On June 9, a federal appeals court upheld a Federal Communications Commission ruling that the Communications Assistance to Law Enforcement Act (CALEA) - which enables law enforcement agencies to tap traditional phone lines for crime-fighting purposes - must also apply to broadband Internet and voice over IP service providers.
However, on June 13 a group of Internet technology experts, including Vinton Cerf, one of the Internet’s creators, released a report stating that tapping VoIP lines will be extremely complicated and could lead to additional, unintended security problems.
Under pressure from the FBI and other law enforcement agencies, the FCC ruled last year that CALEA must apply to VoIP, and set a date of May 14, 2007, for the expanded CALEA law to go into effect. (In addition, the FCC ruled on May 3, 2006, that broadband providers have until Aug. 1, 2006, to have all the appropriate wiretapping equipment in place on their networks.) Several Internet phone companies and civil liberties groups, however, appealed the FCC ruling, arguing that (a) it could lead to an erosion of privacy and (b) would be too costly for private network operators to implement. Last week, a three-judge panel of the Washington appeals court voted 2-1 to uphold the FCC ruling (which had the backing of President Bush at the time it was introduced).
The court ruled that operators of private networks - such as those run by corporations, colleges and universities - would not have to install the wiretapping equipment. However, an attorney for those challenging the FCC decision said in a published report that the ruling appears to require the operators of private networks to install these wiretapping devices at the portals where their networks connect with the public Internet, thus casting some doubt as to whether such networks will be completely inoculated against eavesdropping by law enforcement.
Meanwhile, Vinton Cerf and members of the IT Association of America (ITAA) - while they are not opposed to federal wiretapping per se - have released a report showing that it will not be an easy thing to achieve. For one thing, VoIP comes in many different flavors – for example, the system architecture that Skype uses to deliver VoIP is different from that of Vonage – and again is different from the services offered by any number of Web-based VoIP service providers (obviously, one key fundamental difference between VoIP services is whether they use the PSTN to route calls or use peer-to-peer architecture). Throw in wireless VoIP and … well, you get the picture: Wiretapping on the Internet is way more complicated than wiretapping on the PSTN. The report finds that because the network architectures used can be so radically different (not to mention the differences between the proprietary signaling codes that are used, plus the basic fact that the Web runs on static IP addresses, etc. etc. etc.), it will be almost impossible for law enforcement to impose CALEA on VoIP in a uniform manner.
Furthermore, as the report states, complying with CALEA will be extremely expensive for the network operators - and that cost, in turn, will have to be passed on to consumers (although the FCC ruled that the operators of private networks won’t have to pay for VoIP wiretapping technology, service providers using the public Internet to deliver their services will be required to make their own investment in the equipment). This stands to substantially increase the cost of VoIP services – a major blow to an emerging technology which has been relying almost entirely on its price point to drive adoption rates.
As an example of how much it will cost an average operator to comply with CALEA, the ITAA report quotes a recent report by the Inspector General of the Department of Justice, who observed that a certain VoIP provider recently paid “approximately $100,000 to a trusted third party to develop its CALEA solution.” In addition, the third party will be charging the VoIP provider a monthly fee of $14,000 to $15,000 for monitoring and support, plus $2,000 for each intercept.
“These amounts do not include the cost of labor for writing code into NATs, or network address translation boxes, rewrite source and/or destination of IP addresses as they pass through routers or firewalls and are generally used to support multiple devices on a single public IP address (these are very common in home networks, for example),” the ITAA report states.
The report goes on to point out that requiring U.S. operators to incur these costs could “place them at a disadvantage in comparison to non-U.S. based providers, who do not have to comply with CALEA.”
Another major problem in applying CALEA to VoIP is security – for the network operator, the user, and the service provider. For one thing, the report finds that creating these “architected security breaches” for law enforcement could end up making it much easier for hackers to get into the network of their choosing and do a little eavesdropping of their own. Secondly, setting up a network to meet CALEA will require service providers to reveal literally all of the secrets of their proprietary technology, thus opening up the possibility that their “secret sauce” will be revealed to their competitors – if not everyone – should a hacker happen to get into the network (or should a retired law enforcement agent sell the information to someone).
“In order to extend authorized interception … it is necessary either to eliminate the flexibility that Internet communications allow — thus making VoIP essentially a copy of the PSTN — or else introduce serious security risks to domestic VoIP implementations,” the ITAA report states. “The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.”
The report concludes that, while it might be possible to apply CALEA to those VoIP services which operate on the simplest of network architectures (i.e. those which closely resemble the PSTN), it will take a while to develop proper methods to apply CALEA to other VoIP services. Therefore, the report seems to suggest that law enforcement not attempt to apply CALEA to all VoIP all at once, but rather do it gradually, starting with the simplest systems and moving up to the more complicated ones over time.
“It appears that CALEA may be effectively applied to those VoIP services that look most like conventional telephony,” the report states. “Intercept against a VoIP call made from a fixed location with a fixed IP address directly to a big internet provider’s access router is equivalent to wiretapping a normal phone call, and classical PSTN-style CALEA concepts could be applied directly. In fact, they could be exactly the same if the ISP properly secured its infrastructure and wiretap control process as the PSTN’s central offices are assumed to do.”
“On the other hand,” the report continues, “the feasibility of applying CALEA to more decentralized VoIP services seems quite problematic. Neither the manageability of such a wiretapping regime nor whether it can be made secure against subversion seem clear. Rather it seems fairly clear that a CALEA-type regimen is likely to introduce serious vulnerabilities through its ‘architected security breach.’”
“The fundamental difficulty of applying CALEA to VoIP lies in law-enforcement’s desire to achieve 100 percent compliance with an authorized wiretap order,” the report states. “If law enforcement were to adopt the practice of the intelligence agencies and settle for the best intelligence at a reasonable cost, it might do quite well.”
Finally, the report concludes with a rather ominous warning:
“The real cost of a poorly conceived ‘packet CALEA’ requirement would be the destruction of American leadership in the world of telecommunications and the services built on them. This would cause enormous and very serious national-security implications. Blindly applying CALEA to VoIP and realtime Internet communications is simply not worth this risk.”
In addition to Cerf, the authors of the report include Steven Bellovin, Columbia University; Matt Blaze, University of Pennsylvania; Ernest Brickell, Intel Corporation; Clinton Brooks, NSA (retired); Whitfield Diffie, Sun Microsystems; Susan Landau, Sun Microsystems; Jon Peterson, NeuStar; and John Treichler, Applied Signal Technology.
A copy of the report may be viewed here.
--------
Patrick Barnard is Associate Editor for TMCnet and a columnist covering the telecom industry. To see more of his articles, please visit Patrick Barnard’s columnist page.