ITAA Study Notes VoIP Wiretap Risks
Applying CALEA requirements to VoIP services could create security “vulnerabilities,” the Information Technology Assn. of America (ITAA) said Tues. The study, by technology experts, focused on decentralized VoIP services such as Skype, concluding the ability to wiretap these purely Internet-based services “is simply not worth [the] risk” to national security.
The FCC last year applied CALEA to another class of VoIP providers such as Vonage “interconnected” with the public switched telephone network (PSTN), an action upheld last week by the U.S. Appeals Court, D.C. The agency hasn’t acted on CALEA compliance by purely Internet-based providers, like those in the ITAA study, but has sought comment on the possibility of imposing CALEA regulations on them. ITAA and some companies represented by the study’s authors have opposed the FCC’s CALEA-VoIP regulatory actions.
The Internet’s more flexible architecture complicates interception and is more likely to cause security risks, ITAA warned. Tapping a phone network is relatively easy, since there are identifiable choke points for interceptions and they're under network operators’ control, said the study. Interconnected VoIP can be entered through the traditional phone network, but pure Internet communications require more invasive interceptions, it said: “Various attacks, including man-in-the-middle alteration of data… capture of identity information and passwords, and many other pernicious behaviors could well be enabled by CALEA-like accommodations.” Wiretap targets using VoIP could be mobile and often change Internet identities, perhaps requiring more widespread wiretapping and raising privacy concerns about sweeps extending to people who aren’t under investigation, the report said.
Internet voice communications originate from many types of companies, using many types of addresses, and are sent in packets via many routes, said study co-author and Sun Microsystems chief security officer Whitfield Diffie. Opening such services to wiretapping would be very difficult, costly and risky, Diffie said. “A massive security effort” would be needed to make sure adding wiretap ability in such a diverse environment doesn’t risk security breaches, Diffie said at an ITAA-sponsored call-in news conference.
A CALEA mandate on Internet communications probably would make instant messaging, on-line gaming and other types of Internet services targets of interception as well, leading to privacy questions, said Vinton Cerf of Google, another co-author. “I don’t see any way to target only voice,” he said. A wiretap mandate might drive call setup operations to other countries, where CALEA doesn’t apply, he said.
When technologists talk about vulnerabilities, most think of hacking, but terrorist access to communications also is a significant risk, Susan Landau, Sun Microsystems engineer, said: “We're not talking about being unable to wiretap. We're talking about the vulnerabilities that arise when VoIP is built to be CALEA compliant.” The alternatives are to “eliminate the flexibility that Internet communications allow… or introduce serious security risks to domestic VoIP implementations,” the study said: “The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous.”
It depends what security risks are at stake, but “it’s hard to imagine them outweighing carriers’ obligation to the public,” said Tim Richardson, senior legislative liaison for the Fraternal Order of Police. He said authorities would want to look into anything that might encourage crime. But technology is so adaptable, Richardson said, that he has faith “companies could find a solution that doesn’t compromise security or significantly raise costs.”