By: Steven Bellovin, Columbia University; Matt Blaze, University of Pennsylvania; Ernest Brickell, Intel Corporation; Clinton Brooks, NSA (retired); Vinton Cerf, Google; Whitfield Diffie, Sun Microsystems; Susan Landau, Sun Microsystems; Jon Peterson, NeuStar; John Treichler, Applied Signal Technology
June 13, 2006
For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with the telephone system -- such as E9111 and the graceful accommodation of wiretapping -- should be able to be done readily with VoIP as well.
This simplified view of VoIP misses the point of the new technology. The network architectures of the Internet and the Public Switched Telephone Network (PSTN) are substantially different. Lack of understanding of the implications of the differences has led to some difficult -- and potentially dangerous -- policy decisions. One of these is the recent FBI request to apply the Communications Assistance for Law Enforcement Act (CALEA) to VoIP. The FCC has issued an order for all "interconnected" and all broadband access VoIP services to comply with CALEA (without issuing specific regulations on what that would mean). The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in its implementation[17].
Some cases -- intercept against a VoIP call made from a fixed location with a fixed Internet address2 connecting directly to a big Internet provider’s access router -- are the equivalent to a normal phone call, and such interceptions are relatively easy to do. But if any of these conditions is not met, then the problem of assuring interception is enormously harder. In order to extend authorized interception much beyond the easy scenario outlined above, it is necessary either to eliminate the flexibility that Internet communications allow -- thus making VoIP essentially a copy of the PSTN -- or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks. In this paper, we amplify and expand upon these issues.