This discussion explores the obligations and exemptions of the Communications Assistance for Law Enforcement Act (CALEA) for higher education networks. It provides an overview of the recent court case and clarifications from the FCC, along with recommendations for institutions.
CALEA Discussion Internet2 Joint Techs July 19, 2006 Doug Carlson Executive Director, Communications & Computing Services New York University doug.carlson@nyu.edu
Caveats • I’m not a Communications Lawyer! • Opinions and interpretations – not undisputed facts • Each institution/organization needs to evaluate if it is, or is not, exempt from CALEA
The Basics • CALEA • Communications Assistance for Law Enforcement Act • Imposes specific obligations on “telecommunications carriers” to build certain "assistance capabilities" into their networks by May 14, 2007 • Other reporting and actions required sooner • Title 18 and associated regulations provide obligations to assist Law Enforcement Agencies with Lawful Intercepts
The Basics – Title 18 USC Title 18 provides the framework which requires colleges and universities to assist law enforcement with communications intercepts: “An order authorizing the interception of a wire, oral, or electronic communication under this chapter shall, upon request of the applicant, direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted.”
The Basics (continued) • Via CALEA, the government would like in-place mechanisms to quickly initiate comprehensive intercepts of Internet communications (e.g., CALEA compliant equipment installed and operational) • An initial interpretation of CALEA suggested that most of the network equipment in all colleges and universities might need to be replaced – no longer the prevailing opinion
Recent Events • American Council on Education (ACE) takes the FCC to court • FCC clarifies in court brief that CALEA at most applies to gateway equipment and cannot apply to the internal portions of private networks • FCC issues the Second Report and Order • http://www.educause.edu/ir/library/pdf/EPO0634.pdf • Establishes actions and reporting requirements for “telecommunications carriers”
Recent Events (continued) • Court rejects most ACE arguments, but there appear to be some positive clarifications from this action by ACE • Court agreed that private networks cannot be required to comply with CALEA • ACE issues memo on the “Application of CALEA to Higher Education Networks” – particularly focusing on colleges and universities • http://www.educause.edu/ir/library/pdf/EPO0654.pdf
Court case results (Current thinking on broadband) • Still not clear!!! Opinions • Many colleges and universities are likely, at most, to need to make the “gateway” between the campus and the Internet CALEA compliant • Two tests to determine if exempt • Private network • Institution doesn’t provide its own facilities to the Internet (Service Provider)
FCC First Report and Order – Footnote 100 “To the extent [that] private networks are interconnected with a public network, either the [public voice network] or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA under the [Substantial Replacement Provision].”
Private Network • Offer network access to a well-defined set of users (e.g., students, faculty and staff) • Incidental other usage might be OK? • Open (non-authenticated) wireless?
Providing access to the Internet • Does the institution provide access to the Internet • What does “provide” mean? • One thought: Does the campus or the ISP own/provide connections between the campus network and the ISP’s Point of Presence (PoP)?
Other Issues • Further appeals? • Status of state/regional Research & Education networks? Same as universities? Not studied in detail by ACE. • Congress may consider new regulations • For example, draft legislation distributed recently by the FBI
What ACE has done recently • Coordinated overall Higher Ed. actions on CALEA (with EDUCAUSE providing assistance) • Analyzed the Court’s decision • Created a document on the impact of the Court’s decision
What EDUCAUSE will do • Continue dialog with Law Enforcement on guidelines for Title 18 compliance • CALEA Technical Group and EDUCAUSE Security Task Force collaborating on the development of guidelines for handling Lawful Intercepts for campuses • CALEA Technical Group will evaluate options for technical implementations of CALEA • Equipment • Trusted Third Parties (e.g., NeuStar, VeriSign) • Will continue to engage in analysis and discussion with the higher education community
What should institutions do? • Review the recent ACE memo • http://www.educause.edu/ir/library/pdf/EPO0654.pdf • Evaluate if the university appears to have a “private network” and is not responsible for providing the connection to the Internet • If don’t have a private network, CALEA obligations could be daunting • If do have responsibility for connection to your ISP, it could increase chances that gateway would need to be CALEA-compliant
What should institutions do? • If the institution determines that it is subject to CALEA • Begin to take the actions specified in the Second Report and Order (including preparing to file required paperwork – due >90 days out) • Evaluate technical options for CALEA compliance (but see next slide)
CALEA compliance challenges • As yet, no clear definition of what CALEA compliance means • FCC is looking for industry, working with the Law Enforcement Agencies (LEAs), to develop standards • Two ways to implement CALEA compliance • Institution installs equipment, creates procedures, etc., but verified equipment solution not yet available • Engage a Trusted Third Party to act as agent, but will need to define the service
How might a LI request work • [Diagram; labels only] • Telecommunication Service Provider: Access Function (switch collects Lawful Intercept data), Service Provider Administration (turn on Lawful Intercept feature of switch), Delivery Function (securely deliver information to LEA) • Lawful Authorization (order generated) • Law Enforcement: Law Enforcement Administration, Collection Function
Some Vocabulary (ref. TIA J-STD-025-B) • Access Function(s) (provided by campus) • Provides unobtrusive intercept access points to intercept subject’s communications and passes to Delivery Function • Delivery Function (provided by campus) • Responsible for delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function • Collection Function (provided by LEA) • Responsible for collecting lawfully authorized communications
Related Issues • Network authentication of terminals on campus (e.g., 802.1x) • Data retention of logs and other records
Good information source http://www.educause.edu/calea