My friend Dave Taht, who battles bufferbloat for us all, pointed me today to a document from the Wireless Internet Service Provider Association. It’s the WISPA CALEA Compliance Guide, which details most of the rules that wireless ISPs are required to follow by CALEA — the Communications Assistance for Law Enforcement Act of 1994. These rules, variants of which apply to all telcos and to ISPs of all kinds (not just wireless), say what those companies are required to do to comply with the law. More directly, it specifies how they can be required to intercept customer communications and relay that content to law enforcement agencies.
Read it if you have a moment. The document, which is chilling, explains a lot both in what it says and what it doesn’t say.
If you think your Internet communications are private, they aren’t. To be compliant with the law, ISPs have to be able to isolate target communication, record it, decrypt it, gather metadata and associated out-of-band communication, figure out what parts of the communication aren’t from the target named in the court order, remove those and not give them to law enforcement but still save them for five years just in case, then hand the rest over to the cops, FBI, etc.
If you wonder where privacy appears in this document, here it is: 1) the ISP is not allowed to tell you that you are being snooped on (enforcing the privacy of law enforcement); 2) if multiple law enforcement agencies want to read your e-mails or listen to your VoIP calls (both are specifically covered) the ISP is required to not tell any of those law enforcement agencies about the others; and 3) there is no three. Customer privacy is never mentioned in the document.
Nor are there any requirements for who at the ISP is allowed to do this snooping and decrypting or what else they can do with the data requested by law enforcement.
I found it especially concerning that the ISP, not the law enforcement agency, is required to decrypt all intercepted communications and look at, listen to, or read them, since these would seem to be the only ways to determine if that’s you on the phone or your nine-year-old.
Most ISPs I know hire as many folks as they can at or near the minimum wage, which is not to say that poorer people are less ethical (heck, they are probably more ethical). But in mandating CALEA compliance, ISPs are required to have on hand all the snooping tools you can imagine and the knowledge of how to use them without being detected.
Late at night can’t you imagine that somewhere some tech is reading his girlfriend’s e-mail?
Maybe they have another document saying not to do that, but I couldn’t find it.
Privacy is dead. Don’t we all feel so much safer for that?