Bargains for Under $25 HP Envy 34 All-in-One PC Review Best Fitbits T-Mobile Data Breach Settlement ExpressVPN Review Best Buy Anniversary Sale Healthy Meal Delivery Orville 'Out Star Treks' Star Trek
Want CNET to notify you of price drops and the latest stories?
No, thank you

Wiretap rules for VoIP, broadband coming in 2007

FCC approves sweeping set of wiretapping rules for broadband and Net phone providers. But it's not clear what happens next.

Broadband providers and Internet phone services have until spring 2007 to follow a new and complex set of rules designed to make it easier for police to seek wiretaps, federal regulators have ruled.

It's clear from the Federal Communications Commission's 59-page decision (click for PDF), released late Friday evening, that any voice over Internet Protocol, or VoIP, provider linking with the public telephone network must be wiretap-ready. That list would include companies such as Vonage, SkypeOut and Packet 8.

But what remains uncertain is what the Communications Assistance for Law Enforcement Act (CALEA) ruling means for companies, universities, nonprofits--and even individuals offering wireless or other forms of Internet access.

"Because of that very fundamental difference between the Internet and the public switched network, the commission has had a hard time defining who, exactly, is covered, and they have in this order completely punted on the question of who is responsible for what," Jim Dempsey, executive director of the Center for Democracy and Technology, said Monday.

Terrorism and homeland security concerns make such regulations necessary, the FCC said, echoing the arguments of Bush administration officials who have warned of VoIP services becoming a "haven" for terrorists, criminals and spies. "It is clearly not in the public interest to allow terrorists and criminals to avoid lawful surveillance by law enforcement agencies by using broadband Internet access services," the FCC said.

Even though the FBI has been lobbying on this topic since at least mid-2003, and regulators have been formally considering the request since March 2004, the rules remain fuzzy. The FCC's order says, for instance, that "we reach no conclusions" about whether universities, and small and rural broadband providers, must cease providing Net connectivity until their networks comply with police requirements.

The FCC's 59-page rule applies to any "Internet access service" that offers upstream or downstream speeds of at least 200kbps--which would easily cover Wi-Fi hot spots operated by individuals or businesses. In a footnote, however, the FCC suggests that its regulations "are not intended" to cover hotels, coffee shops and bookstores that provide Wi-Fi service.

Some answers are likely to come in a second regulation that the FCC promises to release by the end of the year. That's also expected to address whether taxpayers will pay for the cost of equipment upgrades and yield more details about deadlines. (The requirements kick in 18 months from the formal publication of the rules in the Federal Register--which has not happened yet--yielding a deadline of about April 2007.)

An FCC representative who did not want to be identified by name said Monday that "whoever operates the system" would be subject to federal wiretap requirements. The representative said someone who "actually has a network"--as opposed to a cafe that just buys Internet service--would be responsible for complying.

Representatives from the National Cable & Telecommunications Association and the Voice On the Net Coalition said they would work with the FCC to ensure that their services complied with the requirements, though they acknowledged that important questions remained unanswered.

"Not without legal risk"
Injecting additional uncertainty is whether the FCC's action is legal. It represents what critics call an unreasonable extension of 1994's CALEA--which was designed to address telephone features such as three-way calling and call waiting--to the Internet.

A House of Representatives committee report prepared in October 1994 emphatically says CALEA's requirements "do not apply to information services such as electronic-mail services; or online services such as CompuServe, Prodigy, America Online or Mead Data (Central); or to Internet service providers."

When Congress was debating CALEA, then-FBI Director Louis Freeh reassured nervous senators that the law would be limited to telephone calls. "So what we are looking for is strictly telephone--what is said over a telephone?" Sen. Larry Pressler, R-S.D., asked during one hearing.

Freeh replied: "That is the way I understand it. Yes, sir."

Two of the four FCC commissioners who voted for the extension on Friday acknowledged that the federal government was on shaky legal ground. The FCC's regulation is based on arguing that the law's definition of "telecommunications carrier" applies to broadband and VoIP providers.

Kathleen Abernathy said: "Because litigation is as inevitable as death and taxes, and because some might not read the statute to permit the extension of CALEA to the broadband Internet access and VoIP services at issue here, I have stated my concern that an approach like the one we adopt today is not without legal risk."

Michael Copps warned that if a court case leads to the rules being struck down, Friday's move may have done "more harm than good." The FCC's logic, he said, was "built on very complicated legal ground."

The FCC is no stranger to having its decisions rejected by a federal appeals court that can be hostile to what it views as regulatory overreaching. In May, for instance, the FCC's "broadcast flag" was unceremoniously tossed out by the U.S. Court of Appeals for the D.C. Circuit.

"They basically rewrote the statute," said Dempsey of the Center for Democracy and Technology, referring to the application of CALEA to the Internet. "After a year or more of studying this question, the commission has failed to answer some basic questions. I'm afraid that the FBI will step into the vacuum and start claiming that it needs this or that."