TLU’s
Position on the Communications Assistance for Law Enforcement Act (CALEA)
Purpose
The purpose of this position
statement is to detail our understanding of the Communications Assistance for
Law Enforcement Act (CALEA) and how it applies to TLU. The University believes
that it is exempt from CALEA and therefore is not subject to its filing or
other requirements. Below is an overview of the law, recent rulings and
interpretations along with the criteria used in making our decision.
(Much of what follows has been excerpted from Educause documents).
Background
On August 5, 2005 the Federal Communications
Commission (FCC) voted to extend the Communications Assistance for Law
Enforcement Act (CALEA), originally passed by Congress in 1994, to broadband Internet
and interconnected Voice-over-Internet Protocol (VoIP) providers. This includes
college and university campus networks, as well as state and regional
educational networks. The order required that providers come into compliance by
late spring of 2007. This compliance could potentially require the University
to provide equipment to detect and pass all traffic associated with an
individual user to the FBI at some remote location. This would involve
substantial costs which the FCC has stated would be borne by the institutions
with no available cost sharing.
On December 14, 2006, the FCC released a Public
Notice establishing filing deadlines for CALEA-mandated System Security and
Integrity (SSI) and Monitoring Reports. According to the Public Notice,
"facilities-based broadband Internet access and interconnected VoIP
service providers subject to CALEA must file" which means that exempt
institutions are not required to submit these reports. For those institutions that are subject to CALEA, the Monitoring report is due February
12, and the SSI report is due March 12. Since the University does provide
internet access to our internal network and its nodes it is necessary to
evaluate applicability and compliance requirements of this law.
In April 2004 and again in November
2004, EDUCAUSE formed a coalition of fifteen education and library associations
including the American Council on Education (ACE) and the American Library
Association (ALA). This coalition filed suit asking that educational
institutions should not be included in the law. The U.S. Court of Appeals for
the D.C. circuit upheld the FCC order on appeal. However, according to ACE
documents "... the Government's court briefs and the court's opinion
provided further guidance. Generally speaking, a higher education or research
instruction should be fully exempt from CALEA if it satisfies two criterions;
(1) its network qualifies as a "private network" and (2) it does not
"support" the connection of the private network to the
internet."
Criteria
Educause, ACE and the ALA have compiled a
series of questions to help institutions determine if they qualify for the
exemption based on these two criterions. Below are the questions and TLU's responses.
It is sufficient to answer any one of the questions within each criterion
affirmatively.
Criterion 1 - Private network
- It is a "private network" if the
network is NOT connected to the internet - No, TLU is connected to the
internet.
- It is a "private network" if the
network is limited to serving only faculty, staff and students – Yes,
TLU does not allow un-authenticated public users onto its network.
- It MAY be a "private network" if there
is incidental public usage - TLU will only provide authenticated
access to the network; this includes attendees (temporary guests) to special
events of the University.
Criterion 2 - Does not support the
connection to the internet
- The institution does “not support the internet
connection" if an ISP provides the physical connection and the
router/multiplexer for the campus - No. TLU’s Internet Service Provider
(AT&T) does not provide the physical connections or routers.
- The institution probably does “not support the
internet connection" if it leases a line (e.g. a tarriffed Verizon
circuit) - Yes, AT&T provides the leased tarriffed circuits to TLU.
- The institution may "not support the
internet connection" if the campus leases fiber to the ISP – No,
TLU does not own fiber that it then leases out to its Internet Service
Provider.
- The institution likely does "support the
internet connection" if the campus provides its own fiber -
No, TLU does not own its fiber connection to the internet.
- The institution likely does "support the
internet connection" if the "demarc" between the
campus-provided facilities and the ISP's facilities is off-campus. -
No, TLU's 'demarc" is on-campus in the Alumni
Student Center
& the Beck
Center.
Summary
As long as the Educause/ACE/ALA
interpretation is valid, TLU qualifies as exempt to CALEA because
1) its
network is not open to the general public and is intended to serve only
faculty, staff, students and authorized guests and 2) because it leases
tarriffed lines from AT&T.
Reviewed and endorsed by the
Information Technology Committee – 11/30/2007
Approved by the President’s Cabinet
– 2/5/2008
Resources
1. Communications Assistance for Law
Enforcement Act of 1994, HR 4922, 103d Cong., 2d: http://www.askcalea.net/calea.html
2. Comments submitted by the “Higher
Education Coalition” to the FCC on CALEA on November 14, 2005: http://www.educause.edu/ir/library/pdf/EPO0536.pdf
3. The Petition for Review: http://www.educause.edu/ir/library/pdf/CSD4263.pdf
4. The American Library Association
Web site: http://www.ala.org/ala/washoff/WOissues/techinttele/calea/calea.htm
5. CALEA capability requirements: http://www.educause.edu/ir/library/pdf/CSD4234.pdf
6. Educause CALEA Resource Page: http://www.educause.edu/Browse/645?PARENT_ID=698
7. ACE Application of CALEA to
Higher Education Networks: http://www.acenet.edu/AM/Template.cfm?Section=HENA&Template=/CM/ContentDisplay.cfm&ContentID=17276
8. Thinking through the CALEA
Exempt/Non-Exempt issue: http://www.educause.edu/ir/library/pdf/CSD4607.pdf
9. CALEA at TCU – James Mayne –
Director of Network Security, Texas
Christian University