SecurityFocus: FBI seeks Internet telephony surveillance

[Ben Teitelbaum <>]

News clipping:  http://www.securityfocus.com/news/3466

-- 

FBI seeks Internet telephony surveillance

The Justice Department and the FBI ask regulators for expanded
technical capabilities to intercept Voice Over IP communications...
and anything else that uses broadband.

By [15]Kevin Poulsen, SecurityFocus Mar 27 2003 1:11AM

The FBI and Justice Department are worried that Voice Over IP (VoIP)
applications may become safe havens for criminals to communicate with
one another, unless U.S. regulators make broadband services more
vulnerable to lawful electronic eavesdropping, according to comments
filed with the FCC this month.

The government filing was prompted by the efforts of telecom
entrepreneur Jeffrey Pulver to win a ruling that his growing
peer-to-peer Internet telephony service [16]Free World Dialup is not
subject to the regulations that govern telephone companies.  Free
World Dialup has been called "Napster for Phones." It's a free service
aimed at developing Internet telephony as a mainstream alternative to
the public switched telephone network. After an initial investment of
about $250 for a Cisco SIP telephone -- a device that functions much
like a conventional analog phone, but plugs directly into an IP
network -- users can "dial" each other over the Internet anywhere in
the world at no cost. Free World Dialup provides a directory service
that assigns each user a virtual telephone number, and sets up each
phone call. Since it was launched in November, the service has
gathered over 12,000 users.

If it catches on, FWD could be a nightmare for old-fashioned telephone
companies. Those companies were likely agitated further when Pulver
[17]asked [pdf] the FCC in February for a "declaratory ruling" that
his service is outside the commission's jurisdiction. Pulver argues
that FWD is not a telecommunications service, but is just an Internet
application, no different from e-mail or instant messaging. Verizon,
SBC and other phone companies filed comments in opposition to Pulver's
petition.

And on the last day of the public comment period, so did the FBI.  It
turns out that one of the regulations from which FWD would be
incidentally exempt is the Communications Assistance for Law
Enforcement Act (CALEA), the federal law that required
telecommunications carriers to modify their networks to be
wiretap-friendly for the FBI. Crafted in 1994, before the Internet was
a household word, it's not entirely clear that CALEA even applies to
Voice Over IP , but the government has had some success persuading
companies that it does, or soon will, according to Stu Baker, a
partner in the Washington law firm of Steptoe and Johnson. "Right now,
I think Justice would lose a case trying to apply CALEA to VoIP,"
Baker wrote in an e-mail interview. "But eventually... VoIP will be a
mainstream substitute for the switched network. So a lot of companies
are complying now to avoid a hassle later."

The government worries that Free World Dialup's petition could buck
that trend: if the FCC finds that FWD is free from the plug-and-play
wiretap requirements, other Internet companies handling VoIP traffic
might start thinking they're exempt as well. "The DOJ and FBI are
concerned that if certain broadband telecommunications carriers fail
to comply with CALEA due to a misunderstanding of their regulatory
status, criminals may exploit the opportunity to evade lawful
electronic surveillance," reads the government filing.

Pulver says it's the government that misunderstands the situation. "My
hope is that the DoJ/FBI did not take the time to fully understand
what Free World Dialup is and isn't, and after some proactive
education it will be clear that we don't fall under the definitions,"
says Pulver. "It is much easier to build the wiretap function into the
access method, which is infrastructure based, rather than on every
Internet application that comes along."

                 Easier Broadband Surveillance Sought

Indeed, extending CALEA to cover Free World Dialup and services like
it would likely be futile, says Ofir Arkin, founder of
[18]Sys-Security Group and an expert on IP telephony security. Arkin
says users determined to skirt surveillance could easily set up their
own ad hoc directory services on the fly. "It's like a buddy list on
instant messaging," says Arkin. "They just have to build up such a
server, and give everyone access to it."

Arkin says the FBI's best bet for spying on VoIP users is to eavesdrop
directly on a target's broadband connection, perhaps using the
Bureau's "Carnivore" DCS-1000 network surveillance tool. With access
to the raw traffic, VoIP phones become exceedingly easy to listen in
on. "Those phones don't have a lot of CPU power, so the communication
between the two ends is not encrypted," Arkin says. "Whoever was to
sniff the information on the uplink or downlink or between those two
can hear whatever is said."

That point isn't lost on Justice and the FBI. The government is asking
that, should the FCC not reject FWD's petition outright, the
commission at least delay its decision until after it's ruled on two
other broadband proceedings that the Justice Department filed comments
on last year.

In those proceedings, Justice is asking the FCC to reinterpret CALEA
as extending to DSL and cable modem service -- not just telephone
calls. It's also asking the commission to expand the scope of the law
to include raw data communication -- Web surfing, e-mail, and anything
else that crosses the wire. Broadband providers are already obliged to
cooperate with court-ordered surveillance requests; the government's
FCC proposals would go beyond that and require companies to reengineer
their networks to make Internet eavesdropping easier technically, and
dirt cheap on a case-by-case basis. "It would be a major expansion of
the CALEA requirements," says David Sobel, an attorney with the
Electronic Privacy Information Center. "It would really obliterate the
distinction between voice and data."

Opponents of the CALEA expansion include AT&T and the National Cable
and Telecommunications Association. But the government's argument for
the additional capabilities is the same one that persuaded Congress to
pass CALEA in the first place eight years ago, and it only carries
more weight today. "Although we cannot describe in this forum the
particular circumstances, the FBI has sought interceptions of
transmissions carried by broadband technology, including cable modem
technology, in terrorism-related ... investigations involving
potentially life-threatening situations," the [19]Justice Department
wrote [pdf] in one of its filings last year. "Unless carriers are
required to ensure such access, law enforcement surveillance
capabilities will suffer a serious and dangerous gap." If the FCC
adopts the government's position, then broadband's last mile will be
the FBI's listening post, and Free World Dialup will be off the hook.
   
  15. 
mailto:
  16. http://www.freeworldialup.com/
  17. http://pulver.com/reports/FWDPetition.pdf
  18. http://www.sys-security.com/
  19. 
http://gullfoss2.fcc.gov/prod/ecfs/retrieve.cgi?native_or_pdf=pdf&id_document=6513198718

---------------------------------------------------------------wg-voip-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

---------------------------------------------------------------wg-voip--