The Legal Line
Dear Ed:I have been reading all the press coverage on telephone call surveillance in connection with the Patriot Act and CALEA and have a few questions in connection with my company’s prepaid cellular and VoIP calling products. What are prepaid providers required to give to investigators? It seems to be the trend to give full out access and information about my consumers, no questions asked, if asked. Is this the “safest harbor” for providers or am I missing something? I know that there are privacy issues for my consumers, but where does it begin and end?Private-LineDear PL:It sounds as if you trying to pin me down on a general answer for all access and information requests from law enforcement investigators. Although I would like to oblige with a generic answer, the law related to privacy and lawful access to communications records/content is comprised of fine shades of gray that prevent such an answer. Perhaps it is best to first consider some of the following rights clearly retained by consumers of prepaid services commonly sold or provided by readers of The Prepaid Press:•Telephony (TDM, VoIP or otherwise) at 18 USC § 2510 et seq. An individual has a right of privacy for contents of telephone conversations, telegraph messages, or electronic data by wire.•Wireless and Radio Frequency at 47 USC §605 et. seq. An individual has a right of privacy for content of radio messages.•Financial records related to SVC with Bank accounts at 12 USC §3401 et seq. Bank records are confidential.•E-mails at 18 USC § 2702(a). Content of e-mail in public systems is confidential.Your consumers hold certain rights and expectations of the protection of privacy from unlawful intrusions. While service providers hold certain rights to review records/service for purposes of determining if usage is fraudulent, or, if there is a technical service problem, consumers hold a basic expectation of privacy. Privacy advocates generally find this to occur in telephone conversations when people “believe that the conversation is private and cannot be heard by others who are acting in an lawful manner.” Am.Jur.2d Telecommunications § 209 (1974). Needless to say, there is extensive federal constitutional case law framing the limits and scope of these rights and dictating what providers must protect from unlawful monitoring, taping, recording, or access to private consumer information.The heart of your specific question goes to the issue of lawful requests by law enforcement or federal agencies conducting investigations (Patriot Act or otherwise). Lawful access is access by law enforcement supported by a court order, or a subpoena supported by specific statutory power or authority. Simply giving information to a state or federal agency or any other person (no questions asked) without the required documentation may in fact place you, as the provider, in the position of infringing on your own consumer’s rights. You need to be mindful of this as most statutes protecting privacy rights carry civil remedies for unlawful access and infringement.There has been some confusion in the prepaid industry as to the nature and difference between CALEA and the Patriot Act, so it may be worth some clarification. CALEA or Communications Assistance for Law Enforcement Act, 18 USC § 2510 et. al. purpose is to provide law enforcement agencies (LEAs) with assurance that they will be able to have access to records and content of any communications incorporating new technologies. The Act itself focuses on assisting LEAs investigating major state or federal crimes and includes provisions for both voice communications transmitted in digital format as well as text and data transmissions between computers, or computer networks, using a modem or similar system. (Yes, this implicates VoIP.) CALEA requires all telecommunications providers to make digital communications available to LEAs in the same way that voice transmissions are accessible. CALEA does not abridge constitutional requirements of “probable cause” or the need for court orders. Likewise, providers are not required to decrypt encrypted communications – just to provide access upon court order or subpoena. The federal government must also reimburse telecommunications providers for any physical or technical modifications that were necessarily undertaken in the process of obtaining access through CALEA.On May 14th 2006, the FCC ordered compliance by telecommunication providers with CALEA requirements by May 14th 2007 – less than one year away. This will likely mean that CALEA will be on the tip of the tongue of many in the prepaid industry in this next coming year. I recommend that you sit with your legal counsel and begin planning CALEA compliance now as apposed to later. It would probably be a good idea to have an action plan to handle CALEA requests just in case you may be asked in the future as a proof of compliance.The Patriot Act is distinct from CALEA in scope and the documentation needed for compliance. As is common knowledge, the Patriot Act targets potential acts of terrorism or internal or external threats of mass violence for political or ideological motive. Requests for information or access from providers may or may not have time for court order, and may be based solely on a subpoena from federal law enforcement or intelligence agencies. Because of the more fluid nature of these requests, providers should work closely with their legal counsel to ensure compliance and protection of domestic privacy interests. Time will usually be of the essence in these requests, so having a pre-set plan for coordinating these issues with legal counsel will be key. It might also be wise to have your legal counsel read the recent changes under the new revised Act, as some parts related to electronic communication providers have change a bit.In conclusion PL, I don’t have a “safe harbor” generic answer for your question. I believe that lawful requests of records and access will be an ongoing issue for may providers. It is my recommendation though that you educate yourself and plan ahead as much as possible because May 15, 2007 is less than one year away. It is always better to be safe than sorry.Good Luck and Success in the Industry.Send your questions firstname.lastname@example.org.