Information Technology Services (ITS) is currently making changes to ensure that the University’s network and internet access are exempt from Federal Communications Commission (FCC) regulations that seek to make it easier for law enforcement agencies to wiretap electronic sources.
The need for changes stems from the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires providers of communications services to engineer networks in such a way that makes it easier for law enforcement to execute wiretap orders. The FCC amended the 1994 act in 2005 to comprise facilities-based internet service providers, which includes the vast majority of American universities. Formerly, universities were classified as ‘private networks’ and therefore exempt from CALEA compliance.
EDUCAUSE, a nonprofit association that supports the use of information technology in higher education, and the American Council on Education (ACE) developed two criteria by which universities may decide whether or not they are CALEA-compliant. First, a university may not own the hardware that connects its network to the public internet. Second, it must operate a private network.
As the University does not own the hardware that connects it to the internet—this is owned by the Connecticut Education Network—the only changes it has to make are those that will allow its network to be classified as private. These changes must be made by May 12, the date by which CALEA compliance is mandated by the FCC.
However, difficulty has arisen in defining what constitutes a private network.
“’Private Network’ definitions have been interpreted differently by different groups,” said Associate Vice President for ITS Ganesan Ravishanker, on his blog. “In simple terms, it is to be interpreted as a network where all access to the internet is identifiable—or that all access is controlled by some form of authentication.” Ravishanker’s blog can be read at blogs.wesleyan.edu/ravisblog.
Changes that ITS is making will be immediately visible on campus. All internet access points will ask for authentication, requiring each user to be registered and to log on with a unique name and password. This is currently the procedure for computers in areas such as PAC Lab and the Language Resource Center (LRC) in Fisk, but log-on will be extended to formerly public kiosks, such as those in the Davenport Campus Center and Olin Library.
In addition, guest access to the wireless network will be prohibited. This presents problems for visitors who require online access.
“How does a sibling or parent get on?” Ravishanker asked.
ITS has developed a system of temporary guest accounts to remedy this problem. Students and faculty will be able to request up to five accounts through their e-portfolios. The system will issue a temporary ID and password that will be valid for three days, after which it may not be reused.
The changes will place a greater burden on ITS, which will have to set up accounts for longer term visitors such as summer program participants, who formerly logged on as guests.
Olin presented a particularly difficult case for how to make the changes, being a government document repository and therefore being required to provide public access to these resources. A private network of the kind that the University is transitioning to would undermine this responsibility.
Furthermore, American Library Association lawyers have interpreted that libraries are exempt from CALEA regulations. Based on these factors, University Librarian Barbara Jones objected to the ITS plans for a private campus network.
Together they reached a compromise whereby they will reduce the number of public computers in the library to seven. These machines will only be semi-open and visitors’ access will be limited to government documents and library catalogues.
ITS consulted extensively with attorney Joe Fortner of Hartford-based Halloran and Sage LLP and decided that these measures would ensure that the University be considered CALEA compliant in the case of further subpoenas of its users.
If the school has to replace its hardware, as opposed to altering current network configurations and policies, costs would be extensive.
EDUCAUSE estimated that if all universities changed their hardware to comply with the law, total costs would range from $8-12 billion.
Leave a Reply