Interesting People mailing list archives
Wiretapping Technology vs. Wiretapping Laws
From: David Farber <dave () farber net>
Date: Wed, 10 Aug 2005 13:52:14 -0400
Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: August 10, 2005 11:39:26 AM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Wiretapping Technology vs. Wiretapping Laws

Dave,

Let me be even more explicit about this. In my recent message regarding the FCC's VoIP CALEA order, I said nothing about the technical issues involved in tapping Internet-only VoIP calls. I was only discussing the various interpretations of the new CALEA order, and whether or not that order might be applied to Internet-only calls conducted via services covered by that order, as opposed to their calls that are both VoIP *and* terminate on the public switched telephone network (PSTN).

As far as actually tapping Internet-only VoIP calls is concerned, there really are only a few basic cases:

1) VoIP call has at least one leg that terminates on the PSTN. The Internet portion of the call may or may not be encrypted (or strongly encrypted).

Result: Tapping is possible and relatively trivial for that call. The tap can be located at the Internet<->PSTN interface and there's no need to deal with Internet data at all other than addressing and control information that can be obtained from the service provider (remember, we're talking about legal wiretaps under order in these examples; illegal wiretaps will take varying amounts of extra work -- often not very much more work). Internet voice data encryption is irrelevant in this case.

2) VoIP call is Internet-only but is *not* encrypted (or is trivially encrypted, or is strongly encrypted but keys are available to the service provider and/or other external entities), with call voice data routing controlled by the central service.

Result: Tapping is possible and relatively trivial for that call. Encryption is not a major issue in this case, and the service provider can be ordered to arrange for the call voice data to be routed in such a way that a copy is available in real time for the monitoring entity.

Note that this case also can be used to define the situation where a VoIP call with no encryption or weak encryption is being made independent of a service provider. In this case, the monitoring entity will need to arrange for direct monitoring of the targets' data via their ISPs. This is obviously undesirable compared with the case of the data being controlled by a service provider, since it's more work (especially in a roving case). But it can still be done in a practical manner.

3) VoIP call is Internet-only but is strongly encrypted using keys unavailable to the service provider or other external entities. Call may be routed independently of any service provider or may be routed by a service provider.

Result: Tapping is difficult, perhaps very difficult, perhaps impossible in a practical sense. If strong encryption is in use, the routing of the call ceases to be an issue, since the heavily encrypted data will not allow monitoring of the call, unless it can be decrypted within a useful time frame. Note that traffic analysis (who is calling, where are they calling, how often, etc.) may still be easily possible in this case, depending upon how that data is being handled (encrypted or in the clear?) and routed.

Also, it should be obvious that if a monitoring entity is willing and able to surreptitiously install specialized software or hardware within a target's PC, then all bets are off and one must assume that essentially unlimited monitoring will be possible irrespective of the factors listed above.

That's pretty much the entire ball game. Assuming that we're not dealing with the surreptitious installation case that I just mentioned, then strong encryption, with the keys unknown to any service provider or other external entity, represents the only reasonably reliable means to prevent practical wiretapping, regardless of whether the calls are VoIP Internet-only or not.

- - -

Russian Spy: "Are you trying to tell me that every phone in the country is tapped?"
American Spy: "That's what's in my head..."
Russian Spy: "But Don! This is AMERICA... not RUSSIA!"

--- "The President's Analyst" (1967)

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com