Federal regulations saying that police must be able to tap into Internet phone conversations with ease are coming under renewed attack from academics, engineers and one of the Net’s founding fathers.

A 21-page study (click for PDF) to be released Tuesday says it’s impossible for the government to expect all products that use voice over Internet protocol, or VoIP, to comply with the Federal Communications Commission’s September 2005 requirement mandating wiretapping backdoors for government surveillance. That requirement is backed by the Bush administration.

The study, organized by the Information Technology Association of America, says that because VoIP relies on a fundamentally different network architecture from that of traditional phone lines, such a mandate would pose "enormous costs" to the industry and could even introduce significant security risks.

The nine contributors included Vint Cerf, Google’s chief Internet evangelist and one of the Net’s founding fathers; Steven Bellovin and Matt Blaze, both prominent computer security professors who specialize in security; Clinton Brooks, a former National Security Agency official; and engineers from Sun Microsystems and Intel.

Two software vendors have made their IP wiretapping tools for carriers and law-enforcement agencies work together.

Narus’ NarusInsight Intercept Suite for carriers has been fully tested for interoperability with Pen-Link’s Lincoln 2 data collection and reporting software for law enforcement, the companies will announce Tuesday.

The transition on carrier networks from circuit-switched phone calls to IP packet data services has turned the world of wiretapping upside down. With new laws requiring carriers to hand over information about subscribers’ e-mail and Web surfing, carriers and legal agencies need new tools that work with each other.

…The Narus and Pen-Link products are the first to comply with both the ETSI rules and the VoIP CALEA regulations as well as U.S. laws on collecting e-mail and Web data, the companies claim. Specifically, they fully comply with the CALEA T1.678 standard and the ETSI TS 102 232/233/234 standards.

The software is intended for probes, with warrants, of specific users’ traffic during specific periods, Bannerman said.

A U.S. Court of Appeals ruling that upheld the FCC’s decision to apply digital wiretapping rules to VoIP providers probably won’t significantly affect wireless carriers’ broadband wiretap capabilities, according to a CTIA representative.

The U.S. Court of Appeals for the District of Columbia this afternoon upheld an FCC decision to require broadband VoIP providers to have wiretapping capabilities in place for law enforcement use.

The decision ostensibly would apply to wireless broadband services, says Mike Altschul, senior vice president and general counsel at CTIA, but wireless carriers already are covered by the Communications Assistance for Law Enforcement Act (CALEA). VoIP providers haven’t been classified as telecom carriers, so the rules are new to them.

A U.S. appeals panel sharply challenged the Bush administration Friday over new rules making it easier for police and the FBI to wiretap Internet phone calls. A judge said the government’s courtroom arguments were “gobbledygook.”

The skepticism expressed so openly toward the administration’s case encouraged civil liberties and education groups that argued that the U.S. is improperly applying telephone-era rules to a new generation of Internet services.

“Your argument makes no sense,” U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. “When you go back to the office, have a big chuckle. I’m not missing this. This is ridiculous. Counsel!”

At another point in the hearing, Edwards told the FCC’s lawyer that his arguments were “gobbledygook” and “nonsense.”

[...] In the current case, Edwards appeared especially skeptical over the FCC’s decision to require that providers of Internet phone service and broadband services must ensure their equipment can accommodate police wiretaps under the 1994 Communications Assistance for Law Enforcement Act, known as CALEA.

The new rules go into effect in May 2007.

The 1994 law was originally aimed at ensuring court-ordered wiretaps could be placed on wireless phones.

The Justice Department, which has lobbied aggressively on the subject, warned in court papers that failure to expand the wiretap requirements to the fast-growing Internet phone industry “could effectively provide a surveillance safe haven for criminals and terrorists who make use of new communications services.”

Critics said the new FCC rules are too broad and inconsistent with the intent of Congress when it passed the 1994 surveillance law, which excluded categories of companies described as information services.

The FCC asserted that providers of high-speed Internet services should be covered under the 1994 law because their voice-transmission services can be considered separately from information services. “Congress intended to cover services (in the 1994 law) that were functionally equivalent” to traditional telephones, Lewis said during the hearing in U.S. Circuit Court for the District of Columbia.

“There’s nothing to suggest that in the statute,” Edwards replied. “Stating that doesn’t make it so.”

The panel appeared more inclined to support the FCC’s argument that Internet-phone services – which allow users to dial and receive calls from traditional phone numbers – may be covered under the 1994 law and required to accommodate court-ordered wiretaps. The technology, popularized by Holmdel, N.J.-based Vonage Holdings Corp., is known as “voice over Internet protocol,” or VOIP.

“Voice-over is a very different thing,” U.S. Circuit Judge David B. Sentelle said. He said it offered “precisely the same” functions as traditional telephone lines.

Here’s a Top 5 list of enterprise WiFi VOIP security issues, and some ways to guard against them:

Widespread deployment equals a security headache:
Because of the "ubiquity of deployment" in many enterprises, attacks can spread quickly and be targeted to take down multiple devices at once. IT managers should stay up to the minute with phone upgrades, and consider running phones over a separate physical or virtual LAN as a defense against these attacks.

Many points of attack:
As the phones get more sophisicated, so could the points of entry for malicious attacks increase. Bluetooth, email, client Web browsers, SMS, WiFi, media players, and image viewers could open back doors for hackers. Though users can use open-source and commercial tools to continually test their phones and networks, they’ll ultimately have to rely on vendors to do proactive testing on these devices.

"Some vendors may engage in this testing while the majority will not," warns Merdinger.

Targeting phones in public environments:
For example, a Bluetooth scanner could be hidden at the entrance to a major airport or train station and be used to grab user data. It may be best to keep Bluetooth and other wireless features swicthed off when not needed.

Rogue again:
Meanwhile, at the office and on the road, users and IT departments will have to keep their guard up and scan for rogue access points. Hackers will set up access points to specifically target WiFi phones in the corporate space as well as at hotels, conferences, and other places business people like to congregate. Good device authentication and encryption can help provide protection here.

Targeted attacks:
Targeted attacks on specific voice-over-wireless networks could also be an issue, albeit one that the victims may try to downplay. "There will be targeted attacks on VoIP networks [from hackers or competitors] that will be kept quiet if there is no legal requirement for disclosure or obvious public knowledge," Merdinger says.

Users, however, shouldn’t get in a snit about VOIP calls that are often unencrypted and therefore easier to listen in on. Unless attackers are targeting a specific user, it is much simpler to find useful information sent by the user or held on the phone than to listen in on calls, even if you’re the NSA.

"Most attackers are going to go after text information — much easier to parse for the juicy information," says Merdinger.

First, the lawsuits:

Last week, an alliance of Voice over Internet Protocol (VOIP) telephony providers and technology makers — including Sun Microsystems — filed a petition in federal court in Washington D.C. seeking to have the FCC’s rule requiring that all future Internet telephone systems be built to accommodate wiretapping technology.

Also:

Separately, the American Council on Education, which represents about 2,000 colleges and universities, filed an appeal of the rule on [October 24th] in federal court in Washington.

The education group said schools are willing to cooperate with the FBI, but that there are other ways to assist law enforcement rather than rewiring networks.

"We fear that the FCC order will make every college and university replace every router and every switch in their systems," said council senior vice president Terry Hartle. "The cost of doing that is substantial."

Moving on, here’s a summary of the proposed expansions / extensions of the Patriot Act:

• Roving wiretaps: Section 206 expands the 1978 Foreign Intelligence Surveillance Act to allow federal agents to wiretap several phone lines based on a single wiretap order, issued by the secret FISA court. The target of the roving wiretaps under 206 can be a “John Doe,” in contravention of previous court rulings that either the person or the place to be wiretapped must be “particularly described.”  These wiretaps don’t require after-the-fact justification to the court, though pending reauthorization would change that.

  Pre-PATRIOT wiretap law required that common carrier telecommunication firms that must provide wiretapping assistance be named in the warrant.  But PATRIOT vitiates that requirement, allowing the issuance of generic orders by the court and leaving the wiretapping agents to direct telecommunications providers to provide access to their systems.

  After stonewalling requests for information for a few years, the Department of Justice in March, with the sunset coming up, said this provision had been used 49 times. Competing PATRIOT reauthorization acts in the House and Senate would renew the provision for 10 and four years respectively.  The Senate bill would require more information about the target beforehand and add extensive public reporting on the use of roving wiretaps.

• VoIP and Voicemail: Section 209 makes it easier for the FBI to search “stored communications” without a wiretap order or in some cases without a search warrant.  Thought purportedly targeted at voicemail, this will apparently apply to VoIP (voice-over-Internet) calls that are cached in the process of travelling over networks.  Section 209 is set to be made permanent as well.

Also, here’s some interesting information from CourtTV on the history of wiretaps:

Wiretapping — so named because eavesdropping police placed metal clips on the analog wires that carried conversations — has a complex legal history.

A 1928 case, Olmstead v. United States, legitimized the practice, when the Supreme Court ruled it was acceptable for police to monitor the private calls of a suspected bootlegger.

Behind that 5-4 ruling, however, a seminal debate was raging. The dissenting opinion by Justice Louis Brandeis argued, among other things, that the government had no right to open someone’s mail, so why should a phone — or other technologies that might emerge — carry different expectations about privacy?

In 1967, as the dawn of the digital age was fulfilling Brandeis’ fears that other forms of technological eavesdropping would become possible, the Supreme Court reversed Olmstead. After that, authorities had to get a search warrant before setting wiretaps, even on public payphones.

That apparently hasn’t been much of a hindrance.

State and federal authorities have had 30,975 wiretap requests authorized since 1968, with only 30 rejections, according to the Electronic Privacy Information Center. Some 1,710 wiretaps were authorized last year, the most ever, with zero denied.

Since 1980, authorities also have been able to set secret wiretaps with the approval of the Foreign Intelligence Surveillance Court, which privacy watchdogs say requires a lower standard of evidence than the general warrant process. For the first two decades FISA orders numbered less than 1,000 annually; 2003 and 2004 each saw more than 1,700. Only four FISA applications have been rejected, all in 2003.

But technology began to pose obstacles in the 1980s, as old-fashioned telephone networks were giving way to digital switching systems that could also transmit information. Suddenly some wiretaps had to become virtual, using "packet sniffing" programs that spy on the splintered packets of data that make up network traffic.