CALEA

Communications Assistance for Law Enforcement Act

October 20, 2005

A brief history of wiretapping

1960’s : Wiretapping was easy; one phone company; basic technology

1980’s: Deregulation means multiple carriers; cell phones; analog to digital transition begins

1994: CALEA passed with several compromises; specifically no Internet; no private networks

2004: VoIP: Wiretapping isn’t getting any easier…

How many wiretaps are there?

Real Time Historical

ContentTitle III

“Wiretap Order”

Warrant/Subpoena

Other information: subscriber; transactional data

Warrant/Subpoena

Subpoena/Court Order

Federal, State, Local and FISA Wiretap Orders for 2004

1,712 regular court

1,754 under FISA

http://www.uscourts.gov/wiretap04/Table4-04.pdf http://www.epic.org/privacy/wiretap/stats/fisa_stats.html

What is CALEA?

CALEA is the Communications Assistance for Law Enforcement Act. It requires providers of commercial voice services to engineer their networks in such a way as to assist law enforcement agencies in executing wiretap orders.

Until August 5, 2005 that is…..

CALEA: New Report and Order

On August 5, 2005, in response to a request by law enforcement, the FCC voted to extend CALEA to include facilities-based Internet service providers.

Facilities-based Internet service providers are defined as: "entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider."

Private Networks are still exempt, but….

Private Networks are now defined as networks that do not allow access to the “public” Internet or the public switched telephone network (PSTN).

If your network provides access to the “public” Internet you are no longer exempt as a private network.

Arguments for/against extending CALEA to ISPs

Law EnforcementThe Internet is increasingly the communication of choice for criminal activityLegal intercepts need to be easier and less expensive for LEAn “exempt” system is a magnet for criminal activity

Education and LibrariesCongress should decide not the FCC or DoJLE has sufficient access nowCost to comply can’t be justifiedWill slow innovation

Legal Justification: Substantial Replacement Provision

The term “Telecommunications Carrier” includes a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest …..

(Section 102. 8B(ii) CALEA)

Substantial Replacements

1. Broadband Internet access substantially replaces Dial-up (a portion of the local exchange service)

2. Interconnected VoIP substantially replaces POTS

3. Therefore, Broadband and Interconnected VoIP providers are “Telecommunications Providers”.

Two Part Decision

Part #1: Decided: CALEA does apply to ISPs and all facilities-based Internet service providers are covered. Full compliance is required in 18 months..

Part #2: Still to be decided: What will be required (standards of compliance) and will there be an “special cases” allowed (i.e. small rural providers or education and research networks).

What is EDUCAUSE doing?

April 2004 in response to the original petition by LE, EDUCAUSE formed a coalition of 16 education and library associations and filed comments. EDUCAUSE has been actively engaged in talks with Congress, the FCC, and the DoJ ever since.We continue to hold out hope for a “special case” compromise that will mitigate the expense of changing our equipment.

Current Proposal: Some examples

Single point-of-contact on every campusStandard procedures established24x7 assistance available Personnel trained in procedural, legal and technical demands of assisting legal intercepts.Some gateway equipment would be replaced, but only under the normal replacement cycle

Prediction

Law enforcement will want more concessions

Our community will have to seriously consider the options

CALEA:A Campus Perspective

What do we know for sure?Not much!But sooner or later, some regulations requiring additional activity by universities in lawful surveillance seems likely

Cost to become CALEA compliant could be HUGE!!!

How might a request work

Lawful Authorization

Law Enforcement

Telecommunication Service ProviderService Provider Administration

(Turn on Lawful Intercept feature of switch)

Delivery Function

Collection Function

Access Function

Law Enforcement Administration

(Switch collects Lawful Intercept

data)

(Securely deliver information to LEA)

(Order generated)

Some Vocabulary (ref. TIA J-STD-025-B)

Access Function(s) (provided by campus)Provides unobtrusive intercept access points to intercept subject’s communications and passes to Delivery Function

Delivery Function (provided by campus)Responsible to delivering intercepted communications to the Law Enforcement Agency (LEA) Collection Function

Collection function (provided by LEA)Responsible for collecting lawfully authorizedcommunications

CALEA FAQThanks to Al Gidari and Wendy Wigen for

assistance!

Disclaimer: Current understanding – subject to change quickly

Who pays for what?

Campus must pay for equipment, systems and people to perform Service Provider Administration, Access Function and Delivery FunctionLaw Enforcement pays for leased lines (if necessary) to campus and Collection function

CALEA FAQ

What do I need to buy for my campus to be CALEA-compliant?

Don’t know - detailed specifications not yet availableCurrent CALEA regulations seem to require significant equipment upgrades or replacements

When will FCC clarify requirements so we can start upgrading network?

Not known

CALEA FAQ

Might CALEA regulations related to the Internet be declared invalid?

Yes, but universities will still need to support surveillance requests in the future

Is the university responsible for decrypting or decompressing message content?

No, not unless the university did the compressing/encrypting and has keys to decrypt

CALEA FAQ

Is more than just Voice over IP covered by CALEA?

Yes – all communications will need to be forwarded, and (as of now) the VoIP packets will need to be decoded if the university provides the VoIP service, otherwise decoding responsibility is unclear

CALEA FAQ

What might a LEA ask for?

All communications associated with an IP address or jack

All communications associated with a person!!!•Wired – specific location•Wired – any authenticated access!!!

•Wireless!!!

CALEA FAQ

Is surveillance of intra-campus traffic necessary (e.g., between two computers hooked to the same card on the same ethernet switch)?

Yes……if the switch has the potential of passing traffic forward to the public Internet

CALEA FAQDo the LEAs want to be able to turn on and perform surveillance remotely?

University personnel would be turning on, maintaining and turning off the wiretap, but the data would be sent to the designated LEA facility

It seems like some of the CALEA requirements will be very difficult (or impossible) to implement with commonly deployed systems and technology. Sound right?

Yes

CALEA FAQ

Do campuses need to do anything beyond network upgrades to satisfy CALEA?

Yes - universities will need do training and background checks, have 7/24 point of contact for LEAs, create and document processes for interfacing with LEAs and file documentation attesting to CALEA compliance

Any other impacts?Is E911 now extended to university VoIP systems?

CALEA:A Campus Perspective

Higher Ed. has, and will continue to, support

lawful surveillance, but effective, less costly

alternatives should be explored

CALEA FAQ

Where can I find out more?Educause

• http://www.educause.edu

AskCALEA• http://www.askcalea.net/

FCC• http://www.fcc.gov/calea/

Selected vendor information • “Cisco Service Independent Intercept

Architecture” (sign on required to access on Cisco web site)

• RFC 3924– http://www.apps.ietf.org/rfc/rfc3924.html

Discussion

Questions or

Discussion?

Call Content Channels and Call Data Channels

Delivery

Collection

CDCsCCCs

Some More Vocabulary (ref. TIA J-STD-025-B)

Call Content Channel:Logical link to LEA Delivery Function carrying call content

Call Detail ChannelLogical link to LEA Delivery Function carrying call-identifying information