[Infowarrior] - Big brother wants a window into VoIP at any cost

Richard Forno rforno at infowarrior.org
Fri Jul 28 09:43:19 EDT 2006


 Big brother wants a window into VoIP at any cost

7/27/2006 5:56:16 PM, by Nate Anderson
http://arstechnica.com/news.ars/post/20060727-7372.html

The Communications Assistance for Law Enforcement Act (CALEA), passed in
1994, has powered its way back onto the front page this summer, and if you
1) live in the US and 2) pay taxes, you might soon be paying to implement
it. And if you're a drug-dealing mobster, you might soon be experiencing it.

The FBI wants the ability to tap VoIP calls. To do this, the agency also
wants access to all of your network traffic--and it looks like it's on the
way to getting it. Following a long set of legal battles, the US Court of
Appeals in June upheld 2-1 a newer and broader definition of CALEA's scope
that could affect every university and library in the country.

While the case may not be fully settled until the Supreme Court hears it,
the Justice Department has announced plans to cut the legs out from beneath
it. The DoJ proposed a series of amendments to the original legislation
which explicitly give the FBI the authority it seeks. Unfortunately for
network operators, these amendments could be costly--and the government has
no plans to help them foot the bill. If either 1) the amendments pass or 2)
the courts uphold the FCC decision, CALEA will open the floodgates for easy
government surveillance of Internet activity, and it could cost taxpayers a
bundle.

What's included in the amendments, and how might they affect you? Let's take
a look.

From cell phones to VoIP

The FBI wanted greater access to cellular phones in the early 1990s, when
the technology was still in its infancy. Congress gave it to them in
CALEA, a law intended to update surveillance authority for new forms of
communication. The FBI has taken full advantage of that new authority; in
2005, 91 percent of all government intercepts involved portable
devices--mainly mobile phones.

But soon after the new law was written, technology leaped ahead. When the
rise of broadband connections and VoIP services became too great to ignore
any longer, the FBI pushed to expand CALEA's scope, claiming that it needed
the new authority to keep up with high-tech criminals. In a 5-0 vote back in
2004, the FCC voted in favor of the FBI's proposals and opened the door to
"wiretaps" of broadband networks, which had previously been excluded from
wiretapping requirements.

The new proposals caused controversy because CALEA had included a series of
exemptions for Internet systems. The FBI argued that Congress had never
meant to preclude the agency from tapping VoIP calls, and the FCC eventually
agreed. The EFF, the Center for Democracy & Technology, and other groups
opposed the move to extend the law to the Internet. A lawsuit was filed
against the FCC which claimed that the regulator had overstepped its
authority and had gone beyond the plain spirit of the law.

The courts have now ruled in favor of the FCC, which means that most network
operators will need to make their systems wiretap-friendly in 2007. Because
of the way the rules were drawn up, the CALEA requirements extend to
universities, public libraries, and other institutions that operate networks
connected to the public Internet. The rules also make clear that the
government will not reimburse operators for the necessary network upgrades.

In the past, the FCC specifically elected to classify broadband Internet as
a data service rather than a communications service in order to rationalize
deregulation. Expanding the scope of CALEA to include Internet surveillance
seems somewhat contradictory, since the language of CALEA clearly indicates
that the law was intended only for communications services.

Universities have been vocal critics of the new rules, claiming they will be
fabulously expensive to implement. The government responded by allowing
institutions to route all traffic through a Trusted Third Party (TTP) that
would handle the necessary filtering and compliance. Costs for such a
service could be far lower than the alternative, but this would involve
passing all the traffic over a campus network to a private company, and not
every university will be excited by the prospect.

New CALEA amendments

The government hopes to shore up the legal basis for the program by passing
amended legislation. The EFF took a look at the amendments and didn't like
what it found.

    According to the Administration, the proposal would "confirm [CALEA's]
coverage of push-to-talk, short message service, voice mail service and
other communications services offered on a commercial basis to the public,"
along with "confirm[ing] CALEA's application to providers of broadband
Internet access, and certain types of 'Voice-Over-Internet-Protocol'
(VOIP)." Many of CALEA's express exceptions and limitations are also
removed. Most importantly, while CALEA's applicability currently depends on
whether broadband and VOIP can be considered "substantial replacements" for
existing telephone services, the new proposal would remove this limit.

Also interesting is section 103e, which deals with "network access service
assistance requirements." The entire section was added to clarify what,
exactly, network operators need to do in order to make their networks
wiretap-friendly. The government realizes that it would pose an undue burden
on carriers to make them responsible for "looking inside" each packet and
filtering it based on content. Instead, the law directs operators to grab
the full "stream of wire or electronic communications"--in other words, all
network data transmitted by an individual.

This stream would then be passed to the government, which would have the job
of sifting through it and extracting only the information covered by the
court order (VoIP, e-mail, etc.). A government analysis of this section
concludes that such a data stream might be too much for the government to
handle in real-time. The analysis notes that "some temporary storage or
buffering may be necessary" and network operators must "be capable of
storing communications and other information or time period specified by the
law enforcement agency as necessary to effectuate the interception or
access."

This provision worries the EFF. One of their lawyers tells Ars that "the
bill will put the technology in place to buffer packet streams, and places
the job of filtering those streams under government control. We know from
the NSA warrantless wiretapping program that the government is not limiting
itself to access to under court orders, and the CALEA bill must be
considered in light of the capacity it generates."

Although the new CALEA amendments make clear that this buffering and
filtering will only be used under court supervision, the EFF is justifiably
concerned that putting this technology in place on such a broad scale opens
the door for abuse. If Congress enacts these CALEA provisions, surveillance
can be ordered and analyzed from the comfort of FBI headquarters. Given how
easy this could make wiretaps, and given the potential cost of
implementation, the question remains: is the new program needed?

"Surveillance state?"

Each year, the Administrative Office of the United States Courts issues a
report on wiretapping. The 2005 version makes for fascinating reading, and
throws cold water on the idea that the government conducts massive
wiretapping operations of 'Net activity. It also throws cold water on the
idea that wiretap applications are hard to get.

1,773 intercepts were recorded last year, while a single one was rejected by
the courts. Though many people imagine that "the Feds" do the bulk of such
surveillance, the report shows that state police and prosecutors requested far
more wiretaps than did their federal counterparts (1,148 to 625). Wiretap
operations take, on average, 43 days, though the largest investigation of
the year (involving mobsters in New York) took 287 days and netted 51,712
cell phone calls. Encryption was encountered only 13 times, all of them by
state officials. None of the encryption systems prevented authorities from
getting at the "plain text" of the messages.

The vast majority of all wiretaps targeted cellular phones. Electronic taps
accounted for only 23 cases, and only eight of those involved computers.
This fact alone calls the CALEA expansion into question. If the government
does so little electronic surveillance, and has no trouble getting the
required court orders, why is it necessary to force every major computer
network in the country to spend money to become wiretap-friendly?

The FBI can do taps without the new CALEA authority, after all; that was the
whole point behind the development of its Carnivore system (the agency now
uses off-the-shelf tools). While this requires more work to set up each time
a tap is needed, it was done fewer than 10 times last year--hardly a burden
for the agency.

Court-sanctioned searches aren't the only kind

One of the most interesting bits in the 2005 wiretapping report concerned
the nature of the alleged offenses. Most of the wiretaps--81 percent--dealt
with drug crimes. Second on the list was racketeering. Homicide came third.
Gambling was fourth. What's missing here? Terrorism.

Given the government's current preoccupation with ferreting out terrorists
and stopping potential attacks in their planning stages, it's interesting
that terrorism doesn't show up more frequently (it's not even a category on
the official chart). Obviously, this raises questions. Is the government
truly doing few terrorism-related wiretaps? Or is such information being
gained without judicial oversight?

The EFF and other civil liberty groups believe that the latter is true. The
public's odds of getting definitive answers wouldn't look good to a Vegas
gambler, especially after the recent dismissal of the ACLU's case against
AT&T, but there's still the possibility that some information will come to
light. The EFF's case against the telecom giant is still alive, and it may
only be through such cases that the public ever learns just how much of its
government's surveillance goes on without oversight--and whether it wants to
trust that same government with even broader powers.



