required records.30 Section 64.2105 requires carriers to file with the Commission their SSI policies and procedures, and prescribes Commission review of the filings.31

10. Moreover, we are not persuaded that the additional measures the FBI proposes are necessary to ensure the security and integrity of CALEA operations and records, as the statute requires.32 Indeed, the FBI argues only that the proposals would be a useful way for it to oversee carriers' SSI efforts, not that they are necessary in order to implement the requirements of CALEA.33 In the Report and Order, consistent with this standard, we adopted "a minimum set of requirements intended to allow carriers to develop their own policies and procedures that assure the maintenance of their systems security and integrity."34 The FBI's proposals would depart significantly from this statute-based approach.

11. Further, while the proposals in the FBI's reconsideration petition are somewhat narrower than those it originally made in response to the CALEA Notice of Proposed Rule Making, we previously considered and largely declined to adopt such measures in the Report and Order. Although it may well be reasonable for carriers to adopt many of the measures advocated by the FBI as part of their SSI policies and procedures, we are not persuaded that they are universally necessary, such that we should impose them as requirements on all carriers. Carriers subject to CALEA range in size from very small to very large, and many have little or no intercept activity. Under these circumstances, imposing the FBI's generic precautionary scheme on all carriers is inconsistent with the Commission's decision to accord carriers substantial discretion to devise SSI policies and procedures they deem appropriate to their particular situations.39

12. Finally, the FBI's proposals appear to present practical difficulties as rigid, across-the-board requirements. For example, how often would a background check be required, and what would constitute a sufficient background check? What would constitute an unfavorable check? What would be the result of an unfavorable background check? Would it bar an employee from performing certain job functions, or affect his or her promotion potential? We are concerned that having to promulgate regulations to address these and similar questions could inject the Commission and LEAs into private employment matters to an extent not envisioned by CALEA.

30 47 C.F.R. § 64.2104.

31 47 C.F.R. § 64.2105.

32 47 U.S.C. § 229(a). See supra para. 8.

33 See, e.g., BAM at 2-4. For example, the FBI argues that section 105 calls for a balancing of invasiveness with the need to protect the public from unwarranted searches, and describes its proposals for lists of designated employees and background checks as a means of verifying the trustworthiness of those conducting the surveillance. FBI reply at 4-8.

36 Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, Notice of Proposed Rulemaking, 13 FCC Rcd 3149 (1997) (NPRM).

37 We declined to require carriers to maintain and provide to LEAs records of each designated employee's name, personal identifying information, official title and contact numbers, concluding that such requirements could be invasive to carrier personnel and could compromise a carrier's ability to maintain a secure system, by identifying personnel charged with effectuating surveillance functions. We also declined to adopt rules concerning mandatory background checks and non-disclosure agreements, determining that carriers would take sufficient measures to ensure the lawful implementation of electronic surveillance without our dictating particular measures. Report and Order, at paras. 25-26.

38 See, e.g., SBC at 2.

39 For example, it is likely the case that many carriers already designate those employees with intercept responsibilities. See FBI petition at 4 n.4, FBI reply at 7. This does not mean, however, that all carriers should formally do so.

13. We remain confident that carriers will assume the mantle of responsibility assigned to them by CALEA to establish appropriate SSI policies and procedures without micro-management oversight by law enforcement or the Commission. As noted earlier, we ourselves are obligated to review carriers' policies and procedures for compliance with the statute and our regulations. Should we find that a particular carrier's policies and procedures are insufficient to safeguard security and privacy, we will order modifications to that carrier's policies and procedures. Moreover, if the FBI brings to our attention specific problems of a generic nature with carrier implementation of these measures, we will consider amending our rules to address those problems. At this time, however, we do not think the case has been made for more extensive rules in this area.

14. Accordingly, for all the reasons discussed above, we deny the FBI's request that we mandate the personnel security measures listed above. We encourage carriers, however, to consider voluntarily adopting, as internal procedures, measures to respond to the concerns presented by the FBI, as appropriate, and making them part of their SSI policies and procedures.

B. Surveillance Status Message

15. Background. The FBI also asks us to require carriers to generate an automated message that would permit LEAs "to confirm periodically that the software used to conduct an interception is working correctly and is accessing the equipment, facilities, or services of the correct subscriber." Information in such a message would include the date, time, and location of the wiretap; identification of the subscriber whose facilities were under surveillance; and identification of all voice channels connected to that subscriber. The FBI argues that the surveillance status message "falls squarely within the mandate of § 105" because it "is specifically designed to minimize... unauthorized interceptions, and thus to protect the interests that underlie § 105 by "facilitating the discovery and termination of interceptions that lack lawful authorization."45

16. Discussion. We find that this proposal suffers the same fundamental infirmity as the FBI's personnel security proposals: the FBI does not argue that surveillance status messages are necessary to ensure systems security and integrity, as CALEA requires, only that they would be useful for LEAs seeking to oversee carriers' SSI activities. Such measures could provide a carrier with an additional means of protection against unauthorized surveillance, and could generate records on authorized surveillance. However, several commenters renew their argument that surveillance status messages would be both technically difficult and costly to implement, an objection the FBI does not here rebut.

40 47 U.S.C. § 229(c).

41 Id.

42 FBI petition at 8-9. We note the FBI originally raised this challenge to the Commission's technical standards that were resolved in the Third Report and Order, where the Commission determined that the surveillance status message did not fall within section 103 of CALEA.

43 Third Report and Order, at para. 97.

44 FBI petition at 8.

45 FBI reply at 14.

46 47 U.S.C. § 229(a). See also supra paras. 8 and 10.

17. In considering this proposal, we find that neither the language of section 105 nor the legislative history of CALEA contemplates LEA oversight of carrier SSI measures. Sections 105 and 301(b) of CALEA require carriers to safeguard the security and integrity of their intercept activities, but do not specify how they must do so. As noted previously, we leave decisions about SSI matters to the discretion of carriers, who remain responsible in case of any security breach. We therefore deny the FBI's request that we mandate the use of automated surveillance status messages. As we noted in the Third Report and Order, however, "there is nothing that would prevent carriers from providing this capability either on a voluntary basis, or with compensation from LEAs."

C. Reporting Suspected Compromises of System Security

18. Background. In response to the CALEA NPRM, the FBI proposed that the Commission should adopt a rule requiring carriers to report breaches of systems security within two hours.52 In the Report and Order, we declined to impose a specific reporting time frame. Instead, we decided that carriers must report acts of unauthorized electronic surveillance that occur on their premises and compromises of their SSI procedures involving the execution of electronic surveillance "within a reasonable time upon discovery." The FBI now asks us to modify the rule to require reporting "as soon after discovery as is reasonable in light of privacy and safety concerns and the needs of law enforcement." It maintains that specifying what interests underlie the reasonability standard is necessary so carriers will not "seek to justify substantial delays by reference to an unlimited... reserve of 'flexible'... explanations," to the detriment of law enforcement.

19. Discussion. We share the FBI's concern about the importance of prompt reporting of systems security breaches and expect carriers to exercise their duty to report breaches with due diligence and dispatch. We do not believe, however, that the proposed language would provide appreciably better guidance as to how rapidly a carrier should act in reporting security breaches. We agree with commenters that focusing on only three reasonableness factors ignores others that may be significant in some cases, such as the nature or cause of the breach, the timing of the discovery in relation to the pendency of the intercept (i.e., is the breach discovered during or long after the intercept is in place), the amount of time required to determine whether a suspected breach is in fact a breach, and the amount of time required for the person discovering the breach to report to the carrier's point of contact with law enforcement. Moreover, some commenters contend that the FBI's short list of factors skews the balance of interests to favor law enforcement. Others oppose any attempt to further define "reasonable" as unwarranted because there have not been any problems to date.

47 See, e.g., AT&T at 6-8, CTIA at 5-6, WorldCom at 1-2, Motorola at 2-6, PCIA at 2-5, SBC at 2-3, TIA at 2-5, USTA at 3-4. The FBI itself admits that manually checking the status of interceptions "would have essentially the same functionality" as automated surveillance status messages. FBI reply at 14.

48 See, e.g., BellSouth at 14-15, PCIA at 4-5, TIA at 4-5, US West at 8-9.

49 See AT&T at 7-8.

50 In light of our disposition of this issue, we need not reach arguments about whether this FBI proposal is properly raised on reconsideration of an order that did not address it in the first place. See, e.g., BellAtlantic at 34, CTIA at 5-6, PCIA at 2, TIA at 2, USTA at 3-4, FBI reply at 10-12, US West at 8. See supra para. 3.

20. In the end, absent evidence of significant problems, we prefer to leave the test of reasonableness subject to case-by-case determination. As NTCA points out, if there is a dispute between a carrier and an LEA over the reasonableness of the reporting time, it would be left to a court to resolve the issue of reasonableness, and courts have extensive experience in evaluating a reasonableness standard based on "all relevant and available information, including the needs of law enforcement."59 We therefore will not adopt additional factors to further define how quickly a carrier should report a security breach to law enforcement.

D. Opening of the Circuit for Law Enforcement

21. Background. The FBI also seeks a modification of the Commission's record keeping requirement pertaining to the commencement of interceptions. Section 64.2104(a)(1) of the Commission's rules requires that:

A telecommunications carrier shall maintain a secure and accurate record of each
interception of communications or access to call-identifying information, made with or
without appropriate authorization, in the form of a single certification. (1) This certification
must include, at a minimum, the following information: (i) The telephone number(s) and/or
circuit identification numbers involved; (ii) The start date and time of the opening of the
circuit for law enforcement. . . .60

The FBI claims that this language "might be susceptible to an interpretation whereby, if a circuit to law enforcement were to be kept open for the duration of multiple intercepts, the carrier's records of these various intercepts would all show the same 'start date and time,'" rather than recording individual interceptions. The FBI asks us to preclude this anomalous result by modifying the phrase "date and time of the opening of the circuit" to read "date and time at which the interception of communications or access to call identifying information was enabled."

22. Discussion. This proposal on the part of the FBI drew few comments, and those that were filed reflect some confusion about the FBI's request. We find it reasonable to require a carrier to record the date and time it completes whatever steps are involved in initially establishing LEA access to call information (i.e., call identification information and/or call content) and delivering it to the requesting LEA. We also find it reasonable to require that such information be recorded for each separate telephone number or circuit identification number intercepted, not simply for the activation of a delivery channel that may be used for multiple interceptions. This requirement does not require that a carrier obtain information beyond the ordinary scope of its knowledge, such as when the LEA begins the actual interception, nor does it entail recording the start time of each communication that occurs on an intercepted circuit.65

56 See, e.g., AT&T at 8-9, Bell Atlantic at 4-5, BellSouth at 16, SBC at 3-4.

57 See AT&T at 8-9, NTCA at 8-9, USTA at 4-5, US West at 7.

58 See BellSouth at 15-16, CTIA at 6-7, NTCA at 9.

23. AT&T opposes the FBI's request, arguing without explanation that the proposal "would require significant technical modifications to [its] networks and their vendors' equipment—another 'assistance capability' not required by section 103," and would be unnecessary because "carriers routinely maintain, in the ordinary course of business, records necessary to demonstrate good faith compliance with a surveillance order in the event a civil or criminal claim is brought under 18 U.S.C. § 2520." The FBI disputes AT&T's assessment of what the proposal would entail, and maintains that requiring carriers to include in their surveillance records information they already routinely record would not be unduly burdensome.

24. We hereby modify the language of section 64.2104(a)(1) of the rules to require carrier interception certifications to include "the start date and time that the carrier enables the interception of communications or access to call identifying information." This language makes the clarifying change the FBI has requested, but goes further to clarify that the event to be recorded is the carrier's action making the interception available to the LEA. These clarifications do not create a new or additional record keeping requirement beyond what we contemplated in the Report and Order, but merely clarify the proper interpretation of this requirement as requested by the FBI. In view of this clarification, we believe AT&T's concern that complying with this requirement would constitute a significant burden is overstated.

E. Point of Contact

25. Background. In its Petition for Reconsideration and/or Clarification, NTCA first asks us to clarify an inconsistency it sees between the Report and Order and the language of section 64.2103 of the rules, "to make obvious that a single person is not responsible for being law enforcement's point of contact [for CALEA matters], 24 hours a day, 7 days a week."68

63 Under section 64.2104(a), a record is required for "each interception of communications or access to call-identifying information." 47 C.F.R. § 64.2104(a) (emphasis added).

64 See CTIA comments at 8, SBC comments at 4. Both CTIA and SBC note that carriers are in a position to record information within their knowledge (e.g., when the carrier implements an interception or places a translation in its switch related to the surveillance target). The FBI responds that these commenters' views are consistent with its proposal, in that both "translation" and "implementation" refer to the event the Bureau describes as "enabled." FBI reply at 16-17. See also US West at 7 n.25. See generally Report and Order, at paras. 39-48.

65 As we have noted, federal electronic surveillance laws merely direct carriers to provide the technical assistance necessary to aid law enforcement in making intercepts, not to conduct the intercepts themselves. See Communications Assistance for Law Enforcement Act, CC Docket No. 97-213, Order on Reconsideration, FCC 99-184, at para. 3.
