February 22, 2021
Law Enforcement and Technology: the “Lawful Access” Debate
Technological advances present both opportunities and
CALEA
challenges for U.S. law enforcement. For example, some
The simultaneous opportunities and challenges that
developments have increased the quantity and availability
evolving technology present to law enforcement have
of digital content and information for investigators and
received congressional attention for several decades and
analysts. Some observers say law enforcement’s
have been a central point of contention between law
investigative capabilities may be outpaced by the speed of
enforcement and technology companies.
technological change, preventing investigators from
accessing certain information they may otherwise be
The 1990s brought concerns that digital and wireless
authorized to obtain. Specifically, law enforcement officials
communications made it more difficult for law enforcement
cite strong, end-to-end encryption, or what they have called
agencies to execute authorized surveillance. In response,
warrant-proof encryption, as preventing lawful access to
Congress passed the Communications Assistance for Law
certain data. Companies employing such strong encryption
Enforcement Act (CALEA; P.L. 103-414) to help law
have stressed they do not hold encryption keys. This means
enforcement maintain its ability to execute authorized
they may not be readily able to unlock, or decrypt, the
electronic surveillance. Among other things, CALEA
devices or communications—not even for law enforcement
requires that telecommunications carriers assist law
presenting an authorized search warrant or wiretap order.
enforcement in efforts to intercept electronic
communications for which it has a valid court order to carry
Front Door or Back Door Access
out. There are several noteworthy exceptions to this
Rhetoric around the encryption debate has focused on the
requirement:
notion of preventing or allowing back door access to
communications or data. Many view a back door as the
Law enforcement cannot require (or prohibit) providers
ability for an entity, including a government agency, to
of wire or electronic communications services (as well
access encrypted data without the user’s explicit
as manufacturers of equipment and providers of support
authorization. However, back door access can be a security
services) to implement “specific design of equipment,
vulnerability. Despite this concern, a number of encrypted
facilities, services, features, or system configurations.”
products and services have built-in back doors and thus can
In other words, they cannot require providers to build in
comply with law enforcement requests for information. For
access points.
instance, many email service providers encrypt email
communications and also maintain a key to those
Telecommunications carriers are not responsible for
communications stored on their servers. This is also the
decrypting any encrypted communications (or ensuring
case for cloud providers that maintain keys to the data
that the government has the ability to do so), unless the
stored on their servers. Strong, end-to-end encryption where
company already has the ability to do so.
companies do not maintain keys, however, does not contain
the same opportunities for access. Also, unintended back
CALEA applies to telecommunications carriers but
doors, or vulnerabilities, may be discovered by technology
specifically does not apply to “information services”
companies, security researchers, government investigators,
such as websites and internet service providers.
malicious actors, or others.
(Notably, the Federal Communications Commission
administratively expanded CALEA’s requirements to
Law enforcement contends that they want front door
also apply to certain broadband and Voice over Internet
access, where there is a clear understanding of when they
Protocol [VoIP] providers.)
are accessing a device, as the notion of a back door sounds
secretive. This front door could be opened by whomever
Proposed expansions of CALEA generally fall into two
holds the key once investigators have demonstrated a lawful
broad categories. Some proposed expansions may broaden
basis for access, such as probable cause that a crime is
the range of communications or information service
being committed. Whether front or back, however, building
providers covered by CALEA. Some have been interested
in an encrypted door that can be unlocked with a key—no
in making CALEA more technology neutral, such that it
matter who maintains the key—adds a potential
could, given the rapidly changing technology landscape,
vulnerability to exploitation by hackers, criminals, and
apply to a wider range of communications or information
other malicious actors. Researchers have yet to demonstrate
service providers. Other expansions may broaden the
how it would be possible to create a door that could only be
requirements placed on telecommunication carriers—such
accessed in lawful circumstances.
as maintaining the ability to decrypt communications—
placed on entities covered by CALEA.
https://crsreports.congress.gov
Law Enforcement and Technology: the “Law ful Access” Debate
Crypto Wars
telephone numbers, whether or not the call was completed,
Around the time that policymakers were passing CALEA, a
call duration, and which cell towers were used to make or
larger discussion on encryption was taking place. The so-
receive the call. These may be available retrospectively or
called crypto wars pitted the government against data
sometimes in real time. Companies vary in the length of
privacy advocates in a debate on the use of data encryption.
time they maintain call detail records and other data such as
This tension was highlighted by law enforcement proposals
GPS location information. Notably, call detail records do
to build back doors to certain encrypted communications
not contain the content of telephone calls.
devices as well as to block the export of strong encryption
code.
Stored Data. With a warrant or subpoena, law enforcement
may attempt to obtain data stored in the cloud or on a
Clipper Chip. During the Clinton Administration,
device.
encryption technology, known as the Clipper Chip, was
introduced. This technology used a concept referred to as
Ease of law enforcement access to cloud-based data may
k ey escrow. The idea was that the Clipper Chip would be
depend on factors including the location of the cloud
inserted into a communications device, and at the start of
server, the service provider, and length of time
each encrypted communication session, the chip would
information has been stored in the cloud. If the server is
copy the encryption key and send it to the government to be
located overseas, for instance, law enforcement can
held in escrow, essentially establishing a back door for
employ the Mutual Legal Assistance process to try to
access. With authorization—such as a court authorized
obtain the data from a partner nation. Factors that may
wiretap—government agencies would then have the ability
limit the scope of data stored in the cloud (and
to access the key to the encrypted communication.
subsequently, availability to law enforcement) include
Vulnerabilities in the system design were later discovered,
whether individuals store data in or back up their
showing that the system could be breached and the escrow
devices to the cloud and whether cloud storage space
capabilities disabled; as such, this system was not adopted.
and backup schedules capture the full range of data.
Encryption Export. Pretty Good Privacy (PGP) encryption
With respect to devices, access to devices and the
software was a widely used email encryption platform and
content on them may be locked and encrypted. Various
was considered a milestone because it made military-grade
factors can affect law enforcement’s efforts to gain
cryptography available to the public. PGP proliferated when
access to a device and its contents. For instance, law
someone released a copy of it on the internet, sparking a
enforcement attempting to unlock a device with brute
federal investigation into whether PGP’s creator was
force would likely use software to try every possible
illegally exporting cryptographic software (then considered
combination of keys in an attempt to unlock the device.
a form of “munitions” under U.S. export regulations)
The success of this method may depend, among other
without a specific munitions export license. Ultimately, the
things, on the amount of time available to try and unlock
case was resolved without an indictment.
a device, device limits on passcode attempts, and the
number of keys used in the passcode.
Renewed Crypto Wars?
The debate over law enforcement’s lawful access to
Going Forward
encrypted information originally focused on data in motion,
Policymakers may evaluate the extent to which end-to-end
or real-time communications. More recent technology
encryption affects law enforcement investigations and
changes have potentially affected law enforcement
public safety. They may weigh this against privacy and data
capabilities to access not only real-time communications
security concerns as they consider whether to expand or
but stored content, or data at rest. A central element of the
curtail law enforcement’s lawful access to certain
debate now involves determining what types of information
information. Changes could involve incentives or
law enforcement is able to access and under what
requirements for communications and technology
circumstances.
companies to provide specified information to law
enforcement, enhanced investigative tools, bolstered
Communications content. Wiretap requests are submitted
financial and manpower resources to help law enforcement
by law enforcement to judges, requesting permission to
better leverage existing authorities, or combinations of
intercept certain wire, oral, or electronic communications in
these and other options.
transit. In 2019, federal and state judges authorized 3,225
wiretaps, of which there were 464 instances reported to the
For additional resources, see CRS Report R44481,
Administrative Office of the U.S. Courts in which
Encryption and the “Going Dark” Debate; CRS Report
encrypted communications were encountered. Law
R44187, Encryption and Evolving Technology:
enforcement could not decrypt the content in 438
Implications for U.S. Law Enforcement Investigations; and
(approximately 94%) of the cases where they encountered
CRS Report R44827, Law Enforcement Using and
encrypted communications.
Disclosing Technology Vulnerabilities.
Call Detail Records. Law enforcement may request, with a
Kristin Finklea, Specialist in Domestic Security
subpoena or valid court order, certain call detail records
from telecommunications providers. These records can
IF11769
include information such as the sending and receiving
https://crsreports.congress.gov
Law Enforcement and Technology: the “Law ful Access” Debate
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permissio n of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11769 · VERSION 1 · NEW