[Infowarrior] - CALEA: It doesn't apply to universities and libraries after all

Fri May 18 11:57:00 UTC 2007

CALEA: It doesn't apply to universities and libraries after all
http://arstechnica.com/news.ars/post/20070517-calea-it-doesnt-apply-to-unive
rsities-and-libraries-after-all.html
By Nate Anderson | Published: May 17, 2007 - 11:32PM CT

Back in 2005-2006, when CALEA was being expanded to cover broadband
providers and VoIP companies, libraries and universities raised a massive
ruckus over the plan. Their worry was that CALEA would require any network
that connected to the public Internet to comply with FBI wiretapping
guidelines; universities across the country would be faced with a
multibillion dollar bill for upgrading their networks. Now that the new
CALEA rules are in effect (the deadline for compliance was Monday), how are
universities and libraries handling the issue?

In large part, they aren't. That's because the FCC and the Department of
Justice clarified some of the CALEA provisions last year after several
educational library groups took them to court. Even after the various
rulings were handed down, "much information related to the CALEA order
remains confusing and incomplete," according to EDUCAUSE, one of the groups
involved in the cases. Despite the vagueness of several key provisions and
terms, this much became clear after the court decisions: "with rare possible
exceptions, universities, colleges, and libraries are exempt from CALEA."

Networks are exempt from the electronic surveillance rules if they meet two
tests: they must be private, and the institution that runs them must not
"support" the Internet connection. A "private" network is not actually
defined, but legal analysis by educational groups has concluded that
universities are private networks so long as they do not offer Internet
access to other groups in turn, like municipal organizations or local
communities. But this raises a question: how "private" does a private
network have to be?

Most of the network traffic on college and university networks is generated
by faculty, staff, and students of those institutions, but most schools also
provide some public access in libraries and other common spaces. Does this
mean that the schools lose their CALEA exemption? Most legal opinions we
have seen suggest that it does not, but because there is no hard and fast
guidance, some suggest erring on the side of caution. American University
stopped offering public Internet access in its library earlier this week for
exactly this reason.

Assuming that a school's network is private, the next question concerns the
Internet connection. If the line and routing hardware is maintained by a
telecommunications company, then the school remains exempt from CALEA. If
the school runs its own fiber links to another network or even manages its
own gateway router, it may incur obligations under CALEA.

If that happens, schools won't need to replace every router on campus, as
was once feared. The gateway router may need to be replaced in order to make
it easy to siphon off traffic from one IP address or user and funnel it to
the feds, but this work can also be handled by a Trusted Third Party (for a
fee, of course). In neither case will the entire network architecture need
to be reworked.

In 2005, when the new rules were being proposed, the FCC noted that CALEA
would not be extended to libraries "that acquire broadband Internet access
service from a facilities-based provider to enable their patrons for
customers to access the Internet." The American Library Association worries
that this isn't good enough, though, writing in January 2007 that "it is
possible the private network connections that serve libraries still could be
subject to CALEA obligations" though their connections to regional library
networks or universities. Currently, though, it does not appear that most
libraries believe they must comply.

Regardless of how CALEA is applied, libraries and universities both have an
obligation to comply with government wiretap requests; CALEA simply will
make those requests much easier for the feds to make (and it does not
currently expand reporting requirements to include e-mail or web browsing
information). 