CALEA Revisited

Remember CALEA? In 2005 higher education government affairs and information technology specialists held forth against the potential for configuration requirements under a revision of this legislation and ultimately prevailed in federal court in the case in a case brought by the American Council on Higher Education. http://www.acenet.edu/AM/Template.cfm?Section=Search&template=/CM/HTMLD… Because our networks are private, even in state schools, so long as a school neither sold services to the public nor had direct connections to the Internet (unmediated by commodity networks), higher education networks were found to be exempt under the law.

CALEA is back, although this time the buzz is in the wider world, not higher ed. The New York Times has an editorial today about it: http://www.nytimes.com/2010/11/03/opinion/03wed1.html?_r=1&emc=tnt&tnte… Overreaching, futility and privacy are the principal concerns.

I am grateful for the work that the privacy lobby is doing in this area because without these watchdogs the security extremists would trend us toward the police state even if that is not exactly how they see the endgame. But I confess that I am not so worked up this time about the issue. In part it is because higher education is exempt from it. In part, given the damage done largely by the Bush Administration, (detailed in the editorial), I have capitulated trust in the current law to redress the wrongs. The little bit of the technologist in me also recognized that the encryption issue goes so much deeper than the legal community recognizes. It is a bit like a viable concern over gun control: make it too strick and only the criminals will have guns! Criminals, always on the cutting edge of technology, will avail themselves of encryption sooner and more pervasively than mere mortal users. Only small fry of the criminal world would be detectable, which would be okay too but for the legitimate worry over the myriad false positives. As a statistical term it does not reflect how this regime would increase the likelihood of the prosecution of innocent people.

One legal nit remains, however, and it is buried in this editorial instead of being shown in the spotlight. CALEA is a subset of the very broken umbrella ECPA, the Electronic Communications Privacy Act. The collapse of data networking technology into the legal paradigm built for telephony is at the root of virtually every electronic privacy legal concern, whether it be about the USA-Patriot Act of 2001 or CALEA. Fourth Amendment jurisprudence draws a line between "content" and billing or "conversational detail" (a misnomer unless you think of the conversation ongoing between routers, not people) information. That line made sense for dedicated phone lines because little (900 numbers) to no (person to person) content can leak through what is collectable with that technology (phone numbers, time and duration of call). Data networking is different. Depending on how they are configured, routers can offer Internet Protocol address that resolve to content in the case of web pages as well as subject lines in email header information, among other tidbits. Therefore, when the Patriot Act lowered the showing by which law enforcement could obtain that content to virtually nothing (filing a letter with a clerk, essentially), it raised alarms but often misunderstood as legal access to content without a warrant not as a legal matter but as a failure of ECPA to track to digital networking technology.

The organization Digital Due Process speaks directly to this issue. As one can see if you visit their website, they have some heavy hitters working on this issue. http://www.digitaldueprocess.org/index.cfm?objectid=DF652CE0-2552-11DF-… About this issue I can still get excited, and if federal law enforcement can direct Congress's attention to it via CALEA then I am all for it. But let's be sure that we keep our eye on the right ball. Otherwise we will be wasting time nipping at the heels of a much larger and far more important reform that offers the possibility to set the government privacy compass right in the electronic age.