[Infowarrior] - Technologists assail federal Net-tapping rules

Tue Jun 13 08:37:56 EDT 2006

Technologists assail federal Net-tapping rules

By Declan McCullagh
http://news.com.com/Technologists+assail+federal+Net-tapping+rules/2100-1028
_3-6083066.html

Story last modified Mon Jun 12 21:00:05 PDT 2006

Federal regulations saying that police must be able to tap into Internet
phone conversations with ease are coming under renewed attack from
academics, engineers and one of the Net's founding fathers.

A 21-page study to be released Tuesday says it's impossible for the
government to expect all products that use voice over Internet protocol, or
VoIP, to comply with the Federal Communications Commission's September 2005
requirement mandating wiretapping backdoors for government surveillance.
That requirement is backed by the Bush administration.
Listening in

The study, organized by the Information Technology Association of America,
says that because VoIP relies on a fundamentally different network
architecture from that of traditional phone lines, such a mandate would pose
"enormous costs" to the industry and could even introduce significant
security risks.

The nine contributors included Vint Cerf, Google's chief Internet evangelist
and one of the Net's founding fathers; Steven Bellovin and Matt Blaze, both
prominent computer security professors who specialize in security; Clinton
Brooks, a former National Security Agency official; and engineers from Sun
Microsystems and Intel.

The report follows a ruling Friday by a federal appeals court in Washington,
D.C., that upheld the legality of the FCC's wiretapping regulations.
Librarians, community colleges, and companies including Sun had challenged
the rules, saying the FCC did not have the authority to extend the
Communications Assistance for Law Enforcement Act, or CALEA, to the
Internet. (The decision may be appealed.)

Even without the FCC rules that are scheduled to take effect in May 2007,
police have the legal authority to conduct Internet wiretaps--that's
precisely what the FBI's Carnivore system was designed to do. Still, the FBI
has claimed, the need for "standardized broadband intercept capabilities is
especially urgent in light of today's heightened threats to homeland
security and the ongoing tendency of criminals to use the most clandestine
modes of communication."

The controversy over the FCC mandatory wiretapping regulations comes as the
Bush administration is facing increasing congressional pressure, especially
from Sen. Arlen Specter, a Pennsylvania Republican, over its telephone and
Internet surveillance program overseen by the National Security Agency. AT&T
is being sued in a separate case in San Francisco over allegations that it
cooperated in a way that violated federal privacy laws.

The nature of VoIP could also elevate the risk that authorities aren't
eavesdropping on the person they originally had in mind, the ITAA report's
authors argue. Because it's theoretically simple for an individual to
acquire multiple VoIP phone numbers, "recognizing and tracking the multiple
identities that are so natural to the Internet lifestyle would be taxing."

In addition, the study says, allowing full access by law enforcement would
almost certainly require overhauling inherently decentralized networks to
allow for certain points where interception would take place--and open up
new security risks in the process. That's because such an arrangement would
arguably make it easier for hackers to capture identity information and
passwords, engage in "man-in-the-middle alteration of data," or potentially
spoof the communications going on.

"It's sort of like if you were chasing someone and you knew they had to go
over a particular bridge," said Mark Uncapher, a senior vice president at
ITAA.

Though there may be some security concerns, the benefits of mandating
wiretapping access outweigh the costs, said Tim Richardson, senior
legislative liaison for the Fraternal Order of Police. (Many police
organizations, including the National Sheriffs' Association, the Police
Executive Research Forum, the Illinois State Police and the Tennessee Bureau
of Investigation petitioned the FCC in favor of the wiretapping rules.)

"If that was going to increase the propensity for crime, that's something
that law enforcement would take a look at," Richardson said. "But the
adaptability of technology is so great in this day and age that I have a
high degree of faith in the initiative that (companies would employ to find
something) that's not as costly and doesn't compromise the security of their
networks."

Complexities involved in meeting such a mandate exist on a number of levels,
the ITAA report said. One problem is that, in contrast to traditional
telephones, whose calls can virtually always be traced to a centralized
switching location, VoIP users are often nomadic.

"The paradigm of VoIP intercept difficulty is a call between two road
warriors who constantly change locations and who, for example, may call from
a cafe in Boston to a hotel room in Paris and an hour later from an office
in Cambridge to a gift shop at the Louvre," the report says, and adds that
building in mandatory wiretapping hubs for real-time interception is so
expensive that it could put smaller companies out of business.