This story appeared on Network World at

http://www.networkworld.com/columnists/2007/051507bradner.html

CALEA: Expensive data gathering

By Scott Bradner, Network World, 05/15/07

A report about the deployment of telecom equipment that is compliant with the Communications Assistance for Law Enforcement Act and another report about the use of legal wiretaps in the United States have just been published. Both come in time to help explain the costs and usefulness of CALEA before the May 14 compliance deadline for its extension to facilities-based broadband Internet access and interconnected VoIP providers.

It is still less than clear who has to comply with this extension, but those organizations that must comply should have done so by now.

(See "Do you have to be ready to be tapped?") If all the facilities-based broadband Internet access and interconnected VoIP providers that are supposed to be in compliance actually are, it will be a big change from CALEA compliance in the phone world.

The Office of the Inspector General of the Department of Justice Audit Division recently published the results of an audit of the state of “The Implementation of the Communications Assistance for Law Enforcement Act." This report notes that the FBI estimates only 10% to 20% of wireline phone switches are compliant with CALEA. In the wireless world, 50% of the pre-1995 and 90% of the post-1995 switches are in compliance, and that is after the U.S. government spent more than $450 million on the problem (mostly to pay for software licenses). Note that the new CALEA extension does not come along with government money to support compliance like the original rules did.

Compliance is costly. The Justice Department audit report includes the example of a VoIP provider paying out $100,000 to a third party just to be ready to comply. In addition, the VoIP provider has to pay for the modification of its own software. If all of the U.S. facility-based ISPs, facilities-owning enterprises and VoIP providers have to pay the same, we are talking about very big money. The audit also notes that there is no technical standard for CALEA implementation approved by the FBI so any provider that has paid to get compliant may have to shell out still more when a standard finally gets approved.

So what are we getting for all this money? Coincidentally, the Administrative Office of the U.S. Courts has just published the 2006 edition of its annual wiretap report that details the use on legal wiretaps in the United States. This report covers wiretaps authorized by U.S. State and Federal Courts but not those authorized by the Foreign Intelligence Surveillance Act Court.

The main thing that stands out in this report is that there are not many legal wiretaps per year in the United States. There were 1,839 authorized wiretaps completed in 2006 and for which reports were filed. The U.S. rate is about 1.6 per 100,000 people — a very small number compared with Italy, for example.

In spite of the repeated assertions by government law enforcement officials that the United States needs wiretapping (as well as ISP monitoring of Internet use) to prevent child porn, the report makes it clear that most wiretaps (80%) relate to drug offences with homicide and assault a distant second (6.5%). No statistics are given for child porn so it must be included in “other" (3.5%). The report also shows that the distribution of wiretaps is very uneven with large chunks of the United States having few if any.

These statistics make it clear than many facilities-based broadband Internet access and interconnected VoIP providers will never have to make use of the expensive abilities they are mandated to install. But, it would make far too much sense to first figure out where wiretapping abilities are needed before mandating universal adherence and the spending of vast sums of money that will mostly benefit a few equipment or software vendors.

Disclaimer: The ability to combine common sense with planning is a desired feature of Harvard students (clearly not everyone in government comes from Harvard). But the above combination is mine, not the university’s.