DOJ Proposal for CALEA Expansion is Back: Is it a RIPA Repeat?
The news media is reporting that the Administration is moving closer to acting on its long in the works plans for expanding wiretapping capability requirements under the Communications Assistance to Law Enforcement Act (“CALEA”), 42 U.S.C. § 1001 et seq., and the request the Administration makes to Congress may have a British accent. The Department of Justice (“DOJ”) is reportedly planning to steer clear of its prior plans to expand CALEA’s language to bring in all manner of communications systems and applications and is going to instead focus on seeking greater enforcement authority for non-compliance with wiretap orders. Under this proposal, fines could be imposed on companies that receive wiretap orders with which they are technically unable to comply or on companies who have not yet been served with any orders but whom the government has notified that it may receive orders and therefore should build intercept capability into their services in preparation.
Under the current Wiretap Act , service providers are only required to provide “technical assistance” to allow an intercept order to be implemented by law enforcement. Such “technical assistance” does not encompass building new technical capabilities. Only those providers currently subject to CALEA are required to build intercept capability into their products and services. CALEA was originally put in place in 1994 to ensure law enforcement’s ability to conduct wiretaps on telecommunications during the move from analog to digital communications. But expanding CALEA to apply to a broader range of providers has long been on the FBI’s agenda. Its “Going Dark” agenda has specifically targeted online service providers who provide messaging capabilities through instant messaging and web-based email.
The current proposal bears a resemblance to the United Kingdom’s Regulation Investigatory Powers Act of 2000 (“RIPA”) intercept capability requirements. Under RIPA, UK authorities may issue a notice to a service provider that they must build intercept capability within a specific time frame or be subject to fines. Many U.S.-based providers are already familiar with RIPA given that the UK authorities have been aggressive in arguing its applicability to U.S. services used by UK residents. Critics of DOJ’s proposal point out that one of the negative impacts of the U.S. passing a similar law would be reticence of technology companies to develop services in the U.S., harming innovation, the economy, and, counter-productively, U.S. law enforcement’s ability to access data collected by such providers.
With recent movement on ECPA reform, law enforcement may now see its opportunity to bring its request for expanded powers to Congress.