Key Provisions of the NPRM
Most significantly, the NPRM "tentatively" imposes CALEA obligations upon broadband Internet access services and certain voice over Internet protocol (VoIP) services. While phrased as a clarification of the law, the NPRM amounts to a change in the law, going beyond what Congress intended.
The NPRM did not give Law Enforcement everything they asked for. FCC declined to set a procedure forcing new technologies to be submitted to, and approved by, the FCC, correctly seeing this as a significant threat to innovation, which would make the FCC a gatekeeper to future technologies.
The FCC suggested allowing third parties to provide CALEA compliance services, asking for comment on whether privatizing this traditionally government function would sufficiently protect the privacy and security of information not authorized to be intercepted.
The NPRM seeks further comment on how to define call-identifying information in packet technologies, and how much of that information is "reasonably available" to broadband access and VoIP providers without "significantly modifying a network."
In addition, the NPRM seeks comment on whether industry standards for packet technologies are deficient and should not serve as a safe harbor for telecommunications providers.
Finally, the FCC issued a Declaratory Ruling that commercial wireless "push-to-talk" services are subject to CALEA.
New Scope of CALEA
Broadband Internet Access Services
The NPRM tentatively determines that all "facilities-based providers of any type of broadband Internet access service" are subject to CALEA, including "wireline, cable modem, satellite, wireless and broadband access by powerline." Broadband is defined as any connectivity providing more than 200 kbs downstream.
By "facilities-based," the FCC refers to "entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider." The FCC interprets "switching" to "include routers, softswitches, and other equipment that may provide addressing and intelligence functions." This significantly broadens the understanding of "switches" in a telecommunications environment, as the term was previously thought to mean circuit-based switches.
On its face, it would seem that any entity with a router that provides high speed access to the Internet must comply with CALEA, which could include home users with wireless routers, cybercafes, schools, libraries, and a host of other services. However the FCC notes "that establishments acquiring broadband internet access to permit their patrons to access the Internet do not appear to be covered by CALEA."
Managed Voice over Internet Protocol
The NPRM holds that "providers of managed VoIP services, which are offered to the general public as a means of communicating with any telephone subscriber, including parties reachable only through the PSTN, are subject to CALEA." However, "managed" is not directly defined, with the FCC adopting the Law Enforcement description of "those services that offer voice communications calling capability whereby the VoIP provider acts as a mediator to manage the communication between end points and to provide" call management information. For example, Vonage, 8x8 and Level 3 are specifically noted as managed VoIP.
However, the FCC tentatively determined that providers of non-managed communications will not be subject to CALEA, and the NPRM declined to adopt the Law Enforcement's regulate by "business model" approach. The NPRM specifically exempts Instant Messaging and peer-to-peer VoIP systems, such as Free World Dialup, that involve communications set up and managed by the end user's computer. This is not to say that these services cannot be subject to surveillance — by tapping broadband access providers, Law Enforcement will have access to the packets sent by non-managed communications tools.
The FCC reasoned, in part, that non-managed VoIP was akin to private networks, which are exempted form CALEA compliance. However, the FCC seeks further comment on whether non-managed communications might be subject to regulation at "some point at which certain 'private' networks, because of an unlimited number of users, may be found to be more 'public' than 'private.'" Regulation of non-managed VoIP may just be a matter of time.
Tortured Legal Reasoning
CALEA only applies to "telecommunications carriers," and expressly exempts "information services, " such as email and Internet access. However, it also allows the FCC to regulate additional entities if their service is "a replacement for a substantial portion of the local telephone exchange service."
To support its sweeping expansion of CALEA, the FCC expands the substantial replacement clause by giving it a new interpretation inconsistent with the plain meaning of the statute, and creates an understanding of "telecommunications carriers" inconsistent with the long standing definition in the Communications Act. The FCC is not troubled by the inconsistency, contending that Congress intended the two acts to have widely divergent definitions of the same term.
Furthermore, since Law Enforcement was unable to provide any examples of broadband actually replacing the local exchange service, the NPRM reads "substantial" out of the clause, finding it means any portion, and suggesting that broadband replaces the "portion" where home computer users used to dial-up (via POTS) to their ISP.
As FCC Commissioner Michael Copps put it [PDF], "it strains credibility to suggest that Congress intended 'a replacement for a substantial portion of the local telephone exchange' to mean the replacement of any portion of any individual subscriber's functionality."
The NPRM interprets the statute to mean that where a service provider is determined to fall within the substantial replacement clause, it can no longer qualify for the "information services" exemption. Contrary to the structure of the statute, it finds the substantial replacement clause trumps Congress' effort to keep the Internet free from the requirements of CALEA.
The substantial replacement clause also requires that the FCC determine that "it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of" CALEA. However, the NPRM does not focus on a key purpose of the statute: the public interest "to protect privacy in the face of increasingly powerful and personally revealing technologies." Instead, the FCC places the Law Enforcement interest in increased surveillance over the public interest in continued innovation, data security, and personal privacy.
The expansive reading proposed by the FCC opens up many new technologies to the possibility of "tappability" requirements, which will limit creativity and innovation. To the extent that the substantial replacement clause interpretation is insufficient, the FCC also suggests that it may have authority under "Section 151 of the Communications Act [which] charges the Commission with carrying out its obligations for a number of stated purposes, including 'for the purpose of the national defense' and 'for the purpose of promoting safety of life and property.'" If that language was sufficient, there would be no limit on the FCC's power to regulate and impose controls over the Internet.
What's Next?
The NPRM is a series of tentative conclusions, with numerous requests for comments on particular issues.
Key Comments Requested:
Initial comments on the NPRM are due 45 days after publication of a notice in the Federal Register and reply comments are due 75 days after publication.
