FBI request to FCC for packet CALEA [declan () well com: [Politech] FBI, Justice Dept. seek wiretaps for VoIP conversations [priv]]

[Dave Farber <dave () farber net>]

> Delivered-To: dfarber+ () ux13 sp cs cmu edu
> Date: Thu, 08 Jan 2004 12:18:55 -0800
> From: Seth David Schoen <schoen () eff org>
>
> Seth David Schoen writes:
>
> > I'll ask Declan if he knows a docket number for this.
>
> So I want to renew a point I had raised earlier.
>
> In packet telephony, unlike in the traditional telco world, it is not
> necessary for systems to be designed so that a "carrier" can access
> the "content" of communications.  Whether they are is an engineering
> decision that might be influenced by other considerations, such as
> economics and politics.
>
> A strange assumption that carriers can get content in the first place
> underlies the FBI's packet CALEA campaign.  But designing the networks
> that way is disfavored both by privacy advocates (that's us) and many
> security engineers, who point out that risks of illicit interception
> are enhanced.  (It's kind of parallel to the Clipper Chip issue.  If
> you create a mechanism for law enforcement access, your system is
> likely to be much less secure overall than if you don't.  People other
> than law enforcement can attack the system using the mechanisms that
> were created for law enforcement.  Nobody knows how to make a system
> that merely provides law enforcement access while being in every other
> respect just as secure as the alternatives.)
>
> I haven't been able to figure out what is motivating companies to make
> the design decisions they've been making.  The results of those
> decisions have been that people who use many commercial VOIP services
> probably have significantly less privacy protection than people who
> use decade-old open source VOIP software (that might happen to be less
> user-friendly and less interoperable).  In that sense, their decisions
> have been a step backwards.
>
> Is there anything we can do about this?  Is there any way that we can
> get VOIP companies to stop knowing what their customers are saying?
>
> Here's what I wrote about this last week on Dave Farber's list:
>
> > Here is a more fundamental question.  When you make a VOIP call, why
> > does your service provider know your session key?  (Or, in the
> > alternative, when you make a VOIP call, why isn't your conversation
> > encrypted with a session key?)
> >
> > There have been software VOIP applications for years (PGPfone and
> > SpeakFreely are the earliest I recall) that do end-to-end encryption.
> > If VOIP "carriers" don't do that, they have taken a technological step
> > backward.
> >
> > What a hollow "victory" over the Clipper Chip if all your voice session
> > keys are "escrowed" down at some VOIP technology company (which is
> > safeguarding them less well than the Clipper plan would have).
>
> (One possible interpretation is that existing VOIP companies don't
> have a privacy-friendly business model because they think of themselves
> as selling _services_ instead of _devices_.  If instead they sold VOIP
> phones that worked with any ISP's data service and absent any future
> relationship with the VOIP company, there might be many fewer
> incentives not to include strong privacy protections, especially if
> the VOIP devices themselves have to compete on feature set.)
>
> --
> Seth Schoen
> Staff Technologist                                schoen () eff org
> Electronic Frontier Foundation                    http://www.eff.org/
> 454 Shotwell Street, San Francisco, CA  94110     1 415 436 9333 x107

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/