Susan Crawford: Five BIG Problems with CALEA

by Bruce Stewart

Susan Crawford has just posted a very scary analysis of the DOJ's proposed draft amendment to CALEA, highlighting 5 major problems she sees with it and asking that we all start paying closer attention to this legislation and take appropriate action.

We've been talking around here for a while about how the new backdoor access and reporting requirements for VoIP services are sure to stifle innovation (that was the theme of Brad Templeton's talk at this year's Emerging Telephony conference in January), but Susan points out some other very big red flags in this legislation.

For instance, I had no idea that the proposed language would force all online services to have a point of presence in the U.S. As Susan points out, this has very serious implications:

This is a very big deal. This means that any entity that allows people here in the U.S. to communicate has to have servers here. Remember ICQ? They started in Israel. They didn't have servers here. This means that no startup in any other country can help us communicate without being subject to the design desires of U.S. law enforcement. What?

This point of presence requirement is now found in China -- they, too, want to make it easy for law enforcement to listen in and then arrest people.

It's a gripping read. Please take the time to at least inform yourself about the possible ramifications of what's being considered in this new, but definitely not improved, CALEA act. The EFF has posted a PDF of the proposed language.


2006-08-31 22:25:33
I hate to say this because I do NOT want it to be 'easy' for personal communications to be intercepted - by anybody. But ummmmmm, everything spoken of on both sides of this issue seems to be missing an obvious solution - simple packet capture requirements for ISPs. No 'proxies' would be required in the US by any online company, and 10,000+ internet communications applications won't have to adjust a thing.

Once the ISP is able to identify which port/IP goes to which location - capturing traffic is easily done. Having this accomplished by several hundred ISPs is MUCH easier than asking those 10,000+ application writers to change everything. No regulation of tens of thousands of applications, just a simple ISP requirement.

Now that I think more about this it seems too easy a solution - I must be missing something.