Archive for the ‘VoIP Wiretap’ Category

VoIP wiretap rules attacked

Tuesday, June 13th, 2006 | Posted in VoIP Regulation, VoIP Wiretap

VoIP service technology experts are not pleased:

Federal regulations saying that police must be able to tap into Internet phone conversations with ease are coming under renewed attack from academics, engineers and one of the Net’s founding fathers.

A 21-page study (click for PDF) to be released Tuesday says it’s impossible for the government to expect all products that use voice over Internet protocol, or VoIP, to comply with the Federal Communications Commission’s September 2005 requirement mandating wiretapping backdoors for government surveillance. That requirement is backed by the Bush administration.

The study, organized by the Information Technology Association of America, says that because VoIP relies on a fundamentally different network architecture from that of traditional phone lines, such a mandate would pose "enormous costs" to the industry and could even introduce significant security risks.

The nine contributors included Vint Cerf, Google’s chief Internet evangelist and one of the Net’s founding fathers; Steven Bellovin and Matt Blaze, both prominent computer security professors who specialize in security; Clinton Brooks, a former National Security Agency official; and engineers from Sun Microsystems and Intel.

Vendors see profits in VoIP wiretap regulations

Monday, June 12th, 2006 | Posted in VoIP Regulation, VoIP Wiretap

It would appear that not everybody in VoIP is complaining about the FCC VoIP service wiretap requirements:

Two software vendors have made their IP wiretapping tools for carriers and law-enforcement agencies work together.

Narus’ NarusInsight Intercept Suite for carriers has been fully tested for interoperability with Pen-Link’s Lincoln 2 data collection and reporting software for law enforcement, the companies will announce Tuesday.

The transition on carrier networks from circuit-switched phone calls to IP packet data services has turned the world of wiretapping upside down. With new laws requiring carriers to hand over information about subscribers’ e-mail and Web surfing, carriers and legal agencies need new tools that work with each other.

…The Narus and Pen-Link products are the first to comply with both the ETSI rules and the VoIP CALEA regulations as well as U.S. laws on collecting e-mail and Web data, the companies claim. Specifically, they fully comply with the CALEA T1.678 standard and the ETSI TS 102 232/233/234 standards.

The software is intended for probes, with warrants, of specific users’ traffic during specific periods, Bannerman said.

Court Upholds FCC on Broadband CALEA Compliance

Friday, June 9th, 2006 | Posted in VoIP Regulation, VoIP Wiretap

FCC wins this round:

A U.S. Court of Appeals ruling that upheld the FCC’s decision to apply digital wiretapping rules to VoIP providers probably won’t significantly affect wireless carriers’ broadband wiretap capabilities, according to a CTIA representative.

The U.S. Court of Appeals for the District of Columbia this afternoon upheld an FCC decision to require broadband VoIP providers to have wiretapping capabilities in place for law enforcement use.

The decision ostensibly would apply to wireless broadband services, says Mike Altschul, senior vice president and general counsel at CTIA, but wireless carriers already are covered by the Communications Assistance for Law Enforcement Act (CALEA). VoIP providers haven’t been classified as telecom carriers, so the rules are new to them.

Judges challenge new U.S. Internet wiretap rules

Saturday, May 6th, 2006 | Posted in VoIP Regulation, VoIP Wiretap

Interesting article on the legal challenges to extending CALEA to VoIP:

A U.S. appeals panel sharply challenged the Bush administration Friday over new rules making it easier for police and the FBI to wiretap Internet phone calls. A judge said the government’s courtroom arguments were “gobbledygook.”

The skepticism expressed so openly toward the administration’s case encouraged civil liberties and education groups that argued that the U.S. is improperly applying telephone-era rules to a new generation of Internet services.

“Your argument makes no sense,” U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. “When you go back to the office, have a big chuckle. I’m not missing this. This is ridiculous. Counsel!”

At another point in the hearing, Edwards told the FCC’s lawyer that his arguments were “gobbledygook” and “nonsense.”

[...] In the current case, Edwards appeared especially skeptical over the FCC’s decision to require that providers of Internet phone service and broadband services must ensure their equipment can accommodate police wiretaps under the 1994 Communications Assistance for Law Enforcement Act, known as CALEA.

The new rules go into effect in May 2007.

The 1994 law was originally aimed at ensuring court-ordered wiretaps could be placed on wireless phones.

The Justice Department, which has lobbied aggressively on the subject, warned in court papers that failure to expand the wiretap requirements to the fast-growing Internet phone industry “could effectively provide a surveillance safe haven for criminals and terrorists who make use of new communications services.”

Critics said the new FCC rules are too broad and inconsistent with the intent of Congress when it passed the 1994 surveillance law, which excluded categories of companies described as information services.

The FCC asserted that providers of high-speed Internet services should be covered under the 1994 law because their voice-transmission services can be considered separately from information services. “Congress intended to cover services (in the 1994 law) that were functionally equivalent” to traditional telephones, Lewis said during the hearing in U.S. Circuit Court for the District of Columbia.

“There’s nothing to suggest that in the statute,” Edwards replied. “Stating that doesn’t make it so.”

The panel appeared more inclined to support the FCC’s argument that Internet-phone services – which allow users to dial and receive calls from traditional phone numbers – may be covered under the 1994 law and required to accommodate court-ordered wiretaps. The technology, popularized by Holmdel, N.J.-based Vonage Holdings Corp., is known as “voice over Internet protocol,” or VOIP.

“Voice-over is a very different thing,” U.S. Circuit Judge David B. Sentelle said. He said it offered “precisely the same” functions as traditional telephone lines.

VoIP service providers will have to comply with CALEA

Thursday, May 4th, 2006 | Posted in VoIP News, VoIP Regulation, VoIP Wiretap

The FCC voted on May 4th to require VoIP service providers to comply with the 1994 Communications Assistance for Law Enforcement Act (CALEA) by making their services easily wiretappable.  Broadband and VoIP providers will have until May 17, 2007 to comply with the law, and will have to foot the bill for any related costs, which could run into the hundreds of millions of dollars.

Five WiFi VoIP security issues

Thursday, February 16th, 2006 | Posted in IP Telephony, VoIP News, VoIP Security, VoIP Service Providers, VoIP Wiretap

Five WiFi VoIP security issues from Unstrung:

Here’s a Top 5 list of enterprise WiFi VOIP security issues, and some ways to guard against them:

Widespread deployment equals a security headache:
Because of the "ubiquity of deployment" in many enterprises, attacks can spread quickly and be targeted to take down multiple devices at once. IT managers should stay up to the minute with phone upgrades, and consider running phones over a separate physical or virtual LAN as a defense against these attacks.

Many points of attack:
As the phones get more sophisticated, so could the points of entry for malicious attacks increase. Bluetooth, email, client Web browsers, SMS, WiFi, media players, and image viewers could open back doors for hackers. Though users can use open-source and commercial tools to continually test their phones and networks, they’ll ultimately have to rely on vendors to do proactive testing on these devices.

"Some vendors may engage in this testing while the majority will not," warns Merdinger.

Targeting phones in public environments:
For example, a Bluetooth scanner could be hidden at the entrance to a major airport or train station and be used to grab user data. It may be best to keep Bluetooth and other wireless features switched off when not needed.

Rogue again:
Meanwhile, at the office and on the road, users and IT departments will have to keep their guard up and scan for rogue access points. Hackers will set up access points to specifically target WiFi phones in the corporate space as well as at hotels, conferences, and other places business people like to congregate. Good device authentication and encryption can help provide protection here.

Targeted attacks:
Targeted attacks on specific voice-over-wireless networks could also be an issue, albeit one that the victims may try to downplay. "There will be targeted attacks on VoIP networks [from hackers or competitors] that will be kept quiet if there is no legal requirement for disclosure or obvious public knowledge," Merdinger says.

Users, however, shouldn’t get in a snit about VOIP calls that are often unencrypted and therefore easier to listen in on. Unless attackers are targeting a specific user, it is much simpler to find useful information sent by the user or held on the phone than to listen in on calls, even if you’re the NSA.

"Most attackers are going to go after text information — much easier to parse for the juicy information," says Merdinger.

VoIP monitoring, Patriot Act expansion and the history of wiretaps

Friday, November 4th, 2005 | Posted in VoIP News, VoIP Security, VoIP Wiretap

Here’s some more information on the developing VoIP wiretap story, with a lawsuit being filed and a proposed expansion of the Patriot Act under debate.  At the end of the post we’ve also quoted some interesting background information on the history of wiretaps courtesy of CourtTV.

First, the lawsuits:

Last week, an alliance of Voice over Internet Protocol (VOIP) telephony providers and technology makers — including Sun Microsystems — filed a petition in federal court in Washington D.C. seeking to have the FCC’s rule requiring that all future Internet telephone systems be built to accommodate wiretapping technology.

Also:

Separately, the American Council on Education, which represents about 2,000 colleges and universities, filed an appeal of the rule on [October 24th] in federal court in Washington.

The education group said schools are willing to cooperate with the FBI, but that there are other ways to assist law enforcement rather than rewiring networks.

"We fear that the FCC order will make every college and university replace every router and every switch in their systems," said council senior vice president Terry Hartle. "The cost of doing that is substantial."

Moving on, here’s a summary of the proposed expansions / extensions of the Patriot Act:

  • Roving wiretaps: Section 206 expands the 1978 Foreign Intelligence Surveillance Act to allow federal agents to wiretap several phone lines based on a single wiretap order, issued by the secret FISA court. The target of the roving wiretaps under 206 can be a “John Doe,” in contravention of previous court rulings that either the person or the place to be wiretapped must be “particularly described.”  These wiretaps don’t require after-the-fact justification to the court, though pending reauthorization would change that.

    Pre-PATRIOT wiretap law required that common carrier telecommunication firms that must provide wiretapping assistance be named in the warrant.  But PATRIOT vitiates that requirement, allowing the issuance of generic orders by the court and leaving the wiretapping agents to direct telecommunications providers to provide access to their systems.

    After stonewalling requests for information for a few years, the Department of Justice in March, with the sunset coming up, said this provision had been used 49 times. Competing PATRIOT reauthorization acts in the House and Senate would renew the provision for 10 and four years respectively.  The Senate bill would require more information about the target beforehand and add extensive public reporting on the use of roving wiretaps.

  • VoIP and Voicemail: Section 209 makes it easier for the FBI to search “stored communications” without a wiretap order or in some cases without a search warrant.  Though purportedly targeted at voicemail, this will apparently apply to VoIP (voice-over-Internet) calls that are cached in the process of travelling over networks.  Section 209 is set to be made permanent as well.
