CALEA Discussion

EDUCAUSE MARC Conference

Wilson Dillaway, Tufts University

Doug Carlson, New York University

January 18th, 2007

2

CALEA

• Communications Assistance for Law Enforcement Act (passed in

1994)

• Deals with the manner in which assistance must be provided to Law Enforcement - not whether assistance must be provided (see USC Title 18)

• The FCC recently extended CALEA to apply to broadband Internet access and interconnected Voice over IP (2004, 2005 and 2006)

3

Good information source

http://www.educause.edu/calea

“…Document your decision process and include the names of those involved,

in case your decision is ever challenged.”

4

What’s the status?

• Uncertainty about which networks and institutions are exempt from CALEA

• Uncertainty about exactly what “compliance” means

• Uncertainty about systems and services available to implement compliance

5

Network Policy Council

• Formed in February 2006

• Memo to community issued August 2006

• “…has concluded that, with rare possible exceptions, universities, colleges, and libraries are exempt from CALEA. While this opinion does not comprise legal advice…”

http://www.educause.edu/ir/library/pdf/EPO0656.pdf

6

American Council on Education

• The Application of CALEA to Higher Education Networks, ACE, July 13, 2006

http://www.nacua.org/documents/ACECalea.pdf

• Thinking Through the CALEA Exempt/Non-Exempt Issue, August 2006

http://www.educause.edu/ir/library/pdf/CSD4607.pdf

(http://events.internet2.edu/speakers/speakers.php?go= people&id

=1933)

7

Exempt/Non-Exempt Tests

• Does the organization “support” the connection to the Internet? “Support” is undefined What is meant by Internet is unclear

• Is it a “private network”? “Private network” is not well-defined

8

What is compliance?

• Not yet completely defined

• FCC/DOJ looking to industry and Law Enforcement to work together to develop “safe harbor” standards

9

Options for Compliance

• Institution complies using own equipment Intercept capabilities (routers, probes) Format and send to Law Enforcement

Agencies (mediation device)

• Trusted Third Parties (e.g., Apogee, NeuStar, VeriSign, Subsentio, etc.) handle as a service

• EDUCAUSE CALEA Tech. group gathering information on what is available and/or planned by vendors

10

Compliance Datesif You Are Not Exempt…

• May 14th, 2007 – must be in full compliance

• March 12th, 2007 – System Security and Integrity

(SSI) Plan for your staff filed How can you be contacted 24 x 7 ? How will you respond ?

• February 12th, 2007 – Monitoring Report filed Will you be ready by May 14th? If not, why not? Which parts?

• But you may be exempt !!

11

Suggestions for actions

• Meet with your legal department and come to agreement on exempt/non-exempt status If not exempt, follow-up on compliance requirements

and options when available Observe the February and March filing dates Complete technical and procedural compliance by May 2007

• Watch the EDUCAUSE web site for best practices (also web sites for NACUA, ACUTA, ACE, etc.)

• Do not file unless you need to !!

12

Extra material below

13

How might a LI request work

Lawful Authorization

Law Enforcement

Telecommunication Service Provider

Service Provider Administration

(Turn on Lawful Intercept feature of switch)

Delivery Function

Collection Function

Access Function

Law Enforcement Administration

(Switch collects Lawful Intercept

data)

(Securely deliver information to LEA)

(Order generated)