140 likes | 156 Views
Gain insights on the challenges and costs of becoming CALEA compliant for campuses. Understand the vocabulary and regulations involved in lawful surveillance. Discover the implications, impacts, and responsibilities universities face in meeting CALEA requirements.
E N D
CALEACommunications Assistance for Law Enforcement Act Current Campus Perspective of Implementation Issues November 17, 2005 Doug Carlson – New York University
CALEA:A Campus Perspective • What do we know for sure? • Not much!!! • But sooner or later, some regulations requiring additional activity by universities in lawful surveillance seem very possible • Cost to become CALEA compliant could be HUGE!!!
Some Vocabulary (ref. TIA J-STD-025-B) • Access Function(s) (provided by campus) • Provides unobtrusive intercept access points to intercept subject’s communications and passes to Delivery Function • Delivery Function (provided by campus) • Responsible to delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function • Collection function (provided by LEA) • Responsible for collecting lawfully authorizedcommunications
How a request might work Telecommunication Service Provider (Campus?) Access Function (Switch collects Lawful Intercept data) Service Provider Administration (Turn on/off Lawful Intercept feature of switch) Delivery Function Lawful Authorization (Securely deliver information to LEA) (Order generated) Law Enforcement Administration Collection Function Law Enforcement
CALEA FAQ Thanks to Al Gidari (Perkins Coie LLP) and Wendy Wigen (Educause) for assistance! Disclaimer: Current understanding – subject to change quickly • Who pays for what? • Campus must pay for equipment, systems and people to perform Service Provider Administration, Access Function and Delivery Function • Law Enforcement pays for leased lines (if necessary) to campus and Collection function
CALEA FAQ • What do I need to buy for my campus to be CALEA-compliant? • Don’t know - detailed specifications not yet available • Current CALEA regulations seem to require significant equipment upgrades or replacements • When will FCC clarify requirements so we can start upgrading network? • Not known
CALEA FAQ • Might CALEA regulations related to the Internet be declared invalid? • Yes, but universities will still need to support surveillance requests in the future • Is the university responsible for decrypting or decompressing message content? • No, not unless the university did the compressing/encrypting and has keys to decrypt
CALEA FAQ • Is more than just Voice over IP covered by CALEA? • Yes – all communications will need to be forwarded, and (as of now) the VoIP packets will need to be decoded if the university provides the VoIP service, otherwise decoding responsibility is unclear
CALEA FAQ • Is surveillance of intra-campus traffic necessary (e.g., between two computers hooked to the same card on the same ethernet switch)? • Yes……if the switch has the potential of passing traffic forward to the public Internet
CALEA FAQ • What might a LEA ask for? • All communications associated with an IP address or jack • All communications associated with a person!!! • Wired – specific location • Wired – any authenticated access!!! • Wireless!!!
CALEA FAQ • Do the LEAs want to be able to turn on and perform surveillance remotely? • University personnel would be turning on, maintaining and turning off the wiretap, but the data would be sent to the designated LEA facility • It seems like some of the CALEA requirements will be very difficult (or impossible) to implement with commonly deployed systems and technology. Sound right? • Yes
CALEA FAQ • Do campuses need to do anything beyond network upgrades to satisfy CALEA? • Yes - universities will need do training and background checks, have 7/24 point of contact for LEAs, create and document processes for interfacing with LEAs and file documentation attesting to CALEA compliance
CALEA FAQ • Any other impacts? • Is E911 now extended to university VoIP systems? • If nothing changes with CALEA, when do we need to be compliant? • ~17 months; Spring 2007 • Short timeframe is a real concern • Major cost factor (can’t use normal renewal cycle) • Find funds, acquire equipment (when available) and install!!!
CALEA:A Campus Perspective Higher Ed. has, and will continue to, support lawful surveillance, but effective, less costly alternatives should be explored