The Communications Assistance for Law Enforcement Act: a Lesson from the Past

August 1, 2019

On a recent trip to Australia, I appeared on a National morning news show. It wasn’t long until the hosts were trying to get me to weigh in on a debate that was then raging in their legislature. The point of contention was the proper balance between privacy interests and the need for law enforcement and the intelligence community, in their battle against terrorism and other crimes, to intercept communications being shrouded with powerful encryption. [Sound familiar?] I acknowledged the consternation and hand-wringing then occurring in their country as familiar reactions.

Echoing the Philosopher George Santayana, I shared an experience from our U.S. past, when in 1994, the Voice-Over-Internet Protocol was emerging in the Telcom industry, engendering great concern on the part of Law Enforcement and the Intelligence Community that this new technology was going to undercut our ability to effectively monitor our adversaries. The Congress, the Private Sector, Law Enforcement, and Intelligence Community came together and worked collaboratively to formulate a solution about which there was considerable consternation – worries that if this legislation were enacted proverbial “dogs and cats” would start living together. The legislation, the Communications Assistance for Law Enforcement Act, or CALEA, was enacted; the provisions and oversight called out in the legislation engaged; and the feared consequences never experienced. Subsequently, CALEA has never been amended. However, in 2005 the Federal Communications Commission issued an order extending the coverage of CALEA to two-way interconnected VoIP and broadband Internet access, further preserving the ability of law enforcement to conduct lawful intercepts despite evolutions in network technology.

Under CALEA, a telecommunications carrier, including Internet Service Providers who provide paying subscribers with access to the public Internet, must essentially ensure that, when it is served with a court order for lawful surveillance, its network can isolate the communications of the criminal suspect, terrorist or spy identified, and deliver the communications to the law enforcement agency named in the order. The 1994 Congress was aware of the internet, but because the new computer-based medium was not at that time significantly used by criminals, and because political leaders wanted to let the nascent technology grow unfettered by regulation, they limited CALEA, exempting “information and electronic messaging services.” CALEA is now 25 years old and the internet – no longer a nascent service free from criminal or terrorist use. On the contrary, the nefarious actors now exploit the most advanced internet-based techniques in the planning and execution of their schemes – reason enough, for a public-safety minded community, to close the CALEA coverage divide, and something Congress could do by updating the old statute.

For those concerned about the possible encroachment on privacy interests, CALEA extends subscriber privacy protection at every stage of the intercept process:

The Technical Standard-Setting Stage. Industry lawyers and engineers craft intercept standards that limit solutions to delivering only the call content and call-identifying information required by CALEA Section 103. The standards also protect the privacy of non-suspect subscribers.

The Solution Development Stage. Equipment vendors design solutions that conform to industry standards or achieve the goals of CALEA Section 103 in other privacy-protective ways.

The Court Order Stage. Telecommunications carriers confirm the court order is properly authorized before implementing it.

The Implementation Stage. The intercept solution may be activated only when authorized by the carrier’s appointed officer or employee. When the solution is activated, the carrier controls the type of data transmitted to law enforcement and is required to employ security measures to prevent security breaches and privacy measures to keep the intercept confidential.

Shortly after my visit, the Australians passed new Encryption Laws. Now it may be time for the U.S. to take a lesson from our Australian friends.

John McClurg serves as Sr. Vice President, CISO and Ambassador-At-Large in BlackBerry's/Cylance’s Office of Security & Trust. McClurg previously was CSO at Dell; Vice President of Global Security at Honeywell International, Lucent Technologies/Bell Laboratories; and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

The Communications Assistance for Law Enforcement Act: a Lesson from the Past

Recent Articles by John McClurg

Group attribution error – The most pervasive and potentially consequential threat of our day

It’s coming: National Cybersecurity Awareness Month

Securing our Democracy: The case for robust campaign cybersecurity

Zero trust further considered - another benefit of living in the times of AI

Unified Endpoint Security: Combating the Chaos, Complexity and Other Conundrums Plaguing Our Community

Security Magazine

2020 October

The Communications Assistance for Law Enforcement Act: a Lesson from the Past

Recent Articles by John McClurg

Related Articles

Related Products

Report Abusive Comment