Law Enforcement's Access to Communications System in the Digital Age

Marcus C. Thomas
Deputy Assistant Director, Investigative Technology Division
Federal Bureau of Investigation
Before the United States House of Representatives Committee on Energy and Commerce Subcommittee on Telecommunications and the Internet
Washington DC
September 08, 2004

Good morning, Chairman Upton, Ranking Member Markey, and Members of the Subcommittee, I am grateful for this opportunity to discuss this important national security and public safety issue: law enforcement’s access to communications systems in the digital age. I would like to start by briefly outlining a historical framework of court-authorized electronic surveillance in highly-complex communications networks, then discussing the situation in which the law enforcement community currently finds itself, and some of the problems with which we are currently dealing. Lastly, I would like to briefly discuss some of our ongoing efforts intended to address a number of these problems.
Background

Prior to delving into the subject of electronic surveillance, I believe it is important to state that the FBI and the law enforcement community recognize the importance of the continued development and consumer adoption of innovative technologies to ensure the United States remains a leader in today's competitive, global marketplace. One of the fundamental requirements for preserving national security, the privacy of our citizens, and public safety is ensuring that United States national security and law enforcement agencies are able to securely and effectively use lawful process to gather evidence and intelligence during investigations. We remain extremely concerned about the very serious, public safety and national security threat posed by the misuse of technologies that hamper lawfully-authorized electronic surveillance of communications occurring over their systems. I believe that public safety, national security, and technological innovations can be served by good policy.

I do not think anyone seriously challenges the need for the law enforcement and national security communities to be able to conduct court-authorized electronic surveillance. There is no doubt wiretaps produce powerful intelligence and evidence against the most dangerous criminals and terrorists. When police cannot use other investigative techniques to safely and successfully collect evidence and intelligence, they often use wiretaps to catch and convict criminals with words uttered from their own mouths. Concerns regarding this serious threat are not limited to the United States law enforcement and national security communities. Worldwide, new laws are being implemented that are intended to require network providers to furnish communications interception services to government agencies.

The issue I have just described may be too complex for one remedy to solve. Like so many issues we try to deal with today, the future success of lawful electronic surveillance will depend on a multi-pronged approach. In some instances, responsibilities mandated of a service provider are the appropriate course of action. In others, to meet the exigent needs of law enforcement, industry cooperation can be the most constructive avenue of pursuit. Finally, any approach would be incomplete without considering law enforcement’s own abilities. I am here today, mere days before the third anniversary of September 11th, to stress the importance of the outcome of our discussion: law enforcement’s continued ability to conduct lawful electronic surveillance to ensure national security and public safety.

Title III specifies that a “service provider, landlord, custodian, or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference . . .” upon the request of the applicant (specifically, law enforcement). In practice, judges sign two orders: one order authorizing the law enforcement agency to conduct the electronic surveillance, and a second (abbreviated) assistance order directed to the service provider specifying, for example, the telephone number(s) of the subject that are the object of the order and directing the provision of necessary assistance.

In 1994, as a result of the emergence of an ever?increasing array of new services and features, many of which would have impeded, if not precluded, normal electronic surveillance efforts by obstructing lawful access, Congress passed, and the President signed into law, the aforementioned CALEA legislation. In the House Report accompanying CALEA, the purpose of the legislation was clearly identified: "to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes . . .". That is to say that a primary purpose of CALEA was to clarify and strengthen the statutory requirement that service providers furnish "all" technical assistance necessary to accomplish the interception -- meaning to design and build into their networks the capability and capacity requirements needed by law enforcement. It is not enough just to be willing to assist; rather, service providers must actually be capable of making that assistance possible in a rapidly changing technological world. In short, CALEA’s intent was to mandate access where advancing technology would otherwise preclude it.

Despite the fact that in the years since the enactment of CALEA there have been technological advancements few of us could have foreseen, CALEA has proven essential to law enforcement successes. In the most recent Wiretap Report (published annually by the Administrative Office of the United States Courts), 80 percent of wiretap authorizations were for cellular or mobile telephones. Of that number, I am pleased to tell you approximately 90 percent were conducted using technical solutions developed specifically in response to the assistance capability requirements identified in CALEA. In other words, more than 70 percent of all criminal wiretap authorizations were “CALEA-compliant.” Looking to the future, our success with CALEA’s application to cellular telephones can be seen as a model. Prior to the passage of CALEA the 1991 Wiretap Report identified that cellular phones accounted for approximately one percent of wiretap authorizations. CALEA provided a framework to ensure law enforcement’s lawful access as criminals migrated to the new technology. I believe we are at the point with Voice over Internet Protocol (VoIP) today that we were with cellular telephones in the early 1990s - with one significant difference: all service providers, both wireline and wireless, have an incentive to migrate their networks to an IP platform. What that means is the transition to a VoIP infrastructure is occurring very quickly. In recognition of this rapid change, we have petitioned the Federal Communications Commission to make clear that CALEA applies to certain forms of I.P. telephony services. We feel this is critical to protecting law enforcement interests.

It is important to note that the requirement for service provider assistance under 18 U.S.C. 2518(4) remains in full force and effect, notwithstanding the applicability of CALEA, and requires service providers to do whatever reasonably can be done to comply with assistance court orders issued by judges. In other words, even when CALEA does not apply, the service provider (or "landlord, custodian, or other person”) served with a court order for surveillance is legally required to do whatever can reasonably be done to implement the order.

Current Technology and Policy Issues

Perhaps the most significant technological challenges in the area of electronic surveillance faced by the law enforcement and national security communities have been those challenges brought on by convergence. Convergence refers to the blurring of lines among traditionally distinct communications products, services, and regulatory structures and can be thought of as the ability (technically and legally) of different network platforms to carry essentially the same kinds of services (so-called network-independence) as well as the ability of a single network platform to carry many different kinds of services (so-called service-independence). Such network/service independence is perhaps most evident in the blurring of wireless and wireline network services, but also in the blurring of data and voice services. The most relevant instrument of change with regard to such convergence has been the emergence of IP networks.

In recent years, the FBI has found that there are greater and more diverse challenges in effectuating electronic surveillance orders within modern networks than with "conventional" telephony networks operated by traditional telecommunications carriers. In order to implement electronic surveillance orders in these diverse networks, the FBI has relied on elaborate and costly technical approaches to ensure that only messages for which there is probable cause to intercept are, in fact, intercepted and that all such authorized messages are intercepted. As a result, it has become increasingly common for the FBI to seek, and for judges to issue, orders for Title III or FISA interceptions which are much more complex and detailed, and much more likely to be directed to multiple network operators and service providers, than earlier orders, which were ordinarily directed against a single “plain old telephone services” provider.

It is important to point out that, when CALEA was passed in 1994, the Internet was a nascent consumer technology, the World Wide Web was only really coming into existence in the laboratory, and wireless telephones were largely voice-only devices and not the web-enabled devices we see today. Nevertheless, the Congress, with CALEA, was attempting to address the complex and varied communications services that we now see.

Law Enforcement Response

In response to the challenges presented by rapid technological advances, law enforcement has been using all available means to implement its mission to protect national security and public safety. First, law enforcement has sought to ensure compliance with CALEA. In keeping with the spirit of Congress’s intent when enacting CALEA, the FBI has not sought to apply its requirements either recklessly or broadly to those to whom it should not apply. Because neither CALEA, nor any other single approach, is viewed as the absolute solution for law enforcement’s electronic surveillance problems, the FBI and other law enforcement agencies have worked continually to augment CALEA requirements with government capabilities. In this regard, we have worked to develop close liaison relationships with the Information Technology industry as a means of addressing the public safety and national security issues associated with electronic surveillance and the use of technologies which tend to hamper our legitimate interception efforts.

Over the past several years, we have been aggressively pursuing an industry outreach strategy to inform the Information Technology industry of law enforcement's needs in the area of electronic surveillance, to continue to encourage the development of interception capabilities that meet law enforcement's needs, and to seek industry's assistance regarding the development of law enforcement tools and capabilities when complex technologies are encountered during the course of lawful investigation. As a result of this strategy, we have seen a number of significant advancements which should be further pursued and emulated.

First, we have seen a number of technological developments which have led to the marketing of comprehensive technical tools designed, in part, to perform electronic surveillance within the complex environment of the Internet. These tools, which are designed to be implemented and operated by a service provider, have greatly extended the capability to effectuate lawful electronic surveillance on ISP networks. Several companies have aggressively developed and marketed such tools.

Second, the FBI and the law enforcement community have always, as a first instinct, sought to work cooperatively and closely with computer network service providers and their software and equipment manufacturers to develop lawful interception capabilities, especially where legal, evidentiary, and investigative imperatives require special purpose tools. As a result, a number of network operators and service providers have acquired and implemented lawful interception capabilities.

Third, we have seen the emergence of so-called “third-party services” - companies, largely utilizing the tools mentioned above, marketing electronic surveillance services to both the network operator community and the law enforcement community. One such third party service provider provides telecommunications network operators, cable operators, and ISPs with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. With respect to third-party service providers, law enforcement sees them as one potential avenue for telecommunications network operators, cable operators, and ISPs to meet their obligations under Title III and/or FISA. Employing a third party may, for example, make a service provider’s processes more efficient, but in no way should be seen as relieving the service provider of its electronic surveillance obligations. I liken third-party services to other out-sourced services such as payroll administration, where the third party handles the paperwork, but the buck stops with the company that pays the bill.

Fourth, we have seen a truly commendable effort on the part of CableLabs, an industry trade consortium representing many cable companies, along with Time-Warner, Comcast, CableVision and Cox Communications, to develop and publish a set of technical standards which, on their face, meet law enforcement needs with regard to electronic surveillance capabilities. This standard was developed in a spirit of cooperation which began by recognizing the legitimacy of law enforcement’s needs and duties and the unique position industry is in to ensure that our public safety and national security missions are fulfilled.

Fifth, as always, we have seen the law enforcement community pull together in the face of this issue. Speaking for the FBI, I can say that many of our technologies, systems, and processes developed for our own use have been made available, to the extent possible, to the greater law enforcement community, including other federal law enforcement agencies as well as state and local agencies. Nonetheless, the challenges are daunting, and the federal government cannot shoulder this burden alone. Even with federal assistance, state and local law enforcement are currently having significant problems effectuating their interception orders, and the situation will only grow worse.

Finally, another important issue regarding lawful interception which must be addressed is that of cost. One inescapable fact is that lawful electronic surveillance in this modern “digital age” is increasingly complex and rapidly changing. Both of these circumstances have the effect of increasing the overall cost of electronic surveillance. Unfortunately, on this issue, there is no returning to the “days of old” where policemen hunkered down in panel vans on the street corner recording wiretaps on reel-to-reel tape. For now, and for evermore, there is a new baseline for costs associated with this work.

I will leave you with a last thought regarding the capability of law enforcement agencies to lawfully access communications in a “digital age,” and that is this: without the “high tech” industry assisting the government in this effort, our challenge will be greater. Law enforcement must have the continued ability to cost-effectively conduct lawful electronic surveillance to ensure national security and public safety. As I mentioned earlier, this is a complex issue that needs a multi-pronged solution. Industry must be engaged and must involve itself in that solution. I would encourage this Subcommittee and the rest of Congress, when discussing the issue, to keep in mind the need for continued access by U.S. law enforcement to our nation’s communications infrastructures. Experience has proven that statutorily-imposed responsibilities must necessarily be one element of the solution but not the only element. As such, we must continue to have statutory mandates such as CALEA and build on them, using varied tools, including incentives.

In conclusion, I would like to say that over the last ten years or more, we have witnessed continuing, steady growth in computer and Internet-related crimes, including extremely serious acts in furtherance of terrorism, espionage, infrastructure attack, as well as more conventional serious and violent crimes. These activities which even now are being planned or carried out, in part using the Internet and other complex networks and services, pose challenges to the national security and law enforcement communities that we dare not fail to meet. In turn, the ability of the FBI and the law enforcement community to effectively investigate and prevent these serious crimes is, in part, dependent upon our ability to lawfully and effectively intercept and acquire vital intelligence and evidence of crimes and our ability to promptly respond to these threats to the American public. As the networks become more complex, so too does the challenge placed upon us to keep pace.

I look forward to working with the Subcommittee staff to provide more information and welcome your suggestions on this important national security and public safety issue: law enforcement’s access to communications systems in the digital age. I will be happy to answer any questions that you may have. Thank you.

Sections