CALEA Discussion

Internet2 Joint Techs, July 19, 2006

Doug Carlson
Executive Director, Communications & Computing Services
New York University
[email protected]


2

Caveats

I’m not a Communications Lawyer!

Opinions and interpretations – not undisputed facts

Each institution/organization needs to evaluate if it is, or is not, exempt from CALEA

3

The Basics

CALEA

Communications Assistance for Law Enforcement Act

Imposes specific obligations on “telecommunications carriers” to build certain "assistance capabilities" into their networks by May 14, 2007

Other reporting and actions required sooner

Title 18 and associated regulations provide obligations to assist Law Enforcement Agencies with Lawful Intercepts

4

The Basics – Title 18 USC

Title 18 provides the framework which requires colleges and universities to assist law enforcement with communications intercepts:

“An order authorizing the interception of a wire, oral, or electronic communication under this chapter shall, upon request of the applicant, direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted.”

5

The Basics (continued)

Via CALEA, the government would like in-place mechanisms to quickly initiate comprehensive intercepts of Internet communications (e.g., CALEA compliant equipment installed and operational)

An initial interpretation of CALEA suggested that most of the network equipment in all colleges and universities might need to be replaced – no longer the prevailing opinion

6

Recent Events

American Council on Education (ACE) takes the FCC to court

FCC clarifies in court brief that CALEA at most applies to gateway equipment and cannot apply to the internal portions of private networks

FCC issues the Second Report and Order

http://www.educause.edu/ir/library/pdf/EPO0634.pdf

Establishes actions and reporting requirements for “telecommunications carriers”

7

Recent Events (continued)

Court rejects most ACE arguments, but there appear to be some positive clarifications from this action by ACE

Court agreed that private networks cannot be required to comply with CALEA

ACE issues memo on the “Application of CALEA to Higher Education Networks” – particularly focusing on colleges and universities

http://www.educause.edu/ir/library/pdf/EPO0654.pdf

8

Court case results (Current thinking on broadband)

Still not clear!!!

Opinions

Many colleges and universities are likely, at most, to need to make the “gateway” between the campus and the Internet CALEA compliant

Two tests to determine if exempt

Private network

Institution doesn’t provide its own facilities to the Internet (Service Provider)

9

FCC First Report and Order – Footnote 100

“To the extent [that] private networks are interconnected with a public network, either the [public voice network] or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA under the [Substantial Replacement Provision].”

10

Private Network

Offer network access to a well-defined set of users (e.g., students, faculty and staff)

Incidental other usage might be OK?

Open (non-authenticated) wireless?

11

Providing access to the Internet

Does the institution provide access to the Internet?

What does “provide” mean?

One thought: Does the campus or the ISP own/provide connections between the campus network and the ISP’s Point of Presence (PoP)?

12

Other Issues

Further appeals?

Status of state/regional Research & Education networks? Same as universities? Not studied in detail by ACE.

Congress may consider new regulations

For example, draft legislation distributed recently by the FBI

13

What ACE has done recently

Coordinated overall Higher Ed. actions on CALEA (with EDUCAUSE providing assistance)

Analyzed the Court’s decision

Created a document on the impact of the Court’s decision

14

What EDUCAUSE will do

Continue dialog with Law Enforcement on guidelines for Title 18 compliance

CALEA Technical Group and EDUCAUSE Security Task Force collaborating on the development of guidelines for handling Lawful Intercepts for campuses

CALEA Technical Group will evaluate options for technical implementations of CALEA

Equipment

Trusted Third Parties (e.g., NeuStar, VeriSign)

Will continue to engage in analysis and discussion with the higher education community

15

What should institutions do?

Review the recent ACE memo

http://www.educause.edu/ir/library/pdf/EPO0654.pdf

Evaluate if the university appears to have a “private network” and is not responsible for providing the connection to the Internet

If you don’t have a private network, CALEA obligations could be daunting

If you do have responsibility for connection to your ISP, it could increase chances that gateway would need to be CALEA-compliant

16

What should institutions do?

If the institution determines that it is subject to CALEA

Begin to take the actions specified in the Second Report and Order (including preparing to file required paperwork – due >90 days out)

Evaluate technical options for CALEA compliance (but see next slide)

17

CALEA compliance challenges

As yet, no clear definition of what CALEA compliance means

FCC is looking for industry, working with the Law Enforcement Agencies (LEAs), to develop standards

Two ways to implement CALEA compliance

Institution installs equipment, creates procedures, etc., but verified equipment solution not yet available

Engage a Trusted Third Party to act as agent, but will need to define the service

18

How might a LI request work?

[Diagram: Lawful Authorization; Law Enforcement (Law Enforcement Administration, Collection Function); Telecommunication Service Provider (Service Provider Administration, Access Function, Delivery Function). Annotations: order generated; turn on Lawful Intercept feature of switch; switch collects Lawful Intercept data; securely deliver information to LEA.]

19

Some Vocabulary (ref. TIA J-STD-025-B)

Access Function(s) (provided by campus)

Provides unobtrusive intercept access points to intercept subject’s communications and passes to Delivery Function

Delivery Function (provided by campus)

Responsible for delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function

Collection Function (provided by LEA)

Responsible for collecting lawfully authorized communications

20

Related Issues

Network authentication of terminals on campus (e.g., 802.1X)

Data retention of logs and other records

21

Good information source

http://www.educause.edu/calea