IT Policy Office

Cornell's Response to the Federal Communications Commission (FCC)'s Proposal to Amend the Communications Assistance for Law Enforcement Act (CALEA), November 2005

In 1994 Congress passed the Communications Assistance Law Enforcement Act (CALEA) which provided the authority of the Federal Bureau of Investigation (FBI) to impose technical specifications and oversight on commodity public telephone networks for the purpose of obtaining data communications under warrant automatically and from remote locations. Data networks of all kinds, public or private, were explicitly exempted from this legislation.

In 2003 the Department of Justice (DOJ) sent a formal request to the Federal Communications Commission (FCC) to use administrative rule-making as the means to amend CALEA to include data networks. Efforts on the part of higher education through a coalition established by EDUCAUSE to exempt higher education from this amendment notwithstanding, the FCC published the regulation in the Federal Register in August of 2005 without an express exemption. The notice, which is the last stage of administrative rule making, did, however, include three additional specific questions for comment. These questions may be pertinent to higher education and pose the potential for additional comment.

The Government Affairs Office, University Counsel and the Office of Information Technologies have collaborated on a formal response to the FCC on these questions from Cornell University. Vice President Polley McClure is the official signer for Cornell University and has provided a cover letter to frame the issues surrounding this comment.

---

COVER LETTER

November 10, 2005

Marlene H. Dortch
Office of the Secretary
Federal Communications Commission
445 12th Street, SW
Washington, D.C. 20554
ATTN: RM 10865

Re: Comment on the Federal Communications Commission amendment of the Communications Assistance Law Enforcement Act of 1994 as it applies to teaching and research institutions. (ET Docket No. 04-295 (Rel. Sept. 23, 2005), published 70 Fed. Reg. 59,664 (Oct. 13, 2005) ("Broadband CALEA Order" RM 10865)

This memorandum is a response to the request for comments on the proposed Federal Communication Commission regulation of the Communications Assistance Law Enforcement Act of 1994. I am deeply concerned about the interpretive implications this proposed regulation might have on private higher education data networks generally and for Cornell University's system in particular. This proposed regulation suffers from a number of defects. A plain text reading of the law renders incorrect the imposition of this regulation on a private network. Unclear drafting invites speculation about uncertain legal liabilities and inexact administrative and financial burdens. Some interpretations even raise serious questions of technical feasibility and security. I am also aware that the technical modifications do not occur in a political vacuum but in the context of an unstable relationship between new communications technologies and the existing Fourth Amendment framework that may have an adverse effect on civil liberties and personal privacy. Additionally, this regulation is redundant as to purpose. University officials currently provide law enforcement with electronic communications under warrant.

Perhaps most important to Cornell University, if not higher education overall, are the potential unintended deleterious consequences this proposed regulation might have on our missions. Not for profit accredited educational institutions contribute uniquely to American society by exploring and sharing knowledge for its own sake. Teaching, research and outreach rely fundamentally on principles of unimpeded communications and open inquiry. If the uncertain administrative, financial and technical expenditures suspect in this regulation do not alone exacerbate the many burdens that currently challenge the autonomy of higher education, the technical oversight provision is plainly inconsistent with our missions. Were no other means available to achieve its purpose, the government could argue a compelling interest. But the alternative exists. Cornell University already provides this kind of information when properly served. Therefore there is no compelling government interest in this specific surveillance technique and it most certainly is not a narrowly tailored method for compliance. It therefore should fail as applied to private, higher education networks such as the one operated by Cornell University. Whatever its value for commodity public networks, it is inappropriately applied to higher education. Moreover, given its defects, its value does not compare to the value that would be lost in creativity, innovation and the other unique contributions that higher education makes to American society.

Finally, procedural considerations enter into this matter as well. The Department of Justice has chosen to advance this objective through administrative rulemaking even though the law originated in Congress. While it is not unusual for federal agencies to amend federal law, in this case rulemaking does not provide adequate forum to address the legal scope, technical and civil liberties issues that have emerged in the comment period at least insofar as the FCC intends it to include not for profit educational institutions. These complex, multidimensional issues demand attention from the legislative process. I therefore urge the Federal Communications Commission to turn the matter back to Congress where hearings can speak comprehensively to these vital and important matters. To do so would not merely benefit higher education and Cornell University but all of American society.

Sincerely,



Dr. Polley Ann McClure
Vice President of Information Technologies
318 Day Hall
Cornell University
Ithaca, New York 14853

---

In the Matter of Communications Assistance for Law Enforcement Act and Broadband Access and Services

)     )     )     )     )     )     )     )

ET Docket No. 04-295 RM-10865 FCC 05-153

To: The Commission

COMMENTS OF CORNELL UNIVERSITY

The Federal Communications Commission ("Commission") has found it to be in the public interest to deem facilities-based providers of broadband Internet access to be "telecommunications carriers" subject to the requirements of the Communications Assistance for Law Enforcement Act ("CALEA")¹. However, Cornell University neither believes that its network system falls under the definition of a data network nor holds that it is appropriate for Cornell, or other higher education institutions, to have to comply with this regulation.

I. CALEA ONLY APPLIES TO COMMON CARRIERS

CALEA compliance should not be required of Cornell University and other institutions of higher education because they operate private networks and are not common carriers for hire. Imprecise wording in the Commission's October 13, 2005 Final Rule (Final Rule) has resulted in potentially overbroad statements regarding the reach of CALEA.

Section 103 of CALEA provides:

"... a telecommunications carrier shall ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of [a list of required forms of assistance to law enforcement]"

CALEA defines "telecommunications carrier" as follows:

Sec. 102. DEFINITIONS.

(8) The term "telecommunications carrier"--

(A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and

(B) includes--

(i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 332 (d)); or

(ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this title; . . .

47 U.S.C §1001 [emphasis added]

The structure of the statutory definition and the use of the word "and" logically requires that the first set of prerequisites i.e., "as a common carrier for hire," be satisfied in all cases.

The Commission asserts that the broad Congressional intent of CALEA was to preserve -- and not expand -- the government's surveillance capabilities in the face of changing technologies.² The wording of the Final Rule would appear to bring Cornell within the ambit of regulations that never before applied to it as the operator of a private network by fundamentally altering the statutory definition of a "telecommunications carrier" and arrogating to the Commission vastly expanded regulatory authority.

At ¶19, the Final Rule concludes: "In this Section, we find that facilities-based providers of any type of broadband Internet Access Service . . . are subject to CALEA." The erroneous foreshortening of the requisite analysis is repeated in the section addressing VoIP: "We find that providers of interconnected VoIP satisfy the three prongs of the SRP under CALEA's definition of "telecommunications carrier."

While the Final Rule concludes that the definition of "telecommunications carrier" is broader under CALEA than under the Communications Act, the only difference discussed is with respect to the Substantial Replacement Provision (SRP) (sec.102(8)(B)(ii)). That provision addresses the functional equivalence of technologies, i.e., "commercial mobile service" or "replacement for a substantial portion of the local telephone exchange" and not the status of the service provider. The first part of the definition of "telecommunication carrier" -- Section 8(A) (the "common carrier for hire" requirement) should still have to be satisfied when an SRP analysis is performed.³ By failing to do so, the Commission appears to have grossly overstated the reach of CALEA.

The plain statutory language compels the conclusion that the person or entity engaging in the surrogate communication service must also ("and") be engaging in such activity "as a common carrier for hire." If Cornell is not providing services for hire, it should be exempt from CALEA. We also submit that an entity cannot be construed to be a substitute for a substantial portion of the local telephone exchange (a common carrier) without also offering communication services as a common carrier to those customers.

Cornell University, like many other colleges and universities, provides telecommunications services to students, faculty and staff in order to satisfy its educational and research missions. It is not offering such service "for hire" or in the capacity of a "common carrier." We therefore ask the Commission to remedy the existing confusion and ambiguity and expressly declare CALEA inapplicable in such entities.

CALEA does not apply to private networks.

Congress expressly excluded "private networks" from CALEA's reach. Section 103(b)(2)(B)⁴, 47 U.S.C. §⁴ 1002(b)(2). The August 9, 2004 Notice of Proposed Rulemaking and Declaratory Ruling (NPRMDR) acknowledged this limitation at paragraph 10: "there are certain limitations on the assistance capability requirements in Section 103(a) [of CALEA]. For example, they do not apply to information services or equipment, facilities or services that support the transport or switching of communications for private networks . . ." [citing 47 U.S.C. § 1002(b)(2)].

While the NPRMDR asked for comment on when a private network may be too big to be deemed truly private based on an "availability to all users"⁵, this topic is not even addressed in the October 13, 2005 Final Rule. Cornell's private network has a limited number of users. It is far smaller than the networks of many corporate entities and in no way approaches the outer boundaries of what might be considered a private network under existing precedent.

Paragraph 27 of the Final Rule provides "we conclude that establishments that acquire broadband Interest Access Service from a facilities-based provider to enable their patrons or customers to access the Internet from their respective establishments are not considered facilities-based broadband Internet Access Service Providers subject to CALEA." This would appear to clearly cover university-provided Internet access to its faculty, staff and students. There being no further discussion of this issue in the record, and the Commission having articulated no basis upon which to reverse this conclusion, it would, presumably, be incorporated into the Final Rule. Such an outcome is, however, belied by the inconsistent concurrent request that providers of broadband networks for educational and research institutions file comments to justify an exemption from CALEA.

Cornell and other colleges and universities were not provided a meaningful opportunity to comment on the profound changes enacted in the Final Rule.

The NPRMDR failed to provide notice of the fact that the Commission was contemplating an expanded reading of CALEA that would eliminate the concept of common carrier from the definitions of telecommunications carrier. It therefore deprived many potentially affected entities from the opportunity to provide meaningful comment on that proposal.

The NPRMDR used the terms "telecommunications carrier" and "common carrier" interchangeably. See, e.g., ¶17 Implementation, the August 9, 2004 NPRMDR the August 9, 2004 NPRMDR ¶22 and footnote 55 thereto (regarding system security and integrity requirements) and ¶23 regarding cost recovery "by common carriers"). These usages demonstrate an assumption that all telecommunications carriers subject to CALEA would be common carriers.

The statement in the August 9, 2004 NPRMDR of the position that the Commission was proposing to adopt, and upon which comment was sought, retained the status of common carrier as a prerequisite to CALEA applicability. At paragraph 47, the Commission stated its tentative conclusion as follows:

. . . we tentatively conclude that facilities-based providers of any type of broadband Internet access . . . whether provided on a wholesale or retail basis, are subject to CALEA. (emphasis added)

Similarly, at ¶56, the Commission preserved the common carrier notion in the statement of its tentative conclusion: "we tentatively conclude that providers of managed VoIP Services, which are offered to the general public . . . are subject to CALEA" [emphasis added].

Finally, at footnote 133 of the NPRMDR, the Commission reassuringly stated:

We note that establishments acquiring broadband Internet access to permit their patrons to access the Internet do not appear to be covered by CALEA (assuming they were otherwise "telecommunications carriers" under CALEA). Examples of these entities include schools, libraries, hotels, coffee shops, etc. . . .

The Commission's broad interpretation of CALEA potentially conflicts with the Family Education Rights and Privacy Act (FERPA).

Institutions of higher education are, under the Family Education Rights and Privacy Act, 20 U.S.C. §1232g which obligates them to protect education records from disclosure except in conformance with the dictates of that federal statute. It is quite possible that some of the communications sought by law enforcement under the auspices of CALEA would constitute "education records" as that term is broadly defined in FERPA, i.e. identifiable to an individual student and maintained by the educational institution. The proposed regulation would, in effect, circumvent FERPA and its requirement that notice be provided to a student before education records are released, even when such release is pursuant to a subpoena. This inconsistency with the intent and purpose of FERPA must be resolved through legislation as was done in the case of the USA PATRIOT Act and cannot be dealt with through regulatory interpretation. Other federal privacy legislation, such as the Health Insurance Portability Accountability Act and the Financial Services Act, is also implicated in this problem, although less significantly than educational records under FERPA.

In conclusion, the proposed re-interpretation of CALEA goes beyond the intent of the statute that the Commission purports to be implementing and is therefore beyond the authority of the FCC to impose through rulemaking.

II. IT IS INAPPROPRIATE TO EXPECT AN EDUCATIONAL AND RESEARCH INSTITUTION TO COMPLY WITH THE TECHNICAL REGULATIONS OF AN AMENDED CALEA.

We believe that educational and research institutions should be exempt from CALEA because as drafted these provisions could impose undue burden, and, as a measure of that undue burden, costs disproportionate to the goal of the regulation. Cornell University has always provided prompt compliance with legal papers for electronic communications. University personnel always have been and will remain available to respond to requests in a timely fashion.

The regulation is unclear as to what the scope, technical modifications and burden of full compliance entails for higher education.

As currently drafted the regulations create uncertain meaning about the scope of technology required for compliance. If the intent of the regulations is for the Department of Justice to effectively capture electronic communications from Cornell¹s data network at its connection to the commodity Internet, then regular refresh technology will accomplish this goal without undue technological or financial burden on the university. These standard upgrades are then in keeping with the university¹s history of ready compliance to properly served compulsory legal papers requesting electronic communications. Cornell University does not require unfunded CALEA mandates in order to accomplish this goal, and therefore should be exempted from it.

However, if the intent of the regulations is to require more internally ubiquitous modifications of the university¹s Intranet, then the regulation likely becomes technologically infeasible and financially burdensome. As a practical matter it is nearly impossible to establish technologies that would provide automatic and remote access to traffic on the thousands of individual devices connected throughout the packet-switched, wired network at Cornell while maintaining, as CALEA requires, the assured privacy of all those using the network and not under investigation. Not only do the configurations of the various subnets that run upon the backbone system present specific challenges to the goal of remote, real-time surveillance, but the protocols and operation standards upon which packet switching technologies increasingly rely compound the surveillance problem. For example, the widely used dynamic host configuration protocols often utilize a pool of Internet Protocol addresses that are dynamically assigned to individuals to establish network connections. Therefore an Internet Protocol address is not an effective proxy to preemptively identify communications of an individual and will not be the full representation of an individual¹s actual use of data communications networks.

Unlike telephony, where a dedicated shared line may be tapped to capture communications, data networking interconnects dynamic and diffuse technologies at both the physical and logical layer. Therefore it is unreasonable to expect existing technologies, no matter how deeply deployed in the internal data networking system to accomplish the surveillance goals that law enforcement has achieved for traditional telephone communications. In short, surveillance technologies for Intranet data networking are unable to achieve the same degree of singular, precise and surgical surveillance currently practicable for PBX telephony systems.

If the intent is to require ubiquitous modifications of the university¹s Intranet, the cost of attempting to comply with a regulation that establishes an unachievable and poorly conceived standard, represents undue legal and financial burden on Cornell University. If technology does not exist to achieve the goal, then the University may be confronted with unwarranted and inequitable legal liability. If the second interpretation is the intent of the regulation, then it also presents a financial burden that differs from the first interpretation by several orders of magnitude. Unlike commodity networks, which can pass the costs of legislative requirements down to their customers, not-for-profit institutions like Cornell University cannot so readily absorb unfunded mandates, especially ones with such an uncertain outcome. In this case, the interpretation of the regulation is unclear. The technical means to comply may not even exist. No matter how much money is pressed into a good faith attempt to obey the regulation the goal may not be able to be achieved. It is unfair to expect a not-for-profit educational institution to spend scarce and precious funds on potential chimeras.

Further, the vagaries of the technical requirements of this regulation set against the fundamentally insecure nature of Internet protocols do not instill confidence that such a system is or could be made to be appropriately secure. This technical fact contrasts sharply with the protection the law affords the material under warrant and therefore invites an argument from technical security and privacy considerations as well. (Although important, a discussion of civil liberties privacy concerns involved in the tension between the newer data networking technologies and the Fourth Amendment framework of the Electronic Communications Privacy Act, amended by the USA Patriot Act, is omitted from this comment.)

Moreover, as a target for "hackers," this system could well add to the substantial challenges that the university already faces in addressing matters of Internet security. In short, this system could create a new class or quantity of vulnerabilities. Until the government provides clear technical specifications that could be warranted to guarantee the security of those communications, this regulation exacerbates the university¹s liability. It does not take much imagination to envision that this regulation could make compliance with legal and other regulatory responsibilities stemming from privacy laws such as the Family Educational Rights Privacy Act, Health Insurance Portability Accountability Act or the Financial Services Act, as well as the state, and perhaps even future federal data breach notification laws exceptionally difficult. Thus, this regulation raises technical security issues that act as both a symptom and a cause of the problem. Vaguely drafted, this proposal presents an uncertain picture of the government¹s technical security program to preserve the privacy of the communications under warrant. That lack of clarity could result in additional vulnerabilities for the Cornell network system, as well as compounded liabilities as it attempts to comply with existing and future privacy legislation.

Government oversight of new data networking technologies hinders innovation and contravenes the research mission of higher education institutions.

Finally, the regulations require that the Department of Justice review the deployment of all future technologies for compliance with its surveillance goals. This regulation suggests an unprecedented and extraordinary degree of oversight on the part of the federal government that portends to have a profoundly deleterious effect on the missions of a research and teaching university. Higher education, unlike virtually all other infrastructures, uniquely relies upon open, unimpeded inquiry for the pursuit of knowledge. Cornell University cherishes this mission as a part of its institutional identity and contributions to American society. Cornell University was among some of the select research institutions involved with the Department of Defense and National Science Foundation that helped to develop the Internet. The Internet as we know it may well never have been developed if such oversight as is suggested by this regulation were a component of the research conducted by computer scientists and engineers in the founding era of the Internet. This limited oversight contravenes the very core of the research enterprise. It augurs ill for future innovation upon which this country relies to remain economically vibrant and globally competitive.

The procedures that the Commission should adopt for exempting entities.

Cornell University already provides timely response to compulsory legal papers for electronic communications. As an exempted institution, it would continue to respond appropriately to law enforcement requests. As an exempted entity, it would also expect that the current period of compliance under the regulation of eighteen-months be extended to a full four years. In that time Cornell University will conduct regularly scheduled technical upgrades at the commodity Internet connection that augment compliance with law enforcement requests for capture of electronic communications without undue financial burden to the institution.

III. CONCLUSION

This regulation is inappropriate to the educational and research environment of Cornell University. First, Cornell University is not a common carrier, and therefore does not fall under the scope of CALEA. Second, unclear drafting creates any number of possible outcomes. The regulation could entail unnecessary and untimely compulsory technological alterations. The university will accomplish those same goals in time without the regulation and without undue financial burden expended in order to meet expedited deadlines. Alternatively, this regulation could be interpreted to encompass technologically infeasible goals that would result in unwarranted legal and financial liabilities. Finally, the oversight aspect of the regulation could generate a chilling effect on research. Therefore, institutions of higher education generally, Cornell University in particular, should be exempt from CALEA.

Dated:
November 10, 2005