voice-enabled instant messaging, are not managed and so would not have to facilitate wiretapping.
The FCC’s proposed rule looks to me like a reasonable attempt to apply the goals of CALEA to VoIP technology. Managed services are precisely those that are best situated to capture the kind of information needed for wiretapping; and network designs that are inherently unwiretappable would seem to qualify as unmanaged. Two caveats apply, though. First, the NPRM’s definition of “managed” isn’t completely clear, so the definition I gave above may not be the one the FCC meant. Second, as any close reading of the NPRM will demonstrate, the actual application of a CALEA regime to these technology would involve lots of detailed decisions and determinations by the FCC and others, and the details could be bungled. (Indeed, given the sheer number of details, and their complexity, some nonzero amount of bungling seems inevitable.)
There’s much, much more in the NPRM, but I’ve gone on long enough, so I’ll stop for now. My overall impression is that this is a document that will get criticism from both directions. Law enforcement will think it doesn’t do enough; and some technologists will think it meddles too much in their affairs. Contrary to the cliche, criticism from both sides often doesn’t mean you’re doing a good job. But this may be one of those cases where the cliche is right. Overall, I think the FCC has done a pretty good job of applying the semi-contradictory goals of CALEA in a new arena.
