The Court of Appeals for the District of Columbia has upheld the Federal Communications Commission’s Order extending the assistance capability obligations of the Communications Assistance for Law Enforcement Act (“CALEA”) to facilities-based, broadband Internet access providers and Voice over IP services (“VoIP”). These newly-covered entities have much to do in the coming months because the Commission has set May 2007 as the compliance date and has warned that extensions of time will be rare and hard to get. This Update first examines the decision and then discusses its immediate ramifications.
CALEA’s obligations extend only to telecommunications carriers, which by CALEA definition includes any entity that is a substantial replacement for local telephone exchange service and which the Commission deems it to be in the public interest to cover. CALEA excludes information services from that definition. The Commission decided that the telecommunications component of broadband Internet access and VoIP service was covered notwithstanding that under the Telecommunications Act, the Commission had deemed Internet access to be an information service and has yet to classify VoIP.
Applying the classic Chevron test (if a statute is ambiguous and the agency’s construction reasonable, a federal court is bound to adopt the agency’s construction), the court simply deferred to the Commission’s disparate treatment of the ambiguous term “information services” under CALEA, finding that although “a bit of a stretch . . . [the Commission] offered a reasonable interpretation of CALEA.” Why? CALEA is a different statute than the Telecommunications Act; the definition of telecommunications carrier is broader under CALEA and gives the Commission discretion to decide who is and is not a carrier; and, CALEA in the end “is a law-enforcement statute.”
The outcome was perhaps presaged by last year’s Supreme Court decision in NCTA v. BrandX Internet Svcs., 467 U.S. 837 (2005), where the Court gave broad deference to the Commission’s decision under the Telecommunications Act to treat the telecommunications component as one with the information service – just the opposite of what the Commission did under CALEA. The moral of BrandX and now this CALEA decision is that if Congress is not unequivocally clear about its intent in the statutory language, courts will defer to the agency if rules reflect a plausible or reasonable interpretation. And that threshold apparently is low. Had the review been de novo where the court could have analyzed how Congress interpreted the term information service in 1994, the court here hinted that the outcome may well have been different.
The court hastened to emphasize that CALEA’s information services exclusion retains vitality. CALEA does not apply, for example, to the storage functions of email, Web hosting, or domain name lookup services. It only applies to the “switching and transmission” component of the ISP or VoIP service. Thus, a provider of Web-based email service has no CALEA obligation whereas the Internet access provider (e.g., the local DSL provider) does have compliance obligations. The scope of those obligations, as noted below, remain unclear.
In regard to private networks, the court likewise emphasized that CALEA excludes them. It dismissed appellants’ concerns as not ripe that the Commission’s coverage of facilities that support connection of private networks to public networks actually implicate private network components. The decision suggests that the court may reject future attempts by the Commission to require CALEA compliance for border or gateway routers of private network operators that connect to the Internet. The private network issue affects not only universities and colleges that provide Internet access to students and faculty, but also private businesses who, for example, operate global wide area networks and then provide their own connections to the Internet for employees or other users.
The appeal options are limited. Motions for rehearing en banc are disfavored and may be granted only when there is a conflict of decisions within or among the circuits or if the proceeding involves a matter of exceptional importance. While there are no conflicting decisions, the parties may well consider CALEA’s application to the Internet to be a question of preeminent importance. Beyond rehearing, the parties would be left to seek a writ of certiorari to the U.S. Supreme Court, which would be unlikely to be granted. In short, absent a rehearing, the Commission’s Order likely will stand.
Now that we know who is a covered entity, the Commission’s Second Report and Order on what must be done andwhen it must be accomplished takes on new importance. The Second Order was released on May 12, 2006, and resolved a myriad of administrative CALEA issues. Newly-covered entities must be aware of the following:
Compliance Deadline: May 14, 2007. Extensions of the compliance date are only available for equipment, facilities or services “installed or deployed” before October 1998.
Immediate Security Requirements: All newly-covered entities must meet the Section 105 system security and integrity requirements within 90 days of publication of the Second Order in the Federal Register (pending publication). In short, newly-covered entities must create a security office, train personnel to receive and implement legal process for surveillance, and provide contact information for such personnel to the Commission. Monitoring Reports: The Commission will issue a future public notice that will require covered entities to submit compliance progress reports describing their compliance status and progress towards the May 2007 deadline. Newly-covered entities must coordinate with manufacturers immediately to avoid future enforcement actions by the Commission.
Cost Recovery: The cost of CALEA compliance is on the newly-covered entity and the hurdle is high to show that the costs are unreasonable and that compliance cannot be achieved.
Technical Requirements: There remain unanswered questions concerning what constitutes communications identifying information or “CII” and how it must be provided to law enforcement. The Commission has deferred to industry standards bodies to define it in the first instance, and has permitted trusted third parties to provide solutions.
The Commission asked in October 2005 what procedures, if any, it should establish to consider exemptions from CALEA’s obligations, as permitted under CALEA in consultation with the Attorney General. The Commission asked for comment on whether, short of a complete exemption, something less-than-full compliance with CALEA could be required. Finally, the Commission asked whether any other forms of VoIP service should be covered such as one-way or peer-to-peer services. The FCC acknowledged that these were important questions and stated its intention to resolve them expeditiously in a forthcoming order.
The impact of the court’s decision on the legislation being “shopped” by the Department of Justice remains to be seen. The proposed legislation, although not made public yet, would have codified the Commission’s Order and made other changes to CALEA long desired by law enforcement. The Department may well be more than satisfied with the court’s decision and the favorable venue it now has at the Commission for future changes to CALEA, whereas industry may look to the legislative process to address its concerns about the scope of the now validated Commission Order. Coupled with data retention legislation, industry should closely track legislative efforts regarding surveillance obligations.