CALEA Panel

1
CALEA Panel

• Internet2 Member Meeting
• December 6, 2006

2
Panel Members

• Eric Boyd (moderator) - Internet2
• Email eboyd_at_internet2.edu
• Matt Brill - Latham Watkins
• Email Matthew.Brill_at_lw.com
• Doug Carlson - New York University
• Email doug.carlson_at_nyu.edu
• Shaun Abshere WiscNet
• Email sabshere_at_mail.wiscnet.net
• Steve Wallace - Internet2
• Email ssw_at_anml.iu.edu

3
CALEA

• Communications Assistance for Law Enforcement Act
  (CALEA)
• The FCC recently extended CALEA to apply to
  broadband Internet access and interconnected
  Voice over IP
• Deals with the manner in which assistance must be
  provided to Law Enforcement - not whether
  assistance must be provided

4
Early Concerns

• Concern within the higher education community
  about its impact on campuses on higher education
  networks
• Who is covered?
• What constitutes CALEA compliance?
• What are the risks (legal and technical)?
• What are the costs (financial and philosophical)?

5
CALEA

• Cost to universities was initially thought to be
  enormous
• American Council on Education (ACE) led a
  coalition to challenge the FCC over the
  application of CALEA to higher ed.
• Latham Watkins (especially Matt Brill) were
  engaged to assist

6
Agenda

• Introductions - Eric Boyd
• Legal Issues - Matt Brill
• Campus perspective - Doug Carlson
• State and regional networks perspective - Shaun
  Abshere
• Internet2 perspective - Steve Wallace
• QA and prepared questions

7
CALEA and Higher Education Networks

• Presented to Internet2 Fall Member Meeting
• Matthew A. Brill
• Partner, Latham Watkins, LLP

8
The FCCs August 2005 Order

• In response to a petition filed by DOJ and the
  FBI, the FCC adopted an order extending the scope
  of CALEA to include all facilities-based
  providers of broadband Internet access and
  interconnected VoIP services.
• The FCC relied on the Substantial Replacement
  Provision to subject providers of
  facilities-based broadband and interconnected
  VoIP services to the assistance-capability
  requirements in CALEA.
• The FCC established a compliance deadline of May
  2007.

9
Applicability of CALEA to Private Networks

• The FCCs Order recognized that private
  broadband networks or intranets that enable
  members to communicate with one another and/or to
  receive information from shared data libraries
  not available to the general public . . . appear
  to be private networks for purposes of CALEA,
  and thus exempt.
• At the same time, however, the Order suggested
  that the exemption could be lost if such private
  networks connect to the Internet, as virtually
  all higher education networks do. The Order
  stated To the extent that . . . private
  networks are interconnected with a public
  network, either the PSTN or the Internet,
  providers of the facilities that support the
  connection of the private network to the public
  network are subject to CALEA under the SRP.
• In subsequent meetings and press statements, the
  FCC declined to elaborate on the meaning of this
  statement.

10
Court Appeal

• A coalition of parties representing higher
  education as well as providers of broadband and
  VoIP services, privacy groups, and other public
  interest organizations appealed the FCC Order.
• The appeal contended that the FCCs Order
  violated CALEAs exemption of information
  services and private networks.
• In response to our opening brief, the Government
  briefs acknowledged a key limitation on the
  application of CALEA to higher education
  networks. In particular, the FCC clarified that
  its Order applies to private network operators
  that provide their own connection to the
  Internet, which are subject to CALEA with
  respect to that connection, but does not apply to
  those that contract with an ISP for that
  connection. The Department of Justice agreed
  that CALEA applies at most to Internet gateway
  facilities, rather than to the internal portions
  of private networks.

11
Court Decision

• On June 9, the court of appeals issued an opinion
  upholding the FCC Order. (A petition for
  rehearing filed by certain petitioners was later
  denied.)
• The court ruled that differences in the
  structures and purposes of CALEA and the
  Communications Act made it reasonable for the FCC
  to construe the term information services
  differently under the two statutes.
• More favorably, the court made clear that CALEA
  expressly excludes private networks from its
  reach. The court also found that the FCC had
  not yet attempted to apply CALEA obligations to
  the internal portions of private networks. But
  the court did not address the circumstances under
  which Internet gateways are subject to CALEA.

12
What Does This Mean for Higher Education?

• There are still unanswered questions, but the
  Order, the Government briefs, and the court
  decision taken together suggest two factors that
  will determine whether colleges and universities
  have any obligations under CALEA.
• These factors are (1) whether the campus
  network supports the connection to the
  Internet, and (2) whether the campus network
  qualifies as a private network.

13
Does the Campus Network Support the Connection
to the Internet?

• While the language in the FCC Order is cryptic,
  the FCCs court brief sets forth a more workable
  test Colleges and universities that provide
  their own connection to the Internet are subject
  to CALEA (at least with respect to those Internet
  connection facilities), while institutions that
  rely on a third party for this connection are
  exempt.
• This still leaves some gray areas, but the FCC
  most likely would conclude that an institution
  provides its own Internet connection when it
  constructs, purchases, leases, or otherwise
  operates fiber optic or other transmission
  facilities and associated switching equipment
  that link the campus network to an ISPs point of
  presence.
• In contrast, the FCC most likely would conclude
  that an institution is exempt if it obtains
  access to the Internet by (1) contracting with an
  ISP or regional network to pick up Internet
  traffic from a campus border router, (2)
  purchasing a private line or other transmission
  service from a telecommunications carrier on a
  contractual or tariffed basis (as opposed to
  leasing dark fiber or other facilities), or (3)
  relying on some combination of these approaches.

14
Is the Campus Network a Private Network?

• If a campus network is closed (i.e., does not
  connect to the Internet), it is clearly exempt
  from CALEA under the private network exemption.
• Interconnected networks that support their own
  Internet connection appear to enjoy a limited
  exemption if they otherwise qualify as private.
  Specifically, only the gateway equipment itself
  is subject to CALEA the Internet portions of a
  private network remain exempt.
• The FCC did not expressly define private
  network, but the touchstone appears to be
  limited availability to specific members or
  constituents of an organization. Thus, a campus
  network that is available only to students,
  faculty, and administrators should be considered
  a private network, which means CALEA applies at
  most to the Internet gateway equipment.
• In contrast, networks that provide general public
  access and support a connection to the Internet
  may well be subject to CALEA obligations
  throughout the network, rather than only at the
  gateway.

15
Compliance Obligations Under the Second Report
and Order

• For entities that appear to be covered by CALEA,
  the next steps under the Second Report and Order
  are
• Must submit report to FCC on system security
  requirements which concern employee
  supervision and recordkeeping at a date TBD
  (likely in March 2007).
• Also must submit compliance status form to FCC at
  a date TBD.
• Must be in full compliance by May 14, 2007. This
  will require (1) installing new CALEA-compliant
  gateway equipment, (2) contracting with a
  trusted third party to provide the requisite
  surveillance capabilities, or (3) developing a
  customized network solution.

16
CALEA PanelUniversity Perspective

• Internet2 Member Meeting
• December 6, 2006

17
Ambiguity and CALEA
It is the mark of an instructed mind to rest
satisfied with the degree of precision which the
nature of the subject admits and not to seek
exactness when only an approximation of the truth
is possible.                         -
Aristotle
18
Whats the status?

• Uncertainty about which networks and institutions
  are exempt from CALEA
• Uncertainty about exactly what compliance means
• Uncertainty about systems and services available
  to implement compliance

19
Existing Obligation Title 18

• USC Title 18 provides the framework which
  requires colleges and universities to assist law
  enforcement with communications intercepts
• An order authorizing the interception of a
  wire, oral, or electronic communication under
  this chapter shall, upon request of the
  applicant, direct that a provider of wire or
  electronic communication service, landlord,
  custodian or other person shall furnish the
  applicant forthwith all information, facilities,
  and technical assistance necessary to accomplish
  the interception unobtrusively and with a minimum
  of interference with the services that such
  service provider, landlord, custodian, or person
  is according the person whose communications are
  to be intercepted.

20
(No Transcript)
21
Exempt/Non-Exempt Tests(as Matt mentioned)

• Does the organization support the connection to
  the Internet?
• Support is undefined
• What is meant by Internet is unclear
• Is it a private network?
• Private network is not well-defined

22
What is compliance?

• Not yet completely defined
• FCC/DOJ looking to industry and Law Enforcement
  to work together to develop safe harbor
  standards

23
Recent News
Alliance for Telecommunications Industry
Solutions (ATIS) Working Document for Lawfully
Authorized Electronic Surveillance (LAES)for
Internet Access and Services Abstract Personal
communications has traditionally been carried via
wireline circuits pursuant to an arrangement with
a LEC. Recent advances in technology have
increased the variety and prevalence of more
flexible access arrangements. Internet Access and
Services can be obtained by establishing a
subscription based arrangement. This standard
provides capabilities to lawfully intercept
communications of subscription-based Internet
Access and Services arrangements. http//contribu
tions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006-084
R6.doc
24
Options for Compliance

• Institution complies using own equipment
• Intercept capabilities (routers, probes)
• Format and send to Law Enforcement Agencies
  (mediation device)
• Trusted Third Parties (e.g., Apogee, NeuStar,
  VeriSign, etc.) handle as a service
• EDUCAUSE CALEA Tech. group gathering information
  on what is available and/or planned by vendors

25
Recent News

• Oct. 19thOffice of Management and Budget seeking
  comments by November 20th on information
  collection associated with CALEA system security
  requirements
• The FCC is expected to announce soon a new filing
  date for institutions and organizations which
  need to comply with CALEA expected to be in
  late February

26
Suggestions for actions

• As Matt mentioned, meet with your legal
  department and come to agreement on
  exempt/non-exempt status
• If not exempt, follow-up on compliance
  requirements and options when available
• Filing - date TBD
• Complete technical and procedural compliance
  activities by May 2007
• Watch EDUCAUSE web site for best practices for
  complying with existing Title 18 requirements and
  consider implementing

27
Good information source

• http//www.educause.edu/calea

28
State Research Education Network Perspective on
CALEA

• Shaun Abshere
• WiscNet

29
Law Enforcement StateNets

• Subpoenas are most common (by far)lawful orders
  served on StateNets
• Wiretap and search warrants, national security
  letters, FISA court orders are very, very rare
• Handling almost always leads to delegationto
  member institution

30
Private Network Test

• K-20, library, government health institutions
  are primary customers/members of StateNets
• Institutions authenticate users
• Very few StateNets support accessby general
  public subscribers
• Most StateNets pass private network test

31
Connection Test

• Does a StateNet support the connection to the
  Internet at its gateway facilities?
• Both within and among StateNets,the answer to
  this ambiguous test will vary by gateway
  location and commodity I1 provider(multiple
  gateway facilities gt ambiguity)
• If a StateNet supports even one
  connection,must it CALEA-comply at all gateway
  facilities?
• Failing connection test still leaves ambiguity

32
Diverse Opinion on Compliance

• Legal opinion on connection support private
  network varies among StateNets
• CENIC (California) Assert exemption
• UEN (Utah) Expect to comply at gateway
  facilities (GF)
• MOREnet (Missouri) Expect to comply at GF TTP?
• ENA (IN TN K-12) Expect GF-compliance maybe
  site
• Merit (Michigan) Custom compliance at GF
• WiscNet (Wisconsin) Expect to comply at GF

33
StateNets as Trusted 3d Parties

• FCC Broadband CALEA Order permitstrusted 3d
  party intercept providers
• Much discussion in StateNet communityabout this
  business opportunity,either based on custom
  solutionor in partnership with for-profit vendors

34
CALEA PanelInternet2 Perspective

• Internet2 Member Meeting
• December 6, 2006

35
Internet2 Perspective

• Goals
• Comply as required
• Support Membership
• Current thinking
• Internet2 not last mile provider, so not covered
  by CALEA
• Forming ideas about how to best support
  membership. Ideas?

36
CALEA PanelQuestions

• Internet2 Member Meeting
• December 6, 2006

37
Question
How can you get the most out of your campus
legal team? - Legal opinion on CALEA
applicability what legal and technical
elements must an adequate legal opinion
address? - Handling lawful electronic
surveillance orders what are basic
considerations that determine an order's
validity and accuracy, and what confidentiality-
level is required?
38
Question
What are your "cultural" norms and practices that
make internally-managed CALEA-compliance
difficult? That make CALEA-compliance via a
trusted third party vendor difficult?
39
Question

• Gateway facilities
• How many "gateway facilities" do you operate?
  
• Connected at what maximum bit-rate?
• What's the current peak bit-rate for traffic
  passing
• through those gateways
• Absent CALEA, when next will you "refresh" your
• gateway facilities?
• Given CALEA, how did your refresh plans change?

40
Question
Under what circumstances do the costs and
benefits of maintaining CALEA exempt status
exceed the benefits?