Educause Security Discussion mailing list archives
FCC Releases CALEA Order
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Fri, 30 Sep 2005 07:49:27 -0600
Please excuse the cross-posts. However, I thought that many of you would be interested in the information below because of the relationship to security and law enforcement investigations.

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE

_____

September 29, 2005

EDUCAUSE Members and Partners,

On September 23, the Federal Communications Commission released an Order and Further Notice of Public Rule Making applying for the first time the Communications Assistance for Law Enforcement Act (CALEA) to facilities-based broadband Internet access providers, including higher education institutions, K-12 schools, libraries, and interconnected Voice over Internet Protocol (VoIP) service providers. The Order requires these entities to facilitate lawful requests for surveillance of specific communications on their data networks through a combination of new equipment, trained personnel, policies, and procedures, to be in place within 18 months of the filing of the ruling in the Federal Register. This would impose substantial new costs on the institutions involved. (The old CALEA rules applied to telephone companies and focused on modifications in telephone equipment to assist with lawful surveillance of telephone calls.)

Note that institutions of higher education have always provided prompt assistance in response to lawful requests for surveillance of both voice and data communications in the past, and they will continue to do so in the future. A significant issue here is one of cost effectiveness. It is not cost effective, nor in the public interest, to overhaul the networks of all institutions just in case a lawful surveillance may be required in the future at one of them. And, there are effective alternative solutions to the problem that do not impose such a substantial burden of cost to the community.

While requiring compliance of all institutions in 18 months, this FCC order also seeks to identify procedures through which exemptions from some of the CALEA requirements might be granted to certain types of organizations in the future. The FCC also proposes to issue another order in the future to discuss the exact nature of the CALEA capabilities for Internet access, appropriate compliance extensions, the absence of cost recovery, and how enforcement will be addressed.

EDUCAUSE Response (To Date)

In response to the initial Notice of Public Rule Making on this issue last year, EDUCAUSE organized a coalition representing higher education, K-12 schools, and public libraries, and hired Al Gidari, a noted legal expert on CALEA. The coalition filed comments arguing that CALEA does not cover Internet access, but if the FCC extended it to do so, asking for an exemption from CALEA because it is not in the public interest to require that every college, school, and library redesign their networks just in case a lawful request for surveillance may arise in the future. (There have been very few such requests in the past.) We argued that requiring full compliance with the proposed new rules would impose an unreasonable financial burden, increasing the costs of education and impacting innovation, with no guarantee of better security for our nation. (See our formal comments at http://www.educause.edu/ir/library/pdf/EPO0420.pdf)

The FCC listened to our arguments and asked our coalition to try to reach an agreement with the Department of Justice. We currently have a proposal before the DOJ that better meets the requirements of law enforcement, but at a lower cost and administrative burden to our community.

CALEA Timeline and Next Steps

The new FCC CALEA ruling will go into effect when published in the Federal Register, which is expected within the next two weeks. After that, our institutions will have 18 months to comply with the Order, unless it is stayed by lawsuits or if we reach an agreement with DoJ for an exemption by the FCC. We are continuing our dialogue with the DOJ, which is giving our CALEA-alternative proposal serious consideration.

Along with its CALEA Order, the FCC issued a Further Notice of Proposed Rulemaking that seeks public comment on procedures to determine whether certain classes of broadband providers, including providers of broadband networks for educational and research institutions, should be exempt from some or all of CALEA's requirements. The ruling language explicitly states that the FCC has reached no conclusions in their CALEA Order on whether an exemption might be warranted, and that more information is necessary before making a final decision.

In response to this latest ruling, EDUCAUSE plans to submit further comments to the FCC regarding our proposed approach to any exemption. Public comments are due within 30 days of publication of the FNPRM in the Federal Register. (Note again, though, that the new NPRM and our discussions with DOJ do NOT exempt our institutions from the requirement of compliance in 18 months at this time.)

EDUCAUSE will continue to keep you abreast of any new information and our progress with the Department of Justice. We welcome your comments and questions.

Best regards,
Mark Luker, Vice President
EDUCAUSE

Resources

For more information on CALEA and EDUCAUSE's actions to date:

EDUCAUSE Policy Program Website (scroll down to CALEA): http://www.educause.edu/policy
EDUCAUSE Comments on CALEA (under Telecommunications): http://www.educause.edu/AdvocacyLibrary/1297
FCC's CALEA Order and Related NPRM (released 9/23/05): http://www.fcc.gov/