Wednesday, August 13, 2003
By Declan McCullagh, Staff Writer, CNET News.com
FBI targets Net phoning
Internet phone calls are becoming a national security threat that must
be countered with new wiretap rules, according to an FBI proposal
presented to regulators this month.
Internet telephone calls are fast becoming a national security threat
that must be countered with new police wiretap rules, according to an
FBI proposal presented quietly to regulators this month.
Representatives of the FBI's Electronic Surveillance Technology Section
in Chantilly, Va., have met at least twice in the past three weeks with
senior officials of the Federal Communications Commission to lobby for
proposed new Internet eavesdropping rules.
The FBI-drafted plan seeks to force broadband providers to provide more
efficient, standardized surveillance facilities and could substantially
change the way that cable modem and DSL (digital subscriber line)
companies operate.
The new rules are necessary, because terrorists could otherwise
frustrate legitimate wiretaps by placing phone calls over the
Internet, warns a summary of a July 10 meeting with the FCC that
the FBI prepared.
"Broadband networks may ultimately replace narrowband networks,"
the summary says. "This trend offers increasing opportunities
for terrorists, spies and criminals to evade lawful electronic
surveillance."
In the last year, Internet telephony (also called voice over Internet
Protocol, or VOIP) has grown increasingly popular among consumers and
businesses with high-speed connections. Flat-rate plans cost between
$20 and $40 a month for unlimited local and long-distance calls.
One of the smaller VOIP providers, Vonage, recently said it has about
34,000 customers and expects to have 1 million by late 2004.
According to the proposal that the FCC is considering, any company
offering cable modem or DSL service to residences or businesses would
be required to comply with a thicket of federal regulations that would
establish a central hub for police surveillance of their customers.
The proposal has alarmed civil libertarians who fear that it might
jeopardize privacy and warn that the existence of such hubs could
facilitate broad surveillance of other Internet communications such
as e-mail, Web browsing and instant messaging.
Under existing federal wiretapping laws, the FBI already has the
ability to seek a court order to conduct surveillance of any broadband
user though its DCS1000 system, previously called Carnivore.
But the bureau worries that unless Internet providers offer surveillance
hubs based on common standards, lawbreakers can evade or, at the very
least, complicate surveillance by using VOIP providers such as Vonage,
Time Warner Cable, Net2Phone, 8X8, deltathree and DigitalVoice.
Digital wiretapping
The origins of this debate date back nine years, to when the
FBI persuaded Congress to enact a controversial law called the
Communications Assistance for Law Enforcement Act, or CALEA.
Louis Freeh, FBI director at the time, testified in 1994 that emerging
technologies such as call forwarding, call waiting and cellular phones
had frustrated surveillance efforts.
Congress responded to the FBI's concern by requiring that
telecommunications services rewire their networks to provide
police with guaranteed access for wiretaps.
Legislators also granted the FCC substantial leeway in defining
what types of companies must comply. So far, the FCC has interpreted
CALEA's wiretap-ready requirements to cover only traditional analog
and wireless telephone service.
"I think the FCC has a lot of room here," said Stewart Baker, a partner
at Steptoe & Johnson who represents Internet service providers.
"CALEA was written knowing that there would be new technologies for
telecommunications." Baker, the former general counsel of the National
Security Agency, said it was not clear whether the FBI had yet been
frustrated by problems when wiretapping VOIP calls.
Derek Khlopin, regulatory counsel at the Telecommunications Industry
Association, whose members include Cisco Systems, Ericsson, Lucent
Technologies, Motorola and Nortel Networks, said what the FBI is
"worried about is, when you have voice over DSL, if there's a way
someone could say they're not subject to CALEA."
In a letter to the FCC, the FBI wrote: "CALEA applies to telecommunications
carriers providing DSL and other types of wire line broadband access."
Some members of Khlopin's trade association, such as Cisco, already
manufacture products that follow CALEA guidelines. Khlopin said his
group did not have a position on the FBI's request, but suggested that
"CALEA is not the only way that law enforcement can get the bad guys."
The FBI's proposal has drawn criticism in regard to privacy issues.
A representative of DSL provider Speakeasy said the company "does not
support the extension of CALEA to ISPs, because the proposal appears
to run counter to our commitment to protect our subscribers' privacy
first and foremost. We certainly will be closely monitoring the
progression of this particular proposal."
Barry Steinhardt, director of the American Civil Liberties Union (ACLU)'s
technology and liberty program, said the FCC could not legally extend
CALEA to cover the Internet without additional action by Congress.
"CALEA does not apply to 'information services,' which was the then
term of art for the Internet," Steinhardt said. "Voice over IP is just
that, a voice service over the Net. CALEA should not, and so far has
not, applied to VOIP."
The FBI proposal is before the FCC, which has jurisdiction over DSL
and cable modem providers and is expected to rule on the matter this
fall. "It's pending before the commission, and we plan to address the
question," an FCC spokesman said.
How to follow the law
It's unclear what a broadband provider must do if the FCC extends CALEA's
reach, and the regulations survive a possible court challenge from
privacy groups such as the ACLU or network providers who do not wish
to comply.
Martin King, an attorney in the FBI's general counsel's office who
attended the July 10 meeting, said the bureau would not elaborate on
its request to the FCC. "On this particular matter, we are going to
decline to comment," King said.
Colleen Boothby, a former FCC official who is now a partner at Levine,
Blaszak, Block & Boothby, said the implications of the FBI's proposal
would vary based on how a broadband provider's system is configured.
"It's going to depend on what facilities they have," Boothby said.
"When designing systems and configuring software and hardware, they
have to preserve the government's ability to eavesdrop. Does it mean
physical electrical closets ? Does it mean an extra server in a secure
room ? It means as many varied things as there are variations in
network design."
Lawrence Plumb, a spokesman for Verizon Communications, said: "How does
a service provider architect its broadband network and equipment to be
CALEA-compliant ? The exact answer to 'how' isn't known."
Companies would be reimbursed for their costs to comply with CALEA.
When enacting the law, Congress earmarked $500 million to reimburse
telephone and cellular providers for their expenses.
Police encountered similar problems when wiretaps on customers using
data services such as mMode from AT&T Wireless and PCS Vision from
Sprint PCS could intercept only voice communications. Earlier this year,
VeriSign, Cisco and other members of an industry consortium announced
a set of products that would permit police to eavesdrop on wireless
data transmissions.
FBI meetings
The FBI appears to have first presented its proposal to the FCC last
year. But in the July 10 and July 22 meetings, the bureau extended it
to say that if broadband providers cannot isolate specific VOIP calls
to and from individual users, they must give police access to the
"full pipe" -which, by including the complete simultaneous communications
of hundreds or thousands of customers, could raise substantial privacy
concerns.
A summary of the meeting prepared by the FBI said the FCC could
"require carriers to make the full pipe available and leave law
enforcement to perform the required minimization. This approach is
already used when ISPs provide non-CALEA technical assistance for
lawfully ordered electronic surveillance."
The July 22 meeting at the FCC included John Pignataro, deputy
superintendent of Maryland's state police force, two attorneys for
the FBI's Electronic Surveillance Technology Section, and Leslie
Szwajkowski, the head of that section's policy unit. They met with
a senior advisor to FCC Commissioner Kevin Martin. During the July
11 meeting, FBI representatives met with 10 officials from the FCC's
Wireline Competition Bureau, its Media Bureau and the Office of
Strategic Planning and Policy Analysis.
The meetings, according to summaries prepared by the FBI, stressed
that "broadband telephony involves packet-mode communications, which
are more difficult to intercept than circuit-mode communications.
The need for CALEA-standardized broadband intercept capabilities is
especially urgent in light of today's heightened threats to homeland
security and the ongoing tendency of criminals to use the most
clandestine modes of communication."
In an interview, however, a Vonage representative said the VOIP
provider had never received a request from a police agency to do
a live voice interception, though the company has been served with
subpoenas for stored customer information. "We have been subpoenaed,
I believe, several times for call records and call data," Vonage's
Brooke Schulz said. "We've responded to those subpoenas very, very
quickly. Because of the way our service is set up, we have all this
data on hand, and it's very easy to do."
Schulz said if Vonage were to receive a proper request to perform a
live voice interception, it would be trivial to comply with, because
all the company's VOIP calls flow through central servers. "We are
able to copy the data stream and send it in tandem to another location,
" Schulz said. "You can essentially send it to the law enforcement
agency you need to send it to, as long as they have the proper
equipment and the proper interconnect."
Because Vonage's network already is accessible to police armed with a
legal wiretap order, Schulz said she was mystified by the FBI's
proposal to the FCC. "We really don't know where it's coming from,"
she said.
Why the proposal ?
The FBI declined to elaborate on the justification for its proposal.
An FBI agent who attended the pair of meetings and spoke on condition
of anonymity said that "if it's pending, we don't want to be talking
about it."
One explanation for the proposal is that not all VOIP networks flow
through a service that can be readily wiretapped. For instance,
Pulver.com's Free World Dialup connects about 38,000 subscribers in
150 countries who typically use Cisco ATA-186 and Cisco 7960 VOIP
phones to talk to each other directly.
The best place to intercept those types of VOIP calls would likely
be at the user's broadband provider.
A second explanation for the FBI's proposal is that, by requiring
broadband providers to comply with CALEA, police would have an easier
time wiretapping other types of Internet communications such as e-mail,
Web browsing and instant-messaging services.
David Sobel, general counsel of the Electronic Privacy Information
Center, said : "It seems that current practices are providing the
government with full access" to VOIP calls.
Baker, the CALEA attorney at Steptoe and Johnson, said: "It would be
very difficult to set up a network so that you could only intercept
voice packets and not the others. The likely result here is that you'll
have modifications that are useful for law enforcement not just for
voice packets but for other packets as well."
Yet another reason for the FBI's proposal, Baker said, is that the
bureau is very interested in details about a VOIP phone call, not just
the conversation itself. Those details, such as who was on the call,
are called "punch list items" according to CALEA. "It's not about
content but about getting call-identifying information or traffic
analysis," Baker said. "Who was on the line, how long they stayed on,
who did they put on hold--things like that. The FBI has always wanted
to get that information served up very neatly, promptly and conveniently."
Some Internet providers have welcomed the FBI as an ally on this issue,
which has arisen as part of an FCC proceeding over broadband deregulation
and how to classify Internet access. By lobbying the FCC, the bureau is
essentially seeking to expand the scope of CALEA, which says
telecommunications
services must ensure that their equipment and facilities are capable of
"expeditiously isolating and enabling the government, pursuant to a
court order or other lawful authorization," to intercept all communications
from a specific customer.
FCC Chairman Michael Powell has indicated that he would like to move
more Internet access services into the category of "information
services," which have fewer regulations and likely would not be subject
to CALEA. That alarms DSL providers such as EarthLink, which fear that
deregulation means that former Baby Bells such as Verizon and BellSouth
will raise their rates for access to the copper wire that runs to
telephone subscribers' homes.
"The FBI is really an ally of sorts," said David Baker, EarthLink's
vice president for law and public policy. "They're saying to the FCC,
look, you guys are thinking of classifying everything as an information
service, but you have to be aware of the implications."
EarthLink's Baker said "we're already seeing anticompetitive activities
on the part of the phone companies even under the current rules. You do
away with those rules, and you're ensuring that customers will have no
choice but DSL provided by the phone company."
Unless the FBI's proposal succeeds, he said, "everything that travels
over a DSL connection, be it voice or e-mail, would be out of the
reach of law enforcement. That would be a tremendous loophole and a
breach of national security."
http://www.businessweek.com/technolo...es/5056424.htm
Reply With Quote