Communications - July 2011

Judge Orenstein foundh that a cellphone was in fact a tracking device, and that a showing of probable cause was necessary to obtain prospective cell site data. On Sept. 7, 2010 the United States Court of Appeals for the Third Circuit upheld a lower court’s opinion that a cellular telephone was in fact a tracking device, and further ruled that it is within a magistrate judge’s discretion to require a showing of probable cause before granting a request for historical cell site data.i

CALEA and the USA PATRIOT Act. Clearly the information made available by the cellular architecture has motivated law enforcement to pursue it. And having gotten used to this massive source of personal information, law enforcement would like to keep the data conduits open. The development and commercialization of new telephone technologies in the 1980s and 1990s caused concern that less sur-veillance-friendly architectures were becoming the norm. This prompted law enforcement to ask Congress for legislation that would require service providers to provide a common means for surveillance regardless of the technology in use. The Director of the FBI made the point quite clearly in testimony before Congress:

The purpose of this legislation, quite simply, is to maintain technological capabilities commensurate with existing statutory authority; that is, to prevent advanced telecommunications technology from repealing, de facto, statutory authority now existing and conferred to us by the Congress.

Former FBI Director Louis Freeh18

The result of this effort—the Communications Assistance for Law Enforcement Act (CALEA4)—was passed on the last night of the 1994 congressional session. CALEA requires that service providers “facilitat[e] authorized communications interceptions and access to call-identifying information unobtrusively and with a minimum of interference with any subscriber’s tele- h 384 F. Supp.2d 562 (E.D.N. Y. 2005)

communications service.”j
Perhaps the most significant im-
pact of CALEA on cellular systems will
be through its amended provisions
affecting voice-over-IP (VoIP). Under
CALEA, VoIP service providers cannot
release IP calls to travel freely between
subscriber terminal adapters; instead,
the service provider must anchor most
calls, creating a fixed point that must
be traversed by call packets in both di-
rections.k Upon the presentation of an
appropriate warrant, a duplicate call
stream is generated at this fixed point
and passed to a law enforcement agen-
cy. Such restrictions will almost cer-
tainly apply to 4G cellular platforms,
which will implement all-IP solutions
for voice and data.l
Several of the provisions of the USA
PATRIOT Actm also have current and fu-
ture implications for cellular systems.
The PATRIOT Act amended much of
the legislation discussed earlier,n the
following provides a brief summary of
a few key elements.

˲ ˲ Section 204 amended Title II of the ECPA so that stored voicemail can be obtained by the government through a search warrant rather than through the more stringent process of obtaining a wiretap order.o

˲ ˲ Section 216 expanded the pen reg-
ister and trap and trace provisions of
the ECPA to explicitly cover the context
j 47 U.S.C. Section 1002(a)
k The fixed point often takes the form of a Ses-
sion Border Controller (SBC). See, for exam-
ple, The Benefits of Router-Integrated Session
Border Control, White paper, Juniper Net-
works, http://www.juniper.net/us/en/local/pdf/
whitepapers/2000311-en.pdf and http://tools.
ietf.org/html/draft-ietf-sipping-sbc-funcs-00.
l For a discussion of potential vulnerabilities of
CALEA monitoring systems, see Pfitzmann et
al. 35 and Sherr et al. 41
m Uniting and Strengthening America by Provid-
ing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act of 2001, signed
into law Oct. 26, 2001.
n A detailed discussion can be found at http://
epic.org/privacy/terrorism/usapatriot/#history.
Many of the provisions discussed here had as-
sociated sunset clauses, but as recently as Mar.
1, 2010, Congress has continued to provide ex-
tensions to these clauses.

of Internet traffic. The URLs visited from a cellular platform, for example, thus receive the low level of protection provided by Title III of the ECPA.

˲ ˲ Section 217 permits government interception of the “communications of a computer trespasser” if the owner or operator of a “protected computer” authorizes the interception.

The last of the provisions, commonly referred to as the “computer trespasser” provision, has caused concern as it appears to allow interception of all traffic through intermediate routers and switches if the owners of the equipment authorize the interception. This could, for example, include all traffic through a gateway GPRS support node—the interface between 3G cellular networks and the Internet. Given that the service providers have been granted immunity from lawsuits filed in response to their cooperation with intelligence agencies, 27 this provision was particularly troubling to some privacy advocates.p

It should be noted that some researchers have argued that the PATRIOT Act has simply clarified existing policy. Orin Kerr, for example, has provided a detailed argument that “none of the changes altered the basic statutory structure of the Electronic Communications Privacy Act of 1986.” 26

The Right to Market. Thus far, I have focused on the laws and regulations that limit law enforcement’s access to the data collected by cellular service providers. But what of the service providers themselves? A quick tour through some recent case law is interesting in that it shows how the carriers view their right to use this information, and the commercial value that they place on it. In what follows there will be two basic questions: Are the carriers limited in how they may use the data for their own marketing? Are they limited in their ability to sell the data to third parties?

On January 3, 1996 Congress passed the Telecommunications Act of 1996, the first major restructuring of telecom law since 1934. Section 222 of the Act states that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating p See, for example, http://epic.org/privacy/ter-rorism/usapatriot/.