SUBCOMMITTEE ON CRIME
COMMITTEE ON THE JUDICIARY
U.S. HOUSE OF REPRESENTATIVES
OVERSIGHT HEARING ON
THE IMPLEMENTATION OF THE COMMUNICATIONS ASSISTANCE FOR LAW ENFORCEMENT ACT OF 1994
Wednesday, October 23, 1997
Room 2237 Rayburn Building, 10:00 AM
It is an honor to appear again before this committee to discuss the Communications Assistance for Law Enforcement Act (CALEA). The last time I was here on this matter was over three years ago, when I testified along with my colleague here from CTIA, Tom Wheeler, and FBI Director, Louis Freeh.
USTA represents 1,100 wireline local exchange companies throughout the United States. Some of our member companies are among the largest corporations in the country, such as Bell Atlantic and BellSouth. We also represent dozens of mid-sized companies like Cincinnati Bell, ALLTEL, TDS, and Denver and Ephrata Telephone Company in Pennsylvania. The vast majority of our members are small, rural, family-owned businesses or telephone cooperatives, owned by their customers, such as Randolph Valley Telephone Cooperative in North Carolina, Lavaca Telephone Company in Arkansas, and Pulaski-White Telephone Cooperative in Indiana.
USTA member companies represent over 95% of all the telephone access lines in the country. And while our small company members serve only 3 percent of the U.S. population, their service territories cover over 40% of the country's land mass. Moreover, roughly 50% of the nearly 26,000 wireline telephone switches (the computers responsible for routing calls throughout the network) in the country are operated by these smaller companies; so while most access lines in the nation are served by a few companies, most switches in the country are operated by hundreds of small companies. This is important in understanding the potential ramifications of CALEA's implementation on telephone companies.
It must be pointed out that every one of these telephone companies has, and will continue to cooperate with law enforcement agencies in assisting them to perform properly authorized electronic surveillances. In fact, law enforcement has not divulged a single instance to us where a wireline carrier has not been able to perform a court ordered surveillance. As the annual report of the Administrative Office of the U.S. Courts indicates, more wiretaps are being conducted than ever before. It should be noted that this growth is taking place on today's existing network facilities. We are proud to do our part to assist in the many successful prosecutions the FBI and other law enforcement agencies have made using legally authorized wiretaps, traps and traces, and pen register information provided by telephone companies.
1994: CALEA's Balance of Priorities
CALEA represents a careful balance between law enforcement, industry, and American citizens' Constitutional rights to privacy and freedom from government intrusion. CALEA provides both safeguards and obligations for each of these interests.
For law enforcement, CALEA grants for the first time in our history, a statutory requirement that industry will design electronic surveillance capabilities for future telecommunications network equipment. (47 USC 1002.) The Attorney General also is granted enforcement authority, including the power to seek $10,000 a day penalties for non-compliance. (18 USC 2522.)
Industry's obligations are to design and develop electronic surveillance capabilities and capacities for future network-deployed facilities. (47 USC 1002.) However, realizing that it is punitive to require retrofitting of existing network technologies with CALEA technology that has not yet been developed, CALEA protects existing network facilities (i.e., those installed or deployed prior to January 1, 1995) by deeming them in compliance with the law, unless the government reimburses the carrier to bring them into compliance, or unless they are replaced or "significantly upgraded" or modified by the carrier. Equipment deployed after January 1, 1995 is subject to a determination by the Federal Communications Commission of whether compliance is "reasonably achievable." (47 USC 1008.) In short, industry would deploy--at industry expense--reasonably achievable CALEA technology solutions after they become available, while existing facilities were to be grandfathered unless the government pays for bringing facilities it identifies into compliance.
CALEA also grants specifically to industry the authority to develop technical standards which provide a safe harbor to carriers and manufacturers that install or deploy equipment which complies with such standards. (47 USC 1006.) While the Attorney General may consult with the industry standards-setting bodies, the government may not impose any design specifications. (47 USC 1002.) Further, even as CALEA requires industry to develop CALEA capabilities for future deployments in their networks, it provides a standard of reasonable achievability. This means that if compliance cannot be reasonably achieved, a carrier may nevertheless deploy facilities and such facilities would be deemed in compliance with CALEA. (47 USC 1002, 1008.) CALEA also provides protections against enforcement orders when compliance is not reasonably achievable with available technology. (47 USC 1008.) Finally, CALEA grants the ability to seek from the Federal Communications Commission extensions of compliance deadlines under various circumstances. (47 USC 1006.)
Individuals' rights to privacy and protection from government intrusion are protected as well. CALEA specifically requires the development of surveillance capabilities that protect the privacy and security of communications not authorized to be intercepted. (47 USC 1002, 1006, 1008.) CALEA's legislative history also clearly states that the law is intended to be narrowly interpreted by industry and law enforcement and the FCC to preserve, and not expand, surveillance authority. Further, CALEA grants the ability to any individual to petition the FCC if technical standards are deemed deficient. (47 USC 1006.)
1997: Implementation Off Balance and Delayed
1. Cost Reimbursement and Reasonable Achievability During the Transition Period
Since it has taken longer than anticipated in 1994 to develop both capacity and capability requirements, the conditions that existed when CALEA was enacted have not changed. Existing equipment in 1997 is equally as non-CALEA capable as it was in 1994. (It also is equally as capable of providing electronic surveillance as it was in 1994 too, albeit in a non-CALEA manner.) Nowhere in CALEA is there a requirement that carriers must "retrofit" existing equipment. Nonetheless, the FBI is threatening carriers with the possibility of having to go back into their networks and retrofit them with potentially extremely expensive CALEA upgrades, contrary to the intent of CALEA.
In March, 1997, the FBI adopted rules for CALEA cost reimbursement. Most significantly, the rules fail to differentiate between the terms, "installed or deployed," as required by CALEA. Instead, the rules dictate that the costs of modifying or retrofitting only such equipment that has been "installed" prior to January 1, 1995 may be eligible for reimbursement. Any equipment, features or services placed in service after January 1, 1995--according to the FBI's interpretation--would be the carrier's responsibility to retrofit, potentially at tremendous cost to the carrier and its customers. The rules, in short, attempt to force carriers, in contravention of CALEA, to retrofit existing equipment.
CALEA states that the government will reimburse carriers to bring into compliance such embedded-base equipment it needs to retrofit during the four-to-six-year transition period following enactment. Indeed, the legislative history states:
The bill requires the Federal government, with appropriated funds, to pay all reasonable costs incurred by industry over the next four years to retrofit existing facilities...In the event that the $500 million [authorized] is not enough or is not appropriated, the legislation provides that any equipment, features or services deployed on the date of enactment, which government does not pay to retrofit, shall be considered in compliance until the equipment, feature, or service is replaced or significantly upgraded or otherwise undergoes major modification.
After the four year transition period, which may be extended an additional two years...industry will bear the cost of ensuring that new equipment and services meet the legislated requirements, as defined by standards and specifications promulgated by the industry itself. (H. Rept. 103-827, p.16.)A four-to-six-year transition period was provided to enable the development of CALEA technology while carriers continue to modernize their networks to meet increasingly competitive market forces. The transition period was intended to protect not only equipment already installed by 1995, but equipment "in the pipeline," (i.e., equipment already designed, developed, and utilized in the industry, but not yet installed). Both the statute and legislative history assure that "if a service or technology cannot reasonably be brought into compliance with the interception requirements, then the service or technology can be deployed." (H.Rept.103-827, p.19.) The four/six year transition period and the Act's provisions allowing for continued deployment of network facilities therefore were intended to assure carriers that their networks would be deemed compliant with CALEA unless the government reimbursed the carrier to bring certain facilities into compliance with CALEA. After CALEA-compliant technology becomes available, the carrier would be required to deploy only CALEA-compliant equipment, facilities and services in the ordinary course of performing network upgrades.
Because of delays in implementing CALEA, there is no difference between a switch being installed or deployed today and a switch installed or deployed prior to January 1, 1995. Both would be deemed in compliance with CALEA. The pre-1995-installed switch would be deemed in compliance because it was installed prior to January 1, 1995. The post-1995-installed switch would be deemed in compliance because compliance is not reasonably achievable; and in any event, the switch had been deployed in the network. Among the factors the FCC is required to consider in determining reasonable achievability are cost to the carrier and its customers, and the extent to which such equipment is designed or developed prior to January 1, 1995. (47 USC 1008.) While one switch was "installed" prior to January 1, 1995, the other was "deployed" (i.e., designed and developed) prior to January 1, 1995. USTA believes that Congress specifically used the words, "installed or deployed" (not "installed and deployed") to capture this distinction.
Thus, USTA contends that CALEA intended to treat such equipment installed or deployed since January 1, 1995, and prior to the availability of CALEA solutions (assumed at the time to be four to six years hence) as not reasonably achievable. Such equipment would be deemed in compliance with CALEA, unless the government reimbursed the carrier to bring it into compliance. Any other interpretation would force carriers to seek individual determinations of reasonable achievability from the FCC during the transition period for "any equipment, facility, or service installed or deployed after January 1, 1995." This would inundate the FCC with requests for determining reasonable achievability; cost carriers both time and expense in pursuing regulatory remedies; and delay even further the implementation of CALEA. Moreover, if the FCC were to determine that carriers must retrofit post-1995 installed or deployed equipment at their own expense--despite the fact that nothing in CALEA requires carriers to retrofit equipment-- a Constitutional challenge could be initiated on the grounds that forcing carriers to provide a government service without reimbursement constitutes unlawful taking under the Fifth Amendment. This only adds to the prospects of additional expense and further implementation delay.
2. Significant Upgrades and Major Modifications
The FBI sought comments last year on the definition of the terms, "significant upgrade" and "major modification." A final definition has not yet been proposed. However, USTA and many others have expressed their concerns, based on the FBI's comments at industry meetings and its reimbursement rules, that a narrow interpretation of these terms will only further threaten inappropriately to shift costs to carriers, and effectively force retroactive, ubiquitous retrofitting of the nation's telecommunications infrastructure, contrary to the intent of CALEA and in contradiction of comments made by FBI Director Freeh before this Committee in 1994.
Mr. Neel mentioned that the passage of the statute and enactment of these mechanisms would be an invitation for the ubiquitous use...of wiretaps. I think that this is just not valid...We do not propose...rewiring America...(FBI Director, Louis Freeh, at Joint Hearings of the House and Senate Judiciary Committees, August 11, 1994.)CALEA is intended to grandfather embedded-base equipment that cannot have been installed or deployed with CALEA technology, since CALEA technology does not yet exist, unless the Attorney General agrees to reimburse the carrier to bring it into compliance. Also, CALEA intends to allow carriers to deploy facility modifications and upgrades without penalty.
Therefore, USTA believes the only practical definition of significant upgrade or major modification, consistent with the intent of the law, must allow for network modernizations to continue to be made prior to the availability of CALEA technology. In other words, existing telecommunication network facilities installed, deployed or modified prior to the availability of CALEA solutions must be deemed in compliance with CALEA. Upgrades or modifications to such existing equipment in the ordinary course of business, and prior to the availability of CALEA solutions cannot be considered "significant upgrade" or "major modification" for purposes of CALEA.
Carriers not only are installing new equipment in their networks regularly, they more frequently upgrade facilities, much as personal computer owners upgrade their word processing programs with the latest editions. With the enactment of the Telecommunications Act of 1996, competition has increased dramatically, requiring even more intensive, and frequent, modernization of telecommunications networks. Indeed, entirely new companies and technologies are being introduced in the telecommunications market. Since practically all telecommunications equipment at least has been upgraded with new software since 1995, the definitions of "significant upgrade" or "major modification" become extremely important. If these terms were defined to apply to any or all modifications or upgrades since 1995, virtually no equipment would be deemed in compliance, despite the fact that none of it can be considered reasonably achievable. All of it would be considered the carrier's responsibility to retrofit.
3. Capability Standards Are Not Available
CALEA grants the authority to industry standards-setting bodies to develop standards which constitute a safe harbor for any manufacturer or carrier that builds to or installs equipment that complies with the standard. (47 USC 1006.) It also prohibits the government from requiring any design specifications or the adoption of any particular features. (47 USC 1002.) Further, CALEA anticipates a four (to six, including a two year extension) year transition period during which it was assumed that standards would be developed and manufacturers would design and develop CALEA capabilities for installation in telephone networks.
All has not gone exactly as anticipated. Industry standards-setting bodies comprising of representatives of carriers and manufacturers, began drafting technical solutions even before CALEA was enacted. Industry also sought law enforcement suggestions concerning its interpretation of CALEA technical requirements. A final version of government recommendations was delivered to industry last Summer (1996) in a document called the Electronic Surveillance Interface (ESI). Through the Fall and Winter of last year, industry standards-setting bodies evaluated the ESI and worked with law enforcement to accommodate ESI recommendations.
After hundreds of meetings between law enforcement and industry, a proposed industry national standard, to be sanctioned by the American National Standards Institute (ANSI), was released for approval by interested parties earlier this Spring. However, law enforcement effectively prevented approval of this standard, claiming it did not go far enough in adopting all of the ESI's recommendations.
The industry standards represent a consensus among wireless and wireline carriers and manufacturers that comply 100% with CALEA. The proposed industry standards implement over 90% of the functionalities requested by the ESI, leaving only 11 items that law enforcement has identified (referred to as the "punch list," or by law enforcement as "missing capabilities") that are not included in the proposed industry standard. In some cases, "punch list" items may violate CALEA's clear protections of the privacy of communications not authorized to be intercepted, such as being able to listen in on a conference call even after the target has left the call. Other items on the punch list are not required by CALEA. They do not pertain to the isolation and delivery of call content or call identifying information. Many of these present serious technical feasibility issues. An example is the ability to deliver automatically and immediately notification to law enforcement of a change in services provided by a surveillance target when other, less expensive alternatives are available. Other examples include notification of specific buttons pushed on a telephone handset, or delivery of certain information within a half-second, which is faster than many switches deliver such data. These items, while possibly desirable for law enforcement to obtain, would be expansive, and expensive, to develop and install. As such, the punch list imposes additional technical requirements and potentially significant, unnecessary costs on carriers and their customers.
A second proposed ANSI-sanctioned industry standard is currently being circulated for ballot, with a deadline by the end of October. If law enforcement again attempts to defeat adoption of this proposed standard under ANSI rules, industry may adopt an interim standard of limited duration and subject to renewal and eventual ANSI approval. It is time to release a safe harbor standard, as CALEA intended, that manufacturers will be able to use in initiating the design and development of CALEA technologies.
In short, law enforcement has impeded the adoption of necessary standards by insisting that the ESI must be adopted by industry. The wireline industry has attempted to accommodate law enforcement in an effort to implement the law efficiently and to avoid protracted proceedings at the FCC. Thus, despite CALEA's clear prohibition against government design of capabilities, law enforcement's management of the implementation process effectively is requiring specific designs or system configurations to be adopted by industry, resulting in continued delay in releasing an industry standard.
4. Capacity Notices Are Not Available
CALEA requires the Attorney General to issue a notice of capacity requirements to industry not later than one year after enactment, (i.e., by October 25, 1995). (47 USC 1003.) Carriers would have three years after notification by the Attorney General to install capacity that meets the notification requirements. It is now three years after enactment, and a final capacity notice has yet to be issued. The first two proposed notices issued by the FBI have met with widespread criticism. USTA's comments to the FBI pointed out that the proposed notices both were: 1) expansive, requiring far more capacity than can be historically justified--a potential waste of taxpayer money; and, 2) technically deficient, failing to provide carriers with the type of technical information about channel requirements, different types of surveillance activity required (e.g., trap and trace, pen register, or call content), or interface delivery requirements which carriers need to be able adequately to engineer capacity loads in their networks. We understand that law enforcement is nearing completion of a third notice. We hope our suggestions, and those of many other commenters, will be adopted in this latest version.
Costs of CALEA Compliance Call for Law Enforcement Prioritization
CALEA authorizes $500 million, subject to appropriation, for law enforcement to use in bringing existing equipment into compliance with CALEA. USTA argued that depending on design requirements, retrofitting the nation's telephone network would cost more like $2 billion, a figure we believe remains accurate today, as more information comes in from manufacturers now able to provide estimates based on the proposed industry standard. Thus, CALEA requires law enforcement to identify such facilities it determines warrant upgrades, and to prioritize its spending to upgrade those facilities most in need of modification. We continue to believe that $500 million is not enough to retrofit existing facilities, given what we currently know about developing switched based solutions conforming to proposed industry standards.
In submitting its Implementation Plan to the House and Senate Appropriations and Judiciary Committees earlier this year, pursuant to the FY97 Appropriations Act, the FBI simply states that there are 35 switching platforms in use today in wireline and wireless networks, 19 of which it describes as "priority switching platforms," representing 97 percent of all wireline and 96 percent of all wireless interceptions.
Three major wireline switching platforms (the Lucent 5ESS, Siemens EWSD, and Nortel DMS100) deployed today account for roughly three-quarters of all the access lines in use in the nation's wireline network. One large carrier wireline representing several high surveillance activity areas in the U.S. deploys nearly 100% of its access lines with these three switches. However, the percentage of lines served by these switches decreases particularly with USTA's smaller member companies where a wider variety of switches and switch manufacturers are found. Given the cost of developing CALEA software solutions for just these three switches (see below), the FBI needs to consider the diminishing marginal returns of retrofitting more platforms. Also, many of the other switching platforms in the embedded telecommunications network base are older generation switching platforms that do not require the same level of technical solution for electronic surveillance.
Price estimates supplied by equipment manufacturers indicate that software development only for the three "major" wireline platforms will be between a low of $240 and a high of $620 million. This range represents only the cost of software development of those capabilities contained in the proposed industry standard. It assumes manufacturers' discounted prices for a single, nation-wide software solution. It does not include the cost of wireline software development of any "punch list" items, which estimates predict would cost an additional $217 to $602 million. It does not include any wireless technology solutions. This estimate further does not include additional costs incurred by carriers to test, engineer, and install CALEA software in their existing networks. These costs are estimated to range between $150 million and $200 million. Further, CALEA upgrades may often require carriers to purchase and install additional hardware to preserve switch processing capacity and maintain network integrity. This estimate does not include any of these related hardware costs directly associated with CALEA implementation. The estimate also does not include any capacity related costs.
The need for prioritization was emphasized by Director Freeh during the August, 1994 hearings before this Committee:
So I would take issue with the idea that this is going to spawn more wiretaps simply by the use of capability and access and that I think we have a pretty good idea where we need to build to protect...[If Congress] made a finding that...the money stops[,] I would still be in a better place if I could have access to half of the criminal conversations than none of the criminal conversations...I think over a long-term period, if...we are talking now about designing switches for 1998 and 1999, it seems to me that there will be a much more expansive benefit and a permeating benefit by starting early, particularly with the larger systems which will work to the benefit of upgrading the smaller systems.In short, the assumption in 1994 was that development of CALEA solutions was a long term process, that would focus on higher priority, larger systems first, and that it would not seek 100% near-term ubiquitous capability. Given the implementation delays and problems that have been encountered, a 1998-1999 switch deployment time frame now appears to have been a highly ambitious assumption. However, the recognition of CALEA as a process and the Director's tone of reasonableness is as appropriate today as it was in 1994.
Moreover, the fact that the $500 million may be spent on software development only, and only on the three major wireline switching platforms currently deployed, further illustrates two additional concerns. First, the effects of CALEA may be disproportionately burdensome on small telephone carriers. It is these carriers who more frequently, although not exclusively, deploy a variety of switches other than the 5ESS, EWSD or DMS100. Second, if CALEA solutions are reimbursed for the three major platforms, but not for the others currently deployed, CALEA in effect could create a dichotomy between those carriers who would receive "free" CALEA upgrades whose development and installation costs are reimbursed by the government, and those who do not. The latter certainly would seek a determination from the FCC that compliance is not reasonably achievable.
Compliance Date (October 25, 1998) is Now Impossible to Meet:
Given the fact that industry safe harbor standards will not be available until late 1997, the October, 1998 compliance date is impossible to meet. CALEA grants the authority to the FCC to grant an extension of the compliance date for any "facility, service or feature" for up to two years. There are over 26,000 wireline switches alone in the country. These switches each deploy a wide variety of services or features. Clearly, compliance is not reasonably achievable, and an extension of the compliance deadline for every facility, service or feature in the country would be appropriate. The FCC faces potentially thousands of requests for compliance deadline extensions. (Again, smaller telephone carriers may face an equal if not even greater burden in pursuing legal/regulatory remedies.)
Time Line for Implementation
If implementation is put back on track, we believe CALEA technology can begin to be deployed in the nation's telecommunications networks in a timely manner. Industry standards should be adopted in November, 1997. Manufacturers will then need 18 to 30 months to develop software solutions. Deployment in carrier networks, therefore, conceivably could begin between May, 1999 and May, 2000. Finally, the nation's major wireline carriers install routine software upgrades on their network facilities every six to 18 months. Thus, if law enforcement funds the development of solutions to bring existing equipment into compliance with CALEA, this technology could be deployed within 18 months of the CALEA solutions' availability during carriers' normal course of business upgrade deployment.
USTA Recommendations to Put CALEA Back on Track
USTA believes that implementation of CALEA can be put back on track simply by returning to the standard of reasonableness that prevailed during consideration and passage of CALEA three years ago. Because of the interrelationship between capability, cost reimbursement, capacity, and the compliance date, all four implementation issues must be resolved concurrently for implementation to proceed without further delay.
1. CALEA's grandfather date should be clarified so that existing equipment (deployed, installed or upgraded since January, 1995) is deemed in compliance with CALEA until CALEA-based technical solutions are available for installation in carriers' networks and such equipment is retrofitted at government expense.
The government may, based on its priorities and the availability of funds, reimburse carriers to bring currently-deployed equipment into compliance. However, currently deployed or installed facilities cannot be considered reasonably achievable since CALEA technology is not available; therefore, it should be deemed in compliance. If not deemed in compliance, carriers would be forced to seek individual determinations of reasonable achievability, or seek court remedies, both of which will only further delay implementation of CALEA.2. Safe harbor industry standards must be allowed to be adopted.
Proposed industry standards have been drafted by industry standards setting bodies, in consultation with law enforcement, as provided for under CALEA. These proposed standards represent a consensus among manufacturers and carriers, and, but for a few items, adopt nearly all of law enforcement's recommendations. Industry stands by its proposed standards as 100 percent CALEA-compliant. Any further opposition to the proposed standards will only delay their availability to manufacturers, preventing timely deployment of new CALEA-based upgrades in the nation's networks. For those items not included in the proposed industry standard (i.e., the so-called "punch list," or "missing capabilities"), government may contract with carriers or manufacturers to develop and install such capabilities, to the extent they do not violate provisions of CALEA or other legal principles. Moreover, CALEA provides that any person may petition the FCC if standards are deemed to be deficient. Further intervention in the standards process will only lead to unnecessary delay.3. CALEA's compliance date (10/25/98) should be moved to enable sufficient time in which to install CALEA solutions in carriers' networks.
Estimates range between 18 and 30 months for the manufacturers need to convert technical standards into products and services ready for installation and deployment in carriers' networks. While CALEA allows carriers to request from the FCC extensions of this deadline, the FCC could be inundated with such requests from thousands of carriers, serving tens of thousands of facilities and services for which an extension would be required. Instead, since implementation has taken longer than anticipated when CALEA was drafted, and compliance by 1998 therefore is not reasonably achievable, the compliance date should be moved.4. Capacity requirements must be issued for carriers to be able to fulfill both their capacity and capability obligations.
Capacity requirements must be consistent with historic electronic surveillance trends and must provide sufficient technical description to enable carriers and manufacturers to develop and install compliant hardware and software solutions.Conclusion:
Telecommunications carriers look forward to continuing to work with law enforcement agencies in executing legally authorized electronic surveillance. While existing telecommunications facilities are providing electronic surveillance capabilities for law enforcement purposes, the industry recognizes its future responsibilities to design, develop and install surveillance capabilities as specified in CALEA. It is essential, however, in making the transition from present network facilities to future CALEA-compliant networks, that carriers are allowed to modernize their networks without CALEA coming back to haunt these carriers and their customers with potentially hundreds of millions of dollars of retrofitting expenses. By removing the clouds of uncertainty from the implementation of CALEA as recommended by USTA, CALEA can be implemented in a timely fashion.