Interesting People mailing list archives

IP: more on IETF considers building wiretapping into the Internet


From: David Farber <farber () cis upenn edu>
Date: Fri, 15 Oct 1999 10:59:56 -0700



From: "Baker, Stewart" <SBaker () steptoe com>
To: "'farber () cis upenn edu'" <farber () cis upenn edu>
cc: "Albertazzie, Sally" <SAlbertazzie () steptoe com>
Subject: RE: IETF considers building wiretapping into the Internet
Date: Wed, 13 Oct 1999 12:12:14 -0400

Dave,

Some background on this might be helpful.  I've done a lot of work for
companies struggling with CALEA compliance over the past five years.  CALEA
requires that all telecom carriers buy equipment that is wiretap-ready, so
it applies not just to American companies, but to anyone who wants to sell
telecom gear in the US.  That means the impact of CALEA is global.  Plus,
other countries like Germany have similar requirements or quasirequirements.


There are some advantages under CALEA to industry standards efforts.  The
most recent FCC decisions have more or less gutted all of the protections
that EFF and industry thought they got in the "compromise" that led to
CALEA's passage (and ultimately to EFF's retreat from Washington).  But
there is one exception to this unhappy track record.  The FCC has taken
seriously the provision of CALEA that allows industry to take the first
crack at applying CALEA to new technologies by writing industry standards on
CALEA compliance.  If the FBI doesn't like those standards, it has to
challenge them before the FCC.  So industry gets the "first mover" advantage
when it addresses CALEA through a standards effort.

That doesn't mean that the IETF should take on this effort.  When and how IP
telephony might be covered by CALEA is a complex legal question, and there
are good arguments against applying CALEA to IP telephony.  If CALEA
applies, many of the implementation details will be as much legal as
technical.  Plus, the FCC has called on TIA (the Telecommunications Industry
Association, which administers numerous telecom standards efforts and which
wrote the fairly minimalist wireless/wireline standard that was challenged
by the FBI as not going far enough) to report on problems associated with
packet data taps.  I participated in much of the TIA effort, and then
defended it at the FCC.  That process was not the usual standards scene; the
FBI not surprisingly demanded a seat at the table and the right to make
submissions, most of which were lengthy, often delayed, and which always
sparked ideological and legal debates that consumed months of time.  On the
whole, I wonder if IETF wants to bite this off.  I would not be surprised to
see multiple standards devised for particular implementations that take
advantage of implementation-specific architectural features that can allow
law enforcement access without building in holes that affect all Internet
communications.  That may turn out to be a better way to go than some giant
goat-grope of the sort that we sometimes saw in earlier standards efforts.

Stewart Baker
Steptoe & Johnson LLP
phone -- 202.429.6413
email fax -- 202.261.9825
main fax -- 202.429.3902
sbaker () steptoe com


-----Original Message-----
From: David Farber [mailto:farber () cis upenn edu]
Sent: Tuesday, October 12, 1999 11:44 PM
To: ip-sub-1 () admin listbox com
Subject: IP: IETF considers building wiretapping into the Internet


 >
 >
 >http://www.wired.com/news/politics/0,1283,31853,00.html
 >
 >                      Wiretapping the Net: Oh, Brother
 >                      by Declan McCullagh (declan () wired com)
 >
 >                      2:00 p.m. 12.Oct.99.PDT
 >                      Since its humble beginnings as a
 >                      15-person committee in 1986, the
 >                      Internet Engineering Task Force has had
 >                      one guiding principle: To solve the
 >                      problems of moving digital information
 >                      around the world.
 >
 >                      As attendance at meetings swelled and
 >                      the Internet became a vital portion of
 >                      national economies, the
 >                      standards-setting body has become
 >                      increasingly important, but the engineers
 >                      and programmers who are members
 >                      remained focused on that common goal.
 >
 >                      No longer.
 >
 >                      The IETF is now debating whether to wire
 >                      government surveillance into the next
 >                      generation of Internet protocols. The
 >                      issue promises to cause the most
 >                      acrimonious debate the venerable group
 >                      has ever experienced and could have a
 >                      lasting effect on privacy online.
 >
 >                      To reach even a preliminary decision in a
 >                      special plenary session of the IETF
 >                      meeting in Washington next month,
 >                      attendees must weigh whether law
 >                      enforcement demands are more important
 >                      than communications security and
 >                      personal privacy -- a process that places
 >                      technology professionals in the unusual
 >                      position of taking a prominent political
 >                      stand.
 >
 >                      "As Internet voice becomes a wider
 >                      deployed reality, it is only logical that the
 >                      subject has to come up," IETF chairman
 >                      Fred Baker said. "We are deciding to bring
 >                      it up proactively rather than reacting to
 >                      something later in the game."
 >
 >                      The wiretapping issue arises as the IETF
 >                      is wrestling with another prominent
 >                      privacy issue in IPv6, the slated
 >                      next-generation Internet protocol. As
 >                      outlined, the proposal would include the
 >                      unique serial number for each computer's
 >                      network connection hardware as part of
 >                      its expanded address.
 >
 >                      Many governments, including the United
 >                      States, require telephone companies to
 >                      configure their networks so police can
 >                      easily wiretap calls. As more phone calls
 >                      flow through the Internet, some experts
 >                      predict that the FBI and similar agencies
 >                      will demand additional surveillance
 >                      powers.
 >
 >                      If the IETF takes no action and
 >                      governments require IP telephony firms to
 >                      use snoopable products, some veteran
 >                      task force members fret that companies
 >                      might simply start to use technology that
 >                      won't talk to products from other
 >                      manufacturers. It's a noxious prospect for
 >                      a standards-setting body like IETF.
 >
 >                      Even worse: The products may divulge
 >                      more information to an eavesdropper or
 >                      introduce further security holes.
 >
 >                      "The basic problem is that the
 >                      government will probably demand of IP
 >                      telephony the rules that govern
 >                      wiretaps," said University of Pennsylvania
 >                      electrical engineering professor Dave
 >                      Farber, a board member of the Electronic
 >                      Frontier Foundation and the Internet
 >                      Society. "...I wish we didn't have the law.
 >                      But given that the law is there, it's wiser
 >                      to make sure it just applies to the stuff
 >                      that's IP telephony and not all of our data
 >                      traffic."
 >
 >                      It's unclear whether the 1994
 >                      Communications Assistance to Law
 >                      Enforcement Act (CALEA), which requires
 >                      wiretapping access, applies to IP
 >                      telephony firms.
 >
 >                      "There are two independent questions to
 >                      answer," says Chris Savage, a
 >                      Washington attorney who represents
 >                      Internet providers and phone companies.
 >                      "First, is the provider of the service a
 >                      'telecommunications carrier' under the
 >                      law? If the answer's no, CALEA does not
 >                      apply. If you are a telecommunications
 >                      carrier under the law and using packet
 >                      communications, the FCC has said that
 >                      compliance doesn't kick in until
 >                      September 2001."
 >
 >                      Even if CALEA does apply to products IP
 >                      telephony firms may use, the IETF can
 >                      simply ignore what legislators say, as the
 >                      group did when supporting stronger
 >                      encryption standards than what
 >                      governments preferred.
 >
 >                      IETF Chairman Baker said the organization
 >                      has not received any direct requests from
 >                      the FBI or other law enforcement
 >                      officials, and some members of the media
 >                      gateway control working group brought
 >                      up the subject in August during a
 >                      discussion on a mailing list. "Megaco's"
 >                      goal is to figure out how to replace a
 >                      telephone company's traditional phone
 >                      switch with digital controllers.
 >
 >                      Some of the megaco members work for
 >                      telephone companies that have long since
 >                      bowed to law enforcement demands, and
 >                      they seemed ready to compromise. One
 >                      poster from Nortel Networks wrote on 24
 >                      August that he hoped "our architecture
 >                      allows government agencies to do what
 >                      they require."
 >
 >                      But the IETF area director, Harvard
 >                      University's Scott Bradner, said he
 >                      thought the issue was too important to
 >                      be decided by the handful of members in
 >                      a working group. He brought it up during
 >                      a September conference call of the
 >                      Internet Engineering Steering Group,
 >                      which acts as the IETF's executive
 >                      committee.
 >
 >                      The IESG then decided the full
 >                      membership should try to reach a rough
 >                      consensus at the November meeting.
 >                      Bradner and another IESG member
 >                      created a mailing list for the topic and
 >                      drafted an announcement released
 >                      Monday.
 >
 >                      Privacy advocates say they're concerned.
 >                      "If the mindset of the technical people
 >                      involved in IETF has gotten to the point
 >                      that they're voluntarily developing
 >                      surveillance capabilities, that's a very
 >                      disappointing development. The Internet
 >                      community has been fighting to protect
 >                      privacy from government intrusion for
 >                      years and the IETF now appears to be
 >                      doing the government's work," says David
 >                      Sobel, general counsel for the Electronic
 >                      Privacy Information Center.
 >
 >                      "Why doesn't the IETF start working on a
 >                      key escrow encryption protocol? Where
 >                      does it end if they're going to start
 >                      anticipating what government mandates
 >                      might be?"
 >
 >                      Jeff Schiller, an IESG member and MIT
 >                      network manager, predicted libertarian
 >                      sentiments would prevail at the November
 >                      meeting.
 >
 >                      "We should not be building surveillance
 >                      technology into standards. Law
 >                      enforcement was not supposed to be
 >                      easy. Where it is easy, it's called a police
 >                      state," Schiller said.
 >
 >                      Schiller pointed to previous IETF decisions
 >                      -- immortalized in a policy document,
 >                      numbered 1984, which affirmed the
 >                      group's opposition to weakening security
 >                      to aid in government surveillance.
 >
 >                      More recently, the IETF agreed to include
 >                      encryption in IPv6 even though US
 >                      government regulations restrict its
 >                      export.
 >
 >                      Peter Neumann, principal scientist at SRI
 >                      International and moderator of the RISKS
 >                      Digest, said the debate over wiretapping
 >                      is similar to the one over encryption
 >                      backdoors: Both imperil security.
 >
 >                      "It's the same argument. You're trying to
 >                      put in a mechanism that's essentially
 >                      misusable, corruptible, and
 >                      compromisable. And you can't do it
 >                      securely given the infrastructures we
 >                      have. It's basically impossible," Neumann
 >                      said.
 >
 >                      "The problem is any system or protocol
 >                      that has a fundamental trap door in it is
 >                      going to be misused ... Building in things
 >                      that are fundamentally flawed does not
 >                      make sense."
 >
 >###



