Law Enforcement and Technology: The “Lawful Access” Debate




Updated January 16, 2024
Law Enforcement and Technology: the “Lawful Access” Debate
Technological advances present both opportunities and
CALEA
challenges for U.S. law enforcement. For example, some
The simultaneous opportunities and challenges that
developments have increased the quantity and availability
evolving technology present to law enforcement have
of digital content and information for investigators and
received congressional attention for several decades and
analysts. Some observers say law enforcement’s
have been a central point of contention between law
investigative capabilities may be outpaced by the speed of
enforcement and technology companies.
technological change, preventing investigators from
accessing certain information they may otherwise be
The 1990s brought concerns that digital and wireless
authorized to obtain. Specifically, law enforcement officials
communications made it more difficult for law enforcement
cite strong, end-to-end encryption, or what they have called
agencies to execute authorized surveillance. In response,
warrant-proof encryption, as preventing lawful access to
Congress passed the Communications Assistance for Law
certain data. Companies employing such strong encryption
Enforcement Act (CALEA; P.L. 103-414) to help law
have stressed they do not hold encryption keys. This means
enforcement maintain its ability to execute authorized
they may not be readily able to unlock, or decrypt, the
electronic surveillance. Among other things, CALEA
devices or communications—not even for law enforcement
requires that telecommunications carriers assist law
presenting an authorized search warrant or wiretap order.
enforcement in efforts to intercept electronic
communications for which it has a valid court order to carry
Front Door or Back Door Access
out. There are several noteworthy exceptions to this
Rhetoric around the encryption debate has focused on the
requirement:
notion of preventing or allowing back door access to
communications or data. Many view a back door as the
• Law enforcement cannot require (or prohibit) providers
ability for an entity, including a government agency, to
of wire or electronic communications services (as well
access encrypted data without the user’s explicit
as manufacturers of equipment and providers of support
authorization. However, back door access can be a security
services) to implement “specific design of equipment,
vulnerability. Despite this concern, a number of encrypted
facilities, services, features, or system configurations.”
products and services have built-in back doors and thus can
In other words, they cannot require providers to build in
comply with law enforcement requests for information. For
access points.
instance, many email service providers encrypt email
communications and also maintain a key to those
• Telecommunications carriers are not responsible for
communications stored on their servers. This is also the
decrypting any encrypted communications (or ensuring
case for cloud providers that maintain keys to the data
that the government has the ability to do so), unless the
stored on their servers. Strong, end-to-end encryption where
company already has the ability to do so.
companies do not maintain keys, however, does not contain
the same opportunities for access. Also, unintended back
• CALEA applies to telecommunications carriers but
doors, or vulnerabilities, may be discovered by technology
specifically does not apply to “information services”
companies, security researchers, government investigators,
such as websites and internet service providers.
malicious actors, or others.
(Notably, the Federal Communications Commission
administratively expanded CALEA’s requirements to
Law enforcement contends that they want front door
also apply to certain broadband and Voice over Internet
access, where there is a clear understanding of when they
Protocol [VoIP] providers.)
are accessing a device, as the notion of a back door sounds
secretive. This front door could be opened by whomever
Proposed expansions of CALEA generally fall into two
holds the key once investigators have demonstrated a lawful
broad categories. Some proposed expansions may broaden
basis for access, such as probable cause that a crime is
the range of communications or information service
being committed. Whether front or back, however, building
providers covered by CALEA. Some have been interested
in an encrypted door that can be unlocked with a key—no
in making CALEA more technology neutral, such that it
matter who maintains the key—adds a potential
could, given the rapidly changing technology landscape,
vulnerability to exploitation by hackers, criminals, and
apply to a wider range of communications or information
other malicious actors. Researchers have yet to demonstrate
service providers. Other expansions may broaden the
how it would be possible to create a door that could only be
requirements placed on telecommunication carriers—such
accessed in lawful circumstances.
as maintaining the ability to decrypt communications—
placed on entities covered by CALEA.
https://crsreports.congress.gov

Law Enforcement and Technology: the “Lawful Access” Debate
Crypto Wars
telephone numbers, whether or not the call was completed,
Around the time that policymakers were passing CALEA, a
call duration, and which cell towers were used to make or
larger discussion on encryption was taking place. The so-
receive the call. These may be available retrospectively or
called crypto wars pitted the government against data
sometimes in real time. Companies vary in the length of
privacy advocates in a debate on the use of data encryption.
time they maintain call detail records and other data such as
This tension was highlighted by law enforcement proposals
global positioning system (GPS) location information.
to build back doors to certain encrypted communications
Notably, call detail records do not contain the content of
devices as well as to block the export of strong encryption
telephone calls.
code.
Stored Data. With a warrant or subpoena, law enforcement
Clipper Chip. During the Clinton Administration,
may attempt to obtain data stored in the cloud or on a
encryption technology, known as the Clipper Chip, was
device.
introduced. This technology used a concept referred to as
key escrow. The idea was that the Clipper Chip would be
• Ease of law enforcement access to cloud-based data may
inserted into a communications device, and at the start of
depend on factors including the location of the cloud
each encrypted communication session, the chip would
server, the service provider, and length of time
copy the encryption key and send it to the government to be
information has been stored in the cloud. If the server is
held in escrow, essentially establishing a back door for
located overseas, for instance, law enforcement can
access. With authorization—such as a court authorized
employ the Mutual Legal Assistance process to try to
wiretap—government agencies would then have the ability
obtain the data from a partner nation. Factors that may
to access the key to the encrypted communication.
limit the scope of data stored in the cloud (and
Vulnerabilities in the system design were later discovered,
subsequently, availability to law enforcement) include
showing that the system could be breached and the escrow
whether individuals store data in or back up their
capabilities disabled; as such, this system was not adopted.
devices to the cloud and whether cloud storage space
and backup schedules capture the full range of data.
Encryption Export. Pretty Good Privacy (PGP) encryption
software was a widely used email encryption platform and
• With respect to devices, access to devices and the
was considered a milestone because it made military-grade
content on them may be locked and encrypted. Various
cryptography available to the public. PGP proliferated when
factors can affect law enforcement’s efforts to gain
someone released a copy of it on the internet, sparking a
access to a device and its contents. For instance, law
federal investigation into whether PGP’s creator was
enforcement attempting to unlock a device with brute
illegally exporting cryptographic software (then considered
force would likely use software to try every possible
a form of “munitions” under U.S. export regulations)
combination of keys in an attempt to unlock the device.
without a specific munitions export license. Ultimately, the
The success of this method may depend, among other
case was resolved without an indictment.
things, on the amount of time available to try and unlock
a device, device limits on passcode attempts, and the
Renewed Crypto Wars?
number of keys used in the passcode.
The debate over law enforcement’s lawful access to
encrypted information originally focused on data in motion,
Going Forward
or real-time communications. More recent technology
Policymakers may evaluate the extent to which end-to-end
changes have potentially affected law enforcement
encryption affects law enforcement investigations and
capabilities to access not only real-time communications
public safety. They may weigh this against privacy and data
but stored content, or data at rest. A central element of the
security concerns as they consider whether to expand or
debate now involves determining what types of information
curtail law enforcement’s lawful access to certain
law enforcement is able to access and under what
information. Changes could involve incentives or
circumstances.
requirements for communications and technology
companies to provide specified information to law
Communications content. Wiretap requests are submitted
enforcement, enhanced investigative tools, bolstered
by law enforcement to judges, requesting permission to
financial and manpower resources to help law enforcement
intercept certain wire, oral, or electronic communications in
better leverage existing authorities, or combinations of
transit. According to data reported to the Administrative
these and other options.
Office of the U.S. Courts, federal and state judges
authorized 2,406 wiretaps in 2022. Over half of these (51%)
For additional resources, see CRS Report R44481,
were used in narcotics investigations. Of the 2,406
Encryption and the “Going Dark” Debate; CRS Report
wiretaps, encrypted communications were encountered in
R44187, Encryption and Evolving Technology:
478 instances. Law enforcement could not decrypt the
Implications for U.S. Law Enforcement Investigations; and
content in 441 (approximately 92%) of the cases where they
CRS Report R44827, Law Enforcement Using and
encountered encrypted communications.
Disclosing Technology Vulnerabilities.
Call Detail Records. Law enforcement may request, with a
Kristin Finklea, Specialist in Domestic Security
subpoena or valid court order, certain call detail records
from telecommunications providers. These records can
IF11769
include information such as the sending and receiving
https://crsreports.congress.gov

Law Enforcement and Technology: the “Lawful Access” Debate


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11769 · VERSION 2 · UPDATED