June 13, 2006

Internet pioneers: VOIP wiretapping complicated

VOIP wiretapping would require police to have access to customer data from the VOIP providers and real-time tracking of calls routed over the Internet, one Internet pioneer noted.

U.S. government efforts to require most VOIP (voice over Internet Protocol) providers to permit law enforcement agencies to wiretap phone calls could introduce new cybersecurity problems to the Internet, a group of Internet security experts said Tuesday.

A U.S. Federal Communications Commission (FCC) rule requiring VOIP providers to allow wiretapping by May 2007 would either require a massive re-engineering of the Internet or introduce broad security risks, said authors of a new study released by the Information Technology Association of America (ITAA), an IT vendor trade group.

In addition, the requirements would stall Internet innovations in the U.S. by adding hundreds of thousands of dollars in set-up and maintenance costs to VOIP providers and potentially to other Internet applications that provide voice services, including instant messaging and online games, said the study.

The study, co-authored by several people including TCP/IP co-creator Vinton Cerf and former U.S. National Security Agency encryption scientist Clinton Brooks, comes days after a U.S. appeals court upheld the FCC's VOIP wiretapping rules. On Friday, the U.S. Court of Appeals for the District of Columbia upheld the ruling, requiring that VOIP providers offering a substitute for traditional telephone service comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA).

The FCC did not immediately respond to a request for comments about the ITAA study. But on Friday, FCC Chairman Kevin Martin said allowing law enforcement wiretapping of VOIP calls is of "paramount importance" to U.S. security.

Tracking VOIP calls would be more difficult than tracking calls on the traditional telephone network, because VOIP providers have little control over how their calls are routed across the Internet, said Whitfield Diffie, chief security officer at Sun Microsystems Inc. VOIP providers "have no special Internet privileges" to control traffic, said Diffie, one of the study's authors.

VOIP wiretapping would require law enforcement to have access to both customer data from the VOIP providers and real-time tracking of calls routed across the Internet, he said. Requiring Internet service providers to respond in real time to requests for them to record VOIP calls would open up the Internet to new vulnerabilities, he added.

"You find yourself in a technologically very, very complicated problem," Diffie added. "It's not inconceivable that a system of that kind could be built. You have a magnitude of vulnerability -- I can't think of any parallel in any system we've seen so far."

Such a wiretapping system would require a "major research and development effort" in order to reduce security vulnerabilities, he added. In addition, it would be difficult to apply the FCC wiretapping rules to VOIP calls worldwide, he said.

"These things do not respect borders," he said. "It's very hard to see how something of this kind can be done both effectively and securely."

If the FCC CALEA rules are enforced, all kinds of Internet applications would be monitored, added Cerf, the chief Internet evangelist at Google. "I don't see any way to constrain or restrict the target of the intercept to simply voice, because, in fact, every application would have to be effectively treated in the same fashion," he said. "There's no way to tell what the bits mean in the packets that are flowing."

©1994-2009 Infoworld, Inc.