Interesting People mailing list archives
IP: IETF considers building wiretapping into the Internet
From: David Farber <farber () cis upenn edu>
Date: Tue, 12 Oct 1999 20:44:03 -0700
http://www.wired.com/news/politics/0,1283,31853,00.html

Wiretapping the Net: Oh, Brother
by Declan McCullagh (declan () wired com)
2:00 p.m. 12.Oct.99.PDT

Since its humble beginnings as a 15-person committee in 1986, the Internet Engineering Task Force has had one guiding principle: To solve the problems of moving digital information around the world.

As attendance at meetings swelled and the Internet became a vital portion of national economies, the standards-setting body has become increasingly important, but the engineers and programmers who are members remained focused on that common goal.

No longer. The IETF is now debating whether to wire government surveillance into the next generation of Internet protocols.

The issue promises to cause the most acrimonious debate the venerable group has ever experienced and could have a lasting effect on privacy online.

To reach even a preliminary decision in a special plenary session of the IETF meeting in Washington next month, attendees must weigh whether law enforcement demands are more important than communications security and personal privacy -- a process that places technology professionals in the unusual position of taking a prominent political stand.

"As Internet voice becomes a wider deployed reality, it is only logical that the subject has to come up," IETF chairman Fred Baker said. "We are deciding to bring it up proactively rather than reacting to something later in the game."

The wiretapping issue arises as the IETF is wrestling with another prominent privacy issue in IPv6, the slated next-generation Internet protocol. As outlined, the proposal would include the unique serial number for each computer's network connection hardware as part of its expanded address.

Many governments, including the United States, require telephone companies to configure their networks so police can easily wiretap calls.

As more phone calls flow through the Internet, some experts predict that the FBI and similar agencies will demand additional surveillance powers.

If the IETF takes no action and governments require IP telephony firms to use snoopable products, some veteran task force members fret that companies might simply start to use technology that won't talk to products from other manufacturers. It's a noxious prospect for a standards-setting body like IETF.

Even worse: The products may divulge more information to an eavesdropper or introduce further security holes.

"The basic problem is that the government will probably demand of IP telephony the rules that govern wiretaps," said University of Pennsylvania electrical engineering professor Dave Farber, a board member of the Electronic Frontier Foundation and the Internet Society.

"...I wish we didn't have the law. But given that the law is there, it's wiser to make sure it just applies to the stuff that's IP telephony and not all of our data traffic."

It's unclear whether the 1994 Communications Assistance to Law Enforcement Act (CALEA), which requires wiretapping access, applies to IP telephony firms.

"There are two independent questions to answer," says Chris Savage, a Washington attorney who represents Internet providers and phone companies.

"First, is the provider of the service a 'telecommunications carrier' under the law? If the answer's no, CALEA does not apply. If you are a telecommunications carrier under the law and using packet communications, the FCC has said that compliance doesn't kick in until September 2001."

Even if CALEA does apply to products IP telephony firms may use, the IETF can simply ignore what legislators say, as the group did when supporting stronger encryption standards than what governments preferred.

IETF Chairman Baker said the organization has not received any direct requests from the FBI or other law enforcement officials, and some members of the media gateway control working group brought up the subject in August during a discussion on a mailing list.

"Megaco's" goal is to figure out how to replace a telephone company's traditional phone switch with digital controllers.

Some of the megaco members work for telephone companies that have long since bowed to law enforcement demands, and they seemed ready to compromise. One poster from Nortel Networks wrote on 24 August that he hoped "our architecture allows government agencies to do what they require."

But the IETF area director, Harvard University's Scott Bradner, said he thought the issue was too important to be decided by the handful of members in a working group.

He brought it up during a September conference call of the Internet Engineering Steering Group, which acts as the IETF's executive committee. The IESG then decided the full membership should try to reach a rough consensus at the November meeting.

Bradner and another IESG member created a mailing list for the topic and drafted an announcement released Monday.

Privacy advocates say they're concerned.

"If the mindset of the technical people involved in IETF has gotten to the point that they're voluntarily developing surveillance capabilities, that's a very disappointing development. The Internet community has been fighting to protect privacy from government intrusion for years and the IETF now appears to be doing the government's work," says David Sobel, general counsel for the Electronic Privacy Information Center.

"Why doesn't the IETF start working on a key escrow encryption protocol? Where does it end if they're going to start anticipating what government mandates might be?"

Jeff Schiller, an IESG member and MIT network manager, predicted libertarian sentiments would prevail at the November meeting.

"We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state," Schiller said.

Schiller pointed to previous IETF decisions -- immortalized in a policy document, numbered 1984, which affirmed the group's opposition to weakening security to aid in government surveillance. More recently, the IETF agreed to include encryption in IPv6 even though US government regulations restrict its export.

Peter Neumann, principal scientist at SRI International and moderator of the RISKS Digest, said the debate over wiretapping is similar to the one over encryption backdoors: Both imperil security.

"It's the same argument. You're trying to put in a mechanism that's essentially misusable, corruptible, and compromisable. And you can't do it securely given the infrastructures we have. It's basically impossible," Neumann said.

"The problem is any system or protocol that has a fundamental trap door in it is going to be misused ... Building in things that are fundamentally flawed does not make sense."

###