Wednesday, February 16, 2011

CALEA: It is about the money

Cash Rules Everything Around Me
C.R.E.A.M.
Get the money
Dollar, dollar bill y'all
-- Wu Tang Clan
Tomorrow, the House Judiciary Committee will hold a hearing on the topic of CALEA, and the FBI's desire to get backdoors in modern services like Skype, Google, Facebook and RIM's Blackberry. The mass adoption of these services, the FBI claims, is leading to a situation where law enforcement agencies have "gone dark," and lost the ability to intercept the communications of suspects in real time.

This is not the first time that the FBI has come to Congress to ask for increased surveillance powers -- The FBI spent a good part of the 90s sending people to Capitol Hill, asking for backdoors in encryption.

What does surprise me is that the tech companies are nowhere to be seen, and have not deployed anyone publicly to fight this proposal. Compare this, for a moment, to the cloud computing privacy hearing held by the same House Committee last September, where Google, Microsoft, Amazon, Rackspace and Salesforce all sent executives to argue for stronger privacy laws.

Last year, those companies were vocally asking for stronger privacy laws that would make it more difficult for law enforcement agencies to access their customers' data. Now, these same firms are being asked to put backdoors in their services, and make it easier for the government to snoop on their customers. Are they fighting this? No.

Instead, they are hiding behind industry-funded advocacy groups, like the Center for Democracy and Technology, which has written a softly-worded statement of concern.

Google, Microsoft and Facebook have excellent, well-funded teams of lobbyists. The fact that they are not appearing at the hearing tomorrow and have not issued any public statements about the topic is a clear sign that these companies are doing everything possible to keep a low profile on this issue.

If I had to guess why, I suspect that they don't want to do anything to upset Congress, particularly now that the topic of commercial privacy is very much on the legislative agenda. If they put their foot down on CALEA, they may find themselves with few friends when members start considering bills to limit behavioral advertising.

Priority #1: Gotta get paid

When Congress passed CALEA in 1994, it set aside $500 million to help with the cost of designing and deploying wiretap-capable networking equipment. Unfortunately, as a 2008 DOJ Inspector General report (pdf) revealed, it was not possible to tell if the money was well-spent, since neither the telecoms nor the switch makers were willing to share the necessary information.

With that in mind, this bullet point from CDT's statement of concern caught my eye:
"Avoid unfunded mandates: The costs of implementing any new proposals should be borne by the government."
While tech companies aren't particularly crazy about adding new snooping capabilities into their services, they are even less excited about having to eat the financial cost of developing and deploying those backdoors.

Even though CDT seems to think otherwise, there are strong policy advantages to sticking companies with these costs. The most important one is that Google and Facebook are far more likely to take a strong position against CALEA II if they are going to get stuck with the check. If these firms know they are going to get millions of dollars for upfront surveillance development, they are far less likely to fight, and will instead spend more of their time haggling over the details, and in particular, lobbying for a larger payout with less oversight.

Charging the government for individual requests is good
"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. Couple that with reporting, and at least you have the opportunity to look at and know about what is going on."
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.
This is not to say that I am opposed to companies making the government pay for the assistance they are legally required to provide. I just think that the payment should be associated with specific investigations and requests, rather than a huge cash payment for developing and deploying surveillance capabilities.

The reason for this is that invoices for surveillance serve as a fantastic paper trail documenting the scope and scale of government snooping. Through Freedom of Information Act requests, I have obtained invoices from both Google and Yahoo, which detailed the kinds of requests they were getting, and helped me to discover that the US Marshals have essentially granted themselves a new surveillance power that is not in the law.

Charging for law enforcement assistance also tends to limit their use to only those records necessary. As Al Gidari told the House Judiciary Committee in testimony last year:
When records are "free," such as with phone records, law enforcement over consumes with abandon. Pen register print outs, for example, are served daily on carriers without regard to whether the prior day's output sought the same records. Phone record subpoenas often cover years rather than shorter, more relevant time periods. But when service providers charge for extracting data, such as log file searches, law enforcement requests are more tailored.

It is for these reasons that I have pleaded with attorneys at Microsoft and Facebook to start charging the government. Even though the law permits them to do so, both firms currently deliver user data to law enforcement agencies for free.

Recoup the high costs of surveillance technology through high per-request fees

A 2006 report from the DOJ Inspector General revealed that:
One carrier informed us that most of the costs it billed to law enforcement are for overtime and recovery of capitalized hardware and software costs. These representatives stated that capital costs are the major costs incurred by a carrier, and that these costs are entirely proper for carriers to recover.
For once, I actually agree with the carriers. If they had to spend millions of dollars deploying CALEA-compliant intercept equipment, then it is only reasonable that they recoup it by charging $3500 for a 30 day wiretap (as Cox Communications does).

The problem with charging $3500 for a wiretap is that the police will complain, as this money comes out of their budget. The same 2006 Inspector General report confirmed this:
Law enforcement's biggest complaint regarding CALEA is the relatively high fees charged by carriers to conduct electronic surveillance. A traditional wiretap costs law enforcement approximately $250. However, a wiretap with CALEA features costs law enforcement approximately $2,200 according to law enforcement officials and carrier representatives we interviewed. A law enforcement official noted that, "[w]ith CALEA, the carriers do less work but it costs approximately 10 times as much to do a CALEA-compliant tap versus a traditional tap."

If Congress is considering spending another $500 million on CALEA II (and I hope it doesn't), it should give it out in grants to state and local law enforcement agencies. Give them each a pool of money, and let them decide how they want to spend it. If they want to use it to hire more officers, or buy body armor, that is their choice. If they want to pay for CALEA II wiretaps provided by Google, Facebook and Skype, well, that is their choice too. In the real world, there are opportunity costs associated with every purchase, and the police should have to experience these too. Surveillance should be expensive -- that is the best way to make sure these powers are not overused, or abused. Unfortunately, at just $25 for an individual user's account, Google and Yahoo are not charging nearly enough.
