To assist in campus-based discussions following the ACE statement (see citation below) on the Communications Assistance Law Enforcement Act (CALEA) and its applicability to academic institutions, ARL and ALA requested a legal opinion on whether libraries were exempt from CALEA wiretap obligations. That opinion, prepared by Al Gidari of Perkins Coie, is included below.
Recent news articles relating to the application of the Communications Assistance for Law Enforcement Act ("CALEA") to colleges and universities have implied that access by the general public or unauthenticated Internet access in academic libraries could result in the loss of the CALEA private network exemption for academic institutions. Libraries, whether in an academic institution or not, are exempt from CALEA.
When the Federal Communications Commission ("FCC") extended CALEA to all facilities-based broadband Internet access providers in September 2005, it deemed it not to be in the public interest at this time to extend CALEA to libraries "that acquire broadband Internet access service from a facilities-based provider to enable their patrons or customers to access the Internet." Thus, any library that acquires its Internet access from another provider has no CALEA obligation whatsoever. The access provider may be a commercial ISP or a state or local network operator, or a university or college. It does not matter which under the FCC’s reasoning—libraries are exempt.
Academic institutions are exempt from CALEA for a different reason. As the Court of Appeals for the District of Columbia confirmed on June 9, 2006, when an academic institution qualifies as a private network, it too is exempt from CALEA. The FCC has described private networks as systems that enable members of an organization or community to communicate with one another and/or to retrieve information from shared databases not available to the general public.
Some academic libraries permit access to the general public and indeed, in some instances, are required to do so by law. But such access will have no effect on whether or not an academic institution is a private network. The FCC excluded libraries from CALEA coverage whenever access was obtained from a third party. By definition, a private network does not provide access to the Internet. When an exempt academic library is part of an exempt private network, the obligation for CALEA compliance falls on the entity that provides the facilities that support connection to the Internet.
In many cases, the connecting entity with the CALEA obligation will be the commercial Internet Service Provider from whom the academic institution obtains access. In other cases, academic Internet traffic may be routed by other exempt private networks such as the advanced regional or national networks who in turn exchange traffic with the public Internet at various peering points in the Nation’s communications infrastructure. And in some cases yet again, it may be the academic institution itself that supports a direct public Internet connection, but then, by definition, the academic institution would not be a private network regardless of whether the academic library permitted the public to use its facilities to access the Internet.
Thus, whether or not an exempt academic library permits the public to access the Internet has no bearing on whether or not a academic institution remains an exempt private network. That question will be determined by how the academic institution obtains its Internet connection.Indeed, the FCC made it clear that public access is not a determining factor in CALEA coverage. The FCC likewise exempted retail establishments such as Starbucks that make Internet access from a third party provider available to their patrons. The FCC required the third party facilities owner to meet CALEA's requirements. There is no CALEA obligation to authenticate users or otherwise require user identities to access the service. In sum, public access to the Internet in otherwise exempt academic libraries will have no effect on any private network determination for institutions, and requiring authentication of library users is neither required by CALEA nor necessary to retain a private network exemption.
Al Gidari, Perkins Coie
For more information about CALEA's impact on libraries, see: http://www.ala.org/ala/washoff/WOissues/techinttele/calea/calea.htm
ACE * Analysis of U.S. Court of Appeals for the District of Columbia Circuit Decision on Federal Communications Commission Order Extending the Communications Assistance for Law Enforcement Act (CALEA) to the Internet, July 13, 2006: http://www.acenet.edu