1 / 21

CALEA Discussion

This discussion explores the obligations and exemptions of the Communications Assistance for Law Enforcement Act (CALEA) for higher education networks. It provides an overview of the recent court case and clarifications from the FCC, along with recommendations for institutions.

amargaret
Télécharger la présentation

CALEA Discussion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CALEA Discussion Internet2 Joint Techs July 19, 2006 Doug Carlson Executive Director, Communications & Computing Services New York University doug.carlson@nyu.edu

  2. Caveats • I’m not a Communications Lawyer! • Opinions and interpretations – not undisputed facts • Each institution/organization needs to evaluate if it is, or is not, exempt from CALEA

  3. The Basics • CALEA • Communications Assistance for Law Enforcement Act • Imposes specific obligations on “telecommunications carriers” to build certain "assistance capabilities" into their networks by May 14, 2007 • Other reporting and actions required sooner • Title 18 and associated regulations provide obligations to assist Law Enforcement Agencies with Lawful Intercepts

  4. The Basics – Title 18 USC Title 18 provides the framework which requires colleges and universities to assist law enforcement with communications intercepts: “An order authorizing the interception of a wire, oral, or electronic communication under this chapter shall, upon request of the applicant, direct that a provider of wire or electronic communication service, landlord, custodian or other person shall furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference with the services that such service provider, landlord, custodian, or person is according the person whose communications are to be intercepted.”

  5. The Basics (continued) • Via CALEA, the government would like in-place mechanisms to quickly initiate comprehensive intercepts of Internet communications (e.g., CALEA compliant equipment installed and operational) • An initial interpretation of CALEA suggested that most of the network equipment in all colleges and universities might need to be replaced – no longer the prevailing opinion

  6. Recent Events • American Council on Education (ACE) takes the FCC to court • FCC clarifies in court brief that CALEA at most appliesto gateway equipment and cannot apply to the internal portions of private networks • FCC issues the Second Report and Order • http://www.educause.edu/ir/library/pdf/EPO0634.pdf • Establishes actions and reporting requirements for “telecommunications carriers”

  7. Recent Events (continued) • Court rejects most ACE arguments, but there appear to be some positive clarifications from this action by ACE • Court agreed that private networks cannot be required to comply with CALEA • ACE issues memo on the “Application of CALEA to Higher Education Networks” – particularly focusing on colleges and universities • http://www.educause.edu/ir/library/pdf/EPO0654.pdf

  8. Court case results( Current thinking on broadband ) • Still not clear!!! Opinions • Many colleges and universities are likely, at most, to need to make the “gateway” between the campus and the Internet CALEA compliant • Two tests to determine if exempt • Private network • Institution doesn’t provide its own facilities to the Internet (Service Provider)

  9. FCC First Report and Order- Footnote 100 “To the extent [that] private networks are interconnected with a public network, either the [public voice network] or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA under the [Substantial Replacement Provision].”

  10. Private Network • Offer network access to a well-defined set of users (e.g., students, faculty and staff) • Incidental other usage might be OK? • Open (non-authenticated) wireless?

  11. Providing access to the Internet • Does the institution provide access to the Internet • What does “provide” mean? • One thought: Does the campus or the ISP own/provide connections between the campus network and the ISP’s Point of Presence (PoP)?

  12. Other Issues • Further appeals? • Status of state/regional Research & Education networks? Same as universities? Not studied in detail by ACE. • Congress may consider new regulations • For example, draft legislation distributed recently by the FBI

  13. What ACE has done recently • Coordinated overall Higher Ed. actions on CALEA (with EDUCAUSE providing assistance) • Analyzed the Court’s decision • Created a document on the impact of the Court’s decision

  14. What EDUCAUSE will do • Continue dialog with Law Enforcement on guidelines for Title 18 compliance • CALEA Technical Group and EDUCAUSE Security Task Force collaborating on the development of guidelines for handling Lawful Intercepts for campuses • CALEA Technical Group will evaluate options for technical implementations of CALEA • Equipment • Trusted Third Parties (e.g., NeuStar, VeriSign) • Will continue to engage in analysis and discussion with the higher education community

  15. What should institutions do? • Review the recent ACE memo • http://www.educause.edu/ir/library/pdf/EPO0654.pdf • Evaluate if the university appears to have a “private network” and is not responsible for providing the connection to the Internet • If don’t have a private network, CALEA obligations could be daunting • If do have responsibility for connection to your ISP, it could increase chances that gateway would need to be CALEA-compliant

  16. What should institutions do? • If the institution determines that it is subject to CALEA • Begin to take the actions specified in the Second Report and Order (including preparing to file required paperwork – due >90 days out) • Evaluate technical options for CALEA compliance (but see next slide)

  17. CALEA compliance challenges • As yet, no clear definition of what CALEA compliance means • FCC is looking for industry, working with the Law Enforcement Agencies (LEAs), to develop standards • Two ways to implement CALEA compliance • Institution installs equipment, creates procedures, etc., but verified equipment solution not yet available • Engage a Trusted Third Party to act as agent, but will need to define the service

  18. How might a LI request work Access Function Telecommunication Service Provider (Switch collects Lawful Intercept data) Service Provider Administration (Turn on Lawful Intercept feature of switch) Delivery Function Lawful Authorization (Securely deliver information to LEA) (Order generated) Law Enforcement Administration Collection Function Law Enforcement

  19. Some Vocabulary (ref. TIA J-STD-025-B) • Access Function(s) (provided by campus) • Provides unobtrusive intercept access points to intercept subject’s communications and passes to Delivery Function • Delivery Function (provided by campus) • Responsible to delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function • Collection function (provided by LEA) • Responsible for collecting lawfully authorizedcommunications

  20. Related Issues • Network authentication of terminals on campus (e.g., 802.1x) • Data retention of logs and other records

  21. Good information source http://www.educause.edu/calea

More Related