CALEA — Communications Assistance for Law Enforcement Act
Every time law enforcement intercepts a phone call or internet communication under a court order, the technical infrastructure making that intercept possible was built to order by the telecommunications company — not by the government. The Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994 and codified at 47 U.S.C. §§ 1001–1010, requires all telecommunications carriers in the United States to design their networks with built-in, government-accessible wiretap capability. Congress passed CALEA after the FBI reported that the shift from analog to digital telephony was making court-authorized wiretaps technically impossible to execute — carriers simply didn't have systems that could isolate and deliver a single subscriber's communications to law enforcement. CALEA solved that problem by making surveillance-ready infrastructure a legal requirement for being a telecommunications carrier. It does not authorize any surveillance — wiretaps and intercepts still require independent legal authority (a Title III wiretap order, a FISA order, etc.). CALEA simply ensures that when law enforcement arrives with valid legal process, the carrier can comply technically. The FCC extended CALEA to broadband internet providers and VoIP services in 2006 — meaning your internet provider is legally required to have the same wiretap infrastructure as your phone company.
Current Law (2026)
| Parameter | Value |
|---|---|
| Governing statute | 47 U.S.C. §§ 1001–1010 (CALEA, 1994); extended to broadband/VoIP by FCC order (2006) |
| Who is covered | Telecommunications carriers; broadband internet access providers; VoIP providers (interconnected VoIP per 2006 FCC order) |
| Core obligation | Carriers must ensure they have capability to intercept communications, access call-identifying information, and deliver intercepted content and data to law enforcement |
| Legal authority required | CALEA does NOT authorize surveillance — separate legal authority required (Title III court order, FISA order, pen register order, etc.) |
| Who pays for capability | Carriers bear cost of building intercept capability into their systems |
| Who pays for actual intercepts | Government pays reasonable costs of individual interception assistance |
| Compliance standards | Industry standards (ATIS/TIA J-STD-025 and derivatives) meet CALEA requirements; carriers may petition FCC for alternative compliance |
| Enforcement | DOJ/FBI may petition FCC to order compliance; FCC may assess fines |
| Exclusions | Information services and private networks not classified as telecom carriers are generally not covered (though 2006 order expanded scope) |
Legal Authority
- 47 U.S.C. § 1001 — Findings (Congress found that telephone network changes were making court-authorized wiretaps difficult to execute; stated intention not to expand government surveillance authority but to preserve existing capability in the digital age)
- 47 U.S.C. § 1002 — Assistance capability requirements (telecommunications carriers must ensure they can: (1) expeditiously isolate and enable government interception of communications; (2) expeditiously isolate and enable government access to call-identifying information; (3) provide intercepted communications and call-identifying information to the government; (4) carry out intercepts in a way that is undetectable to the target and other users)
- 47 U.S.C. § 1003 — FBI as lead agency for standards (FBI designated as lead agency to consult with carriers and establish technical requirements; FBI publishes "Electronic Surveillance Technology Needs" documents identifying capability requirements)
- 47 U.S.C. § 1004 — Systems security and integrity (carriers must protect the privacy and security of communications not authorized to be intercepted; intercept capability must not degrade service; capability must be activated only when authorized)
- 47 U.S.C. § 1005 — Cooperation of equipment manufacturers and telecommunications support services (suppliers of equipment and support services are required to make their products and services compliant; DOJ may bring action against non-compliant suppliers)
- 47 U.S.C. § 1006 — Technical requirements and standards (FCC may establish technical requirements if industry standards are inadequate; carriers may use industry standards as safe harbor for compliance)
- 47 U.S.C. § 1007 — Expedited proceedings (parties may petition the FCC for rulings on compliance disputes; FCC must act within 180 days)
- 47 U.S.C. § 1008 — Payment of costs (government reimburses carriers for reasonable costs of providing interception assistance; carriers bear cost of building and maintaining capability in their systems)
- 47 U.S.C. § 1010 — Definitions (defines "telecommunications carrier," "call-identifying information," "content," "government," and other key terms; the scope of "telecommunications carrier" has been the central battleground in coverage disputes)
How It Works
CALEA was a carefully negotiated compromise between the FBI, the telecommunications industry, and civil liberties groups. The FBI got guaranteed technical access. The industry got cost reimbursement for actual intercepts (though not for building the capability). Civil liberties groups got explicit language limiting CALEA to existing legal authority — CALEA itself authorizes nothing.
Carriers subject to CALEA must maintain "lawful intercept" (LI) capability — technical systems that can, on activation, isolate a target subscriber's communications and deliver them to law enforcement in real time without the target's knowledge. This means intercepting both content (the actual communication) and call-identifying information (who communicated with whom, when, for how long). The capability must be built into core switching and routing infrastructure so it can be activated on short notice when a court order arrives. When CALEA was enacted in 1994, "telecommunications carrier" covered traditional phone companies; as communications migrated to the internet, the FCC ruled in 2006 that CALEA also applied to broadband internet access providers and interconnected VoIP providers — covering companies like Comcast, AT&T Broadband, and Vonage.
Pure internet applications — encrypted messaging apps, web-based email, peer-to-peer platforms — are generally not "telecommunications carriers" under CALEA and are not subject to its requirements. This is the "going dark" problem the FBI has raised for years: services like Signal, end-to-end encrypted iMessage, and WhatsApp don't fall under CALEA, and even with a court order and a cooperating provider, decrypted content cannot be produced from end-to-end encrypted communications. CALEA explicitly states it doesn't require carriers to decrypt communications they don't hold the keys to — proposals for "lawful access backdoors" extending CALEA to encrypted platforms have been consistently proposed and consistently rejected, with security researchers warning that backdoors weaken security for all users.
CALEA is the infrastructure law — it defines what capability must exist. The authorization for actually using that capability comes from separate statutes: the Wiretap Act (18 U.S.C. §§ 2510–2522) for real-time content intercepts, the Electronic Communications Privacy Act for stored communications, and FISA for foreign intelligence surveillance. Carriers must build and maintain lawful intercept infrastructure at their own expense; the government reimburses only per-intercept costs, not the infrastructure itself. For large carriers, this means dedicated lawful intercept teams and systems; for new market entrants, CALEA compliance is a meaningful barrier to entry.
How It Affects You
<!-- pria:personalize type="impact" -->If you use any telephone or internet service from a U.S. carrier: Your carrier has built-in capability to intercept your communications and deliver them to law enforcement — that capability exists in the network right now, activated only when a court order is presented. CALEA does not make your communications less secure under normal circumstances; the capability is dormant and must be activated by legal process. But CALEA does mean that the technical barrier to surveillance, once a court order is issued, is near-zero.
<!-- /pria:personalize --> <!-- pria:personalize type="eligibility" -->If you use encrypted messaging apps (Signal, WhatsApp, iMessage): End-to-end encrypted applications are generally outside CALEA's current scope. When you communicate through these platforms, even if law enforcement has a court order, the platform typically cannot provide decrypted content because the encryption keys exist only on your device and your recipient's device. This is the "going dark" problem from law enforcement's perspective — and the reason why these platforms have become preferred for sensitive communications.
<!-- /pria:personalize --> <!-- pria:personalize type="eligibility" -->If you work in telecommunications or build communications products: CALEA compliance is a legal requirement, not optional. New carriers, VoIP services, and broadband providers must have lawful intercept capability from day one. The FBI publishes technical assistance documents; industry standards (ATIS/TIA J-STD-025) provide a compliance safe harbor. Non-compliance can result in DOJ petitioning the FCC to order compliance — and ultimately fines.
<!-- /pria:personalize --> <!-- pria:personalize type="impact" -->If you're concerned about government surveillance: CALEA is the infrastructure, but the legal safeguards against misuse are in the Wiretap Act, FISA, and the Fourth Amendment. A CALEA intercept without legal authority would be an illegal wiretap under 18 U.S.C. § 2511. The real civil liberties debates around CALEA concern: (1) whether it should be extended to encrypted apps; (2) whether the "going dark" problem justifies requiring backdoors; and (3) whether foreign governments or hackers could exploit CALEA infrastructure (a concern raised when Chinese actors accessed AT&T's lawful intercept systems in the 2024 Salt Typhoon hack).
<!-- /pria:personalize -->State Variations
CALEA is exclusively federal law. States cannot impose separate wiretap infrastructure requirements on telecommunications carriers (though states can regulate the legal process required for state law enforcement to use CALEA-enabled intercepts). The interaction between CALEA infrastructure and state wiretap laws is largely procedural.
Implementing Regulations
-
28 CFR Part 100 — Cost Recovery Regulations, Communications Assistance for Law Enforcement Act: the DOJ/FBI rules governing how telecommunications carriers get reimbursed for the costs of providing individual intercepts — the "per-intercept" reimbursement Congress authorized under Section 109(e) of CALEA (as opposed to the capability-building costs, which carriers bear themselves under § 109(b)):
- § 100.9 — General framework: carriers that incur reasonable costs in providing assistance with lawful wiretap orders — call routing, isolation of the target's communications, transmission to law enforcement — are entitled to reimbursement; the FBI administers the reimbursement program through cooperative agreements with carriers; the cost recovery rules apply only to the incremental costs of each individual intercept, not to the general CALEA infrastructure (dedicated interception equipment, lawful intercept interfaces, capacity) which carriers must fund themselves
- § 100.11 — Allowable costs: reimbursable costs include all reasonable plant costs directly associated with modifications required to comply with individual court-ordered intercepts under CALEA Sections 103 and 104; allowable categories include: direct labor for personnel who physically implement the intercept, equipment rental, materials consumed, direct overhead allocated on a rational basis, and costs of providing the content to law enforcement in usable format; costs must be documented and allocable to the specific intercept activity
- § 100.13 — Directly assignable costs: a cost is directly assignable if it is a plant cost incurred specifically for CALEA compliance — the FBI pays 100% of these; costs that would have been incurred anyway (routine network operations, general maintenance) are not directly assignable even if they benefit the intercept
- § 100.15 — Disallowed costs: general and administrative (G&A) costs are explicitly disallowed — management overhead, executive salaries, legal fees, and similar overhead cannot be charged to CALEA cost recovery; the FBI pays for the incremental cost of implementing the specific intercept, not for the carrier's general cost of doing business; this limitation has been contentious — carriers argue that G&A costs are genuinely allocable to CALEA compliance work; the FBI argues they are preexisting overhead unrelated to any specific lawful intercept
- § 100.16–100.17 — Cost estimation and payment requests: carriers must submit cost estimates before performing modifications (when possible) and detailed payment requests with supporting documentation after work is completed; FBI reviews costs for reasonableness and consistency with the approved cost recovery framework; the FBI's right to review carrier cost documentation creates an ongoing relationship between the FBI and carrier compliance teams for each major intercept deployment
- § 100.18 — Audit rights: FBI and government representatives may examine and audit all carrier records related to CALEA cost reimbursement claims; this audit right is a standard government contracting provision ensuring that claimed costs are accurate and allowable; the audit right is one reason CALEA cost recovery requires dedicated record-keeping by carrier CALEA compliance teams separate from normal billing systems
The cost recovery framework reflects CALEA's compromise structure: Congress required carriers to bear the cost of capability but agreed to reimburse per-intercept costs to avoid creating a financial disincentive for cooperation with lawful orders. In practice, most CALEA cost recovery claims are relatively modest (covering labor to provision the intercept and route communications to the government's collection point), but carriers with high intercept volumes (major national carriers) have significant ongoing CALEA compliance staffing whose cost is only partially recovered under Part 100. The Salt Typhoon compromise revealed in 2024 — Chinese state actors accessing carrier CALEA infrastructure — was enabled partly by the centralized, persistent nature of CALEA systems that Part 100 reimbursement supports.
Pending Legislation
The "going dark" debate continues as of 2026. Proposals to extend CALEA-style requirements to encrypted messaging platforms and device manufacturers (requiring "lawful access" capabilities in encryption) have been introduced periodically (the EARN IT Act, the LAED Act) but have not advanced. The 2024 Salt Typhoon hack of U.S. carrier lawful intercept systems — attributed to Chinese state actors — significantly complicated the law enforcement argument for expanding mandated surveillance infrastructure, as it demonstrated that CALEA-required capabilities can themselves become security vulnerabilities.
Recent Developments
The 2024 Salt Typhoon cyberattack on U.S. telecommunications infrastructure — in which Chinese state actors reportedly gained access to the lawful intercept systems that CALEA requires carriers to maintain at AT&T, Verizon, Lumen, and others — was a defining moment in the CALEA debate. The FBI had long argued that CALEA-required intercept infrastructure was secure and necessary; Salt Typhoon demonstrated that the mandated backdoors could be exploited by foreign adversaries. CISA and the FBI issued a joint advisory in late 2024 recommending that Americans use encrypted communications — a remarkable advisory given the FBI's simultaneous advocacy for laws requiring access to encrypted communications.