<<< Date Index >>>     <<< Thread Index >>>

[IP] CALEA and Colleges





Begin forwarded message:

From: Bruce Schneier <schneier@xxxxxxxxxxxxxxx>
Date: October 22, 2005 2:40:49 PM EDT
To: EPIC_IDOF@xxxxxxxxxxxxxxxx
Subject: [EPIC_IDOF] CALEA and Colleges


New York Times
October 23, 2005

Colleges Protest Call to Upgrade Online Systems
http://www.nytimes.com/2005/10/23/technology/23college.html? hp&ex=1130040000&en=82e2a961640ae05b&ei=5094

By SAM DILLON
and STEPHEN LABATON

The federal government, vastly extending the reach of an 11-year-old law, is requiring hundreds of universities, online communications companies and cities to overhaul their Internet computer networks to make it easier for law enforcement authorities to monitor e-mail and other online communications.

The action, which the government says is intended to help catch terrorists and other criminals, has unleashed protests and the threat of lawsuits from universities, which argue that it will cost them at least $7 billion while doing little to apprehend lawbreakers. Because the government would have to win court orders before undertaking surveillance, the universities are not raising civil liberties issues.

The order, issued by the Federal Communications Commission in August and first published in the Federal Register last week, extends the provisions of a 1994 wiretap law not only to universities, but also to libraries, airports providing wireless service and commercial Internet access providers.

It also applies to municipalities that provide Internet access to residents, be they rural towns or cities like Philadelphia and San Francisco, which have plans to build their own Net access networks.

So far, however, universities have been most vocal in their opposition.

The 1994 law, the Communications Assistance for Law Enforcement Act, requires telephone carriers to engineer their switching systems at their own cost so that federal agents can obtain easy surveillance access.

Recognizing the growth of Internet-based telephone and other communications, the order requires that organizations like universities providing Internet access also comply with the law by spring 2007.

The Justice Department requested the order last year, saying that new technologies like telephone service over the Internet were endangering law enforcement's ability to conduct wiretaps "in their fight against criminals, terrorists and spies."

Justice Department officials, who declined to comment for this article, said in their written comments filed with the Federal Communications Commission that the new requirements were necessary to keep the 1994 law "viable in the face of the monumental shift of the telecommunications industry" and to enable law enforcement to "accomplish its mission in the face of rapidly advancing technology."

The F.C.C. says it is considering whether to exempt educational institutions from some of the law's provisions, but it has not granted an extension for compliance.

Lawyers for the American Council on Education, the nation's largest association of universities and colleges, are preparing to appeal the order before the United States Court of Appeals for the District of Columbia Circuit, Terry W. Hartle, a senior vice president of the council, said Friday.

The Center for Democracy and Technology, a nonprofit civil liberties group, has enlisted plaintiffs for a separate legal challenge, focusing on objections to government control over how organizations, including hundreds of private technology companies, design Internet systems, James X. Dempsey, the center's executive director, said Friday.

The universities do not question the government's right to use wiretaps to monitor terrorism or criminal suspects on college campuses, Mr. Hartle said, only the order's rapid timetable for compliance and extraordinary cost.

Technology experts retained by the schools estimated that it could cost universities at least $7 billion just to buy the Internet switches and routers necessary for compliance. That figure does not include installation or the costs of hiring and training staff to oversee the sophisticated circuitry around the clock, as the law requires, the experts said.

"This is the mother of all unfunded mandates," Mr. Hartle said.

Even the lowest estimates of compliance costs would, on average, increase annual tuition at most American universities by some $450, at a time when rising education costs are already a sore point with parents and members of Congress, Mr. Hartle said.

At New York University, for instance, the order would require the installation of thousands of new devices in more than 100 buildings around Manhattan, be they small switches in a wiring closet or large aggregation routers that pull data together from many sites and send it over the Internet, said Doug Carlson, the university's executive director of communications and computing services.

"Back of the envelope, this would cost us many millions of dollars," Mr. Carlson said.

F.C.C. officials declined to comment publicly, citing their continuing review of possible exemptions to the order.

Some government officials said they did not view compliance as overly costly for colleges because the order did not require surveillance of networks that permit students and faculty to communicate only among themselves, like intranet services. They also said the schools would be required to make their networks accessible to law enforcement only at the point where those networks connect to the outside world.

Educause, a nonprofit association of universities and other groups that has hired lawyers to prepare its own legal challenge, informed its members of the order in a Sept. 29 letter signed by Mark A. Luker, an Educause vice president.

Mr. Luker advised universities to begin planning how to comply with the order, which university officials described as an extraordinary technological challenge.

Unlike telephone service, which sends a steady electronic voice stream over a wire, the transmission of e-mail and other information on the Internet sends out data packets that are disassembled on one end of a conversation and reassembled on the other.

Universities provide hundreds of potential Internet access sites, including lounges and other areas that offer wireless service and Internet jacks in libraries, dorms, classrooms and laboratories, often dispersed through scores of buildings.

If law enforcement officials obtain a court order to monitor the Internet communications of someone at a university, the current approach is to work quietly with campus officials to single out specific sites and install the equipment needed to carry out the surveillance. This low-tech approach has worked well in the past, officials at several campuses said.

But the federal law would apply a high-tech approach, enabling law enforcement to monitor communications at campuses from remote locations at the turn of a switch.

It would require universities to re-engineer their networks so that every Net access point would send all communications not directly onto the Internet, but first to a network operations center where the data packets could be stitched together into a single package for delivery to law enforcement, university officials said.

Albert Gidari Jr., a Seattle lawyer at the firm Perkins Coie who is representing Educause, said he and other representatives of universities had been negotiating with lawyers and technology officials from the Federal Bureau of Investigation, the Department of Homeland Security and other agencies since the spring about issues including what technical requirements universities would need to meet to comply with the law.

"This is a fight over whether a Buick is good enough, or do you need a Lexus?" Mr. Gidari said. "The F.B.I. is the lead agency, and they are insisting on the Lexus."

Law enforcement has only infrequently requested to monitor Internet communications anywhere, much less on university campuses or libraries, according to the Center for Democracy and Technology. In 2003, only 12 of the 1,442 state and federal wiretap orders were issued for computer communications, and the F.B.I. never argued that it had difficulty executing any of those 12 wiretaps, the center said.

"We keep asking the F.B.I., What is the problem you're trying to solve?" Mr. Dempsey said. "And they have never showed any problem with any university or any for-profit Internet access provider. The F.B.I. must demonstrate precisely why it wants to impose such an enormously disruptive and expensive burden."

Larry D. Conrad, the chief information officer at Florida State University, where more than 140 buildings are equipped for Internet access, said there were easy ways to set up Internet wiretaps.

"But the wild-eyed fear I have," Mr. Conrad said, "is that the government will rule that this all has to be automatic, anytime, which would mean I'd have to re-architect our entire campus network."

He continued, "It seems like overkill to make all these institutions spend this huge amount of money for a just-in-case kind of scenario."

The University of Illinois says it is worried about the order because it is in the second year of a $20 million upgrade of its campus network. Peter Siegel, the university's chief information officer, estimated that the new rules would require the university to buy 2,100 new devices, at a cost of an additional $13 million, to replace equipment that is brand new.

"It's like you buy a new car, and then the E.P.A. says you have to buy a new car again," Mr. Siegel said. "You'd say, 'Gee, could I just buy a new muffler?' "

_______________________________________________
EPIC_IDOF mailing list
EPIC_IDOF@xxxxxxxxxxxxxxxx
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_idof


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/