Technologists assail federal Net-tapping rules

A 21-page study (click for PDF) to be released Tuesday says it's impossible for the government to expect all products that use voice over Internet protocol, or VoIP, to comply with the Federal Communications Commission's September 2005 requirement mandating wiretapping backdoors for government surveillance. That requirement is backed by the Bush administration.

The study, organized by the Information Technology Association of America, says that because VoIP relies on a fundamentally different network architecture from that of traditional phone lines, such a mandate would pose "enormous costs" to the industry and could even introduce significant security risks.

The nine contributors included Vint Cerf, Google's chief Internet evangelist and one of the Net's founding fathers; Steven Bellovin and Matt Blaze, both prominent computer security professors who specialize in security; Clinton Brooks, a former National Security Agency official; and engineers from Sun Microsystems and Intel.

The report follows a ruling Friday by a federal appeals court in Washington, D.C., that upheld the legality of the FCC's wiretapping regulations. Librarians, community colleges, and companies including Sun had challenged the rules, saying the FCC did not have the authority to extend the Communications Assistance for Law Enforcement Act, or CALEA, to the Internet. (The decision may be appealed.)

Even without the FCC rules that are scheduled to take effect in May 2007, police have the legal authority to conduct Internet wiretaps--that's precisely what the FBI's Carnivore system was designed to do. Still, the FBI has claimed, the need for "standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication."

The controversy over the FCC mandatory wiretapping regulations comes as the Bush administration is facing increasing congressional pressure, especially from Sen. Arlen Specter, a Pennsylvania Republican, over its telephone and Internet surveillance program overseen by the National Security Agency. AT&T is being sued in a separate case in San Francisco over allegations that it cooperated in a way that violated federal privacy laws.

The nature of VoIP could also elevate the risk that authorities aren't eavesdropping on the person they originally had in mind, the ITAA report's authors argue. Because it's theoretically simple for an individual to acquire multiple VoIP phone numbers, "recognizing and tracking the multiple identities that are so natural to the Internet lifestyle would be taxing."

In addition, the study says, allowing full access by law enforcement would almost certainly require overhauling inherently decentralized networks to allow for certain points where interception would take place--and open up new security risks in the process. That's because such an arrangement would arguably make it easier for hackers to capture identity information and passwords, engage in "man-in-the-middle alteration of data," or potentially spoof the communications going on.

"It's sort of like if you were chasing someone and you knew they had to go over a particular bridge," said Mark Uncapher, a senior vice president at ITAA.

Though there may be some security concerns, the benefits of mandating wiretapping access outweigh the costs, said Tim Richardson, senior legislative liaison for the Fraternal Order of Police. (Many police organizations, including the National Sheriffs' Association, the Police Executive Research Forum, the Illinois State Police and the Tennessee Bureau of Investigation petitioned the FCC in favor of the wiretapping rules.)

"If that was going to increase the propensity for crime, that's something that law enforcement would take a look at," Richardson said. "But the adaptability of technology is so great in this day and age that I have a high degree of faith in the initiative that (companies would employ to find something) that's not as costly and doesn't compromise the security of their networks."

Complexities involved in meeting such a mandate exist on a number of levels, the ITAA report said. One problem is that, in contrast to traditional telephones, whose calls can virtually always be traced to a centralized switching location, VoIP users are often nomadic.

"The paradigm of VoIP intercept difficulty is a call between two road warriors who constantly change locations and who, for example, may call from a cafe in Boston to a hotel room in Paris and an hour later from an office in Cambridge to a gift shop at the Louvre," the report says, and adds that building in mandatory wiretapping hubs for real-time interception is so expensive that it could put smaller companies out of business.