Friday, November 25, 2005

Verisign on Net CALEA compliance

Susan Crawford castigates VeriSign for their declaration that the FCC have not gone far enough in demanding that digital networks be architected for easy law enforcement interception.

"Within the last ten days or so, the key vendor of CALEA compliance services (VeriSign) has taken a very stern tone [pdf] with the FCC, saying that the Commission has read CALEA far too narrowly. VeriSign wants any SIP-using service to be part of the program, and suggests that interconnection with the traditional telephone network shouldn't necessarily be the standard for compliance. Translation: any possible multimedia application (whether connected to the phone network or not) and all connections to the internet should be designed in advance so as to be easily tappable by law enforcement.

(What's a SIP-based service? It's any service using the Session Initiation Protocol, an IETF signaling protocol that can be used in connection with any multimedia or voice or gaming application. GoogleTalk will use SIP; MSN Messenger already does; a host of VoIP applications already do. It's a very broadly used peer-to-peer protocol.)

VeriSign is also arguing that the rest of the world is moving smoothly along the vendor-assisted interception path, and that "the only impediment to implementation domestically principally lies in the Commission's actions" in the CALEA proceeding. We are ready, sayeth VeriSign (describing itself as a member of the "entrepreneurial and innovative global lawful interception industry") to provide these compliance services at minimal cost, but the Commission is getting in the way...

What's extraordinary about all this firmness on the part of the sole listener (DOJ) and the key vendor (VeriSign) is that the FCC has reached very far indeed to do their bidding already. By virtue of a less-than-weak reading of CALEA (which doesn't apply to "information services"), the Commission has gotten up the nerve to act like Congress and proclaim that a huge range of actors have to be CALEA compliant within 18 months, without saying what compliance means. Non-compliant firms will be subject to fines of $10,000 a day. So entities have to start complying without knowing what to do, and they won't even know whether they're covered -- because the FCC is sometimes flip about whether they are. Enormous, arbitrary, capricious, and aggressive confusion is in the air.

It's all pretty astonishing and pretty abusive...

But if you listen to VeriSign, we're all being silly, the world has moved on, and we should just shape up and get with the program. I feel sorry for the well-meaning professional staff at the Commission. They're under tremendous pressure."
