A new industry association report claims applying federal wiretap laws to voice-over-IP services will either limit the current flexibility of those services or introduce serious security risks to domestic IP networks. The report was issued Tuesday by a Silicon Valley-based group, the Information Technology Association of America, and co-authored by major technologists including Vin Cerf of Google, Whitfield Diffie of Sun Microsystems and Clinton Brooks, now retired from the National Security Administration.

It comes on the heels of last week’s federal district court ruling upholding the Federal Communications Commission’s ruling that VoIP providers must comply with the Communications Assistance for Law Enforcement Act (CALEA) rules that require service providers to enable law enforcement to do routine wire-tapping.

Such requirements overlook the fact that VoIP calls are very different from traditional PSTN calls, the report said. While some VoIP calls can be easily traced--those made from fixed locations using fixed IP addresses tied directly to an ISP’s access router--most calls involve dynamic assignment of IP addresses and enable the participating parties to be mobile, using different communications devices and even rapid changes of identity.

By not acknowledging the differences between the PSTN and the Internet, U.S. law enforcement officials may actually force creation of a complex security infrastructure that introduces new potential risks including man-in-the-middle attacks and capture of identity and password information.

The PSTN uses a direct connection between individual phones and local switches and direct dedicated connections between two parties on a call. VoIP calls are data streams broken down into packets that travel multiple paths through the Internet, to be reassembled at the destination site, making wire-tapping much more difficult. VoIP users access the network from any computer or digitally connected device, so their calls enter the network from unpredictable locations.

“As such, almost all VoIP systems have an associated rendezvous service, whose purpose is to take a familiar identifier, a telephone number, a screen name, or an e-mail address, and transform it into the specific IP address of the computer where the designated user can currently be reached,” the report explains.

Applying CALEA to digital PSTN switches was hard enough and came after many lawsuits that ultimately forced a change in design that today allows all information about a PSTN call, including the call itself, to be easily overheard on what amounts to a conference call with a silent partner.

“Yet applying CALEA to the centralized architecture of the PSTN is a piece of cake compared to applying the law to the decentralized architecture of the Internet,” the report states. For one thing, while central office (CO) switches conform to technical standards, there are “no such general standards for VoIP, which can be implemented in a variety of ways.”

In addition, the report points out, VoIP providers are separate entities from the ISPs or broadband service providers that operate the networks over which VoIP rides. So even relatively direct requests to wiretap at IP access routers is complicated by the complexity of service provider relationships and the fact that VoIP providers “can be located at arbitrary points on the Internet,” including foreign sites.

As a result of all these complications, “building a comprehensive, unavoidable, VoIP intercept capability into the Internet would appear to require the cooperation of a very large portion of the routing infrastructure,” the report states. That creates potential unintended consequences.

“There is a danger that intercept design features adopted for the benefit of
legitimate law enforcement agencies could be used by others, rendering the
entire Internet’s application space more vulnerable than it already is,” the report says. “This is very dangerous (and has more than privacy implications).”

That danger is the primary reason the Internet Engineering Task Force declined to develop wiretapping as part of its standards process, the report said.  Establishing a physical security presence in the Internet world is also complicated, since there are more than 1300 ISPs in the U.S. alone, many of whom are too small to provide the kind of security presence that big telephone companies provide today for their CO switches.

Implementing CALEA would also likely drive up the cost of VoIP and other Internet applications and stifle innovation in the process, the report said.

“The fundamental difficulty of applying CALEA to VoIP lies in law-enforcement’s desire to achieve 100% compliance with an authorized wiretap order,” it said. “If law enforcement were to adopt the practice of the intelligence agencies and settle for the best intelligence at a reasonable cost, it might do quite well.”