Statement
for the Record of Marcus C. Thomas
Deputy Assistant Director, Investigative Technology Division
Federal Bureau of Investigation
Before the United States House of Representatives Committee on Energy and Commerce
Subcommittee on Telecommunications and the Internet
Washington, D.C.
September 8, 2004
Good
morning, Chairman Upton, Ranking Member Markey,
and Members of the Subcommittee, I am grateful
for this opportunity to discuss this important
national security and public safety issue: law
enforcement’s access to communications systems
in the digital age. I would like to start by briefly
outlining a historical framework of court-authorized
electronic surveillance in highly-complex communications
networks, then discussing the situation in which
the law enforcement community currently finds itself,
and some of the problems with which we are currently
dealing. Lastly, I would like to briefly discuss
some of our ongoing efforts intended to address
a number of these problems.
Background
Prior to delving into the subject of electronic surveillance, I believe it
is important to state that the FBI and the law enforcement community recognize
the importance of the continued development and consumer adoption of innovative
technologies to ensure the United States remains a leader in today's competitive,
global marketplace. One of the fundamental requirements for preserving national
security, the privacy of our citizens, and public safety is ensuring that United
States national security and law enforcement agencies are able to securely
and effectively use lawful process to gather evidence and intelligence during
investigations. We remain extremely concerned about the very serious, public
safety and national security threat posed by the misuse of technologies that
hamper lawfully-authorized electronic surveillance of communications occurring
over their systems. I believe that public safety, national security, and technological
innovations can be served by good policy.
I
do not think anyone seriously challenges the need
for the law enforcement and national security communities
to be able to conduct court-authorized electronic
surveillance. There is no doubt wiretaps produce
powerful intelligence and evidence against the
most dangerous criminals and terrorists. When police
cannot use other investigative techniques to safely
and successfully collect evidence and intelligence,
they often use wiretaps to catch and convict criminals
with words uttered from their own mouths. Concerns
regarding this serious threat are not limited to
the United States law enforcement and national
security communities. Worldwide, new laws are being
implemented that are intended to require network
providers to furnish communications interception
services to government agencies.
The issue I have just described may be too complex for one remedy to solve.
Like so many issues we try to deal with today, the future success of lawful
electronic surveillance will depend on a multi-pronged approach. In some instances,
responsibilities mandated of a service provider are the appropriate course
of action. In others, to meet the exigent needs of law enforcement, industry
cooperation can be the most constructive avenue of pursuit. Finally, any approach
would be incomplete without considering law enforcement’s own abilities.
I am here today, mere days before the third anniversary of September 11th,
to stress the importance of the outcome of our discussion: law enforcement’s
continued ability to conduct lawful electronic surveillance to ensure national
security and public safety.
Technical
Assistance Requirements
As
the Subcommittee is aware, there are two federal
statutory regimens pertaining to electronic surveillance
?? one regarding criminal investigations; the other
regarding foreign intelligence, counterintelligence,
and terrorism investigations. The former is derived
from Title III of the Omnibus Crime Control and
Safe Streets Act of 1968 (commonly referred to
as "Title III"), as amended, and portions
of the Electronic Communications Privacy Act of
1986 (ECPA), as amended. The latter is derived
from the Foreign Intelligence Surveillance Act
of 1978 (FISA), as amended. Regardless of the statutory
regimen, Congress took action in 1994 to mandate
telecommunications carriers, and others as identified
by the FCC, to ensure their networks were capable
of conducting electronic surveillance.
The
technical assistance of communications service
providers in helping a law enforcement agency execute
an electronic surveillance order is always important,
and in many cases it is absolutely essential. This
circumstance has proven to be the case increasingly
with the advent, over the past ten years or so,
of advanced communications services and features.
Accordingly, Title III and FISA, as well as most
state electronic surveillance laws, mandate service
provider assistance incidental to law enforcement's
execution of electronic surveillance orders.
Title III specifies that a “service provider, landlord, custodian, or
other person shall furnish the applicant forthwith all information, facilities,
and technical assistance necessary to accomplish the interception unobtrusively
and with a minimum of interference . . .” upon the request of the applicant
(specifically, law enforcement). In practice, judges sign two orders: one order
authorizing the law enforcement agency to conduct the electronic surveillance,
and a second (abbreviated) assistance order directed to the service provider
specifying, for example, the telephone number(s) of the subject that are the
object of the order and directing the provision of necessary assistance.
Historically,
assistance sought by law enforcement agencies was
rather straightforward and basic. For example,
law enforcement agencies sought and received service
provider assistance to identify line appearance
information (i.e., locating the physical appearance
of a subject’s line) and to establish leased
lines running from the point of interception to
a monitoring facility of the law enforcement agency.
This model was very effective prior to the advent
of advanced calling features and the introduction
of mobile communications. Likewise, law enforcement
agencies have historically paid reasonable expenses
for such administrative assistance.
In 1994, as a result of the emergence of an ever?increasing array of new services
and features, many of which would have impeded, if not precluded, normal electronic
surveillance efforts by obstructing lawful access, Congress passed, and the
President signed into law, the aforementioned CALEA legislation. In the House
Report accompanying CALEA, the purpose of the legislation was clearly identified: "to
make clear a telecommunications carrier's duty to cooperate in the interception
of communications for law enforcement purposes . . .". That is to say
that a primary purpose of CALEA was to clarify and strengthen the statutory
requirement that service providers furnish "all" technical assistance
necessary to accomplish the interception -- meaning to design and build into
their networks the capability and capacity requirements needed by law enforcement.
It is not enough just to be willing to assist; rather, service providers must
actually be capable of making that assistance possible in a rapidly changing
technological world. In short, CALEA’s intent was to mandate access where
advancing technology would otherwise preclude it.
Despite
the fact that in the years since the enactment
of CALEA there have been technological advancements
few of us could have foreseen, CALEA has proven
essential to law enforcement successes. In the
most recent Wiretap Report (published annually
by the Administrative Office of the United States
Courts), 80 percent of wiretap authorizations were
for cellular or mobile telephones. Of that number,
I am pleased to tell you approximately 90 percent
were conducted using technical solutions developed
specifically in response to the assistance capability
requirements identified in CALEA. In other words,
more than 70 percent of all criminal wiretap authorizations
were “CALEA-compliant.” Looking to
the future, our success with CALEA’s application
to cellular telephones can be seen as a model.
Prior to the passage of CALEA the 1991 Wiretap
Report identified that cellular phones accounted
for approximately one percent of wiretap authorizations.
CALEA
provided a framework to ensure law enforcement’s
lawful access as criminals migrated to the new
technology. I believe we are at the point with
Voice over Internet Protocol (VoIP) today that
we were with cellular telephones in the early 1990s
- with one significant difference: all service
providers, both wireline and wireless, have an
incentive to migrate their networks to an IP platform.
What that means is the transition to a VoIP infrastructure
is occurring very quickly. In recognition of this
rapid change, we have petitioned the Federal Communications
Commission to make clear that CALEA applies to
certain forms of I.P. telephony services. We feel
this is critical to protecting law enforcement
interests.
It is important to note that the requirement for service provider assistance
under 18 U.S.C. 2518(4) remains in full force and effect, notwithstanding the
applicability of CALEA, and requires service providers to do whatever reasonably
can be done to comply with assistance court orders issued by judges. In other
words, even when CALEA does not apply, the service provider (or "landlord,
custodian, or other person”) served with a court order for surveillance
is legally required to do whatever can reasonably be done to implement the
order.
Current
Technology and Policy Issues
Perhaps
the most significant technological challenges in
the area of electronic surveillance faced by the
law enforcement and national security communities
have been those challenges brought on by convergence.
Convergence refers to the blurring of lines among
traditionally distinct communications products,
services, and regulatory structures and can be
thought of as the ability (technically and legally)
of different network platforms to carry essentially
the same kinds of services (so-called network-independence)
as well as the ability of a single network platform
to carry many different kinds of services (so-called
service-independence). Such network/service independence
is perhaps most evident in the blurring of wireless
and wireline network services, but also in the
blurring of data and voice services. The most relevant
instrument of change with regard to such convergence
has been the emergence of IP networks.
In recent years, the FBI has found that there are greater and more diverse
challenges in effectuating electronic surveillance orders within modern networks
than with "conventional" telephony networks operated by traditional
telecommunications carriers. In order to implement electronic surveillance
orders in these diverse networks, the FBI has relied on elaborate and costly
technical approaches to ensure that only messages for which there is probable
cause to intercept are, in fact, intercepted and that all such authorized messages
are intercepted. As a result, it has become increasingly common for the FBI
to seek, and for judges to issue, orders for Title III or FISA interceptions
which are much more complex and detailed, and much more likely to be directed
to multiple network operators and service providers, than earlier orders, which
were ordinarily directed against a single “plain old telephone services” provider.
It
is important to point out that, when CALEA was
passed in 1994, the Internet was a nascent consumer
technology, the World Wide Web was only really
coming into existence in the laboratory, and wireless
telephones were largely voice-only devices and
not the web-enabled devices we see today. Nevertheless,
the Congress, with CALEA, was attempting to address
the complex and varied communications services
that we now see.
Law
Enforcement Response
In response to the challenges presented by rapid technological advances, law
enforcement has been using all available means to implement its mission to
protect national security and public safety. First, law enforcement has sought
to ensure compliance with CALEA. In keeping with the spirit of Congress’s
intent when enacting CALEA, the FBI has not sought to apply its requirements
either recklessly or broadly to those to whom it should not apply. Because
neither CALEA, nor any other single approach, is viewed as the absolute solution
for law enforcement’s electronic surveillance problems, the FBI and other
law enforcement agencies have worked continually to augment CALEA requirements
with government capabilities. In this regard, we have worked to develop close
liaison relationships with the Information Technology industry as a means of
addressing the public safety and national security issues associated with electronic
surveillance and the use of technologies which tend to hamper our legitimate
interception efforts.
Over the past several years, we have been aggressively pursuing an industry
outreach strategy to inform the Information Technology industry of law enforcement's
needs in the area of electronic surveillance, to continue to encourage the
development of interception capabilities that meet law enforcement's needs,
and to seek industry's assistance regarding the development of law enforcement
tools and capabilities when complex technologies are encountered during the
course of lawful investigation. As a result of this strategy, we have seen
a number of significant advancements which should be further pursued and emulated.
First,
we have seen a number of technological developments
which have led to the marketing of comprehensive
technical tools designed, in part, to perform electronic
surveillance within the complex environment of
the Internet. These tools, which are designed to
be implemented and operated by a service provider,
have greatly extended the capability to effectuate
lawful electronic surveillance on ISP networks.
Several companies have aggressively developed and
marketed such tools.
Second,
the FBI and the law enforcement community have
always, as a first instinct, sought to work cooperatively
and closely with computer network service providers
and their software and equipment manufacturers
to develop lawful interception capabilities, especially
where legal, evidentiary, and investigative imperatives
require special purpose tools. As a result, a number
of network operators and service providers have
acquired and implemented lawful interception capabilities.
Third, we have seen the emergence of so-called “third-party services” -
companies, largely utilizing the tools mentioned above, marketing electronic
surveillance services to both the network operator community and the law enforcement
community. One such third party service provider provides telecommunications
network operators, cable operators, and ISPs with a streamlined service to
help meet requirements for assisting government agencies with lawful interception
and subpoena requests for subscriber records. With respect to third-party service
providers, law enforcement sees them as one potential avenue for telecommunications
network operators, cable operators, and ISPs to meet their obligations under
Title III and/or FISA. Employing a third party may, for example, make a service
provider’s processes more efficient, but in no way should be seen as
relieving the service provider of its electronic surveillance obligations.
I liken third-party services to other out-sourced services such as payroll
administration, where the third party handles the paperwork, but the buck stops
with the company that pays the bill.
Fourth,
we have seen a truly commendable effort on the
part of CableLabs, an industry trade consortium
representing many cable companies, along with Time-Warner,
Comcast, CableVision and Cox Communications, to
develop and publish a set of technical standards
which, on their face, meet law enforcement needs
with regard to electronic surveillance capabilities.
This standard was developed in a spirit of cooperation
which began by recognizing the legitimacy of law
enforcement’s needs and duties and the unique
position industry is in to ensure that our public
safety and national security missions are fulfilled.
Fifth, as always, we have seen the law enforcement community pull together
in the face of this issue. Speaking for the FBI, I can say that many of our
technologies, systems, and processes developed for our own use have been made
available, to the extent possible, to the greater law enforcement community,
including other federal law enforcement agencies as well as state and local
agencies. Nonetheless, the challenges are daunting, and the federal government
cannot shoulder this burden alone. Even with federal assistance, state and
local law enforcement are currently having significant problems effectuating
their interception orders, and the situation will only grow worse.
Finally,
another important issue regarding lawful interception
which must be addressed is that of cost. One inescapable
fact is that lawful electronic surveillance in
this modern “digital age” is increasingly
complex and rapidly changing. Both of these circumstances
have the effect of increasing the overall cost
of electronic surveillance. Unfortunately, on this
issue, there is no returning to the “days
of old” where policemen hunkered down in
panel vans on the street corner recording wiretaps
on reel-to-reel tape. For now, and for evermore,
there is a new baseline for costs associated with
this work.
I will leave you with a last thought regarding the capability of law enforcement
agencies to lawfully access communications in a “digital age,” and
that is this: without the “high tech” industry assisting the government
in this effort, our challenge will be greater. Law enforcement must have the
continued ability to cost-effectively conduct lawful electronic surveillance
to ensure national security and public safety. As I mentioned earlier, this
is a complex issue that needs a multi-pronged solution. Industry must be engaged
and must involve itself in that solution. I would encourage this Subcommittee
and the rest of Congress, when discussing the issue, to keep in mind the need
for continued access by U.S. law enforcement to our nation’s communications
infrastructures. Experience has proven that statutorily-imposed responsibilities
must necessarily be one element of the solution but not the only element. As
such, we must continue to have statutory mandates such as CALEA and build on
them, using varied tools, including incentives.
In
conclusion, I would like to say that over the last
ten years or more, we have witnessed continuing,
steady growth in computer and Internet-related
crimes, including extremely serious acts in furtherance
of terrorism, espionage, infrastructure attack,
as well as more conventional serious and violent
crimes. These activities which even now are being
planned or carried out, in part using the Internet
and other complex networks and services, pose challenges
to the national security and law enforcement communities
that we dare not fail to meet. In turn, the ability
of the FBI and the law enforcement community to
effectively investigate and prevent these serious
crimes is, in part, dependent upon our ability
to lawfully and effectively intercept and acquire
vital intelligence and evidence of crimes and our
ability to promptly respond to these threats to
the American public. As the networks become more
complex, so too does the challenge placed upon
us to keep pace.
I
look forward to working with the Subcommittee staff
to provide more information and welcome your suggestions
on this important national security and public
safety issue: law enforcement’s access to
communications systems in the digital age. I will
be happy to answer any questions that you may have.
Thank you.