calea - Internet2



CALEA Panel
Internet2 Member Meeting
December 6, 2006
Panel Members
• Eric Boyd (moderator) - Internet2
• Matt Brill - Latham & Watkins
• Doug Carlson - New York University
• Shaun Abshere – WiscNet
• Steve Wallace - Internet2
2
CALEA
• Communications Assistance for Law
Enforcement Act (CALEA)
• The FCC recently extended CALEA to apply to
broadband Internet access and interconnected
Voice over IP
• Deals with the manner in which assistance must
be provided to Law Enforcement - not whether
assistance must be provided
3
Early Concerns
Concern within the higher education
community about its impact on campuses
on higher education networks
- Who is covered?
- What constitutes CALEA compliance?
- What are the risks (legal and technical)?
- What are the costs (financial and
philosophical)?
4
CALEA
• Cost to universities was initially thought to be enormous
• American Council on Education (ACE) led a coalition to
challenge the FCC over the application of CALEA to
higher ed.
• Latham & Watkins (especially Matt Brill) were engaged
to assist
5
Agenda
• Introductions - Eric Boyd
• Legal Issues - Matt Brill
• Campus perspective - Doug Carlson
• State and regional networks perspective - Shaun Abshere
• Internet2 perspective - Steve Wallace
• Q&A and prepared questions
6
CALEA and Higher Education
Networks
Presented to Internet2 Fall Member Meeting
Matthew A. Brill
Partner, Latham & Watkins, LLP
Latham & Watkins operates as a limited liability partnership worldwide with an affiliate in the United Kingdom and Italy, where
the practice is conducted through an affiliated multinational partnership ©Copyright 2005 Latham & Watkins. All Rights Reserved.
The FCC’s August 2005 Order
• In response to a petition filed by DOJ and the FBI, the
FCC adopted an order extending the scope of CALEA to
include all facilities-based providers of broadband Internet
access and interconnected VoIP services.
• The FCC relied on the Substantial Replacement Provision
to subject providers of facilities-based broadband and
interconnected VoIP services to the assistance-capability
requirements in CALEA.
• The FCC established a compliance deadline of May 2007.
8
Applicability of CALEA to Private Networks
• The FCC’s Order recognized that “private broadband networks or
intranets that enable members to communicate with one another
and/or to receive information from shared data libraries not available
to the general public . . . appear to be private networks for purposes
of CALEA,” and thus exempt.
• At the same time, however, the Order suggested that the exemption
could be lost if such private networks connect to the Internet, as
virtually all higher education networks do. The Order stated: “To the
extent that . . . private networks are interconnected with a public
network, either the PSTN or the Internet, providers of the facilities that
support the connection of the private network to the public network
are subject to CALEA under the SRP.”
• In subsequent meetings and press statements, the FCC declined to
elaborate on the meaning of this statement.
9
Court Appeal
• A coalition of parties representing higher education as well as
providers of broadband and VoIP services, privacy groups, and other
public interest organizations appealed the FCC Order.
• The appeal contended that the FCC’s Order violated CALEA’s
exemption of information services and private networks.
• In response to our opening brief, the Government briefs
acknowledged a key limitation on the application of CALEA to higher
education networks. In particular, the FCC clarified that its Order
applies to “private network operators that provide their own
connection to the Internet,” which are subject to CALEA with respect
to that connection, but does not apply to “those that contract with an
ISP for that connection.” The Department of Justice agreed that
CALEA applies at most to “Internet gateway” facilities, rather than to
the internal portions of private networks.
10
Court Decision
• On June 9, the court of appeals issued an opinion upholding the FCC
Order. (A petition for rehearing filed by certain petitioners was later
denied.)
• The court ruled that differences in the structures and purposes of
CALEA and the Communications Act made it reasonable for the FCC
to construe the term “information services” differently under the two
statutes.
• More favorably, the court made clear that CALEA “expressly excludes
‘private networks’ from its reach.” The court also found that the FCC
had not yet attempted to apply CALEA obligations to the internal
portions of private networks. But the court did not address the
circumstances under which Internet gateways are subject to CALEA.
11
What Does This Mean for Higher Education?
• There are still unanswered questions, but the Order, the
Government briefs, and the court decision taken together
suggest two factors that will determine whether colleges
and universities have any obligations under CALEA.
• These factors are: (1) whether the campus network
“supports” the connection to the Internet, and (2) whether
the campus network qualifies as a “private network.”
12
Does the Campus Network “Support” the Connection
to the Internet?
• While the language in the FCC Order is cryptic, the FCC’s court brief
sets forth a more workable test: Colleges and universities that
“provide their own connection to the Internet” are subject to CALEA
(at least with respect to those Internet connection facilities), while
institutions that rely on a third party for this connection are exempt.
• This still leaves some gray areas, but the FCC most likely would
conclude that an institution provides its own Internet connection when
it constructs, purchases, leases, or otherwise operates fiber optic or
other transmission facilities and associated switching equipment that
link the campus network to an ISP’s point of presence.
• In contrast, the FCC most likely would conclude that an institution is
exempt if it obtains access to the Internet by (1) contracting with an
ISP or regional network to pick up Internet traffic from a campus
border router, (2) purchasing a private line or other transmission
service from a telecommunications carrier on a contractual or tariffed
basis (as opposed to leasing dark fiber or other facilities), or (3)
relying on some combination of these approaches.
13
Is the Campus Network a “Private” Network?
• If a campus network is closed (i.e., does not connect to the Internet),
it is clearly exempt from CALEA under the private network exemption.
• Interconnected networks that support their own Internet connection
appear to enjoy a limited exemption if they otherwise qualify as
“private.” Specifically, only the gateway equipment itself is subject to
CALEA – the Internet portions of a private network remain exempt.
• The FCC did not expressly define “private network,” but the
touchstone appears to be limited availability to specific members or
constituents of an organization. Thus, a campus network that is
available only to students, faculty, and administrators should be
considered a private network, which means CALEA applies at most to
the Internet gateway equipment.
• In contrast, networks that provide general public access and support
a connection to the Internet may well be subject to CALEA obligations
throughout the network, rather than only at the gateway.
14
Compliance Obligations Under the
Second Report and Order
• For entities that appear to be covered by CALEA, the next
steps under the Second Report and Order are:
- Must submit report to FCC on “system security requirements” –
which concern employee supervision and recordkeeping – at a
date TBD (likely in March 2007).
- Also must submit compliance status form to FCC at a date TBD.
- Must be in full compliance by May 14, 2007. This will require: (1)
installing new CALEA-compliant gateway equipment,
(2) contracting with a “trusted third party” to provide the requisite
surveillance capabilities, or (3) developing a customized network
solution.
15
CALEA Panel
University Perspective
Internet2 Member Meeting
December 6, 2006
Ambiguity and CALEA
It is the mark of an instructed mind to rest
satisfied with the degree of precision which
the nature of the subject admits and not to
seek exactness when only an approximation
of the truth is possible.
- Aristotle
17
What’s the status?
• Uncertainty about which networks and
institutions are exempt from CALEA
• Uncertainty about exactly what “compliance”
means
• Uncertainty about systems and services
available to implement compliance
18
Existing Obligation – Title 18
USC Title 18 provides the framework which requires
colleges and universities to assist law enforcement with
communications intercepts:
“An order authorizing the interception of a wire, oral, or
electronic communication under this chapter shall, upon
request of the applicant, direct that a provider of wire or
electronic communication service, landlord, custodian or
other person shall furnish the applicant forthwith all
information, facilities, and technical assistance
necessary to accomplish the interception unobtrusively
and with a minimum of interference with the services that
such service provider, landlord, custodian, or person is
according the person whose communications are to be
intercepted.”
19
20
Exempt/Non-Exempt Tests
(as Matt mentioned)
• Does the organization “support” the
connection to the Internet?
- “Support” is undefined
- What is meant by Internet is unclear
• Is it a “private network”?
- “Private network” is not well-defined
21
What is compliance?
• Not yet completely defined
• FCC/DOJ looking to industry and Law
Enforcement to work together to develop
“safe harbor” standards
22
Recent News
Alliance for Telecommunications Industry Solutions (ATIS)
Working Document
for
Lawfully Authorized Electronic Surveillance (LAES)
for Internet Access and Services
Abstract
Personal communications has traditionally been carried via wireline circuits
pursuant to an arrangement with a LEC. Recent advances in technology have
increased the variety and prevalence of more flexible access arrangements.
Internet Access and Services can be obtained by establishing a subscription
based arrangement. This standard provides capabilities to lawfully intercept
communications of subscription-based Internet Access and Services
arrangements.
http://contributions.atis.org/UPLOAD/PTSC/LAES/PTSC-LAES-2006084R6.doc
23
Options for Compliance
• Institution complies using own equipment
- Intercept capabilities (routers, probes)
- Format and send to Law Enforcement Agencies
(mediation device)
• Trusted Third Parties (e.g., Apogee, NeuStar,
VeriSign, etc.) handle as a service
• EDUCAUSE CALEA Tech. group gathering
information on what is available and/or planned
by vendors
24
Recent News
• Oct. 19th
Office of Management and Budget seeking
comments by November 20th on information
collection associated with CALEA system
security requirements
• The FCC is expected to announce soon a new
filing date for institutions and organizations
which need to comply with CALEA – expected to
be in late February
25
Suggestions for actions
• As Matt mentioned, meet with your legal
department and come to agreement on
exempt/non-exempt status
- If not exempt, follow-up on compliance requirements
and options when available
  - Filing - date TBD
  - Complete technical and procedural compliance activities by
  May 2007
• Watch EDUCAUSE web site for best practices
for complying with existing Title 18 requirements
and consider implementing
26
Good information source
http://www.educause.edu/calea
27
State Research & Education Network
Perspective on CALEA
Shaun Abshere
WiscNet
Law Enforcement & StateNets
• Subpoenas are most common (by far)
lawful orders served on StateNets
• Wiretap and search warrants,
national security letters,
& FISA court orders are very, very rare
• Handling almost always leads to delegation
to member institution
29
“Private Network” Test
• K-20, library, government & health institutions
are primary customers/members of StateNets
• Institutions “authenticate” users
• Very few StateNets support access
by general public “subscribers”
• Most StateNets pass “private network” test
30
“Connection” Test
• Does a StateNet “support” the connection
to the Internet at its “gateway facilities?”
• Both within and among StateNets,
the answer to this ambiguous test will vary
by gateway location and commodity I1 provider
(multiple gateway facilities => ambiguity)
• If a StateNet “supports” even one connection,
must it CALEA-comply at all gateway facilities?
“Failing” connection test still leaves ambiguity
31
Diverse Opinion on Compliance
• Legal opinion on connection support
& private network varies among StateNets
• CENIC (California): Assert exemption
• UEN (Utah): Expect to comply at gateway facilities (GF)
• MOREnet (Missouri): Expect to comply at GF; TTP?
• ENA (IN & TN K-12): Expect GF-compliance; maybe site
• Merit (Michigan): Custom compliance at GF
• WiscNet (Wisconsin): Expect to comply at GF
32
StateNets as Trusted 3d Parties
• FCC Broadband CALEA Order permits
“trusted 3d party” intercept providers
• Much discussion in StateNet community
about this “business opportunity,”
either based on custom solution
or in partnership with for-profit vendors
33
CALEA Panel
Internet2 Perspective
Internet2 Member Meeting
December 6, 2006
Internet2 Perspective
• Goals
- Comply as required
- Support Membership
• Current thinking
- Internet2 not last mile provider, so not covered by
CALEA
- Forming ideas about how to best support
membership. Ideas?
35
CALEA Panel
Questions
Internet2 Member Meeting
December 6, 2006
Question
How can you get the most out of your campus legal team?
- Legal opinion on CALEA applicability: what legal and
technical elements must an adequate legal opinion
address?
- Handling lawful electronic surveillance orders:
what are basic considerations that determine an
order's validity and accuracy, and what confidentiality
level is required?
37
Question
What are your "cultural" norms and practices that make
internally-managed CALEA-compliance difficult? That
make CALEA-compliance via a trusted third party vendor
difficult?
38
Question
Gateway facilities:
- How many "gateway facilities" do you operate?
- Connected at what maximum bit-rate?
- What's the current peak bit-rate for traffic passing
through those gateways?
- Absent CALEA, when next will you "refresh" your
gateway facilities?
- Given CALEA, how did your refresh plans change?
39
Question
Under what circumstances do the costs and benefits of
maintaining CALEA exempt status exceed the benefits?
40