Lecture2 LegalRequirements Sept10 by yTx9N4J2





CALEA passed in 1994 to ensure LEAs had ability to tap phones as had been done for
many years from a provider’s central switching office.

Original law actually provided funding to help carries put in place required equipment.
The original bill did not include the Internet.

The FCC is charged with interpreting and making rules governing CALEA.

CALEA now applies to many form of communication including Internet and Broadband.

Expansion to Internet - 2004

Dramatically expanded in 2004 by FCC in response to DOJ, FBI and DEA petition to
extend monitoring to variety of Internet services. (FCC Notice of Proposed Rule Making
– NRPM). http://w2.eff.org/Privacy/Surveillance/CALEA/?f=index.html

FCC defines what is meant by “substantial replacement” of phone service
Concluded that Broadband ISPs and VoIP providers replace local telephone exchanges

Existing Laws allow LEAs to monitor Internet users, CALEA is there to make it
practical. Note, focus of CALEA is tracking in real time. In particular, want capability
to monitor VoIP and IM converstations.

FCC supported FBI’s “Tappability Principle” – is it is legally searchable sometimes,
should be physically searchable all the time.

EFF concerns

Internet not like POTs. Phones are dumb devices, the intelligence is in the network
(circuit switched networks.) In the Internet the core is dumb (minimal processing), the
intelligence is at the edges (devices and ISPs that connect to customer). Surviellance
cabability needed in edge devices and local ISP equipment. Stifling innovation a
concern. Undue costs to ISPs.

FCC explores mechanism by which costs are passed onto consumers – a tax

More points at which system tappable; more vulnerabilities and threats to security.
CALEA devised to regulate phone systems (closed systems); not Internet and broadband
that are essentially open system.

Wiretapping and Suveillance are getting easier and there is no need for expansion of

The Big Rub – Whos is an ISP

Now CALEA applies to not only phone system provides but ISPs. Which ISPs are
subject to CALEA? Verizon and ATT (sure). John Jay College? CUNY.

Many entities such as unversities receive subpoenas for information all the time.
However, real time wiretaps are a different issue. The have never had to provide this
service to law enforcement. Now they do and under CALEA may have to make it easy.

Wiretaps in 2004: 1714 in from local, state and federal courts; 1754 from FISA court;
only a few on universities under FISA court.

All two way conversations on Internet are covered. If university provides VoIP, they
must provide decoding.

LEAs could request all communications to a specific IP address or individual. Access to
a campus wide network without login?

Capability Requirements for Telecommunications Carriers

Section 103 of CALEA sets forth the assistance capability requirements that
telecommunications carriers need to maintain to support law enforcement in the conduct
of lawfully-authorized electronic surveillance. Specifically, CALEA directs the
telecommunications industry to design, develop, and deploy solutions that meet certain
assistance capability requirements.

Pursuant to a court order or other lawful authorization, carriers must be able to:

 (1) expeditiously isolate all wire and electronic communications of a target transmitted
by the carrier within its service area;

(2) expeditiously isolate call-identifying information of a target;

(3) provide intercepted communications and call-identifying information to law
enforcement; and

(4) carry out intercepts unobtrusively, so targets are not made aware of the electronic
surveillance, and in a manner that does not compromise the privacy and security of other
Electronic Surveillance


wiretap – device used to intercept telephone or telegraph communication
bug – device to transmit conversations


          - wiretaps used during Civil War
          - first police wiretaps in early 1890s
          - use of wiretaps increased dramatically during WWI
          civil unrest due to economic conditions, enforce prohibition

Olmstead vs. United States (1928)

          -petitioners convicted of conspiracy to violate National Prohibition Act
          -phones tapped outside defendants residences
          -defendants claimed 4th amendment right against unreasonable search and seizure
          -court stated 4th amendment covers “…search of a man’s house, his person, his
          papers, and his effects, and prevents seizure agaist his will.”
          -court stated wire transmissions, unlike a sealed letter, are not an effect and are
          not protected. There was no searching or seizure.
          -court said the “language of the amendment cannot be extended.”
          -Brandies dissenting wrote that the 4th and 5th amendments must be reinterpreted
          to reflect that discovery and invention were giving the government powerful new
          tools in which to discover “what is whispered in the closet.”
          -the Olmstead act prompted 25 states to enact legislation making wiretapping a

Section 605 of the Federal Communication Act of 1934

          -restricted use of wiretaps
          -courts upheld the exclusionary rule for wiretaps
          -only applied to wire communications not eavesdropping (bugs OK)
          -did not apply to states or individuals
          -FBI prohibited wiretaps in 1940
          -Hoover reintroduced it during WWII for security reasons.
          Used extensively during 50s and 60s by FBI
          -state level wiretap laws were routinely ignored.
          -605 disliked by all, prevented LEAs from using electronic surveillance, did not
          protect privacy since individuals could wiretap
Title III of the Omnibus Crime Control Act of 1968

       -applied to wiretaps by federal and state officials as well as private parties
       -required a warrant for wiretaps (probable cause)
       -if one part agreed, communications could be recorded
       -excluded taps for national security purposes
       -courts limited it to foreign threats only
       -applied to aural surveillance, not visual or other types of electronic

Electronic Communications Privacy Act of 1986

       -amends title III
       -includes 3 ACTs: 1) Wiretap Act, 2) Stored Communications Act, 3) Pen
       Register Act
       -applies to individuals, states and federal government
       -identifies 3 forms of communication 1) aural transmissions through wires 2) oral
       communications (bugs) 3) electronic communications (non wire and non oral,
       e.g., email) and protects each differently
       -wire and oral stringently protected
       -exclusion rule does not apply to electronic communications

Wiretap Act

       -applies to the interception of any communication contemporaneously with its
       transmission (protects different types of communications differently).
       -phone conversations are primary target
       -harsh criminal penalties
       -strict requirement for court ordered wiretap (details of criminal activity, only
       prosecuting attorney may apply, specific place of interception, probable cause
       offense will be found through interception, alternatives to wiretapping failed.)
       -interception must be minimized
       -does not apply if one party agrees
       -many states have wiretap laws (both parties must agree, Linda Tripp)

Stored Communications Act

       -protects communications in storage (email, other data)
       -does not apply to service providers
       -but forbids disclosures of stored communications by providers
       -allow providers to disclose to provide service or protect property of provider
       -protects disclosures to law enforcement under certain conditions
       -ISPs contracts usually provide for disclosure to law enforcement
       -less severe criminal penalties
       - For communication held 180 days or less, court order required (no probable
       - For communication held more than 180 days, provide notice to subscriber and
       get administrative subpoena (no notice requires a court order)
       -Subscriber records: warrant, court order, consent of subscriber
       -emails stored by ISP generally come under SCA not Wiretap Act
       (a tricky issue: interception contemporaneously with communication or after it
       communication is stored, court opinions seem to vary)
       -content versus envelope information (increasing amount of information in
       envelope information)

Foreign Intelligence Service Act (FISA)

       -standards and procedures for collecting foreign intelligence within the US
       -permits electronic surveillance, covert searches, pen registers and trap and trace
       -enhanced by US Patriot Act of 2001 (foreign intelligence gathering no longer
       need be primary purpose)
       -court orders require only that probable cause be shown that party is a foreign
       -warrants issued by a FISA court made up of US District court justices.
       -under certain circumstances FISA allows surveillance without getting a court
       order first.
       -1758 FISA court orders in 2004, about the same number wiretaps under ECPA.

U.S Patriot Act 2001

       -Modified many existing laws including ECPA, FISA, FERPA, immigration and
       money laundering statutes if terrorism involved.
       -new definition of terrorism
       -delayed notice of search warrants
       -shifted stored communications to SCA (e.g., stored voice mail)
       -allows more subscriber records to be obtained from service providers (records of
       session times and duration, temporarily assigned network address
       -enhanced ability to obtain business records under FISA
       -roving wiretaps (beyond specific person)
       -criticism: removal of an impartial and detached magistrate from review of LEA
       surveillance operations
       -expired in 2005, modified version passed in 2006
Computer Fraud and Abuse Act (Title 18, Part I, Chapter 47, § 1030)


-Prohibits unauthorized access to a “protected computer”
-Subject of most federal computer abuse/misuse prosecutions in US
-felony sentencing guidelines apply if damages exceed $5000 in one year period
(other conditions as well, e.g., access to computer in most financial institutions, causing
physical injury, disruption essential services)
-applies to virtually all computers today
-Covers many forms of hacking, e.g., trafficking in passwords, distributing malicious
code, extortion, denial of service, exceeding authorized access.
-have been attempts to apply it in cases where individuals exceed terms of service
-when passed in 1984, the act had far more limited scope.
-states have similar legislation

CAN SPAM Act of 2003

       Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003

       What is it? http://email-marketing-service-review.toptenreviews.com/what-is-the-

       FTC Reported back to congress on the effectiveness of the law in 2005
       (as required by legislation). FTC reported that law is working and limiting the
       amount of unwanted e-mails and pornographic material.

       Commonly referred to as the “You Can Spam Act.” Does not require marketers
       to get permission before sending e-mail.

       The bill preempts all state laws.

       The bill permits e-mail marketers to send unsolicited commercial e-mail as long
       as it adheres to 3 basic types of compliance defined in the CAN-SPAM Act:
       unsubscribe, content and sending behavior compliance:

       Unsubscribe Compliance

              A visible and operable unsubscribe mechanism is present in all emails.

              Consumer opt-out requests are honored within 10 days.
      Opt-out lists also known as suppression lists are only used for compliance

Content compliance

      Accurate from lines (including "friendly froms")
      Relevant subject lines (relative to offer in body content and not deceptive)
      A legitimate physical address of the publisher and/or advertiser is present.
      A label is present if the content is adult.

Sending behavior compliance

      A message cannot be sent through an open relay
      A message cannot be sent to a harvested email address
      A message cannot contain a false header

Does not apply to religious, political or national security messages. Does not
applty to a company e-mailing its existing customers. SPAM vs any commercial

Act includes: Liabilities for companies using affiliates to SPAM
              Bounties for informers (none yet awarded)

ISP repsonsibilites:

       Sue ISPs if they do not deliver you advertisements

       Providers of Internet Access Services can bring law suits if their business
       are adversely affected.

       Recent court decision in CAN SPAM case defines access provider very
       broadly. Thus many more can sue for damages.

D.Solove, M. Rotenberg, and P. Schwatz. Privacy, Information and Technology,
Aspen Publishers, 2006.

(see links in text)

To top