The following text is copyright 2007 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
CALEA: Expensive data gathering
By: Scott Bradner
A report about the deployment of telecommunications equipment that is compliant with the Communications Assistance for Law Enforcement Act (CALEA) and another report about the use of legal wiretaps in the U.S. have just been published. Both were just in time to help explain the costs and usefulness of CALEA before the May 14, 2007 CALEA compliance deadline for the extension of CALEA to facilities-based broadband Internet access and interconnected voice-over-IP providers. (http://www.fcc.gov/calea/)
It is still less than clear just who has to comply with this extension. (see Do you have to be ready to be tapped? http://www.networkworld.com/columnists/2006/061906bradner.html) But those organizations that must comply must have already done so by the time you read this column. But if all of those facilities-based broadband Internet access and interconnected voice-over-IP providers that are supposed to be in compliance actually are in compliance it will be a big change from CALEA compliance in the phone world.
The Office of the Inspector General of the U.S. Department of Justice Audit Division just published the results of an audit of the state of "The Implementation of the Communications Assistance for Law Enforcement Act." (http://www.usdoj.gov/oig/reports/FBI/a0613/final.pdf) This report notes that CALEA compliance in the telephone world is rather less than total, with the FBI estimating that only 10% to 20% of wireline phone switches are currently CALEA compliant. The state of compliance in the wireless world is better, with 50% of the pre-1995 and 90% of the post-1995 switches in compliance, and that is after the U.S. government spent over $450 million on the problem (mostly to pay for software licenses). Note that the new extension to CALEA does not come along with government money to support compliance like the original CALEA rules did.
Compliance is not cheap. The DoJ audit report includes the example of a VoIP provider paying out $100,000 to a third party just to be ready to comply. In addition, the VoIP provider has to pay for the modification of its own software. If all of the US facility-based ISPs, facilities-owning enterprises and VoIP providers have to pay the same we are talking about very big money. The DoJ audit also notes that there is currently no technical standard for CALEA implementation that the FBI has agreed to, so that anyone who has already paid out to get compliant may have to shell out still more when a standard finally gets approved.
So what are we getting for all this money? Coincidentally, the Administrative Office of the United States Courts has just published the 2006 edition of its annual "Wiretap Report" that details the use of legal wiretaps in the U.S. (http://www.uscourts.gov/wiretap06/contents.html) This report covers wiretaps authorized by U.S. State and Federal Courts but not wiretaps authorized by the Foreign Intelligence Surveillance Act (FISA) Court. The main thing that stands out in this report is that there are not all that many legal wiretaps per year in the U.S. There were only 1,839 authorized wiretaps that completed in 2006 and for which reports got filed (and reports are supposed to be filed for all wiretaps -- but some reports can take a while). The US rate is about 1.6 per 100,000 people -- a very small number compared with, for example, Italy. (http://www.theregister.co.uk/2007/03/07/wiretap_trends_ss8/).
In spite of the repeated assertions by US government law enforcement officials that the US needs wiretapping (as well as ISP monitoring of your and my Internet use) to prevent child porn, the Wiretap Report makes it clear that this is a very small target of wiretaps. Most wiretaps (80%) relate to drug offences with homicide and assault a distant second (6.5%). No stats are given for child porn so it must be included in "other" (3.5%). The report also shows that the distribution of wiretaps is very uneven with large chunks of the US having few if any.
These stats make it clear that many, if not most, facilities-based broadband Internet access and interconnected voice-over-IP providers will never have to make use of the expensive abilities they are now mandated to install. But, it would make far too much sense to first figure out where wiretapping abilities are needed before mandating universal adherence and the spending of vast sums of money that will mostly benefit a few equipment or software vendors.
disclaimer: The ability to combine common sense with planning is a desired feature of Harvard students (clearly not everyone in government comes from Harvard) but the above combination is mine not the university's.