IP Wiretap Ruling Raises Security Concerns

Experts say Internet telephony also makes intercepts difficult, especially in real time

A Federal Communications
Commission ruling that
federal wiretap laws should
apply to Internet traffic could
pose difficulties for agencies trying
to conduct wiretaps while
creating unintended consequences
for IT security, an industry
association warns.


'The net result would be the introduction
of substantial vulnerabilities
into the network, and a
side effect would be to move most
of the infrastructure needed for a
successful intercept outside of
the U.S.,' Internet pioneer Vinton
Cerf said recently in introducing
the study by the IT Association of
America. 'The more I dig into it,
the harder it gets.'


ITAA performed the study in
response to a ruling by the Federal
Communications Commission
that the Communications
Assistance to Law Enforcement
Act (CALEA) should apply to
broadband Internet and voice
over IP service providers.
CALEA mandates that equipment
used in public, switched
telephone networks accommodate
wiretaps for law enforcement
agencies.


Technical hurdles

With voice services now being
offered over the Internet and
other IP networks, FCC has said
they should be treated the same
as telephone networks. The rule
has been upheld by the U.S.
Court of Appeals for the District
of Columbia.


But saying it and doing it are
two different things. The infrastructures
and technologies underlying
VOIP and PSTN services
are very different. The Internet
is not centralized and
provides a multitude of flexible
services. IP addresses and locations
of end points often are not
static and traffic is not transmitted
over a fixed circuit.


'It actually is quite hard to figure
out who is talking to whom'
in a VOIP call, said Cerf, chief Internet
evangelist for Google Inc.


For an effective wiretap, information
is needed from both
the call setup, which establishes
the connection between two
end points, and the transmission.


But the VOIP provider
doing call setup often has little
to do with the infrastructure
used to transmit the packets,
said Whitfield Diffie of Sun Microsystems
Inc.


'In Internet telephony, the
two have been separated,' Diffie
said. 'It becomes much harder
to execute Internet telephony
wiretaps.'


The wiretap would require
that the provider doing call
setup give routing data for the
call to law enforcement in real
time, and the agency then would
have to serve an order or warrant
in real time on the proper
carriers, who would have to validate
that order, again in real
time.


'It's conceivable all of this
could be done, but it's
not clear it could be
done by mandate,'
Diffie said. 'It's very
hard to see how something
like this could be
done both effectively
and securely.'


Another element of the problem
facing law enforcement
agencies is that VOIP is not a
specific technology, but a broad
description of a type of service
that can be implemented in a
variety of ways. VOIP traffic is
carried in the same type of packets
as every other type of traffic.


'VOIP is just another network
application,' Cerf said. 'I don't
see any way to restrict and constrain
the target to just voice.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above