CALEA Update April 7, 2006 (Revised June 20, 2006)
CALEA Background Information
- H.R. 4922 passed in 1994
- Clarified a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement
- Required telecommunications carriers to modify their equipment, facilities and services
- Original completion scheduled for October 1998
- Extended to be "generally complete" by June 30, 2000
- Cellular carriers and PCS carriers complete by September 2001
CALEA Background Information
- Telecommunications carriers allowed to increase prices to recover costs
- Petition the FCC, which acts as arbitrator
- Passed-on uniformly
- Costs reasonable and "consistent with public interest"
- Manufacturer and carrier specific
CALEA Background Information
- Carriers achieve compliance through normal upgrade cycles
- Difficult to argue "not reasonably achievable"
- Rates would not go up as a result of CALEA
- Rates may also not go down as quickly...
- All carriers had similar exposure
- CALEA compliance being built-in and costs absorbed
Providers of commercial voice services
CALEA: New Report and Order
- ... until August 5, 2005
- CALEA extended to include facilities-based internet service providers
- Defined as: "...entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider."
Arguments for Extending CALEA to ISPs
- Law enforcement concerns
- Internet as "communication of choice for criminal activity"
- Make legal intercepts easier
- Make legal intercepts less expensive
- Exempting a system creates "a magnet" for criminal activity
Arguments against extending CALEA to ISPs
- Higher Education and Library concerns
- Congress should decide about extending CALEA...
- ...Not the FCC or the DOJ
- Law enforcement has sufficient access now
- Cannot justify the cost of compliance
- Will slow innovation
CALEA Current Understanding
- Subject to change...
- CALEA does apply to ISPs and all facilities-based ISPs are covered.
- Compliance is required within 18 months (May 14, 2007)
- Standards of compliance are not known
- Not known whether there will be any exceptions for "special cases"
- Continued discussions with DOJ
- No common understanding regarding what is possible and what is required
- Oral arguments in lawsuit May 5, 2006
Compromise Proposed
- Single point-of-contact
- Standard procedures established
- 24x7 assistance available
- Personnel trained in procedural, legal and technical demands of assisting legal intercepts
- Some gateway equipment would be replaced, but only under the normal replacement cycle
Source: Doug Carlson (used with permission)
Doug's Big Four Questions
- What does my campus need to do to become CALEA compliant?
- What equipment should I buy?
- How much will it cost?
- Will we really need to do this within the 18 months?
The Big Four Answers
- What does my campus need to do to become CALEA compliant?
- What equipment should I buy?
- Don't know!
- If forced to comply, couldn't buy the equipment.
- How much will it cost?
- Will we really need to do this within the 18 months?
- Don't know! Form of putting pressure on the vendors.
- Not practical.
CALEA Court Decision
CALEA COURT DECISION MIXED FOR HIGHER EDUCATION
"Washington, D.C., June 9, 2006--The U.S. Court of Appeals for the District of Columbia Circuit has just issued a 2-1 decision denying the American Council on Education (ACE) appeal of the Federal Communications Commission's rules extending provisions of the Communications Assistance for Law Enforcement Act (CALEA) to include the Internet. While EDUCAUSE, ACE, and other higher education associations are still studying the decision of the three-judge panel, the court's opinion is mixed."
On the one hand...
"...the higher education community will be disappointed that the court upheld the FCC's contention that CALEA provisions apply broadly to the Internet. ACE and other members of a coalition that EDUCAUSE formed around this issue believed they had established a strong legal case that CALEA did not apply to providers of facilities-based Internet access or voice-over-IP."
On the other hand...
"...the court reaffirmed provisions within CALEA that specifically exempt private networks, such as those operated by many colleges and universities, from such regulation by the FCC. This is good news for higher education."
"However, the language of the decision is complex, and further study will be required before determining the next steps in the process."
In her spare time... (Courtesy of Doris Stock)
- Compliance deadline remains May 14, 2007 (despite the absence of compliance standards)
- Can use Trusted Third Parties (TTPs) to provide solutions. University still liable.
- Compliance "at the gateway" or throughout the network still an issue.
- Call Identifying Information required (CII). What is the standard? How is it defined?
- Regular reporting to the FCC required.
- Policies and Procedures addressing Systems Security and Integrity must be sent to FCC.
- A lot of ambiguity: at most gateway? As Private networks, exempt?
- ACE and EDUCAUSE position papers this week or next.
Issues from Net@EDU Meeting, Tempe
- Enterprise-level equipment generally doesn't support Lawful Intercept (LI)
- Seeing limited progress
- Vendors waiting for government to say what's needed
- Government expecting/waiting for vendors to take the lead in creating compliant equipment
- Software upgrades to provide LI functionality in existing equipment - especially low-end - appear unlikely
Issues from Net@EDU Meeting, Tempe
- No centralized authentication required on many/most campuses (e.g., for departmental servers)
- Integration of authentication systems with servers and network equipment to initiate an Intercept would be difficult
- Authentication currently not uniformly required for wired/wireless network access
Issues from Net@EDU Meeting, Tempe
- On many campuses, the central networking organization does not run all the networks
- Network equipment may vary at the departmental level
- Firewall rules may vary
- Who can do what (central vs. department)? Easiest to isolate traffic when done close to "target" (e.g., when done in nearest switch or access point)
Multi-user system problem
- Traffic from many people can be sent and received using a single IP address (e.g., email servers, NAT)
- Capture conversation between two computers on same switch or access point
Frequently Asked Questions (Gidari and Wigen)
- Who pays for what?
- Campus must pay for equipment, systems and people to perform Service Provider Administration, Access Function and Delivery Function
- Law Enforcement pays for leased lines (if necessary) to campus and Collection function
- What do I need to buy for my campus to be CALEA-compliant?
- Don't know - detailed specifications not yet available
- Current CALEA regulations seem to require significant equipment upgrades or replacements
- When will FCC clarify requirements so we can start upgrading network?
Frequently Asked Questions
- Might CALEA regulations related to the Internet be declared invalid?
- Yes, but universities will still need to support surveillance requests in the future
- Is the university responsible for decrypting or decompressing message content?
- No, not unless the university did the compressing/encrypting and has keys to decrypt
- Is more than just Voice over IP covered by CALEA?
- Yes - all communications will need to be forwarded, and (as of now) the VoIP packets will need to be decoded if the university provides the VoIP service, otherwise decoding responsibility is unclear
Frequently Asked Questions
- What might a LEA ask for?
- All communications associated with an IP address or jack
- All communications associated with a person
- Wired - specific location
- Wired - any authenticated access
- Wireless
- Is surveillance of intra-campus traffic necessary (e.g., between two computers hooked to the same card on the same ethernet switch)?
- Yes......if the switch has the potential of passing traffic forward to the public Internet
Frequently Asked Questions
- Do the LEAs want to be able to turn on and perform surveillance remotely?
- University personnel would be turning on, maintaining and turning off the wiretap, but the data would be sent to the designated LEA facility
- It seems like some of the CALEA requirements will be very difficult (or impossible) to implement with commonly deployed systems and technology. Sound right?
- Do campuses need to do anything beyond network upgrades to satisfy CALEA?
- Yes - universities will need to do training and background checks, have 7/24 point of contact for LEAs, create and document processes for interfacing with LEAs and file documentation attesting to CALEA compliance
Some Vocabulary
- Access Function(s) (provided by campus)
- Provides unobtrusive intercept access points to the intercept subject's communications and passes them to the Delivery Function
- Delivery Function (provided by campus)
- Responsible for delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function
- Collection function (provided by LEA)
- Responsible for collecting lawfully authorized communications
Campus Network Characteristics
- The networks are constantly evolving
- Support for a wide variety of uses - from high-speed research to traditional administrative (e.g., email) connections
- New services such as VPN, VoIP, video
- On many campuses, the central networking organization does not run all the networks
- Network equipment may vary at the departmental level
- Firewall rules may vary
- Network access authentication rules and databases may vary
Campus Network Characteristics
- Authentication for network access is not uniformly required
- Wired
- Wireless
- Service-based authentication to university services is common (e.g., email, financial data, student information, portals)
CALEA Update
- The EDUCAUSE website is located at: http://www.educause.edu/calea.
- The FCC CALEA brief for petitioners is on the web site.
- The EDUCAUSE letter to the Chronicle of Higher Education is also on the website under EDUCAUSE Actions and Resources, as is the February 10, 2006 Chronicle article.
- Next Steps