Tuesday, September 28, 2010

CALEA and encryption

Reading through Charlie Savage's New York Times piece yesterday, which arguably marks the beginning of the 2nd crypto wars, one might get the impression that law enforcement officials are merely seeking to tweak the law, in order to maintain the existing status quo:

"We're talking about lawfully authorized intercepts," said Valerie E. Caproni, general counsel for the Federal Bureau of Investigation. "We're not talking expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and national security."


To counter such problems, officials are coalescing around several of the proposal’s likely requirements:

* Communications services that encrypt messages must have a way to unscramble them.

I think it is reasonable to assume that very few people have read the text of the Communications Assistance for Law Enforcement Act (CALEA), and so it is quite reasonable that the average layperson (or even interested technologist) might assume that existing US law has nothing to say about encryption, since, after all, Skype didn't exist when CALEA was passed in 1994. That is incorrect -- not only does the law speak about encryption, but it specifically protects the right of companies to build strong encryption for which only the customer has the decryption key into their products.

47 USC 1002(b)(3):
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

Also from the CALEA legislative history:

Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access


Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology.
To the contrary, section 2602 protects the right to use encryption.”

If the FBI and other law enforcement agencies get their way, they will not be tweaking existing law to deal with new technologies, but fundamentally changing how the government regulates technology.


Tod Robbins said...

Thank you for this informative breakdown of the COICA/CALEA nightmare.

Jonathan Hansen said...

I second Tod's comment. I for one appreciate that someone who understands what's happening is keeping track of it and blogging about it. Given the inability of those given power to avoid abusing it (Power tends to corrupt; absolute power corrupts absolutely...) as shown by past experiences, there must be a way to communicate privately and "watch the watchers". It's what Constitutional balance of power mitigated - but we clearly don't have that government any longer.