Thursday, June 22, 2006

Extending CALEA to VoIP: a bad idea

The Information Technology Association of America (ITAA) has issued a report on “Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP” (21-page PDF) by Steven Bellovin, Matt Blaze, Ernest Brickell, Clinton Brooks, Vinton Cerf, Whitfield Diffie, Susan Landau, Jon Peterson, and John Treichler. This report comes at a time when the FCC and courts have already ruled that VoIP and facilities-based broadband providers must provide lawful interception capabilities under CALEA for VoIP services that are “interconnected” with the publicly-switched telephone network (PSTN).

The report effectively argues that in order to extend CALEA compliance to VoIP, “it is necessary either to eliminate the flexibility that Internet communications allow—thus making VoIP essentially a copy of the PSTN—or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous.”

The report gives a good basic explanation of VoIP (which comes in a variety of possible flavors), an explanation of pre-CALEA wiretapping and current CALEA wiretapping (including cellular telephone wiretapping and roving wiretaps), and then describes the similarities and differences between the Internet and the PSTN.

It then describes the issues of security raised by applying CALEA to VoIP and the risks to innovation created by applying CALEA to VoIP.

Two of the key problems for applying CALEA to VoIP are:

  • VoIP mobility. A VoIP phone can be plugged in anywhere on the Internet, for non-facilities-based VoIP providers like Vonage. The network that connects the VoIP phone to the Internet—which is the one in a position to intercept the call data--need not be the network of the VoIP provider, or have any relationship with the VoIP provider.
  • VoIP identity agility. A VoIP user can have multiple VoIP providers and easily switch between them from moment to moment. The owner of the Internet access network is not in a position to know which VoIP provider(s) a user is purchasing service from. It can observe which VoIP providers the user connects to directly, but not if the VoIP user is sending encrypted traffic through proxies.

Further problems are caused by the fact that the communication between two VoIP phones is peer-to-peer, and the routing of a call at the IP layer can change mid-call. Because of the former issue, the call contents may not traverse the VoIP provider's network, and thus it will not be in a position to intercept (unless it behaves like the PSTN, forcing the call contents to also come through its network, using SIP proxies/RTP relays). In order to truly be able to intercept all VoIP calls using VoIP as it is designed, there would have to be cooperation between the VoIP user’s access provider of the moment (which could be any Internet provider—a WiFi hotspot, a friend’s ISP, a hotel’s Internet connection) and the VoIP provider being used—but law enforcement may not be in a position to know either of these. The kind of cooperation required would have to be very rapid, with interception equipment and systems already in place and able to eavesdrop wherever the voice traffic may flow, upon appropriate request. This would require extensive coordination across every VoIP and Internet provider in the United States of a sort that doesn’t exist today. It would require extremely careful design and implementation to avoid creating vulnerabilities that would allow this incredibly complex infrastructure to be exploited by unauthorized users--but with so many parties involved, I think that's a pipe dream. This incident with cellular telephony in Greece shows what can already happen today with unauthorized parties exploiting CALEA technology.
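To make the signalling-versus-media split concrete, here is a small Python model of a SIP call setup. It is an added illustration, not code from the ITAA report or from any VoIP product, and every name and address in it is made up. The provider's proxy always sees the INVITE (so it can build a call detail record: who called whom, and which call), but the SDP body tells the far end where to send RTP, and by default that is the caller's own access-network address, so the media never touches the provider. Only if the proxy rewrites the SDP to point at its own RTP relay (the "SIP proxies/RTP relays" option above, which emulates the PSTN) does the call content pass through a point the provider controls. The same model shows why call detail records are easy and content interception is hard, the distinction raised later in the comments.

```python
import re

# Constructed sample INVITE (all names and addresses are made up): Alice's phone,
# plugged into a hotel network at 10.20.0.5, sends the call setup to her VoIP
# provider's SIP proxy. The SDP body offers the address where she will receive RTP.
INVITE = """INVITE sip:bob@voip.example SIP/2.0
Via: SIP/2.0/UDP 10.20.0.5:5060
From: <sip:alice@voip.example>;tag=1928301774
To: <sip:bob@voip.example>
Call-ID: a84b4c76e66710@10.20.0.5
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 10.20.0.5
s=-
c=IN IP4 10.20.0.5
t=0 0
m=audio 49170 RTP/AVP 0
"""

PROXY_IP = "203.0.113.5"  # the provider's SIP proxy (made-up address)


def parse_sip(msg):
    """Split a SIP message into (request line, header dict, body)."""
    head, _, body = msg.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def sip_user(header_value):
    """Pull 'user@domain' out of a From/To header such as '<sip:alice@x>;tag=1'."""
    return re.search(r"<sip:([^>;]+)>", header_value).group(1)


def media_endpoint(sdp):
    """Return the (ip, port) the SDP offer asks the far end to send RTP to."""
    ip = re.search(r"^c=IN IP4 (\S+)$", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))
    return ip, port


def call_detail_record(msg):
    """What the provider learns from signalling alone: who called whom, which call."""
    _, headers, _ = parse_sip(msg)
    return {"caller": sip_user(headers["from"]),
            "callee": sip_user(headers["to"]),
            "call_id": headers["call-id"]}


class MediaRelay:
    """Provider-side RTP relay. Each allocated port forwards to one real endpoint,
    so media anchored here passes through the provider's network."""

    def __init__(self, ip, first_port=40000):
        self.ip = ip
        self.next_port = first_port
        self.sessions = {}  # relay port -> (real ip, real port)

    def allocate(self, real_endpoint):
        port = self.next_port
        self.next_port += 2  # RTP conventionally uses even ports, RTCP port+1
        self.sessions[port] = real_endpoint
        return port


def proxy_forward(msg, relay=None):
    """Forward the INVITE toward the callee, as the provider's proxy would.

    Signalling always traverses the proxy (a Via header is added). The media path
    is left peer-to-peer unless a relay is given, in which case the SDP is
    rewritten so the callee sends RTP to the relay instead of to Alice directly.
    (Only the caller's leg is shown; the callee's answer would be anchored the same way.)
    """
    head, _, sdp = msg.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    header_lines.insert(0, f"Via: SIP/2.0/UDP {PROXY_IP}:5060")
    if relay is not None:
        relay_port = relay.allocate(media_endpoint(sdp))
        sdp = re.sub(r"^c=IN IP4 \S+$", f"c=IN IP4 {relay.ip}", sdp, flags=re.M)
        sdp = re.sub(r"^m=audio \d+ ", f"m=audio {relay_port} ", sdp, flags=re.M)
    return "\n".join([request_line, *header_lines]) + "\n\n" + sdp


def provider_on_media_path(forwarded_msg, relay):
    """True if the callee's RTP will go to the provider's relay rather than to Alice."""
    ip, port = media_endpoint(parse_sip(forwarded_msg)[2])
    return relay is not None and ip == relay.ip and port in relay.sessions


if __name__ == "__main__":
    print("CDR from signalling:", call_detail_record(INVITE))
    p2p = proxy_forward(INVITE)
    print("media endpoint, peer-to-peer:", media_endpoint(parse_sip(p2p)[2]))
    relay = MediaRelay("203.0.113.10")
    anchored = proxy_forward(INVITE, relay)
    print("media endpoint, anchored:", media_endpoint(parse_sip(anchored)[2]))
    print("provider on media path:", provider_on_media_path(anchored, relay))
```

Run as-is and the peer-to-peer case reports Alice's hotel address as the media endpoint, while the anchored case reports the relay. Note that the anchored SDP looks different from the unanchored one, which is exactly the "way to distinguish calls being rerouted for interception" problem: a provider that anchors only selected calls leaks which calls are being watched, so in practice it would have to anchor all of them.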

And the FCC has ordered that it be in place by May 14, 2007. There’s no way that’s remotely possible--note that the FCC gave ordinary wireline telephone companies over a decade to implement CALEA in the PSTN, and it has been an extremely difficult and expensive process. At best, by the deadline facilities-based VoIP providers will be able to provide interception for call traffic that goes across their own networks, and apparently be forced to do that for all traffic (or else there would be a way to distinguish calls being rerouted for interception from all other calls). And if that's the only kind of VoIP that is permitted, VoIP innovation is stifled.

One company that has been pushing hard for these extensions of CALEA is Verisign. They have been doing so because they want to act as the one-stop-shop for U.S. law enforcement, setting up their own infrastructure to interconnect with all Internet and VoIP providers to provide everything from subpoena handling to wiretapping services under contract to the providers. This would effectively hand off wiretapping capability to a third party, working on behalf of the government, over which the individual providers would have little oversight.

For more on CALEA, see the Electronic Frontier Foundation's CALEA website. For more on the history and politics of wiretapping, see Whitfield Diffie and Susan Landau's excellent book, Privacy on the Line: The Politics of Wiretapping and Encryption.

UPDATE July 7, 2006: I've updated the above text in light of Charles' comment, to make it more accurate about interception by forcing VoIP calls to route through the VoIP provider's network.

9 comments:

Charles said...

Does it really have to be that complicated and require such an intercooperation between every player? When using VoIP, actual end-user "phone numbers" (which don't always need to respect the same standards as conventional telephone, but this doesn't harm the point) are assigned by the VoIP provider. Surely, when initiating communication (even from VoIP to VoIP and hence ultimately peer-to-peer) some traffic must first occur between the user and the VoIP provider to route the traffic to the right place. If eavesdropping is necessary on a certain number, can't the localization of the IP address of the originating call (and hence interception) be made when the call is initiated? The VoIP provider could then simply force the signal to route through its network, where it can be intercepted, no? The same could work for incoming calls, as a query has to be made to the VoIP provider to get the address corresponding to a certain number.

I don't know all that much about VoIP technology and protocols, so I may be way out in the left field, there.

Jim Lippard said...

Charles:

I didn't accurately represent the choice described in the paper--the choice between making calls interceptable but emulating the PSTN, or using the new technology and making it very difficult to intercept calls.

You are correct that a VoIP provider can use SIP proxies/RTP relays to force all of the actual call traffic through their network, and that's probably what will be forced to happen. But that loses the efficiency benefits of peer-to-peer communications and prevents it from working the way it was designed to work.

Charles said...

I'm not advocating that all calls be routed through their network. I was thinking that, presumably, when a call needs to be intercepted, the VoIP provider can simply sit and wait until a call to or from the number of interest gets initiated and then force only the traffic associated with that particular call to be routed through their network so they can eavesdrop and relay to the interested law enforcement agency. This might come to a detriment to the person being eavesdropped on (which might tip them off, but hey, you can't have it both ways all the time, right?) but it could be feasible without hampering the development of VoIP. VoIP providers are already aware of all the calls being made to and from any user, the proof is that Vonage charges me for it and shows it to me on my bill! I'm just thinking it might not be as difficult and detrimental to implement.

Jim Lippard said...

You're right that the VoIP provider knows about every call, since the signalling information for the call setup and tear-down always goes through the VoIP provider (that's what makes them the VoIP provider). Collecting call detail records--who calls whom, when, and for how long--is no problem. It's the actual call content interception that's more problematic.

One of the requirements of CALEA is that the interception be done in such a way that the act of interception doesn't tip off the person whose calls are being intercepted. The specific wording (from the FCC's 1999 CALEA Report and Order) is:

(4) facilitating authorized communications interceptions and access to call-identifying information unobtrusively and with a minimum of interference with any subscriber's telecommunications service and in a manner that protects--

(A) the privacy and security of communications and call-identifying information not authorized to be intercepted; and

(B) information regarding the government's interception of communications and access to call-identifying information.

Clause (B) has been interpreted not only to prevent the person whose call is being intercepted from knowing, but to keep the number of people at the carrier with knowledge of the intercept to a minimum.

BTW, the FCC's documents on CALEA are here.

Jim Lippard said...

Looks like the FBI is now pushing a bill that will effectively create the "wiretapping everywhere" scenario.

It actually sounds rather similar to what has already been done in the Netherlands.
