From: Mike Godwin <mnemonic@eff.org>
Date: Wed, 23 Feb 94 20:25:54 PST
To: IFREEDOM@SNOOPY.UCIS.DAL.CA (Forum on Censorship and Intellectual Freedom)
Subject: Digital Telephony--Section-by-section analysis
Message-ID: <199402240425.XAA05748@eff.org>
MIME-Version: 1.0
Content-Type: text/plain




Section-by-section Analysis of the 1994 draft
of the Digital Telephony legislation

Mike Godwin
EFF



TITLE

>                        A BILL
>
>   To ensure continued law enforcement electronic surveillance access to
>the content of wire and electronic communications and call setup
>information when authorized by law, to improve communications privacy
>protection, and for other purposes.

The "other purposes" are, apparently, the correction of a drafting error
in ECPA that led to an anomaly in 18 USC 2511. See Section 4 below.


SECTION 2

>SEC. 2. PURPOSE.  The purpose of this Act is to clarify and define the
>responsibilities of common carriers, providers of common carrier support
>services, and telecommunications equipment manufacturers to provide the
>assistance required to ensure that government agencies can implement
court
>orders and lawful authorizations to intercept the content of wire and
>electronic communications and acquire call setup information under
>chapters 119 and 206 of title 18 and chapter 36 of title 50.

Chapter 119 is the communications-interception chapter, commonly called
"Title III."
Chapter 206 is the pen-register/trap-and-trace chapter.
Title 50 includes interception provisions of the Foreign Intelligence
Surveillance Act.

Note that Chapter 121 of Title 18, the stored-communications chapter of
the U.S. criminal code, is not mentioned. It may, however, be affected by
some of the amendments suggested in the Digital Telephony bill. 

>Otherwise,
>except for the provisions in section 4, nothing in this Act is intended
to
>alter any provision contained in the Federal electronic surveillance, pen
>register, or trap and trace statutes, or those of any state or other
>jurisdiction. In particular, nothing herein is intended to enlarge or
>reduce the government's authority to lawfully intercept the content of
>communications or install or use pen register or trap and trace devices,
>or to increase or decrease any criminal penalties for unlawfully
>intercepting the content of communications or installing or using pen
>register or trap and trace devices, or to alter the provisions regarding
>service provider assistance, payment for assistance, causes of action,
>civil liability, or good faith defenses.

This is essentially a deceptive statement about the effect of the Act.
Although 18 USC 2518(4) allows applicants for authorization orders to
request that the order "direct that a provider of wire or electronic
communication service ... furnish the applicant forthwith with all
information, facilities, and technical assistance necessary to accomplish
the interception...", this provision has not widely been interpreted to
hold that service providers must actively create solutions to interception
problems if those solutions do not already exist. The FBI analysis says
government agencies "have been reluctant to pursue contempt or other legal
remedies to resolve this issue." The reason for this reluctance, in my
opinion, is that the language of 2518(4) does not unequivocally impose
such a burden on providers, and the government stands a good chance of
losing any fight in which it claims that such a burden does exist.

Thus, the FBI's solution is to create a *new* and *routine* obligation on
common carriers (but not small-scale providers) to generate technical
solutions to interception and "call setup" problems created by current
common-carrier networks. Moreover, this Act would require that common
carriers make manpower available on a 24-hour basis to handle
interceptions and the capture of call-setup information in the event of a
wiretap or pen-register/trap-and-trace order.

The FBI analysis asserts without quantification that "since the mid-1980s,
technological impediments have frustrated, in whole or in part, the
execution of a number of court orders." But among the "technological
impediments," apparently, has been the reluctance or inability of common
carriers to provide the kind of assistance that law
enforcement--specifically, guaranteed ability to capture communications
contents and "call setup" information.

The Act and the FBI analysis consistently use the language of
"clarification" in reference to the amendments contained in the Act, but
of course the vastly expanded authority of the Attorney General and the
FCC to supervise and punish common carriers is nothing if not "expanded
authority." This Act also creates many new legal obligations for common
carriers, "support services," and telecom equipment manufacturers.

>      The Act is further intended to improve communications privacy
>protection for cordless telephones, certain radio-based data
>communications and networks, communications transmitted using certain
>privacy-enhancing modulation techniques, and to clarify the lawfulness of
>quality control and service provision monitoring of electronic
>communications.

These are all addressed in Section 4 of the Act. This section corrects
four anomalies under the current statutes: 
1) It brings cordless telephones under the protection of Title III.
2) With respect to radio communications it creates Title III protection
for "an electronic communication" that is transmitted via radio.
3) It corrects an apparent omission by adding radio communications that
use "modulation techniques" for privacy to the interception penalty
provisions of 18 USC 2511(4).
4) It corrects a drafting error in ECPA by adding "electronic
communication" to a clause in 18 USC 2511 (2)(a)(i).

>SEC. 3.  COMMON CARRIER ASSISTANCE
>
>      (a) _New section_.  Chapter 109 of title 18, United States Code, is
>amended by adding the following new section:
>
>"Sec. 2237. Common carrier assistance to government agencies.
>      "(a) Assistance requirements. Common carriers shall be required to
>provide forthwith, pursuant to court order or lawful authorization, the
>following capabilities and capacities in order to permit the government
to
>conduct electronic surveillance and pen register and trap and trace
>investigations effectively:

Note that Chapter 109 is not part of Title III; instead, it's a chapter
including various penalty provisions for interference in the execution of
lawful searches and seizures and for violating the Constitutionally
mandated requirements for such procedures. The chapter is does not amount
to a statutory scheme--it's basically a collection of somewhat related
individual search-and-seizure statutes.

Why isn't this Act part of Title III? Perhaps because it uses a different
definition of "intercept" than is used in the wiretap statute. See
discussion below.

This Section of the Act outlines and specifies just what the government
wants the phrase "information, facilities, technical assistance" in 18 USC
2518 to mean. Note that a major component of these obligations is the
requirement that common carriers *create* new information and facilities
and devise new means of technical assistance.

The FBI analysis makes clear that the drafters of this Act developed a
wish list in consultation with other  federal, state, and local
law-enforcement agencies. Although the FBI analysis states that "The
Government intentionally eschewed setting any technical standards because
it does not desire to 'dictate' particular technological solutions, it is
apparent that the government hopes to gain the authority to dictate
*functional* solutions. Given the penalties for noncompliance and other
enforcement powers this Act creates, "dictate" is not too strong a verb
for the kind of prerogative the government is seeking.
 
>      "(1) The ability to execute expeditiously and simultaneously within
>a common carrier's system all court orders and lawful authorizations for
>the interception of wire and electronic communications and the
acquisition
>of call setup information related to the facilities or services of
>subscribers of such common carrier;

Note that in this iteration of the Act, there is a new emphasis on "call
setup information," which is, basically, origination and destination
information for wire or electronic communications. It has been claimed by
law enforcement that such current features as call forwarding often thwart
their ability to implement wiretaps, pen registers, or traps and traces.
This Act, if passed, would require common carriers to redesign calling
features if necessary to be ble to provide "call setup" information, or,
in the alternative, to cease providing calling features that thwarted the
capture of such transactional information.

It is unclear how such a requirement would play out in cases where
communications are transmitted using both common carriage networks and
enhanced service providers. On its face, the statute may require that a
common carrier be able, for example,  to tell not only which subscriber is
sending e-mail over the phone lines to the CompuServe Packet Network, but
also where that e-mail's ultimate destination is.

The FBI analysis stresses that common carriers can perform a capacity
analysis, based on their prior records of assisted intercepts, etc., to
determine how much wiretap capacity to provide in order to minimize the
costs of compliance.   The FBI claims that "a number of court orders and
authorizations were not fully executed, or were not even sought" because
of "capacity shortfalls, such as insufficient 'port' capacity in the
cellular mobile switching offices." The FBI analysis states that "at any
particular time, a number of Federal, state, and local government agencies
may be competing" for capacity, and that "it is critical that there be
sufficient capacity to accommodate completely the concomitant needs of all
government agencies."

>      "(2) the ability to intercept the content of communications and
>acquire call setup information concurrent with the transmission of the
>communication to or from the subscriber's facility or service that is the
>subject of the court order or lawful authorization, to the exclusion of
>any wire or electronic communication or call setup information of any
>other subscriber, notwithstanding the mobile nature of the facility or
>service that is the subject of the court order or lawful authorization or
>the use by the subscriber who is the subject of the court order or lawful
>authorization of any features offered by the common carrier;

This section requires that common carriers, including cellular and any
other mobile-phone service, be able to single out individual
communications and capture both contents and call-setup information, that
they be able to do this "live," or else immediately after the
transmission, with a preference for the former. This is the meaning of
"concurrent."

The FBI analysis justifies this requirement in terms of "minimization" of
intrusion on the communications of innocent parties; of course, the
requirement would enhance the efficiency and speed with which the
government could effect a wiretap.

>      "(3) the ability to intercept the content of communications and
>acquire call setup information unobtrusively and with a minimum of
>interference with any subscriber's telecommunications service; and

No strange clicking on the line, in other words.

>      "(4) the ability to receive, in a generally available format, the
>intercepted content of communications and acquired call setup information
>at a location identified by the government distant from the facility that
>is the subject of the interception, from the interception access point,
>and from the premises of the common carrier (except where emergency or
>exigent circumstances such as those described in 18 U.S.C. 2518(7),
>2518(11)(b), or 3125, or in 50 U.S.C. 1805(e), necessitate monitoring at
>the common carrier's premises).

Not only must communications and call-setup info be captured "live" or
immediately post-transmission, but it also must be routable  to a remote,
designated government-operated location. Whether the routing is done by
the carrier or the government is unclear.

The exceptions to this "routability requirement" occur when a criminal or
intelligence emergency pre-empts the normal process of seeking an order,
or when there is an attempt by the person committing an offense to thwart
interception by changing facilities. These types of situations are
provided for under current law.

>      "(b) Systems security. The government shall notify a common carrier
>of any interception of wire or electronic communications or any
>acquisition of call setup information that is to be effected within the
>premises of such common carrier pursuant to court order or lawful
>authorization. After notification, such common carrier shall designate an
>individual or individuals to activate such interception or acquisition
>forthwith. Such individual(s) shall be available at all times to activate
>such interceptions or acquisitions. Such interceptions or acquisitions
>effected within the premises of a common carrier may be activated only by
>the affirmative intervention of such individual(s) designated by such
>common carrier.

The FBI analysis justifies this "drafting" of personnel as a way of
mollifying common carriers who don't want non-personnel handling their
equipment or operating their facilities. Of course, this section also
means that a common carrier must budget for such personnel to be at the
service of law enforcement for on-premises intercepts and call-setup
captures.

>      "(c) Compliance date. To the extent that common carriers providing
>service within the United States currently cannot fulfil the requirements
>set forth in subsection (a) of this section, they shall fulfil such
>requirements within three years from the date of enactment of this Act.

The time limit for compliance has not changed since the last iteration of
the Act.

Note that only large-scale communications providers are included in the
scope of this version of the Act. The FBI analysis states that PBXs,
computer-network providers, and other entities that do not qualify as
common carriers are not to be obligated by the passage of this act to add
these new capabilities, but will be obligated to cooperate under the
general provisions of 18 USC 2518(4) to the extent possible. *Note
especially that this distinction undercuts the claim that the government
is merely "clarifying" a pre-existing obligation under 18 USC 2518(4)--if
that were true, these clarifications would apply to *all* "providers of
wire or electronic communications services" and not just "common
carriers."*

>      "(d) Cooperation of support service providers and equipment
>manufacturers. Common carriers shall consult, as necessary, in a timely
>fashion with appropriate providers of common carrier support services and
>telecommunications equipment manufacturers for the purpose of identifying
>any services or equipment, including hardware and software, that may
>require modification so as to permit compliance with the provisions of
>this Act. A provider of common carrier support services or a
>telecommunications equipment manufacturer shall make available to a
common
>carrier on a timely and priority basis, and at a reasonable cost, any
>support service or equipment, including hardware or software, which may
be
>required so as to permit compliance with the provisions of this Act.

This section imposes an obligation on common carriers to instruct support
services and equipment providers that they need "wiretap-friendly"
services and equipment, and it imposes an obligation on the service and
equipment providers to comply.

Note that the statute does not itself outline remedies for noncompliance
by support services and equipment providers. The FBI analysis, however,
states that the Attorney General "may apply for an order, such as a writ
of mandamus" mandating the compliance of such entities.

>      "(e) Enforcement. The Attorney General shall have authority to
>enforce the provisions of subsections (a), (b), (c), and (d) of this
>section. The Attorney General may apply to the appropriate United States
>District Court for an order restraining or enjoining the provision of
>service of any common carrier who violates subsection (a), (b), (c), or
>(d) of this section. The District Courts shall have jurisdiction to issue
>such restraining order or injunction. The Attorney General may also
>request the Federal Communications Commission to assist in enforcing the
>provisions of this Act.

The "may apply" language implies that this is not an exhaustive list of
the remedies available to the Attorney General, who is granted general
"authority to enforce."

In the first version of this Act, enforcement authority was to be given to
the FCC; in the second version, enforcement was the responsibility of the
Attorney General and the DOJ.  This section apparently combines the best
of both worlds, empowering either the FCC or the AG to enforce the Act's
provisions.

>      "(f) Penalties. Any common carrier that violates any provision of
>subsection (a) of this section shall be subject to a civil penalty of
>$10,000 per day for each day in violation. The Attorney General may file
a
>civil action in the appropriate United States District Court to collect,
>and the United States District Courts shall jurisdiction to impose, such
>penalties. After consultation with the Attorney General, the Federal
>Communications Commission may also impose regulatory sanctions or fines
>otherwise authorized by law.

Essentially, this section allows non-compliant common carriers to be
challenged on two fronts.

>      "(g) Consultation. The Attorney General is encouraged to consult
>with the Federal Communications Commission and common carrier
>representatives and to utilize common carrier standards bodies,
>associations, or other such organizations to discuss details of the
>requirements, such as those related to capacity, in order to facilitate
>compliance with the provisions of this Act.

This language apparently is merely precatory; apparently, the Attorney
General need not consult with the FCC or the other entities mentioned
here.

>      "(h) Funding. Notwithstanding any other provision of law, the
>Federal Communications Commission shall implement promptly methods and
>procedures that allow each common carrier to be remunerated by the
Federal
>Government for all reasonable costs incurred in the course of complying
>with the requirements of this Act.

We may reasonably anticipate that there would be significant litigation on
the issue of remuneration for "reasonable costs."

>      "(i) Definitions. -- As used in this Section --
>          (1) 'common carrier' means any person or entity engaged as a
>common carrier for hire, as defined by section 3(h) of the Communications
>Act of 1934, and includes a commercial mobile service or interconnected
>service, as defined in section 6002(b) of Public Law 103-66;
>          (2) 'provider of common carrier support services' means any
>person or entity who provides services to a common carrier that are
>integral to processing, directing, forwarding, or completing telephone
>calls or electronic communication transmissions;
>          (3) 'wire communication' shall have the same meaning as set
>forth in subsection 2510(1) of title 18, United States Code;
>          (4) 'electronic communication' shall have the same meaning as
>set forth in subsection 2510(12) of title 18, United States Code;
>          (5) 'intercept' shall have the same meaning as set forth in
>subsection 2510(4) of title 18, United States Code, except that with
>regard to a common carrier's transmission of a communication encrypted by
>a subscriber, the common carrier shall not be responsible for ensuring
the
>government agency's ability to acquire the plaintext of the
communications
>content, unless the encryption was provided by the common carrier and the
>common carrier possesses the information necessary to decrypt the
>communication;

Normally, "intercept" means capture the contents of a communication. 18
USC 2510(4).  But the government here is exempting common carriers from
providing the plaintext versions of encrypted communications that were
encrypted be the subscriber through some method other than an encryption
service offered by the common carrier and to which the carrier retains the
encryption keys or some equivalent capability to decrypt the
communications.

Interestingly, this definition seems to gut the meaning of the definition
in 18 USC 2510(4), which focuses only on the content of the communication.
"Interception" legally means "capturing the content" in Title III. If
you're not capturing the content, it's not, strictly speaking, an
interception according the statutory definition.

>          (6) 'concurrent with the transmission of the communication,' as
>used in section 3(a)(2) of this Act, means contemporaneous with the
>transmission; but it shall include, with regard to electronic
>communications, the ability of a government agency to acquire such
>communications at the conclusion of the transmission, and, with regard to
>call set up information, the ability to acquire such information either
>before, during, or immediately after the transmission of the
>communication;

The FBI analysis states that law enforcement's preference is for such
information to be captured *before* transmission.

>          (7) 'call set up information' shall mean the information
>generated which identifies the origin and destination of a wire or
>electronic communication placed to, or received by, the facility or
>service that is the subject of a court order or lawful authorization,
>including information associated with any telecommunication system
dialing
>or calling features or services; and

This provision would create an immensely powerful tool for message traffic
analysis, which has significance wholly independent of the ability to
capture the content of communications.

The government's prerogative to capture such transactional information is
conditioned on a much lower standard of proof than that for
wiretaps--rather than making a showing of probable cause, the government
need only "certify" to the issuing magistrate that "the information likely
to be obtained by such installation and use is relevant to an ongoing
criminal investigation." 18 USC 3123.

>          (8) 'government' means the Government of the United States and
>any agency or instrumentality thereof, the District of Columbia, any
>commonwealth, territory or possession of the United States, and any state
>or political subdivision thereof authorized by law to conduct electronic
>surveillance."

This simply makes clear that the prerogative to require these new services
from common carriers extends to all levels of law enforcement, and not
just to the federal law-enforcement and intelligence agencies. 

>SEC. 4. COMMUNICATIONS PRIVACY IMPROVEMENT AND MONITORING CLARIFICATION.
>
>      Chapter 119 of title 18 is amended by making the following changes:
>      (1) Cordless telephones.
>      (a) _Definitions_. - Section 2510 of title 18, United States Code,
>is amended - 
>          (1) in paragraph (1), by striking ", but such term does not
>include" and all that follows through "base unit"; and 
>          (2) in paragraph (12), by striking subparagraph (A) and
>redesignating subparagraphs (B) through (D) as subparagraphs (A) through
>(C), respectively.
>      (b) _Penalty_. - Section 2511 of title 18, United States Code, is
>amended - 
>          (1) in subsection (4)(b)(i), by inserting "a cordless telephone
>communication that is transmitted between a cordless telephone handset
and
>the base unit," after "cellular telephone communication,"; and
>          (2) in subsection (4)(b)(ii), by inserting "a cordless
telephone
>communication that is transmitted between a cordless telephone handset
and
>the base unit," after "cellular telephone communication,".

In the early days of cordless telephones, it was easy for the radio
transmissions between handsets and base units to be intercepted by
scanners and, occasionally, by ordinary transistor radios. Congress did
not want to felonize such trivially easy interceptions. Current cordless
phone technology, however, makes such interceptions more difficult,
according to the FBI analysis, and therefore it makes sense to extend
wiretap protections to cordless phones.

Note that this would resolve a long-standing anomaly in the protections
offered by Title III.

>      (2) Radio based data communications.
>      Section 2510(16) of title 18, United States Code, is amended by
>striking the word "or" at the end of subparagraph (D) and inserting an
>"or" at the end of subparagraph (E) and adding the following new
>subparagraph:
>          "(F) an electronic communication;".

This adds "electronic communications" (such as e-mail or data
communications) to the class of radio communications whose privacy is
protected by Title III. The FBI analysis states that this amendment is
designed to make clear that data communications over radio are also
protected under Title III.

>      (3) Penalties for monitoring radio communications that are not
>scrambled, encrypted, or non-public.
>      Section 2511(4)(b) of title 18, United States Code, is amended by
>deleting the phrase "or encrypted, then--" and inserting the following:
>          ", encrypted, or transmitted using modulation techniques whose
>essential parameters have been withheld from the public with the
intention
>of preserving the privacy or such communication, then--".

This amendment adds a penalty for modulation-protected communications,
which are already defined as not "readily accessible to the general
public" under the current language of 18 USC 2510(16)(B).

>      (4)Technical correction.
>      Section 2511(2)(a)(i) of title 18, United States Code, is amended
by
>striking out "used in the transmission of wire communication" and
>inserting in lieu thereof "used in the transmission of a wire or
>electronic communication.".

This simply corrects a drafting error left over from the Electronic
Communications Privacy Act, by adding the term "electronic communications"
to those communications that a provider can intercept or disclose in the
course of protecting its service. The amended section already included the
language "provider of wire or electronic communications service," but
seemed to allow only the interception and disclosure of "wire
communications."