Presentation on theme: "CALEA Panel Internet2 Member Meeting December 6, 2006."— Presentation transcript:
CALEA Panel Internet2 Member Meeting December 6, 2006
2 Panel Members
- Eric Boyd (moderator), Internet2. Email: firstname.lastname@example.org
- Matt Brill, Latham & Watkins. Email: Matthew.Brill@lw.com
- Doug Carlson, New York University. Email: email@example.com
- Shaun Abshere, WiscNet. Email: firstname.lastname@example.org
- Steve Wallace, Internet2. Email: email@example.com
3 CALEA
- Communications Assistance for Law Enforcement Act (CALEA)
- The FCC recently extended CALEA to apply to broadband Internet access and interconnected Voice over IP
- Deals with the manner in which assistance must be provided to Law Enforcement - not whether assistance must be provided
4 Early Concerns
- Concern within the higher education community about its impact on campuses and on higher education networks
- Who is covered?
- What constitutes CALEA compliance?
- What are the risks (legal and technical)?
- What are the costs (financial and philosophical)?
5 CALEA
- Cost to universities was initially thought to be enormous
- American Council on Education (ACE) led a coalition to challenge the FCC over the application of CALEA to higher ed.
- Latham & Watkins (especially Matt Brill) were engaged to assist
6 Agenda
- Introductions - Eric Boyd
- Legal Issues - Matt Brill
- Campus perspective - Doug Carlson
- State and regional networks perspective - Shaun Abshere
- Internet2 perspective - Steve Wallace
- Q&A and prepared questions
8 The FCC’s August 2005 Order In response to a petition filed by DOJ and the FBI, the FCC adopted an order extending the scope of CALEA to include all facilities-based providers of broadband Internet access and interconnected VoIP services. The FCC relied on the Substantial Replacement Provision to subject providers of facilities-based broadband and interconnected VoIP services to the assistance-capability requirements in CALEA. The FCC established a compliance deadline of May 2007.
9 Applicability of CALEA to Private Networks The FCC’s Order recognized that “private broadband networks or intranets that enable members to communicate with one another and/or to receive information from shared data libraries not available to the general public... appear to be private networks for purposes of CALEA,” and thus exempt. At the same time, however, the Order suggested that the exemption could be lost if such private networks connect to the Internet, as virtually all higher education networks do. The Order stated: “To the extent that... private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to the public network are subject to CALEA under the SRP.” In subsequent meetings and press statements, the FCC declined to elaborate on the meaning of this statement.
10 Court Appeal A coalition of parties representing higher education as well as providers of broadband and VoIP services, privacy groups, and other public interest organizations appealed the FCC Order. The appeal contended that the FCC’s Order violated CALEA’s exemption of information services and private networks. In response to our opening brief, the Government briefs acknowledged a key limitation on the application of CALEA to higher education networks. In particular, the FCC clarified that its Order applies to “private network operators that provide their own connection to the Internet,” which are subject to CALEA with respect to that connection, but does not apply to “those that contract with an ISP for that connection.” The Department of Justice agreed that CALEA applies at most to “Internet gateway” facilities, rather than to the internal portions of private networks.
11 Court Decision On June 9, the court of appeals issued an opinion upholding the FCC Order. (A petition for rehearing filed by certain petitioners was later denied.) The court ruled that differences in the structures and purposes of CALEA and the Communications Act made it reasonable for the FCC to construe the term “information services” differently under the two statutes. More favorably, the court made clear that CALEA “expressly excludes ‘private networks’ from its reach.” The court also found that the FCC had not yet attempted to apply CALEA obligations to the internal portions of private networks. But the court did not address the circumstances under which Internet gateways are subject to CALEA.
12 What Does This Mean for Higher Education? There are still unanswered questions, but the Order, the Government briefs, and the court decision taken together suggest two factors that will determine whether colleges and universities have any obligations under CALEA. These factors are: (1) whether the campus network “supports” the connection to the Internet, and (2) whether the campus network qualifies as a “private network.”
13 Does the Campus Network “Support” the Connection to the Internet? While the language in the FCC Order is cryptic, the FCC’s court brief sets forth a more workable test: Colleges and universities that “provide their own connection to the Internet” are subject to CALEA (at least with respect to those Internet connection facilities), while institutions that rely on a third party for this connection are exempt. This still leaves some gray areas, but the FCC most likely would conclude that an institution provides its own Internet connection when it constructs, purchases, leases, or otherwise operates fiber optic or other transmission facilities and associated switching equipment that link the campus network to an ISP’s point of presence. In contrast, the FCC most likely would conclude that an institution is exempt if it obtains access to the Internet by (1) contracting with an ISP or regional network to pick up Internet traffic from a campus border router, (2) purchasing a private line or other transmission service from a telecommunications carrier on a contractual or tariffed basis (as opposed to leasing dark fiber or other facilities), or (3) relying on some combination of these approaches.
14 Is the Campus Network a “Private” Network? If a campus network is closed (i.e., does not connect to the Internet), it is clearly exempt from CALEA under the private network exemption. Interconnected networks that support their own Internet connection appear to enjoy a limited exemption if they otherwise qualify as “private.” Specifically, only the gateway equipment itself is subject to CALEA – the internal portions of a private network remain exempt. The FCC did not expressly define “private network,” but the touchstone appears to be limited availability to specific members or constituents of an organization. Thus, a campus network that is available only to students, faculty, and administrators should be considered a private network, which means CALEA applies at most to the Internet gateway equipment. In contrast, networks that provide general public access and support a connection to the Internet may well be subject to CALEA obligations throughout the network, rather than only at the gateway.
15 Compliance Obligations Under the Second Report and Order
For entities that appear to be covered by CALEA, the next steps under the Second Report and Order are:
- Must submit report to FCC on “system security requirements” – which concern employee supervision and recordkeeping – at a date TBD (likely in March 2007).
- Also must submit compliance status form to FCC at a date TBD.
- Must be in full compliance by May 14, 2007. This will require: (1) installing new CALEA-compliant gateway equipment, (2) contracting with a “trusted third party” to provide the requisite surveillance capabilities, or (3) developing a customized network solution.
CALEA Panel University Perspective Internet2 Member Meeting December 6, 2006
17 Ambiguity and CALEA It is the mark of an instructed mind to rest satisfied with the degree of precision which the nature of the subject admits and not to seek exactness when only an approximation of the truth is possible. - Aristotle
18 What’s the status?
- Uncertainty about which networks and institutions are exempt from CALEA
- Uncertainty about exactly what “compliance” means
- Uncertainty about systems and services available to implement compliance
19 Existing Obligation – Title 18 USC Title 18 provides the framework which requires colleges and universities to assist law enforcement with communications intercepts: “An order authorizing the interception of a wire, oral, or electronic communication under this chapter shall, upon request of the applicant, direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted.”
21 Exempt/Non-Exempt Tests (as Matt mentioned)
- Does the organization “support” the connection to the Internet?
  - “Support” is undefined
  - What is meant by Internet is unclear
- Is it a “private network”?
  - “Private network” is not well-defined
22 What is compliance?
- Not yet completely defined
- FCC/DOJ looking to industry and Law Enforcement to work together to develop “safe harbor” standards
23 Recent News
Alliance for Telecommunications Industry Solutions (ATIS) Working Document for Lawfully Authorized Electronic Surveillance (LAES) for Internet Access and Services
Abstract: Personal communications has traditionally been carried via wireline circuits pursuant to an arrangement with a LEC. Recent advances in technology have increased the variety and prevalence of more flexible access arrangements. Internet Access and Services can be obtained by establishing a subscription based arrangement. This standard provides capabilities to lawfully intercept communications of subscription-based Internet Access and Services arrangements.
http://contributions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006-084R6.doc
24 Options for Compliance
- Institution complies using own equipment
  - Intercept capabilities (routers, probes)
  - Format and send to Law Enforcement Agencies (mediation device)
- Trusted Third Parties (e.g., Apogee, NeuStar, VeriSign, etc.) handle as a service
- EDUCAUSE CALEA Tech. group gathering information on what is available and/or planned by vendors
25 Recent News
- Oct. 19th: Office of Management and Budget seeking comments by November 20th on information collection associated with CALEA system security requirements
- The FCC is expected to announce soon a new filing date for institutions and organizations which need to comply with CALEA – expected to be in late February
26 Suggestions for actions
- As Matt mentioned, meet with your legal department and come to agreement on exempt/non-exempt status
- If not exempt, follow up on compliance requirements and options when available
  - Filing - date TBD
  - Complete technical and procedural compliance activities by May 2007
- Watch EDUCAUSE web site for best practices for complying with existing Title 18 requirements and consider implementing
27 Good information source http://www.educause.edu/calea
State Research & Education Network Perspective on CALEA Shaun Abshere WiscNet
29 Law Enforcement & StateNets
- Subpoenas are most common (by far) lawful orders served on StateNets
- Wiretap and search warrants, national security letters, & FISA court orders are very, very rare
- Handling almost always leads to delegation to member institution
30 “Private Network” Test
- K-20, library, government & health institutions are primary customers/members of StateNets
- Institutions “authenticate” users
- Very few StateNets support access by general public “subscribers”
- Most StateNets pass “private network” test
31 “Connection” Test
- Does a StateNet “support” the connection to the Internet at its “gateway facilities?”
- Both within and among StateNets, the answer to this ambiguous test will vary by gateway location and commodity I1 provider (multiple gateway facilities => ambiguity)
- If a StateNet “supports” even one connection, must it CALEA-comply at all gateway facilities?
- “Failing” connection test still leaves ambiguity
32 Diverse Opinion on Compliance
Legal opinion on connection support & private network varies among StateNets
- CENIC (California): Assert exemption
- UEN (Utah): Expect to comply at gateway facilities (GF)
- MOREnet (Missouri): Expect to comply at GF; TTP?
- ENA (IN & TN K-12): Expect GF-compliance; maybe site
- Merit (Michigan): Custom compliance at GF
- WiscNet (Wisconsin): Expect to comply at GF
33 StateNets as Trusted 3d Parties
- FCC Broadband CALEA Order permits “trusted 3d party” intercept providers
- Much discussion in StateNet community about this “business opportunity,” either based on custom solution or in partnership with for-profit vendors
CALEA Panel Internet2 Perspective Internet2 Member Meeting December 6, 2006
35 Internet2 Perspective
- Goals
  - Comply as required
  - Support Membership
- Current thinking
  - Internet2 not last mile provider, so not covered by CALEA
  - Forming ideas about how to best support membership. Ideas?
CALEA Panel Questions Internet2 Member Meeting December 6, 2006
37 Question
How can you get the most out of your campus legal team?
- Legal opinion on CALEA applicability: what legal and technical elements must an adequate legal opinion address?
- Handling lawful electronic surveillance orders: what are basic considerations that determine an order's validity and accuracy, and what confidentiality level is required?
38 Question What are your "cultural" norms and practices that make internally-managed CALEA-compliance difficult? That make CALEA-compliance via a trusted third party vendor difficult?
39 Question
Gateway facilities:
- How many "gateway facilities" do you operate?
- Connected at what maximum bit-rate?
- What's the current peak bit-rate for traffic passing through those gateways?
- Absent CALEA, when next will you "refresh" your gateway facilities?
- Given CALEA, how did your refresh plans change?
40 Question Under what circumstances do the costs of maintaining CALEA-exempt status exceed the benefits?