Higher ed fears wiretapping law

Institutions of higher education are up in arms over an FCC ruling on wiretapping they say could cost them billions of dollars in upgrades, expose their networks to more attacks, and jeopardize rights to privacy and freedom of speech.

Discuss: We’ve set up a CALEA forum.

A petition in the U.S. Court of Appeals for the District of Columbia could determine if higher-education networks – and perhaps private corporate networks – will be required to allow wiretapping by law enforcement agencies as soon as next year.

Oral arguments will be heard late this week in the petition of the American Council on Education (ACE) vs. the FCC, which was submitted in mid-March to the court. The petition is part of an ongoing appeal of the FCC’s Sept. 23, 2005, ruling that extends the 1994 Communications Assistance for Law Enforcement Act (CALEA) wiretapping order to broadband Internet providers and “interconnected” VoIP providers next year.

The higher-education community is concerned the FCC ruling does not distinguish between public and private networks, and could potentially extend the CALEA compliance requirement to university and enterprise networks.

“For university networks, the worst-case scenario . . . would mean potentially replacing every switch and router in our system,” says Wendy Wigen, policy analyst at Educause, a nonprofit association promoting the use of IT in higher education. “Just for the hardware cost, we’re looking at $400 to $500 per student, which is about a $7 billion price tag for all of the colleges in the United States.”

Last fall’s ruling does not state specifically that institutions of higher learning need comply with CALEA. It does not rule that out either. Because it extends the wiretapping order to facilities-based Internet access providers, CALEA by default includes colleges and universities, Wigen says. Broadband Internet access and VoIP providers have to be CALEA-compliant by May 14, 2007, the FCC says.

“Under the old CALEA . . . universities were exempt because they were considered a private network,” she says. “But when law enforcement wanted CALEA extended to Internet service providers, they did not distinguish between private and public – they said anyone who supplies a connection to the public Internet will have to be CALEA-compliant. Well, on university campuses that’s one of our main functions.”

A spokesman at the FCC said the commission has reached no conclusion on the issue of university compliance. Some college network officials, however, see the binary digits on the wall.

“It seems to me at some point it will have to apply to us because we look somewhat like an ISP to the university,” says Brian Jones, manager of network engineering at Virginia Polytechnic Institute and State University’s Tech’s Communications Network Services unit in Blacksburg. “I don’t know how it could not apply to us at some point.”

That prompts officials to want to dissect the law thoroughly to assess its full impact.

“The position that it would be an onerous financial burden . . . we are cost-conscious, academic freedom is a cornerstone of the higher [education] ethos, and we are profoundly network-dependent,” says Lesley Tolman, director of networks and telecom at Tufts University in Medford, Mass. “Those three qualities alone make us look at CALEA very critically. We take its implications very seriously.”

Cost is only one concern university officials have regarding CALEA compliance. Others are that opening networks to wiretapping provides another conduit by which hackers could infiltrate a network, and that institutions of higher education and research are particularly squeamish about anything perceived as a possible compromiser of privacy and freedom of speech and research.

“There may be some concern about hindering research,” Jones says. “There’s research funded by corporations or whomever that is very competitive and has to be guarded closely. There are patents involved, a lot of money and a lot of years spent on various projects.”

“With any broadening of federal power, sometimes those kinds of issues hang in the balance,” Tolman says. “There’s an additional level of skepticism that gets applied to an analysis of a situation when we’re talking about broadening or deepening federal powers of surveillance.”

Wigen says talks are ongoing between Educause and other higher-education associations and the Department of Justice, in an effort to reach a wiretapping compromise that would not be as financially burdensome – or an all-out exemption. Offers of compromise by Educause include changing out only the gateway router to the service provider, which Wigen says is turned over at regular maintenance intervals anyway. “If we did it in the natural replacement cycle, that would not be too terribly burdensome,” she says of that option.

Some of the worst-case scenarios being mulled by the Justice Department, she says, include making all equipment down to laptops CALEA-compliant. That would be the most expensive and burdensome option for schools.

The best-case scenario would be an all-out exemption, which is what the ACE vs. FCC petition seeks. It argues Congress 10 years ago exempted Internet “information services” from CALEA and the FCC has no right to reverse that.

Educause, one of the petitioners, expects a ruling from the court by the end of the summer. The Justice Department referred requests for comment to its formal responses posted on the FCC and AskCALEA Web sites.

“[Department of Justice] notes that it is willing to work with representatives of certain classes of service providers, such as schools, libraries and research networks, on solutions that would apply to narrowly tailored and well-defined categories of providers and would clearly identify sufficient alternative means of addressing the needs of law enforcement,” the Justice Department replied in a comment dated Dec. 21, 2005. The department continues, “arguments about exemptions being justified by the alleged costs of CALEA compliance should also be examined critically. Service providers’ arguments have glaringly lacked specifics.”

These same challenges could befall enterprise networks, or effectively any organization that provides facilities to connect its constituents to the Internet. According to the Enterprise Network Technology Users Association (ENTUA), however, CALEA is not first and foremost on the minds of enterprise network executives.

“I don’t think it was something on our radar screen,” says Jay Shell, acting chair of ENTUA’s government issues and policy committee. “Once I did look into it, my interest was piqued, particularly from what my business is, which is debt collection. So there could be some ramifications there that I need to pay attention to.”

Some analysts who consult for companies say CALEA and wiretapping are currently non-issues.

“Ninety-nine percent of the enterprises I work with don’t have any idea what CALEA actually requires in the broadest sense, let alone of them,” says Johna Till Johnson of Nemertes Research and a Network World columnist. “I haven’t heard a single enterprise come back and say, ‘Hey, what do we need to do about CALEA?'”

Johnson says enterprises are more concerned with a broader set of risks, such as exposure of confidential or sensitive data by external infiltrators. That’s not to say companies shouldn’t be aware also of the implications of electronic eavesdropping for lawful and unlawful purposes.

“Any time you can architect a system to be wiretapped by X, it can be wiretapped by Y,” Johnson says. “Anytime you build in a security breach by design, you open yourself up to an unintended security breach.”

This presents a Catch-22 for vendors as well. The $7 billion upgrade figure presented by Educause no doubt has them salivating. But providing another potential conduit for hackers in their products, or stunting privacy and freedom of research could lead to some embarrassing and disruptive episodes.

Sources say industry leader Cisco is passionately debating these issues internally. Repeated requests for interviews with Cisco public policy and legal officials were fruitless.

The only comment a Cisco spokesman would offer is that the company intends to comply with CALEA. Cisco already has published an informational IETF RFC, No. 3924, on an “architecture for lawful intercept in IP networks.”

Juniper Networks also declined a request for an interview about CALEA. Nortel did not reply by press time.