Wiretapping Could Be Costly
GRAND RAPIDS — In the basement of Calvin College’s Hekman Library, the school’s information technology department had turned into a nervous war room.
Roughly a dozen school administrators and technicians were gathered to watch a Nov. 17 teleconference on the potential impact of the Federal Communication Commission’s declaration that an 11-year-old wiretapping law now applied to “any type of broadband Internet access service.”
On the bottom of the projection screen was a scroll of questions posted from across the country. Over the course of the hour, the mood digressed from caution and concern to a frustrated hilarity. Throughout, most questions were some form of “How do we comply?”
To this, one of the panelists, Doug Carlson of New York University, flatly and consistently responded: “We just don’t know.”
Toward the end of the discussion, a question of another sort popped onto the screen, “What happens if we don’t comply?”
At Calvin, an echo: “It’d probably be cheaper to just take the fine.”
From what little information he had, Henry DeVries II, Calvin vice president for administration, finance and information services, prepared himself to walk into a budget meeting later that afternoon with the proclamation that the school could be faced with a minimum $1 million upgrade to its IT infrastructure.
“I have about 45 days to build this into the budget, and every single dollar is going to come out of someone’s tuition,” DeVries said.
For the fiscal year beginning July 1, 2006, DeVries had earmarked $4.5 million for the IT department, roughly $250,000 of that amount for equipment upgrades. The $1 million guess — four times normal expenditures — assumes that the school would need to replace all network routers and switches. Under that same scenario, Terry Hartle of the American Council on Education (ACE), who called the new rules the “mother of all unfunded mandates,” estimated the cost nationally at over $7 billion.
How accurate that assumption is, no one knows.
“I’ve never seen anything like this,” Carlson said. “You get a sense of confusion surrounding this that is really quite amazing.”
The 1994 passage of the Communications Assistance for Law Enforcement Act (CALEA) required telephone companies to rewire networks and switches to facilitate court-authorized wiretaps by law enforcement agencies. The law did not initially apply to Internet service providers, but at the request of the Justice Department, the FCC expanded the law’s scope this past August, with no guidance as to how ISPs, educators, libraries, airports, municipalities or any of a host of other entities offering broadband Internet access should comply.
Since then, the ACE filed a lawsuit in the U.S. Court of Appeals in Washington, D.C., asking the court to overturn the regulations. It is joined in the legal action by the Center for Democracy and Technology, the Electronic Frontier Foundation and a host of nonprofit organizations and ISPs.
The group’s complaint is multifaceted. Beyond the cost and administrative burden the regulation places on providers, including the 17-month compliance timeline, the suit questions whether the FCC even has the authority to impose the mandate. The law was originally written to not include the Internet, and the act has a specific exemption for private networks and information services.
On top of that, there are concerns about the necessity and technical possibility of compliance. According to Hartle, of the 1,800 federal wiretaps conducted in 2004, none were conducted on college campuses and only a dozen were for computer communications. A survey of 131 members of the Association for Communications Professionals in Higher Education reported only one wiretap request from any jurisdiction.
“It’s going to cost a lot of money, and most people in the higher education community don’t believe it’s justified,” said Ed Bardelli, co-chair of Warner Norcross & Judd LLP’s Education Law Group. “It’s like buying a belt and suspenders for something you’re never going to wear.”
Calvin IT technician Jeff Green questioned the feasibility of the request.
“They want to have this identifiable to one person, and that’s not even available on a telephone network,” he said. “There, you don’t know who it is — it’s just a number.”
At Calvin, for instance, a user can gain access to the Web on thousands of ports throughout the campus, on public computers in the library and in the halls, or via a wireless connection. It can be accessed through a PC, laptop, PDA or other device; and used for e-mail, Instant Messenger, peer-to-peer connections and Voice and/or Video over Internet Protocol.
Green believes that picking a single user out of that entanglement of communication is by today’s standards all but impossible, and as the large transmissions associated with research collaboration become more common, it will be even more difficult. Plus, there is no technology vendor with a product that does so.
Worse yet, no one involved knows if that is what the FCC is asking for. The comment period for the regulation runs though December, and until then, universities expect little guidance.
“It’s looming out there,” said Sue Korzinek, director of IT for Grand Valley State University. “We’re all concerned about how fast and how far we’ll have to go.”