This session, "Tapping the Net Revisited: VoIP and Law Enforcement" explores a critically important question now before the Federal Communications Commission (FCC): Should technology developers be required to build an easy FBI "wiretap" into Internet phone calls (voice-over-Internet-protocol, or VoIP)? More specifically, ought the controversial CALEA legislation apply to VoIP?
The short answer is no. It's the long answer that this panel will provide.
Moderator: I'll provide a fast overview of wiretapping and VoIP--then intro the panelists. We have a great panel.
Steve is one of the leaders on Internet security issues; serves on the IETF.
Jeff Pulver is prez and CEO of Pulver.com. Jeff was among the first to prove that VoIP can be successful. He's going to talk about his interaction with the FCC over regulating his service. He could probably talk all day; this is the "Pulver decision" that essentially made it immune from regulation by the FCC.
Mike was with the FBI for 20 years. He was head of the CALEA implemenation unit. Now he's head of Fiducia.net; he assists companies with complying with CALEA, etc. So he's very knowledgable, and because he's no longer w/the government, can discuss the issue more freely.
Lee Tien probably needs no introduction, here. He's long been involved in the whole range of privacy issues @ EFF. He's on something like four panels at this conference alone.
So, here's a quick overview of wiretapping: Under title III, if there is a law enforcement reason, the FBI can go to a judge and get your content. So the question before this panel isn't whether the FBI can do this, but how.
CALEA was passed 1994 -- and it responded to a legitimate need. Required phone companies to build wiretap into the network. But Congress specifically exempted [Internet communications?]. Currently, ISPs aren't required to build wiretap in; but soon, they may have to. The FBI has asked the FCC to look into this. Specifically, it has asked for an extension of CALEA to the Net.
This means that the FCC would review technologies before deployment for "tapability"; this aspect of the issue has a lot of people upset.
Lots of different services fall under VoIP: Pulver is one; it's been around for -- what? -- 10 years. But there are different architectures of VoIP. There are different configurations, and thus, different problems for law enforcement.
(Briefly describes different architectures, using diagrams.)
Okay; enough. Let me let Steve start.
Steve Bellovin: One of the problems we have with using CALEA for the Internet is that the Internet is NOT a phone network. You can't just use alligator clips. It's not that simple. The Internet is different; we can't take old paradigm and get answers for a new environment. It just doesn't work.
As I like to put it: "On the Internet, no one knows what a phone call is."
When I speak about the phone system, I'm going to oversimplify. The 99 percent rule applies; most of it will work like this: there is one major service, and the system is primarily two-party. Alice calls Bob, Bob calls Alice. It's in-band signalling. If you've got those alligator clips, you're set. With caller-ID, you've got the "trap and trace" part of it, too. Fancy features exist; but they've been built into the network.
The Internet is very different. The complicated parts are at the end; the features are at the end. The network is not involved. It carries packets; it doesn't matter what the packets are. The edges define the application.
When we're trying to tap telephony, we ask: What IS a phone call? You can use SIP [?] to do IM -- is that a phone call? I could configure my home machines to do a lot of things that none of the ISPs would know about.
Even if it weren't for these things, providing CALEA-like services is a very difficult thing. The IETF discussed CALEA issues a few years ago -- we have an RFC that explains why IETF won't tailor its protocols to CALEA. Wiretapping , if it's to be done right, has to be done at the edges. Building it in is bad for security.
Mike Warren: I'm here to provide law enforcement's perspective, to tell you a little bit about the investigative process. Most of this process is based on records. A lot of this work is done w/historical searches. But at the other levels, we get into more requirements; we've got to show why a tap is needed.
Service providers are 14 times more likely to get a "historical" request than a real-time tap request. As for actual wiretaps -- there were only 2,400 issued in 2001. So how big is the problem? These numbers go up about 14 percent per year. Under PATRIOT, we have additional FISA orders.
Let me distinguish between CALEA and ELSUR. You can't use CALEA to authorize a wiretap. CALEA is a very measured law developed through compromise. Privacy interests are addressed in CALEA. Under CALEA we have compromise that allows the FBI needed access, while protecting your privacy. It also doesn't impede the development of new technologies.
So I was shocked when I heard that the FBI wanted to rewrite this. The FBI wants ALL communications subject to surveillance. Its petition would shift the burden to the carrier -- the carrier must validate a court order and authorize the tap. This is a big burden for the carrier. Not only that, but they must have expertise in-house.
Today, people can recover reasonable costs for conducting a wiretap in network. You don't have to build that capability without being paid. The FBI wants another scheme for cost-recovery.
Then there's the "Carnivore" issue; a carrier may not have the time to set up equipment to do surveillance. ISPs don't want anyone messing with their systems. ISPs are reluctant to have FBI bring in new tech; it may mess things up.
So the only valid point in the FBI petition is the request to reclassify communications that fall under CALEA. This could happen. But everything else -- it won't even pass the smile test.
This whole issue of enforcement -- it goes against the very language of CALEA.
Surveillance laws have provisions about cost-recovery. We don't need another scheme by the FCC for cost-recovery.
At the heart of what the FBI wants -- they want to take away the anonymity of the user. They want to be able to wiretap the call. But they can. All they need is the access provider. They can set up the tap. A little genuine shoe leather policework is required, but you can do it. You have sniffers, Carnivore, etc. There are solutions.
The FBI has failed to identify ANY trouble they are having with surveillance. There is no record of this argument. What I'm hearing is that they want a change in paradigm; they want network surveillance. But all of this is a show. They won't get it, and this will give them ammunition so they can complain to Congress.
Jeff Pulver: First, thanks for inviting me.
I've had an interesting experience during these past 12 months. I used to work on Wall Street. I had a day job, but I discovered something cool -- sort of a reincarnation of amateur radio. I happened to go online and download software one day and I talked to people all over the world. There was no worry about power -- only bandwidth and connectivity.
Many-to-many communication is very cool. Growing up in the '70s and '80s, I never thought I'd be using emerging tech 20 years later.
In '95 I moderated an Internet phone mailing list -- a question came up about [whether we could implement a new system], and the answer was yes. For $70 we created a hop-off gateway for 3 phone calls. We had free phone calls on the Net. Phone companies immediately tried to shut us down, but we were free. There were no laws related to "free," so for a while we were okay.
I set up Vine Coalition; don't agree with them today necessarily, but beginning was fun.
In 2000, I thought, wouldn't it be great to do "people -to-people," and created a company called Vonage. In 2003, we had 5,000 subscribers; today, many, many more.
I saw this as the second coming of VoIP, and I wanted to stop phone companies from stopping this revolution. I filed a petition that said we shouldn't be regulated. Open docket. When the reply comments came in, it showed me who my friends and enemies were. State of Minnesota went after Vonage -- no surprise to me.
All these folks were against us; then we saw some friends appear. Then, bigger enemies: the FBI and DOJ. I had a meeting w/the FBI--I was in the computer crimes division. I had a few introductions, but the rest of the people in the room were nameless agents, taking notes. I looked around for hidden cameras. I had to keep reminding myself that I'm not in a movie.
It was "share w/us how Free World Dial works; we're all ears." That was interesting -- it was hours of sharing.
Fundamentally, the interesting thing about what we're doing is that voice is just an application. But regulators think they own a piece of the action anyway; there were 20 states with open proceedings.
I spoke at the first FCC hearings on VoIP. I had only six minutes to do presentation. Kevin Werbach went first...I plowed through real fast. I was very taken with the chairman. I came out against regulation. But the chairman had already said this in the opening of the proceeding. There was no FCC action on Pulver last year. But then rumors began that they would take action.
More testifying. I made a public proclaimation that we will comply with the FBI. The FCC ruled -- the vote was pretty split. Some people there do not get it. And what happens to this issue when new people come in @ the FCC?
My main concern is that there's a lot of misinformation out there. I was told by an insider: "In Washington, there are a lot people like me -- people who don't have a clue. It's up to people like you to go educate Washington." So I want to encourage people to speak out.
Canada ruled differently on this, and I'm concerned. You're closing down innovation in Canada. After 15 minutes talking to a reporter, he said, "You're right but I don't care." Please, if you believe in something, stand up for it. Silence hurts more than anything. Everyone has a right to be heard.
I have 10 year-old twin sons; they've been on Internet since they were three years old. Disney.com was the home page. My son Jake requests, "I want to go to Thomas the Tank Engine. com." He's three. I type it in and it's already there. Later, we had company, and my son says, "This is my daddy, Jeff Pulver.com."
This is a new world with people growing up on the Internet. We've got to protect innovation for the future.
Lee Tien: I was asked to be short; not a problem. I am. (Big laugh.)
Two questions: there is a structural question and a consitutional problem. Is CALEA even something that makes sense under our Constitution?
Stuart Baker said in an article that it's not the FCC, but rather the FBI that is the primary governmental body regulating telecommunications. This is exactly right.
And the FBI is asking the industry to do something hard, expensive, and bad for innovation. There is no proof that this is needed. Has there been a material effect on law enforcement? They have to tell us, if they're going to demand this kind of re-engineering of the Internet. To my view, they didn't make the case in 1994, and they're not making it now.
I was on the panel Jeff mentioned, and I was concerned to hear how the FBI is presenting this issue. They are not entirely honest with the public. They emphasize that there are only a small number of wiretaps. Putting aside the question -- they want to re-engineer the Internet for that? -- we actually have trouble getting the real information needed to evaluate what's going on.
So there is a fundamental accountability issue in this debate. We have a situation set up by CALEA that is structural -- is this even constitutional? Private negotiation going on. It's all happening under the table, and without our say. That is, CALEA is set up for the FCC, for the industry, etc. EFF, certainly, is not one of the players built into the statute. So we don't have a dialogue about whether any of this should be happening. It's especially distressing because of certain forms of "creep."
So, there are different kinds of creep:
Definition-creep: the kinds of things considered to be "trap and trace" etc., have all broadened. Courts and the law are expanding the definition of what we mean by "call-identifying information." This is complex: on the Internet, it changes from layer to layer. We don't want the government deciding what is or isn't content.
Then there is mission creep. After CALEA was passed, FBI asked for the ability to listen to calls even after the named target had dropped off the line. There's something really wrong about that.
Finally, back to the issue of accountability: there's a cute little footnote in FBI petition. After they say, CALEA should pass on the costs, but under [...?] legislation, this cost shouldn't be *marked* anywhere. The bottom line is that they don't want us to know what's going on.
Audience Q & A:
Susan Landis [sp?]: When the FBI was pushing CALEA, we could look at the wiretap report. Under PATRIOT we see a shift; less information is available. So we're losing our ability to argue. This is very dangerous in this debate. And I realize that's not a question. (Big laugh.)
[Missed one last question.]
Posted by Donna Wentworth at April 21, 2004 10:53 AM