FBI targets Net phoning

Internet phone calls are becoming a national security threat that must be countered with new wiretap rules, according to an FBI proposal presented to regulators this month.

Declan McCullagh Former Senior Writer
Internet telephone calls are fast becoming a national security threat that must be countered with new police wiretap rules, according to an FBI proposal presented quietly to regulators this month.

Representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., have met at least twice in the past three weeks with senior officials of the Federal Communications Commission to lobby for proposed new Internet eavesdropping rules. The FBI-drafted plan seeks to force broadband providers to provide more efficient, standardized surveillance facilities and could substantially change the way that cable modem and DSL (digital subscriber line) companies operate.

The new rules are necessary, because terrorists could otherwise frustrate legitimate wiretaps by placing phone calls over the Internet, warns a summary of a July 10 meeting with the FCC that the FBI prepared. "Broadband networks may ultimately replace narrowband networks," the summary says. "This trend offers increasing opportunities for terrorists, spies and criminals to evade lawful electronic surveillance."

In the last year, Internet telephony (also called voice over Internet Protocol, or VoIP) has grown increasingly popular among consumers and businesses with high-speed connections. Flat-rate plans cost between $20 and $40 a month for unlimited local and long-distance calls. One of the smaller VoIP providers, Vonage, recently said it has about 34,000 customers and expects to have 1 million by late 2004.

According to the proposal that the FCC is considering, any company offering cable modem or DSL service to residences or businesses would be required to comply with a thicket of federal regulations that would establish a central hub for police surveillance of their customers. The proposal has alarmed civil libertarians who fear that it might jeopardize privacy and warn that the existence of such hubs could facilitate broad surveillance of other Internet communications such as e-mail, Web browsing and instant messaging.

Under existing federal wiretapping laws, the FBI already has the ability to seek a court order to conduct surveillance of any broadband user through its DCS1000 system, previously called Carnivore. But the bureau worries that unless Internet providers offer surveillance hubs based on common standards, lawbreakers can evade or, at the very least, complicate surveillance by using VoIP providers such as Vonage, Time Warner Cable, Net2Phone, 8X8, deltathree and DigitalVoice.

Digital wiretapping
The origins of this debate date back nine years, to when the FBI persuaded Congress to enact a controversial law called the Communications Assistance for Law Enforcement Act, or CALEA. Louis Freeh, FBI director at the time, testified in 1994 that emerging technologies such as call forwarding, call waiting and cellular phones had frustrated surveillance efforts.

Congress responded to the FBI's concern by requiring that telecommunications services rewire their networks to provide police with guaranteed access for wiretaps. Legislators also granted the FCC substantial leeway in defining what types of companies must comply. So far, the FCC has interpreted CALEA's wiretap-ready requirements to cover only traditional analog and wireless telephone service.

"I think the FCC has a lot of room here," said Stewart Baker, a partner at Steptoe & Johnson who represents Internet service providers. "CALEA was written knowing that there would be new technologies for telecommunications." Baker, the former general counsel of the National Security Agency, said it was not clear whether the FBI had yet been frustrated by problems when wiretapping VoIP calls.

Derek Khlopin, regulatory counsel at the Telecommunications Industry Association, whose members include Cisco Systems, Ericsson, Lucent Technologies, Motorola and Nortel Networks, said what the FBI is "worried about is, when you have voice over DSL, if there's a way someone could say they're not subject to CALEA."

In a letter to the FCC, the FBI wrote: "CALEA applies to telecommunications carriers providing DSL and other types of wireline broadband access."

Some members of Khlopin's trade association, such as Cisco, already manufacture products that follow CALEA guidelines. Khlopin said his group did not have a position on the FBI's request, but suggested that "CALEA is not the only way that law enforcement can get the bad guys."

The FBI's proposal has drawn criticism in regard to privacy issues.

A representative of DSL provider Speakeasy said the company "does not support the extension of CALEA to ISPs, because the proposal appears to run counter to our commitment to protect our subscribers' privacy first and foremost. We certainly will be closely monitoring the progression of this particular proposal."

Barry Steinhardt, director of the American Civil Liberties Union (ACLU)'s technology and liberty program, said the FCC could not legally extend CALEA to cover the Internet without additional action by Congress. "CALEA does not apply to 'information services,' which was the then term of art for the Internet," Steinhardt said. "Voice over IP is just that, a voice service over the Net. CALEA should not, and so far has not, applied to VOIP."

The FBI proposal is before the FCC, which has jurisdiction over DSL and cable modem providers and is expected to rule on the matter this fall. "It's pending before the commission, and we plan to address the question," an FCC spokesman said.

How to follow the law
It's unclear what a broadband provider must do if the FCC extends CALEA's reach, and the regulations survive a possible court challenge from privacy groups such as the ACLU or network providers who do not wish to comply.

Martin King, an attorney in the FBI's general counsel's office who attended the July 10 meeting, said the bureau would not elaborate on its request to the FCC. "On this particular matter, we are going to decline to comment," King said.

Colleen Boothby, a former FCC official who is now a partner at Levine, Blaszak, Block & Boothby, said the implications of the FBI's proposal would vary based on how a broadband provider's system is configured.

"It's going to depend on what facilities they have," Boothby said. "When designing systems and configuring software and hardware, they have to preserve the government's ability to eavesdrop. Does it mean physical electrical closets? Does it mean an extra server in a secure room? It means as many varied things as there are variations in network design."

Lawrence Plumb, a spokesman for Verizon Communications, said: "How does a service provider architect its broadband network and equipment to be CALEA-compliant? The exact answer to 'how' isn't known."

Companies would be reimbursed for their costs to comply with CALEA. When enacting the law, Congress earmarked $500 million to reimburse telephone and cellular providers for their expenses.

Police encountered similar problems when wiretaps on customers using data services such as mMode from AT&T Wireless and PCS Vision from Sprint PCS could intercept only voice communications. Earlier this year, VeriSign, Cisco and other members of an industry consortium announced a set of products that would permit police to eavesdrop on wireless data transmissions.

FBI meetings
The FBI appears to have first presented its proposal to the FCC last year. But in the July 10 and July 22 meetings, the bureau extended it to say that if broadband providers cannot isolate specific VoIP calls to and from individual users, they must give police access to the "full pipe"--which, by including the complete simultaneous communications of hundreds or thousands of customers, could raise substantial privacy concerns.

A summary of the meeting prepared by the FBI said the FCC could "require carriers to make the full pipe available and leave law enforcement to perform the required minimization. This approach is already used when ISPs provide non-CALEA technical assistance for lawfully ordered electronic surveillance."

The July 22 meeting at the FCC included John Pignataro, deputy superintendent of Maryland's state police force, two attorneys for the FBI's Electronic Surveillance Technology Section, and Leslie Szwajkowski, the head of that section's policy unit. They met with a senior advisor to FCC Commissioner Kevin Martin. During the July 11 meeting, FBI representatives met with 10 officials from the FCC's Wireline Competition Bureau, its Media Bureau and the Office of Strategic Planning and Policy Analysis.

The meetings, according to summaries prepared by the FBI, stressed that "broadband telephony involves packet-mode communications, which are more difficult to intercept than circuit-mode communications. The need for CALEA-standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication."

In an interview, however, a Vonage representative said the VoIP provider had never received a request from a police agency to do a live voice interception, though the company has been served with subpoenas for stored customer information. "We have been subpoenaed, I believe, several times for call records and call data," Vonage's Brooke Schulz said. "We've responded to those subpoenas very, very quickly. Because of the way our service is set up, we have all this data on hand, and it's very easy to do."

Schulz said if Vonage were to receive a proper request to perform a live voice interception, it would be trivial to comply with, because all the company's VoIP calls flow through central servers. "We are able to copy the data stream and send it in tandem to another location," Schulz said. "You can essentially send it to the law enforcement agency you need to send it to, as long as they have the proper equipment and the proper interconnect."

Because Vonage's network already is accessible to police armed with a legal wiretap order, Schulz said she was mystified by the FBI's proposal to the FCC. "We really don't know where it's coming from," she said.

Why the proposal?
The FBI declined to elaborate on the justification for its proposal. An FBI agent who attended the pair of meetings and spoke on condition of anonymity said that "if it's pending, we don't want to be talking about it."

One explanation for the proposal is that not all VoIP networks flow through a service that can be readily wiretapped. For instance, Pulver.com's Free World Dialup connects about 38,000 subscribers in 150 countries who typically use Cisco ATA-186 and Cisco 7960 VoIP phones to talk to each other directly.

The best place to intercept those types of VoIP calls would likely be at the user's broadband provider.

A second explanation for the FBI's proposal is that, by requiring broadband providers to comply with CALEA, police would have an easier time wiretapping other types of Internet communications such as e-mail, Web browsing and instant-messaging services.

David Sobel, general counsel of the Electronic Privacy Information Center, said: "It seems that current practices are providing the government with full access" to VoIP calls.

Baker, the CALEA attorney at Steptoe & Johnson, said: "It would be very difficult to set up a network so that you could only intercept voice packets and not the others. The likely result here is that you'll have modifications that are useful for law enforcement not just for voice packets but for other packets as well."

Yet another reason for the FBI's proposal, Baker said, is that the bureau is very interested in details about a VoIP phone call, not just the conversation itself. Those details, such as who was on the call, are called "punch list items" according to CALEA. "It's not about content but about getting call-identifying information or traffic analysis," Baker said. "Who was on the line, how long they stayed on, who did they put on hold--things like that. The FBI has always wanted to get that information served up very neatly, promptly and conveniently."

Some Internet providers have welcomed the FBI as an ally on this issue, which has arisen as part of an FCC proceeding over broadband deregulation and how to classify Internet access. By lobbying the FCC, the bureau is essentially seeking to expand the scope of CALEA, which says telecommunications services must ensure that their equipment and facilities are capable of "expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization," to intercept all communications from a specific customer.

FCC Chairman Michael Powell has indicated that he would like to move more Internet access services into the category of "information services," which have fewer regulations and likely would not be subject to CALEA. That alarms DSL providers such as EarthLink, which fear that deregulation means that former Baby Bells such as Verizon and BellSouth will raise their rates for access to the copper wire that runs to telephone subscribers' homes.

"The FBI is really an ally of sorts," said David Baker, EarthLink's vice president for law and public policy. "They're saying to the FCC, look, you guys are thinking of classifying everything as an information service, but you have to be aware of the implications."

EarthLink's Baker said "we're already seeing anticompetitive activities on the part of the phone companies even under the current rules. You do away with those rules, and you're ensuring that customers will have no choice but DSL provided by the phone company." Unless the FBI's proposal succeeds, he said, "everything that travels over a DSL connection, be it voice or e-mail, would be out of the reach of law enforcement. That would be a tremendous loophole and a breach of national security."