Wednesday, January 11, 2006

Wiretapping and VOIP

At the intersection of telecom and national security, Susan Landau has an interesting piece, "Security, Wiretapping, and the Internet", in the IEEE Journal of Security and Privacy.

CALEA (Communications Assistance for Law Enforcement Act) of 1994 called for built-in wiretapping capabilities of even digitally-switched networks (circuit-switched but with computer control). In 2005, the FCC ruled in the FBI's favor that these capability requirements be applied to Voice over Internet Protocol (packet-switched) under the FBI's implementation-and-application management. This despite VOIP possibly falling under the exception to CALEA for "information services." Though from a purpose-point of view it is certainly telephony, it functions in a radically different way than old-fashioned central offices and tandem centers.

There are a few problems with this, Landau notes. First, it directly strikes at the ability of packet-switched networks to both innovate and remain secure. Built-in security weaknesses "deep in the protocol stack" are a nightmare for internet security, and thus for national security. Poorly-planned backdoors make us vulnerable to terrorist strikes--hackers disabled the Davis-Besse nuclear power plant safety monitors (the plant was off at the time), shut down the flight control systems of the Worcester Airport, and released untreated sewage in Maroochy Shire, Australia. (Even more likely is that the weakness will be exploited to commit corporate information piracy.) It also weakens the position of US companies as innovaters, forcing us to build in complexity and weakness to our systems no one else wants. While the old-fashioned Public Switched Telephone Network had simple endpoints (just telephones) and a complicated routing architecture, the internet is "smart at the endpoints" and stupid in the middle. This transmission simplicity means that the internet can handle any new application the endpoint computers ask it for. If that simplicity is subject to new requirements, the entire architecture and evolution of the internet is in the hands of the FBI, not really known for their technological ability.

Second, this program will be under the FBI's oversight. That presents vastly different privacy issues than foreign intelligence gathering. The Patriot Act expanded FISA-rules (a low bar to start with) from pure foreign intelligence operations to any investigation where foreign intel was a "significant" purpose. While I am not in favor of a "libertarian panic" here, it does seem that the combination of all these new regulations is likely having effects on privacy that are not really well understood.

I highly recommend the Landau piece. She continues to write on these subjects, so I'm sure she'll be following this issue as the FCC ruling is challenged and interpreted.


Post a Comment

<< Home