"(3) Encryption
A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Also, declan, I was in the room during meetings with the FBI when I worked for a large telecommunications carrier. I integrated the CALEA mediation platform with the IP network and I'm well aware of what is required and not required to be present in the network regarding CALEA.
IANAL, but you would be wise to consider that the FBI considers the former "information service providers" to be "telecommunications providers" to the extent that they can convince a judge that they are acting as one. I wouldn't think I was safe because I was using any kind of messaging where I couldn't control the keys, the software that uses them, and the distribution and verification of said keys.
Thanks for your response! I don't disagree with your representation of the law (or the practice of the FBI) as it applies to traditional telecommunications carriers. They're clearly covered by CALEA.
But Apple, Google, Facebook, Twitter, etc. are simply not telecommunications carriers. That's the whole point. CALEA as enacted in 1994 doesn't apply to them, and even the FCC didn't try to apply CALEA to them when subsequently expanding the law. This is why both the FBI director and the FBI general counsel said in the last two weeks they want Congress to rewrite the law to cover those companies.
CALEA applies to "facilities-based broadband Internet
access providers and providers of interconnected Voice over Internet Protocol (VoIP)." Pure TCP/IP services are not "interconnected." See page #2 of the FCC's order: http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-56A...
If you're saying that the FBI sometimes gets judges and companies to go beyond what the law allows, you may be right. On the other hand, companies are under no obligation to comply, as we see in this new lawsuit: http://news.cnet.com/8301-13578_3-57577958-38/google-fights-...
It's worth noting that I got dragged into this project when the District Court ruled that "information service providers" were subject to regulation under CALEA. This kicked off a huge project to bring the IP network into compliance.
It's not a stretch to imagine an situation where a company decides to fight and loses, thus looping in a huge number of companies that might imagine that they aren't telecom providers, but a court decides they are.
There is a very fine line between SMS and iMessage. Apple provides servers that store and forward messages, and it'd be hard to argue with a straight face that a court should "think different" when comparing AT&T and Apple. Judges aren't dumb and they will pay close attention to the "substance test" when deciding if a company is providing a "telecommunications service" in a ruling.
So then, how long before there is an open-source, distributed key management system, that lets you store public keys of all your friends' phones, and end encrypted texts/etc with them, and which acts basically as only a key exchange service?
... I guess CALEA could be made to force them to MITM anyone doing key exchanges. Damn.
"(3) Encryption A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
More info: http://paranoia.dubfire.net/2011/02/deconstructing-calea-hea...
Also, declan, I was in the room during meetings with the FBI when I worked for a large telecommunications carrier. I integrated the CALEA mediation platform with the IP network and I'm well aware of what is required and not required to be present in the network regarding CALEA.
IANAL, but you would be wise to consider that the FBI considers the former "information service providers" to be "telecommunications providers" to the extent that they can convince a judge that they are acting as one. I wouldn't think I was safe because I was using any kind of messaging where I couldn't control the keys, the software that uses them, and the distribution and verification of said keys.