FCC Details CALEA Obligations of Facilities-based Broadband Internet Access Providers and Interconnected VoIP Service Providers
On Friday, May 12, 2006, the FCC released its Second Report and Order concerning the application of the Communications Assistance for Law Enforcement Act (“CALEA”) to facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (“VoIP”) services. This is the latest order in a process that began in early 2004 when, at the behest of the FBI and other law enforcement agencies (“LEAs”), the FCC began considering whether and how to expand CALEA to include broadband Internet access and VoIP providers. The FCC’s September 2005 First Report and Order held CALEA does apply. Last Friday’s Second Report and Order confirms that conclusion and provides additional details and implementation guidance.
Various parties had challenged the First Report and Order. See News Update dated Nov. 3, 2005. Ironically, the D.C. Circuit heard argument on that challenge just two days after it adopted the Second Report and Order. Press reports suggest that at least one judge took a very skeptical view of the FCC’s rationale for extending CALEA to broadband Internet access providers: Judge Harry Edwards called the FCC’s arguments “gobbledygook.” The court as a whole appeared more willing to accept that CALEA might apply to interconnected VoIP service providers. A court reversal or remand of the FCC’s decision to extend CALEA to VoIP and/or broadband Internet access providers would almost certainly interfere with the implementation schedule contemplated by the FCC, described below. Such a ruling may also provide a basis for interested parties to ask the FCC to suspend or stay the May 14, 2007, compliance deadlines. Moreover, given the controversy surrounding government surveillance of communications, we believe that challenges to the Second Report and Order are likely as well. We will provide an update addressing such developments as they occur.
Assuming that no party succeeds in obtaining a stay of its terms, the Second Report and Order makes a number of specific decisions regarding the requirements and technical solutions necessary to comply with the statute; sets forth cost recovery mechanisms; describes future enforcement processes; and, imposes certain reporting obligations on covered entities. Key components of the FCC’s decision are as follows:
- The FCC affirmed that the deadline for facilities-based broadband Internet access and interconnected VoIP services to comply with CALEA obligations is May 14, 2007. The FCC believes that this gives such providers enough time to develop compliance solutions, based upon its belief that the development of compliance standards and technologies are already “well underway.” Given the FCC’s statements that it will not grant extensions for facilities deployed after October 25, 1998 and the burdens the FCC has placed on the process of demonstrating that compliance is not presently reasonably achievable, service providers should immediately start the process of identifying how they will become compliant, what technologies are available, etc., in order to be able to document those efforts later should extending the May 2007, deadline become necessary.
- The May 14, 2007, deadline applies to all facilities-based broadband Internet access and interconnected VoIP services. The FCC believes that establishing a single compliance deadline for all services will help to prevent migration of criminal activity onto networks with delayed compliance dates.
- The FCC will continue to rely on industry standard-setting bodies to establish specific technological standards that will constitute “safe harbors” for compliance. The FCC also explained that it will not intervene in such proceedings unless an interested party shows that the industry-standard solution will not comply with the statute.
- Affected providers may use “Trusted Third Parties” (“TTPs”), such as Neustar and VeriSign, to help meet CALEA obligations. A TTP acts as an intermediary between LEAs and the service provider by obtaining access to the provider’s network and then remotely managing the surveillance and data delivery functions. Note that a TTP is a means by which a provider can meet its own CALEA obligations; but the use of a TTP does not shift the legal obligations and burden of compliance to the TTP.
- The FCC concluded that the agency itself may take enforcement action under Section 229(a) of the Communications Act against entities that fail to comply with CALEA, and adopts the requirements of CALEA as agency rules. This seemingly bureaucratic move may be significant: CALEA contemplates that a noncompliant entity could be fined, after a court proceeding, up to $10,000 per day. By converting CALEA violations into FCC rule violations, the maximum fine increases to $100,000 per day/$1,000,000 per violation. The potential consequences of noncompliance are therefore significantly greater under the FCC’s new regime than they were before.
- The FCC determined that affected entities are responsible for CALEA development and implementation costs for all equipment and facilities deployed after Jan. 1, 1995. Because VoIP and mass-market broadband Internet access did not really exist prior to Jan. 1, 1995, this decision essentially means that service providers are completely responsible for the investments needed to comply with CALEA.
- The FCC requires all affected entities to submit interim reports to the Commission to ensure that they will be CALEA-compliant by the deadline May 14, 2007. It will issue a later Public Notice setting a deadline for these reports.
- Affected entities must comply with the system security requirements in the Commission’s rules within 90 days of the effective date of the Order (which normally is about a month after an order is issued). This means that newly covered providers must establish policies and procedures for employee supervision and control and for maintaining secure and accurate records for responses to lawfully authorized surveillance requests. Each affected entity must also file its current policies and procedures with the FCC within the same 90 day timeframe.
- Finally, the FCC declined to adopt a mechanism to identify future services and technologies that may be subject to CALEA. In so doing the FCC rejected the Department of Justice’s suggestion that the FCC affirmatively review the application of CALEA to future services and technologies, before they can be marketed. Recognizing the inherent flaws of such a scheme, the FCC instead concluded that it would consider such questions only after an interested party sought a declaratory ruling from the FCC. It is noteworthy, however, that LEAs as well as private entities may seek a declaratory ruling. One can imagine a situation in which LEAs might pressure service providers to build CALEA capabilities into new services or technologies by threatening to bring a declaratory ruling action if the service provider refuses.