Policing the Internet:Higher Education Law and Policy

Rodney Petersen, Policy Analyst

Wendy Wigen, Policy Analyst

EDUCAUSE

Introduction

• How is law enforcement going to operate in an electronic and interconnected world?

• What role will institutions of higher education play conducting monitoring and surveillance on behalf of the government?

• What is the legal framework that will govern law enforcement and intelligence access to information?

Current Legal Framework• Bush Administration Policy• U.S. Constitution

– 4th Amendment: protection against “unreasonable search and seizure”

• Federal Law– Foreign Intelligence Surveillance Act (FISA)– Title 18 of U.S. Code– Electronic Communications Privacy Act (ECPA)– FERPA, HIPAA, GLB Act, etc.

• State Law

USA PATRIOT Act• Uniting and Strengthening America (USA)

by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT)

• Sunset Provisions:– e.g., emergency disclosures of email without a court

order, interception of computer trespasser communications without a court order, lowering standard for pen registers and trap and trace devices under FISA, access to business records under FISA, etc.

• Permanent Provisions– e.g., pen registers for the Internet, National Security

Letter exceptions to privacy laws, definition of domestic terrorism, sneak and peek searches, etc.

Communications Assistance for Law Enforcement Act (CALEA)

• Requires facilities based internet service providers to standardize their equipment to facilitate wiretaps.

• By Court decision: private networks are exempt:– Are you a private network?– Do you support the connection to the

commercial ISP?

To comply or not to comply?

Don’t support the connection

Support the connection

Private Network

Exempt

Compliance required at gateway

Public Network

Exempt * Full compliance required

Mandatory Data Retention

• Why is data retention necessary or desirable? (i.e., what is the problem we are trying to solve?)

• Scope:– What data is to be retained?– Who should data retention requirements apply

to?

• How do we accomplish the desired goals?

Policy Issues

Do these laws:

1. Pose a threat to personal privacy and security?

2. Undermine public trust in the Internet?

3. Impact competitiveness and innovation?

4. Show promise of being effective?

5. Create undue burden and expense?

Practice Implications

• Take stock of logging and monitoring practices

• Establish privacy policies and practice “data minimization”

• Secure information captured and retained

• Develop and enforce internal policies and procedures for use of information

Responding to “Compulsory Legal Requests for Information”

• Designate or person or office to receive all requests and coordinate responses– Not just an IT issue!– Someone knowledgeable of basic issues– Develop working relationships with others

• Types of compulsory legal requests• Common issues• Reference Guide• Resources

CALEA Technical Requirements

• Status of Trusted Third Party Providers

• Status of equipment venders

• Standards process

“Without standards, there is no safe harbor”

CALEA Security and Personnel Requirements

A (telecommunications carrier) shall:

1. Appoint a single point of contact

2. Establish standard operating procedures

3. Report any act of compromise

4. Maintain secure and accurate records

Conclusion

• How law enforcement will operate in an electronic and interconnected world

• The role that institutions of higher education will play in conducting monitoring and surveillance on behalf of the government

• The emerging legal framework that will govern law enforcement and intelligence access to information

Discussion

For more information, contact:

Rodney Petersen, rpetersen@educause.edu

Wendy Wigen, wwigen@educause.edu

www.educause.edu/policy