Section-by-Section Analysis of the 1994 Draft of the Digital Telephony Legislation Mike Godwin EFF TITLE >A BILL >To ensure continued law enforcement electronic surveillance access to the content of wire and electronic communications and call setup information when authorized by law, to improve communications privacy protection, and for other purposes. The "other purposes" are, apparently, the correction of a drafting error in ECPA that led to an anomaly in 18 USC 2511. See Section 4 below. SECTION 2 >SEC. 2. PURPOSE. The purpose of this Act is to clarify and define the responsibilities of common carriers, providers of common carrier support services, and telecommunications equipment manufacturers to provide the assistance required to ensure that government agencies can implement court >orders and lawful authorizations to intercept the content of wire and electronic communications and acquire call setup information under chapters 119 and 206 of title 18 and chapter 36 of title 50. Chapter 119 is the communications-interception chapter, commonly called "Title III." Chapter 206 is the pen-register/trap-and-trace chapter. Title 50 includes interception provisions of the Foreign Intelligence Surveillance Act. Note that Chapter 121 of Title 18, the stored-communications chapter of the U.S. criminal code, is not mentioned. It may, however, be affected by some of the amendments suggested in the Digital Telephony bill. >Otherwise, >except for the provisions in section 4, nothing in this Act is intended to >alter any provision contained in the Federal electronic surveillance, pen register, or trap and trace statutes, or those of any state or other jurisdiction. In particular, nothing herein is intended to enlarge or reduce the government's authority to lawfully intercept the content of communications or install or use pen register or trap and trace devices, or to increase or decrease any criminal penalties for unlawfully intercepting the content of communications or installing or using pen register or trap and trace devices, or to alter the provisions regarding service provider assistance, payment for assistance, causes of action, civil liability, or good faith defenses. This is essentially a deceptive statement about the effect of the Act. Although 18 USC 2518(4) allows applicants for authorization orders to request that the order "direct that a provider of wire or electronic communication service ... furnish the applicant forthwith with all information, facilities, and technical assistance necessary to accomplish the interception...", this provision has not widely been interpreted to hold that service providers must actively create solutions to interception problems if those solutions do not already exist. The FBI analysis says government agencies "have been reluctant to pursue contempt or other legal remedies to resolve this issue." The reason for this reluctance, in my opinion, is that the language of 2518(4) does not unequivocally impose such a burden on providers, and the government stands a good chance of losing any fight in which it claims that such a burden does exist. Thus, the FBI's solution is to create a *new* and *routine* obligation on common carriers (but not small-scale providers) to generate technical solutions to interception and "call setup" problems created by current common-carrier networks. Moreover, this Act would require that common carriers make manpower available on a 24-hour basis to handle interceptions and the capture of call-setup information in the event of a wiretap or pen-register/trap-and-trace order. The FBI analysis asserts without quantification that "since the mid-1980s, technological impediments have frustrated, in whole or in part, the execution of a number of court orders." But among the "technological impediments," apparently, has been the reluctance or inability of common carriers to provide the kind of assistance that law enforcement-- specifically, guaranteed ability to capture communications contents and "call setup" information. The Act and the FBI analysis consistently use the language of "clarification" in reference to the amendments contained in the Act, but of course the vastly expanded authority of the Attorney General and the FCC to supervise and punish common carriers is nothing if not "expanded authority." This Act also creates many new legal obligations for common carriers, "support services," and telecom equipment manufacturers. >The Act is further intended to improve communications privacy protection for cordless telephones, certain radio- based data communications and networks, communications transmitted using certain privacy-enhancing modulation techniques, and to clarify the lawfulness of quality control and service provision monitoring of electronic communications. These are all addressed in Section 4 of the Act. This section corrects four anomalies under the current statutes: 1) It brings cordless telephones under the protection of Title III. 2) With respect to radio communications it creates Title III protection for "an electronic communication" that is transmitted via radio. 3) It corrects an apparent omission by adding radio communications that use "modulation techniques" for privacy to the interception penalty provisions of 18 USC 2511(4). 4) It corrects a drafting error in ECPA by adding "electronic communication" to a clause in 18 USC 2511 (2)(a)(i). >SEC. 3. COMMON CARRIER ASSISTANCE >(a) _New section_. Chapter 109 of title 18, United States Code, is amended by adding the following new section: >"Sec. 2237. Common carrier assistance to government agencies. ""(a) Assistance requirements. Common carriers shall be required to provide forthwith, pursuant to court order or lawful authorization, the following capabilities and capacities in order to permit the government to >conduct electronic surveillance and pen register and trap and trace investigations effectively: Note that Chapter 109 is not part of Title III; instead, it's a chapter including various penalty provisions for interference in the execution of lawful searches and seizures and for violating the Constitutionally mandated requirements for such procedures. The chapter is does not amount to a statutory scheme--it's basically a collection of somewhat related individual search-and-seizure statutes. Why isn't this Act part of Title III? Perhaps because it uses a different definition of "intercept" than is used in the wiretap statute. See discussion below. This Section of the Act outlines and specifies just what the government wants the phrase "information, facilities, technical assistance" in 18 USC 2518 to mean. Note that a major component of these obligations is the requirement that common carriers *create* new information and facilities and devise new means of technical assistance. The FBI analysis makes clear that the drafters of this Act developed a wish list in consultation with other federal, state, and local law-enforcement agencies. Although the FBI analysis states that "The Government intentionally eschewed setting any technical standards because it does not desire to 'dictate' particular technological solutions, it is apparent that the government hopes to gain the authority to dictate *functional* solutions. Given the penalties for noncompliance and other enforcement powers this Act creates, "dictate" is not too strong a verb for the kind of prerogative the government is seeking. >"(1) The ability to execute expeditiously and simultaneously within a common carrier's system all court orders and lawful authorizations for the interception of wire and electronic communications and the acquisition >of call setup information related to the facilities or services of subscribers of such common carrier; Note that in this iteration of the Act, there is a new emphasis on "call setup information," which is, basically, origination and destination information for wire or electronic communications. It has been claimed by law enforcement that such current features as call forwarding often thwart their ability to implement wiretaps, pen registers, or traps and traces. This Act, if passed, would require common carriers to redesign calling features if necessary to be ble to provide "call setup" information, or, in the alternative, to cease providing calling features that thwarted the capture of such transactional information. It is unclear how such a requirement would play out in cases where communications are transmitted using both common carriage networks and enhanced service providers. On its face, the statute may require that a common carrier be able, for example, to tell not only which subscriber is sending e- mail over the phone lines to the CompuServe Packet Network, but also where that e-mail's ultimate destination is. The FBI analysis stresses that common carriers can perform a capacity analysis, based on their prior records of assisted intercepts, etc., to determine how much wiretap capacity to provide in order to minimize the costs of compliance. The FBI claims that "a number of court orders and authorizations were not fully executed, or were not even sought" because of "capacity shortfalls, such as insufficient 'port' capacity in the cellular mobile switching offices." The FBI analysis states that "at any particular time, a number of Federal, state, and local government agencies may be competing" for capacity, and that "it is critical that there be sufficient capacity to accommodate completely the concomitant needs of all government agencies." >"(2) the ability to intercept the content of communications and acquire call setup information concurrent with the transmission of the communication to or from the subscriber's facility or service that is the subject of the court order or lawful authorization, to the exclusion of any wire or electronic communication or call setup information of any other subscriber, notwithstanding the mobile nature of the facility or service that is the subject of the court order or lawful authorization or the use by the subscriber who is the subject of the court order or lawful authorization of any features offered by the common carrier; This section requires that common carriers, including cellular and any other mobile-phone service, be able to single out individual communications and capture both contents and call-setup information, that they be able to do this "live," or else immediately after the transmission, with a preference for the former. This is the meaning of "concurrent." The FBI analysis justifies this requirement in terms of "minimization" of intrusion on the communications of innocent parties; of course, the requirement would enhance the efficiency and speed with which the government could effect a wiretap. >"(3) the ability to intercept the content of communications and acquire call setup information unobtrusively and with a minimum of interference with any subscriber's telecommunications service; and No strange clicking on the line, in other words. >"(4) the ability to receive, in a generally available format, the intercepted content of communications and acquired call setup information at a location identified by the government distant from the facility that is the subject of the interception, from the interception access point, and from the premises of the common carrier (except where emergency or exigent circumstances such as those described in 18 U.S.C. 2518(7), 2518(11)(b), or 3125, or in 50 U.S.C. 1805(e), necessitate monitoring at the common carrier's premises). Not only must communications and call-setup info be captured "live" or immediately post-transmission, but it also must be routable to a remote, designated government-operated location. Whether the routing is done by the carrier or the government is unclear. The exceptions to this "routability requirement" occur when a criminal or intelligence emergency pre-empts the normal process of seeking an order, or when there is an attempt by the person committing an offense to thwart interception by changing facilities. These types of situations are provided for under current law. >"(b) Systems security. The government shall notify a common carrier of any interception of wire or electronic communications or any acquisition of call setup information that is to be effected within the premises of such common carrier pursuant to court order or lawful authorization. After notification, such common carrier shall designate an individual or individuals to activate such interception or acquisition forthwith. Such individual(s) shall be available at all times to activate such interceptions or acquisitions. Such interceptions or acquisitions effected within the premises of a common carrier may be activated only by the affirmative intervention of such individual(s) designated by such common carrier. The FBI analysis justifies this "drafting" of personnel as a way of mollifying common carriers who don't want non- personnel handling their equipment or operating their facilities. Of course, this section also means that a common carrier must budget for such personnel to be at the service of law enforcement for on-premises intercepts and call-setup captures. >"(c) Compliance date. To the extent that common carriers providing service within the United States currently cannot fulfil the requirements set forth in subsection (a) of this section, they shall fulfil such requirements within three years from the date of enactment of this Act. The time limit for compliance has not changed since the last iteration of the Act. Note that only large-scale communications providers are included in the scope of this version of the Act. The FBI analysis states that PBXs, computer-network providers, and other entities that do not qualify as common carriers are not to be obligated by the passage of this act to add these new capabilities, but will be obligated to cooperate under the general provisions of 18 USC 2518(4) to the extent possible. *Note especially that this distinction undercuts the claim that the government is merely "clarifying" a pre-existing obligation under 18 USC 2518(4)--if that were true, these clarifications would apply to *all* "providers of wire or electronic communications services" and not just "common carriers."* >"(d) Cooperation of support service providers and equipment manufacturers. Common carriers shall consult, as necessary, in a timely fashion with appropriate providers of common carrier support services and telecommunications equipment manufacturers for the purpose of identifying any services or equipment, including hardware and software, that may require modification so as to permit compliance with the provisions of this Act. A provider of common carrier support services or a telecommunications equipment manufacturer shall make available to a common >carrier on a timely and priority basis, and at a reasonable cost, any support service or equipment, including hardware or software, which may be >required so as to permit compliance with the provisions of this Act. This section imposes an obligation on common carriers to instruct support services and equipment providers that they need "wiretap-friendly" services and equipment, and it imposes an obligation on the service and equipment providers to comply. Note that the statute does not itself outline remedies for noncompliance by support services and equipment providers. The FBI analysis, however, states that the Attorney General "may apply for an order, such as a writ of mandamus" mandating the compliance of such entities. >"(e) Enforcement. The Attorney General shall have authority to enforce the provisions of subsections (a), (b), (c), and (d) of this section. The Attorney General may apply to the appropriate United States District Court for an order restraining or enjoining the provision of service of any common carrier who violates subsection (a), (b), (c), or (d) of this section. The District Courts shall have jurisdiction to issue such restraining order or injunction. The Attorney General may also request the Federal Communications Commission to assist in enforcing the provisions of this Act. The "may apply" language implies that this is not an exhaustive list of the remedies available to the Attorney General, who is granted general "authority to enforce." In the first version of this Act, enforcement authority was to be given to the FCC; in the second version, enforcement was the responsibility of the Attorney General and the DOJ. This section apparently combines the best of both worlds, empowering either the FCC or the AG to enforce the Act's provisions. >"(f) Penalties. Any common carrier that violates any provision of subsection (a) of this section shall be subject to a civil penalty of $10,000 per day for each day in violation. The Attorney General may file a >civil action in the appropriate United States District Court to collect, and the United States District Courts shall jurisdiction to impose, such penalties. After consultation with the Attorney General, the Federal Communications Commission may also impose regulatory sanctions or fines otherwise authorized by law. Essentially, this section allows non-compliant common carriers to be challenged on two fronts. >"(g) Consultation. The Attorney General is encouraged to consult with the Federal Communications Commission and common carrier representatives and to utilize common carrier standards bodies, associations, or other such organizations to discuss details of the requirements, such as those related to capacity, in order to facilitate compliance with the provisions of this Act. This language apparently is merely precatory; apparently, the Attorney General need not consult with the FCC or the other entities mentioned here. >"(h) Funding. Notwithstanding any other provision of law, the Federal Communications Commission shall implement promptly methods and procedures that allow each common carrier to be remunerated by the Federal >Government for all reasonable costs incurred in the course of complying with the requirements of this Act. We may reasonably anticipate that there would be significant litigation on the issue of remuneration for "reasonable costs." >"(i) Definitions. -- As used in this Section -- ((1) 'common carrier' means any person or entity engaged as a common carrier for hire, as defined by section 3(h) of the Communications Act of 1934, and includes a commercial mobile service or interconnected service, as defined in section 6002(b) of Public Law 103-66; ((2) 'provider of common carrier support services' means any person or entity who provides services to a common carrier that are integral to processing, directing, forwarding, or completing telephone calls or electronic communication transmissions; ((3) 'wire communication' shall have the same meaning as set forth in subsection 2510(1) of title 18, United States Code; ((4) 'electronic communication' shall have the same meaning as set forth in subsection 2510(12) of title 18, United States Code; ((5) 'intercept' shall have the same meaning as set forth in subsection 2510(4) of title 18, United States Code, except that with regard to a common carrier's transmission of a communication encrypted by a subscriber, the common carrier shall not be responsible for ensuring the >government agency's ability to acquire the plaintext of the communications >content, unless the encryption was provided by the common carrier and the common carrier possesses the information necessary to decrypt the communication; Normally, "intercept" means capture the contents of a communication. 18 USC 2510(4). But the government here is exempting common carriers from providing the plaintext versions of encrypted communications that were encrypted be the subscriber through some method other than an encryption service offered by the common carrier and to which the carrier retains the encryption keys or some equivalent capability to decrypt the communications. Interestingly, this definition seems to gut the meaning of the definition in 18 USC 2510(4), which focuses only on the content of the communication. "Interception" legally means "capturing the content" in Title III. If you're not capturing the content, it's not, strictly speaking, an interception according the statutory definition. >(6) 'concurrent with the transmission of the communication,' as used in section 3(a)(2) of this Act, means contemporaneous with the transmission; but it shall include, with regard to electronic communications, the ability of a government agency to acquire such communications at the conclusion of the transmission, and, with regard to call set up information, the ability to acquire such information either before, during, or immediately after the transmission of the communication; The FBI analysis states that law enforcement's preference is for such information to be captured *before* transmission. >(7) 'call set up information' shall mean the information generated which identifies the origin and destination of a wire or electronic communication placed to, or received by, the facility or service that is the subject of a court order or lawful authorization, including information associated with any telecommunication system dialing >or calling features or services; and This provision would create an immensely powerful tool for message traffic analysis, which has significance wholly independent of the ability to capture the content of communications. The government's prerogative to capture such transactional information is conditioned on a much lower standard of proof than that for wiretaps--rather than making a showing of probable cause, the government need only "certify" to the issuing magistrate that "the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation." 18 USC 3123. >(8) 'government' means the Government of the United States and any agency or instrumentality thereof, the District of Columbia, any commonwealth, territory or possession of the United States, and any state or political subdivision thereof authorized by law to conduct electronic surveillance." This simply makes clear that the prerogative to require these new services from common carriers extends to all levels of law enforcement, and not just to the federal law-enforcement and intelligence agencies. >SEC. 4. COMMUNICATIONS PRIVACY IMPROVEMENT AND MONITORING CLARIFICATION. >Chapter 119 of title 18 is amended by making the following changes: (1) Cordless telephones. >(a) _Definitions_. - Section 2510 of title 18, United States Code, is amended - >(1) in paragraph (1), by striking ", but such term does not include" and all that follows through "base unit"; and ((2) in paragraph (12), by striking subparagraph (A) and redesignating subparagraphs (B) through (D) as subparagraphs (A) through (C), respectively. >(b) _Penalty_. - Section 2511 of title 18, United States Code, is amended - >(1) in subsection (4)(b)(i), by inserting "a cordless telephone communication that is transmitted between a cordless telephone handset and >the base unit," after "cellular telephone communication,"; and ((2) in subsection (4)(b)(ii), by inserting "a cordless telephone >communication that is transmitted between a cordless telephone handset and >the base unit," after "cellular telephone communication,". In the early days of cordless telephones, it was easy for the radio transmissions between handsets and base units to be intercepted by scanners and, occasionally, by ordinary transistor radios. Congress did not want to felonize such trivially easy interceptions. Current cordless phone technology, however, makes such interceptions more difficult, according to the FBI analysis, and therefore it makes sense to extend wiretap protections to cordless phones. Note that this would resolve a long-standing anomaly in the protections offered by Title III. >(2) Radio based data communications. >Section 2510(16) of title 18, United States Code, is amended by striking the word "or" at the end of subparagraph (D) and inserting an "or" at the end of subparagraph (E) and adding the following new subparagraph: >"(F) an electronic communication;". This adds "electronic communications" (such as e-mail or data communications) to the class of radio communications whose privacy is protected by Title III. The FBI analysis states that this amendment is designed to make clear that data communications over radio are also protected under Title III. >(3) Penalties for monitoring radio communications that are not scrambled, encrypted, or non-public. >Section 2511(4)(b) of title 18, United States Code, is amended by deleting the phrase "or encrypted, then--" and inserting the following: "", encrypted, or transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention >of preserving the privacy or such communication, then--". This amendment adds a penalty for modulation-protected communications, which are already defined as not "readily accessible to the general public" under the current language of 18 USC 2510(16)(B). >(4)Technical correction. >Section 2511(2)(a)(i) of title 18, United States Code, is amended by >striking out "used in the transmission of wire communication" and inserting in lieu thereof "used in the transmission of a wire or electronic communication.". This simply corrects a drafting error left over from the Electronic Communications Privacy Act, by adding the term "electronic communications" to those communications that a provider can intercept or disclose in the course of protecting its service. The amended section already included the language "provider of wire or electronic communications service," but seemed to allow only the interception and disclosure of "wire communications."