CALEA: one university view

1
CALEA one university view

• Terry Gray
• University of Washington
• Agora Meeting
• 2 December 2005

2
Important Safety Tip 1

• I'm just a techie. But
• Here we are at the intersection of IT and
  policy

3
University Environment

• Like any 2B/yr enterprise, except we have
  hospitals, classified research, students
• Aggressively decentralized
• Trickle-down technology
• Extreme net/computing diversity
• Approx 100K devices on net
• Multiple high-speed research nets
• Global initiatives, e.g. ResearchChannel

4
Status Quo

• Subpoenas received
• Subpoenas complied with
• Fairly rare
• Whats the problem?

5
CALEA Issues

• Who will be affected?
• What will be required?
• Will it work?
• Cost?
• Impact on operations?
• Impact on users?
• Does it make sense?

6
Worst Case Scenario

• Real-time wiretap of any UW traffic
• Even if it doesnt go thru a router
• Even if carried on gt10Gbps link
• Wiretap by user identity, not just IP address
• HUGE impact on users
• HUGE impact on network managers
• Wiretrap trigger by application behavior
• As per wireline rules, e.g. notify when phone
  rings
• Immense performance and Ops issues

7
Reality Check will it work?

• For dumb criminals, but not even all of them
• 62 of outbound dorm traffic Skype
• All encrypted
• Is it file sharing, voice, video, or ???

8
Technical Limitations on Wiretapping

• Encryption
• Technology is always a 2-edged sword
• Very high-speed networks
• Consider SC05 scenario
• VOIP
• Lots of flavors can be hard to identify
• Wireless
• Anonymous hot-spot access

9
Cost

• Depends totally on final rules!
• Potentially huge (millions of )
• Replacement of all switches/routers
• Network admission control SW/ops
• 40G/s routers with dynamic port mirroring?
• Significant non-economic costs
• Inconvenience of additional network login
• Impact on innovation e.g. ultra-high-speed comm

10
Winners

• Equipment vendors Cisco, Juniper, ...
• Common carriers shift/share burden
• LE Easier to catch dumb criminals

11
Losers

• Users (NAC inconvenience and indirect costs)
• Institutions (cost of unfunded mandate)
• LE
• less effective than hoped
• risk of changing criminal behavior -badly
• risk of backlash from public against LE

12
Important Safety Tip 2

• Fear trumps reason
• People dont always make best decisions when they
  feel threatened
• This goes doubly for policy makers
• NB this is not an official UW observation ?

13
Summary

• We all want to be safe
• LE has a really tough job
• Balancing societal needs is hard, esp. post 9/11
• Cost-benefit of proposed rules is dubious
• Impact unknowable until details decided

14
Postscript notes from the panel

• NB UW does support/cooperate with LE!
• NB CALEA doesnt change when LE can tap
• Distinguish CALEA from PATRIOT issues
• At issue reasonableness of implementation
  requirements --cost/benefit
• Timeliness is a key factor in cost
• Do we need to pre-provision for instant response
  to any possible request? Or is on-demand
  provisioning satisfactory?