October 30, 2024

Wiretapping the Net

Another interesting day at the Meltdown conference. John Morris of CDT gave an eye-opening talk about online wiretapping and the policy debate over how to apply CALEA to VoIP services.

Let me explain the jargon. CALEA is the Communications Assistance to Law Enforcement Act of 1994, which says that telecommunications providers must design their networks so as to allow (properly authorized) government wiretapping. CALEA applies to “telecommunications” but not to “information services,” so Internet software has thus far been exempt. However, the FCC, which regulates telecom, has some power to expand the application of CALEA.

VoIP is Voice over IP, a term referring to services that transmit voice over the Internet. Some VoIP services can substitute for traditional phone service; others provide similar functions in different form, such as voice-enabled instant messaging; and some provide entirely new functions.

In March, law enforcement agencies asked the FCC, which regulates telecom, to apply CALEA to “IP-enabled services” such as VoIP. Conventional wisdom says that the FCC will issue some kind of regulation in this area. But what exactly?

It seems likely that the FCC will require VoIP providers to be ready to provide information to law enforcement. The key question is whether providers will only have to provide the information that they already gather or whether providers will be required to (re-)design their technology so that it can gather the information that law enforcement wants.

A “design for wiretapping” requirement would seem to rule out certain designs, particularly those that rely on open protocols and the end-to-end principle. Such designs leave too much control in the hands of end users, so that no vendor can be assured of having access to the information that they would be required to gather. On the other side, law enforcement will argue that CALEA is toothless without design requirements, and existing telecom providers would be happy to see open, end-to-end architectures outlawed.

Coincidentally, as I was writing the previous paragraph, sitting in my hotel room with the television on in the background, a commercial came on CNN, urging viewers to ask their legislators to “update our telecom laws.” Then I ran across today’s New York Times article on the telecom regulation battles.

This is definitely an issue to watch.

Comments

  1. Steve Witham says

    The previous commenter’s question is hard. What if criminals never made mistakes and never had to risk exposure? It’s hard to answer because it’s so impossible. But think of the year 1800. What if some walls were thick enough that whispered conversations on one side couldn’t be overheard on the other?

    Of course criminals are among the first to be careful about security (not that they always are). What required tap-ability does is make it harder to start being secretive. An overhead or entry cost like that gives an advantage to large criminals over small ones (and over regular people who might someday have secrets), and large businesses with security needs over small ones.

    The argument that law enforcement needs wiretaps reminds me of the phrase “burdon of proof”. If all suspects must pre-arrange to dump their life details to the cops’ computers, “burdon” has a quaint ring to it.

  2. Chris Tunnell says

    This isn’t really a comment, but more a question:

    What happens when technology — either in the form of Voice over IP or something more distributed — makes wiretapping impossible?

    I don’t think we are too far from a time in which the government gets thrown into the mix of adversaries and is protected against through cryptography.

    What would the government be without wiretaps? In the instant, it is in the best interest of the user to protect themself againt all non-recievers. However, in the long run, the user isn’t protected physically since the government has trouble “regulating” the population.

    I would just be interested to hear what you feel about this Prof. Felten since it deals with government intervention in technology.