CALEA ruling could have adverse impact for VOIP

Efforts to apply federal wiretap laws to Internet traffic could have unintended consequences for IT security, an industry association warns.

"The net result would be the introduction of substantial vulnerabilities into the network, and a side effect would be to move most of the infrastructure needed for a successful intercept outside of the U.S.," Internet pioneer Vinton Cerf said Tuesday in introducing the study by the IT Association of America. "The more I dig into it, the harder it gets."

ITAA performed the study in response to a ruling by the Federal Communications Commission that the Communications Assistance to Law Enforcement Act (CALEA) should apply to broadband Internet and voice over IP service providers. CALEA mandates that equipment in public switched telephone networks accommodate wiretaps for law enforcement agencies.

With voice services now being offered over Internet and other IP networks, FCC has said they should be treated the same as telephone networks. The rule has been upheld by the U.S. Court of Appeals for the District of Columbia.

But saying it and doing it are two different things. The infrastructures and technologies underlying VOIP and PSTN services are very different. The Internet is not centralized and provides a multitude of flexible services. IP addresses and locations of end points often are not static and traffic is not transmitted over a fixed circuit.

"It actually is quite hard to figure out who is talking to whom" in a VOIP call, said Cerf, chief Internet evangelist at Google Inc.

For an effective wiretap, information is needed from both the call setup, which establishes the connection between two end points, and the transmission. But the VOIP provider doing call setup often has little to do with the infrastructure used to transmit the packets, said Whitfield Diffie of Sun Microsystems.

"In Internet telephony, the two have been separated," Diffie said. "It becomes much harder to execute Internet telephony wiretaps."

The wiretap would require that the provider doing call setup give routing data for the call to law enforcement in real time, and the agency then would have to serve an order or warrant in real time on the proper carriers, who would have to validate that order, again in real time.

"It's conceivable all of this could be done, but it's not clear it could be done by mandate," Diffie said. "It's very hard to see how something like this could be done both effectively and securely."

Another element of the problem facing VOIP CALEA is that VOIP is not a specific technology, but a broad description of a type of service that can be implemented in a variety of ways. VOIP traffic is carried in the same type of packets as every other type of traffic.

"VOIP is just another network application," Cerf said. "I don't see any way to restrict and constrain the target to just voice."

Any system that makes interceptions efficient and targeted could be exploited by hackers, adding a new level of insecurity to an already nonsecure infrastructure, the report concludes. And any system that is implemented would require a massive R&D effort, Diffie said. And to date, the Internet Engineering Task Force, which develops and maintains the Internet Protocols, has decided it wants no part of such an effort because of the vulnerabilities inherent in a standardized wiretapping protocol.

Neither the FCC nor the Justice Department has commented on the issues raised in the study.