The FCC has released its Notice of Proposed Rulemaking (NPRM) on Internet wiretapping. (Backstory here.) The NPRM outlines a set of rules that the FCC is likely to issue, requiring certain online service providers to facilitate (properly authorized) government wiretapping of their customers. The document is a dense 100 pages, and it touches on issues from protocol design to administrative law to network economics, so no one reader or analyst can hope to understand it whole. Below is my initial reaction to reading it.
I’ll start by noting that the FCC isn’t working with a clean slate but must adopt the framework established by the CALEA statute. Some FCC critics (not including me) would prefer a world in which the government could never wiretap anybody for any reason; but that’s not the FCC’s decision to make. The question before the FCC is how to apply the CALEA statute to new Net services, not what the optimal wiretapping policy would be.
One important question is whether the FCC has the authority to issue the rules it is considering. Even some of the FCC commissioners express doubt on this point. This question is outside my expertise, so I’ll defer to people like Susan Crawford (who also has doubts about the FCC’s authority).
Instead, I’ll ask whether the FCC’s proposals are good policy, if we take as given the value judgments expressed in the CALEA statute, which I read as these three: (1) Properly authorized wiretapping is an important law enforcement and national security tool. (2) If necessary, communications providers should accept modest costs to enable lawful wiretapping. (3) In designing networks, wiretappability should be a consideration, but it can be overridden by other important design factors. (Again: I’m not taking a position here for or against these three statements; I’m only asserting that they reflect the views of Congress, as expressed in CALEA.)
The FCC’s first proposal is to require broadband ISPs to be ready to provide law enforcement with the packet-level traffic of any of the ISPs’ customers. I read this rule as requiring ISPs to make their best effort to turn over the raw packets as actually sent and received by the customer, and not as requiring ISPs to interpret, classify, or decode the traffic. This seems like a reasonable rule, in light of CALEA. Capturing the necessary packet-streams won’t be overly expensive for ISPs and doesn’t seem to require redesign of ISPs’ networks; and law enforcement can analyze the packet stream as necessary by using standard tools.
The second, and harder, question answered by the FCC is whether to require VoIP (i.e., voice service over the Internet) to be wiretappable. The FCC tries to take a middle ground on this issue, requiring only “managed” VoIP services to be tappable. The definition of “managed” is a little fuzzy, but it seems to apply only to services that meet all three of these criteria: (1) they look to the consumer like a kind of telephone-like service; (2) they allow calls to people with old-fashioned phones; and (3) they involve the provider’s equipment in each call (i.e., involvement in the call itself, not just as a sort of directory service). VoIP services that are “managed” in this sense would be required to facilitate wiretapping. Other services, like voice-enabled instant messaging, are not managed and so would not have to facilitate wiretapping.
The FCC’s proposed rule looks to me like a reasonable attempt to apply the goals of CALEA to VoIP technology. Managed services are precisely those that are best situated to capture the kind of information needed for wiretapping; and network designs that are inherently unwiretappable would seem to qualify as unmanaged. Two caveats apply, though. First, the NPRM’s definition of “managed” isn’t completely clear, so the definition I gave above may not be the one the FCC meant. Second, as any close reading of the NPRM will demonstrate, the actual application of a CALEA regime to these technologies would involve lots of detailed decisions and determinations by the FCC and others, and the details could be bungled. (Indeed, given the sheer number of details, and their complexity, some nonzero amount of bungling seems inevitable.)
There’s much, much more in the NPRM, but I’ve gone on long enough, so I’ll stop for now. My overall impression is that this is a document that will get criticism from both directions. Law enforcement will think it doesn’t do enough; and some technologists will think it meddles too much in their affairs. Contrary to the cliche, criticism from both sides often doesn’t mean you’re doing a good job. But this may be one of those cases where the cliche is right. Overall, I think the FCC has done a pretty good job of applying the semi-contradictory goals of CALEA in a new arena.
The real question should be what rights are granted to users and ISPs? These new rules appear to guarantee the government’s rights to wiretap in certain scenarios, but it should also guarantee the right for users NOT to be wiretapped in other scenarios. As far as I understand this is how it works for telephones and I think it would be only fair that the same thing applies.
Yes, it is physically possible to pipe the output of some glorified version of “tcpdump” into some (massive) log-file that sits on a disk in some special computer that The Police connect to your network.
The point, however, is not this possibility, or the expense, but _whether this will achieve anything in the real world_.
The answer is pretty obvious to anyone who has worked in this area for about 10 minutes: zip. Zilch. None. The cat is completely out of the bag and running rampant for VoIP (let alone secure versions of VoIP). VPNs, ssh, and a host of other commonly used tools preclude any form of access to _ANYONE_, including so-called “law-enforcement”.
Basically, the government can install all their precious hardware, they can follow all of their detailed plans, enforce their Rules and Regulations, they can assert their chains of evidence in court, they can do all of this and more, but ultimately it won’t work. They will catch some stupid people at first, but quickly thereafter, the traffic they are monitoring will be transformed into noise.
Another interesting question is why people like Ed Felten(!!) are so worried about this sort of thing. The Internet can be used for evil — and there is nothing we can do about it! Oh no!
But the same can be said for hand-guns, baseball bats, broken bottles, rocks, fists, your own imagination, over the counter drugs, and who knows what else. Frankly, if the government wants complete control, they would do a lot better to just mandate that everyone carry around a device that records where they go and what they do. In addition to “fixing” all of the problems with that den of iniquity called the Internet (without a single engineering adjustment), it would also solve the golf club problem too (arguably much more important).
But of course, we already have names for this form of governance. Books have been written about it, in fact.
I think my point about fiberoptics was this (it was late and I was tired):
If they can tap those lines (they obviously have to do something differently, like hook in at the end points (i.e. a junction box, the company, etc.)), then wouldn’t it be possible for ISPs to do something similar? I think we can agree that for dialup this is something that would necessarily need to be done at a central location (you can’t predict where someone will dial in from), but from an always-on connection, shouldn’t it be possible to drop something at a cable box or junction box to do this work?
VoIP Regulation: Four Questions for the FCC
Susan Crawford has four good questions for the FCC about its decision to apply CALEA regulations to Vo
Ashcroft has won another blow to our privacy
U.S. regulators on Wednesday ruled tentatively in favor of an FBI and Justice Department proposal that would compel Internet broadband and VoIP providers to open their networks up to easy surveillance by law enforcement agencies. At issue is the…
Jordan,
The difficulty of tapping fiber-optic lines has to do with the fact that there is little if any leakage of the signal outside the cable. Contrast that with electrical wires, in which currents in the wire necessarily create magnetic fields that can be sensed nearby. This is more of an issue for external wiretappers (e.g., spies) who don’t have access to the data stream at a cable’s endpoints.
I generally agree with you that activities should not be shielded from law enforcement just because they happen online. Where possible, the rules should be the same online as offline.
Digital Phone Tap Rules
Over at Freedom to Tinker, Edward Felten has taken a close look at the FCC’s proposed rules on digital wiretapping. (This software isn’t mentioned in the new rules, but if you want it, here it is, come and get it.)…
From someone way too wet behind the ears.
Going back in the way-back time machine (to like 4th grade, which is way-back for someone who just graduated)
I remember learning something in a robotics after school program (which I’m sure no public school can afford now) about it being pretty difficult to wiretap (in the traditional sense of the word) phone conversations carried over fiber optic phone lines (now, this was way-back and I’m not sure I remember correctly). I also decided not to take networking at Princeton so my idea may be way off here, but my question is this: would it be so difficult to write a piece of code in the router that says ah this packet is coming from http://WWW.XXX.YYY.ZZZ IP address, dump it to a log and note the date and time? I don’t know (don’t remember?) much about packets and router software or really anything of that nature, but if the packet contains the sender’s and receiver’s IP addresses, would this be a difficult task?
I’m not against the wiretapping. If it were true that we lived in a free society, then it would be a different story. But there has never been a purely free society, will never be a purely free society (I’m pretty sure I’ll never see it) for much the same reason why pure communism won’t work. Not all people are happy being equal with everyone else. Not all people want to start from the bottom and work their way to the top or wherever. So people resort to bucking and cheating the system, and if the government, which we give responsibility to, legitimately needs to catch them, isn’t it worth the tiny sacrifice? I think the idea here of the FCC is a noble one; they are trying, it seems, to reach a compromise between “discomforting” the ISPs and helping law enforcement. I haven’t read Susan’s post about whether or not the FCC can in fact do this, so I won’t make any comment about that. I’m curious as to why technologists can complain that this meddles with their affairs, however; doesn’t illegal stuff happen over computer networks, and is there anyone watching? Does everyone get amnesty simply by logging on? I’m sure someone has a good response to that. I’m simply curious. And if I had a blog, I’m sure that this would make a good post here, but at least here I might actually have someone read it and get constructive criticism :-).
Are there any requirements that the wiretapping must be invisible to the customer? I’m asking because if you can’t copy the packets at the edge device, you’d have to resort to routing or tunneling tricks which might become apparent in TTLs, ICMP TTL Exceed generation, or just increased latency or jitter.
If there were such requirements, most ISPs either need new edge devices, or new core routers. 8-(
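The path-visibility point in the comment above can be made concrete. The following is an added example, not part of the original post or its comments: it compares a baseline set of (received TTL, round-trip time) measurements for one peer against a later set and reports hop-count, latency and jitter shifts. The sample values, the thresholds and the initial-TTL heuristic are assumptions constructed for illustration; an ordinary route change produces the same signals, and a passive copy at the edge device produces none.

```python
import statistics

# Assumption: senders start from one of these common initial TTL values.
COMMON_INITIAL_TTLS = (64, 128, 255)

def hops_from_ttl(observed_ttl):
    """Estimate hops travelled from the TTL seen on a received packet."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)

def jitter(rtts):
    """Mean absolute difference between consecutive round-trip times."""
    return statistics.mean([abs(b - a) for a, b in zip(rtts, rtts[1:])])

def profile(samples):
    """Reduce (ttl, rtt_ms) samples to modal hop count, median RTT, jitter."""
    hops = statistics.mode([hops_from_ttl(ttl) for ttl, _ in samples])
    rtts = [rtt for _, rtt in samples]
    return {"hops": hops, "rtt_ms": statistics.median(rtts), "jitter_ms": jitter(rtts)}

def compare(baseline, current, rtt_tol_ms=5.0, jitter_factor=2.0):
    """Report which path properties moved beyond the (assumed) thresholds."""
    base, cur = profile(baseline), profile(current)
    report = {
        "extra_hops": cur["hops"] - base["hops"],
        "rtt_increase_ms": cur["rtt_ms"] - base["rtt_ms"],
        "flags": [],
    }
    if report["extra_hops"] != 0:
        report["flags"].append("hops")      # path length changed
    if report["rtt_increase_ms"] > rtt_tol_ms:
        report["flags"].append("latency")   # detour added delay
    if cur["jitter_ms"] > jitter_factor * base["jitter_ms"]:
        report["flags"].append("jitter")    # delay became less stable
    return report

# Constructed measurements for one peer: (received TTL, RTT in ms).
BASELINE = [(52, 20.1), (52, 19.8), (52, 20.4), (52, 20.0), (52, 19.9)]
REROUTED = [(50, 27.5), (50, 31.0), (50, 26.2), (50, 33.1), (50, 28.0)]

if __name__ == "__main__":
    print(compare(BASELINE, REROUTED))
```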