The Energy Sciences Network (ESnet) is the US Department of Energy’s high-performance backbone network, engineered and optimized for large-scale science. Funded by the DOE Office of Science and managed by Lawrence Berkeley National Laboratory (Berkeley Lab), ESnet interconnects the entire national laboratory system, including its supercomputer centers and user facilities – enabling tens of thousands of scientists to transfer data, access remote resources, and collaborate productively.
ESnet operates an advanced network testbed and conducts networking and systems research independently, and also in collaboration with scientists from national laboratories, universities, and commercial entities.
Most of the network traffic transferred by ESnet consists of data generated by large scientific instruments, but ESnet also transfers traffic created by ordinary web browsing, email, and general Internet use. Most network traffic flows leave the DOE complex: they are created when users at a DOE-funded facility transfer data to or from a university, or when university users access data at a DOE Lab.
II. Scope of this Policy
This policy identifies:
● the information ESnet collects about data transferred by its infrastructure;
● the justification for this collection;
● the ways in which this information may be used and disclosed to third parties; and
● the security measures adopted to prevent unauthorized access to this information.
This policy does not apply to information ESnet collects about the amount of data it transfers, or the speed at which data is transferred. Like most research and education networks, ESnet publishes such information (its ‘utilization’ and ‘performance’ data) openly, and in real time. This data is highly aggregated, and does not contain information about traffic flows specific to individual users.
III. What Information Is Collected?
ESnet captures and collects network monitoring data (“flow data”) for operational and research purposes. This monitoring data consists of electronic records that concisely characterize network transmissions. The records include IP addresses, port numbers, protocols, bytes transferred, timestamps, and network interfaces transited. ESnet also uses network intrusion detection systems (NIDS) that perform deep packet inspection to protect its systems and networks from attack. ESnet has the technical ability to collect more data ad hoc and may do so in the process of testing or debugging network connectivity or performance, or in coordination with an ESnet site.
IV. Why We Collect Information
ESnet collects network monitoring data for a variety of reasons: to aid in operational support, capacity planning, forecasting, fault diagnosis, cybersecurity, and also to support research projects.
V. Disclosure of Monitoring Data
ESnet is the steward of all the network monitoring data it collects. In general, ESnet does not disclose, give away, or sell its network monitoring data to any other organization, nor does it delegate its stewardship responsibility. Notwithstanding this non-disclosure principle, ESnet may share network monitoring data under the following circumstances:
A. Site Access
DOE Labs, plants and facilities, and other ESnet customers may from time to time make a request for information about their own usage of ESnet. In such cases, ESnet will make reasonable attempts to provide views of data that only include information that the particular site could reasonably have gathered on its own, by analyzing its network connections to ESnet. Further, ESnet will coordinate with a designated representative of the site before sharing such data.
B. Network Provider Access
ESnet is part of a large community of Research and Education Networks (RENs) at various scales (national, regional, state). These include, for example, Internet2 and CENIC in the United States.
Other Research and Education Networks may, from time to time, make a request for information about the traffic they exchange with ESnet (that is, traffic which passes between the two networks). If sharing of network monitoring data is authorized, ESnet will make reasonable attempts to provide views of data that only include information that the network could reasonably have gathered own its own, by analyzing its own network connections to ESnet. We require all Networks provided with such data to enter into an agreement prohibiting them from sharing it further.
C. Researcher Access
Network or security researchers may from time to time make a written request for Network Data. ESnet will use current accepted practices in the R&E community, such as anonymizing the IP addresses in a prefix-preserving manner, to de-identify the data released to researchers to ensure user privacy wherever possible. Alternatives, such as executing the researcher’s algorithms ourselves, may be used where anonymization is impractical.
D. Third Party Access
For the purposes of securing the network and to analyze and resolve operational issues, ESnet may, by contract, involve third parties. This analysis may include, from time to time, raw packet captures in addition to flow data. Both ESnet staff and such third parties are obligated to protect the data and use it only for the purposes identified. ESnet will assure that such information is managed and shared with third parties only within a defined contractual relationship, and bound by a written Non-Disclosure Agreement. Use of a cloud service to support ESnet operations does not itself constitute a third party disclosure.
E. Access in the Event of Operational or Cybersecurity Emergency
In the event of a network or cybersecurity emergency affecting ESnet sites, customers, or the wider Internet, ESnet may release relevant network data to enable the process of debugging, analysis, or service restoration.
E. Law Enforcement Requests
If required by law and upon advice of University of California legal counsel, ESnet will comply with lawful requests to disclose Network Data.
F. Other Requests
Other requests for network monitoring data will be processed with the assistance of University of California legal counsel.
VI. How Data Is Collected, Retained, and Protected
ESnet collects network monitoring data (as defined in III., above) throughout its network, and occasionally takes full packet captures of specific links for network operations and security purposes. All network monitoring data is managed under the control of authorized ESnet employees and contractors only.
ESnet takes appropriate steps to protect network monitoring data from unauthorized access or disclosure. Additionally, ESnet employs industry standard security measures, including physical, electronic, and procedural safeguards such as NDAs, to protect against the disclosure, loss, misuse, and alteration of the information under our control.
When considering use of cloud-based tools to store or process data, ESnet utilizes a tailored cloud assessment security process based upon LBNL’s processes and data classifications. We do not store or process classified information, and for controlled data (e.g., protected by HIPAA, FERPA, etc.) the cloud provider must support the same FIPS level as ESnet or higher. Our cloud security assessment process makes a risk-based determination based upon the data in question, and we evaluate the cloud provider’s security offerings and certifications (e.g., SOC 2 Type 2, FedRAMP, etc.) to follow industry best practices before entering into contract with a vendor.
VIII. Notice for Updates and Changes to Policy
IX. Who to Contact if You Have Questions
Last Updated October 2020
 An example set of criteria includes the process used by CAIDA (http://www.caida.org/data/passive/passive_dataset_request.xml)