Wiretapping the WAN: It’s the law

You may have heard about the lawsuit that the Electronic Frontier Foundation is filing against AT&T for cooperating with the feds to wiretap its network. Apparently, AT&T has instrumented its network so that the feds can potentially monitor all traffic that flows across it.

In the immortal words of Captain Renault, I’m shocked, shocked, to find a carrier . . . obeying the law.

That’s right: Not only is AT&T tapping its network on behalf of the feds, so are Verizon, Sprint, Qwest, BellSouth and all the rest. They’d be in violation of federal law if they weren’t.

Remember the Communications Assistance for Law Enforcement Act (CALEA)? Passed in 1994, CALEA requires carriers to embed wiretapping capabilities into the fabric of their network infrastructure. (For details on what CALEA requires, check out www.fcc.gov/calea and www.askcalea.net). All the carriers have had to be CALEA compliant for years.

Whistle-blower Mark Klein, an AT&T technician who provided documents to the EFF, says a device was installed in AT&T’s network with the “ability to sift through large amounts of data looking for preprogrammed targets.”

Err – that’s exactly what CALEA requires. Specifically, CALEA requires carriers to be able to, upon request by law enforcement, intercept call-identifying information, defined in section 102(2) as “information that identifies the origin, direction, destination or termination of each communication generated or received by a subscriber.” In the packet-switched world, obtaining that information may require scanning hundreds of millions of traffic flows from millions of endpoints.

This poses a rather Zen conundrum: To figure out which traffic to monitor, you have to monitor some traffic.

Now, there’s an open question as to whether the feds – the National Security Agency, in particular – have the right to make such a request of any carrier, particularly without a warrant. So you can see why the feds are keeping mum about the whole issue: Not only does the NSA have no comment on the EFF lawsuit, the Department of Justice recently declined repeated requests by Congress to disclose wiretapping details, on the grounds that such information is “classified and sensitive.”

I have no idea whether the feds acted legally in making their requests. I’m not a lawyer, and I don’t play one on TV. For what it’s worth, I’ve never been much of a CALEA fan, either: Yes, law enforcement agents need the tools to do their jobs, but building networks that are inherently “tappable” seems to me to be fundamentally bad security design, because anything the good guys can do, the bad guys can do, too.

But that’s all irrelevant given that CALEA’s the law of the land, and has been so for years. Even if you think it’s a lousy law and the feds are way out of bounds to request wiretapping, that’s immaterial. The carriers are obliged to comply, unless the courts tell them otherwise.

Bottom line: If you have issues with wiretapping, don’t go after the carriers. Go after the folks who required it in the first place.

What do you think? Discuss wiretapping, CALEA and this column.