Well, it only took about five years and three sessions of Congress to finally pass this thing in both the House and the Senate. The Senate passed their version of the bill (S. 30) on February 23rd and the House passed their version of the bill (H.R. 1258) on April 14th. All that remains now is for any differences in the two bills to be reconciled and sent to the President for a signature.
Last year Sweden enacted a law giving the Powers That Be the right to listen in on all Internet traffic passing the border of the country. Sweden was just the first country to put such legislation into play. When I was visiting the CeBIT fair in Hannover earlier this year, I learned that Germany is also putting such legislation in place and that other EU countries will follow suit.
The really grave issue here is that the Powers That Be can monitor and intercept such traffic without needing a court order. Yes – you read this correctly. It is no joke.
So what does this have to do with your legal VoIP traffic?
The huge problem with this scenario is that you will have low-level clerks listening in on your business conversations. In theory, the VoIP packets passing through the wire will never get into the hands of a 3rd party other than the person monitoring your conversation. In certain parts of the business world the climate is so harsh that corporate espionage is more the rule than the exception. The easiest way to get to information is to pay someone to leak that information to you. So what you really need is access to the right one of those low-level clerks, and then to pay enough money to get hold of your information.
Do not get me wrong – I am not saying that everyone on the planet is corrupt, but it would be sticking your head in the sand not to believe that corruption exists. Even in what appear to be more open European countries, corruption exists. It would thus be very strange if no low-paid clerk ever gave away information to the wrong people.
Also, if a clerk is approached by a company from their own country and is asked to “help out with the foreign competitors”, this may be deemed morally acceptable. After all, who does not want to help their own kind? In fact, this is really nothing new, and it is not uncommon for this to be done pro bono. From time to time we read about the Powers That Be handing over secret information to domestic companies regarding their foreign competitors.
Especially in a country like Germany, people are not happy. People from the former East Germany still have the workings of the Stasi fresh in their minds. Most Germans seem to be very wary of issues regarding monitoring and signal interception.
The current legislation in the various countries regarding signal interception is still too new to have had any negative impact on law-abiding citizens. However, it is only a matter of time before we are going to read in the press about company secrets being spilled by persons close to, or working in, the Powers That Be. When this happens the press will have a field day.
The net result is that when this happens, many more people will actively begin to seek encryption capabilities for their business communication. First out will be email. Second out will be VoIP traffic. Telephony is still a very important business tool.
A very interesting observation so far is that European VoIP equipment manufacturers are putting readily available encryption schemes into their offerings, and to a greater extent than their American counterparts. This may have to do with what the market wants. A recent BBC Digital Planet podcast outlined the same view: it seems that in Europe we are much more concerned about privacy than elsewhere.
Currently there are a slew of providers offering encrypted telephony solutions, and there are even a few that do encrypted VoIP. If the offering is done right, these companies will become the heroes of 2010.
After reading this article you should really ask both your equipment vendor and your service provider if they are planning to offer encrypted VoIP. My guess is that they will probably look at you with blank eyes and not understand what you are asking.
Welcome to the 111th United States Congress! On January 7th, the bill that never made it through the Senate in the last Congress has been reintroduced as S. 30, the Truth in Caller ID Act of 2009. It was apparently read twice and referred to the Committee on Commerce, Science, and Transportation. It’s now got two more years to attempt to make it through the Senate and get signed into law… Is anyone else as skeptical as I am that it’ll actually happen? Remember, this bill started as the Truth in Caller ID Act of 2006.
From the land Down Under comes this interesting piece, “How ACMA Plans to Regulate VoIP” (ACMA= “Australian Communications and Media Authority”):
Speaking at the CommsDay Summit 2008 in Sydney, Chris Cheah, Acting ACMA Chairman explained how the organisation was adopting a three-strand approach to VoIP which included a review of existing regulation and a new “VoIP engagement strategy” to better understand the regulatory framework and ACMA’s approach.
ACMA wants to understand how existing regulation applies to the kinds of services that are now available, engage with the industry and consumers and finally put in place a specific compliance program. As part of the strategy ACMA will advise VoIP providers how the regulations apply to them and outline the types of services subject to regulation.
The article goes on to list out in some detail the different “compliance areas” the ACMA wants to focus on. For those concerned about government legislation and how it may impact VoIP, the piece should make for interesting reading. The article also notes that ACMA has a web site focused on VoIP regulation.
Wikileaks recently published a leaked 88-page document entitled FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service (PDF), which is part of the CALEA Implementation Plan published in January 2003. The document describes detailed FBI requirements for surveillance of phone calls made utilizing packet networks as their transport. The document broadly defines CGVoP Service as:
“The set of subscription-based voice services and features provided over carrier-managed packet networks, and includes wireline and wireless services.”
The document covers such surveillance events as:
- Registration and Authorization events including address registration and de-registration, mobility authorization and de-authorization
- Call Management events including call origination, termination, answer, call release, address resolution, admission control, and media modification
- Signaling events including subject signaling, network signaling, and post-cut-through dialing and signaling
- Feature Use events including call redirection, party hold, party retrieve, party join, party drop, call merge, and call split
- Communication Content events including content delivery start, change, and stop, as well as content unavailable
- Feature Management events including feature activation and deactivation
- Surveillance Status events including surveillance activation, continuation, change, and deactivation.
The document also discusses authorized access to identifying information and communication content, and more generalized surveillance requirements. It looks like they’ve fairly well covered the bases…
I gotta run and coach my kids’ basketball, but I’ll put this up real quick.
Ars Technica has a write-up about the new E911 requirements bill passed by the Senate.
Ars usually does a great job with their analysis, so I won’t bother. My only comment is that Congress seems to write Policy without concern for the effort of implementing Procedures. Now that the FCC will have the authority to dictate new requirements, I hope (but I doubt) they will work with companies and technologies to implement this correctly.
OK, so I’m cynical about the government, I’ve worked in it all my life.
EDIT: BTW, just in case some were wondering if this applies to VoIP Security, for my environment, E911 service is a security requirement.
The Truth in Caller ID Act of 2007 (HR 251) passed in the U.S. House of Representatives on June 12th. It’ll be interesting to see if it makes it through the Senate this time, as last Congress the Senate basically sat on it until it was dropped at the end of the 109th Congress as not having passed.
If you’re interested in tracking this (or any other) bill as it makes its way through the U.S. legislative process, I’ve found GovTrack.us to be invaluable.
Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations.
For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks. The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.
That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news… but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN must comply with the FCC regulation by May 14, 2007, but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:
But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.
Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:
We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.
We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.
Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, it’s not really our place as an organization to wade into the debate over legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns – and security concerns. Where do we as nations, companies and individuals strike the balance?
In case anyone missed it, the Truth in Caller ID Act (now of 2007!) was re-introduced in the House as HR 251 on January 5th. The Senate’s version of the previous bill never passed during the 109th Congress, so here we go again… While re-reading through the bill however, I noticed something interesting that I hadn’t noticed before:
`(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.
By specifically naming VoIP service separately from other telecommunications services, and then subsequently defining what a VoIP “service” is:
`(C) VOIP SERVICE- The term `VOIP service’ means a service that–
`(i) provides real-time voice communications transmitted through end user equipment using TCP/IP protocol, or a successor protocol, for a fee or without a fee;
This amendment seems to very specifically preclude any communications that take place on the Internet or any other “non-telecommunications” network that aren’t transmitted via both IP and TCP, or any successor protocols of IP and TCP used in conjunction that may follow them.
Now, I’m no lawyer by any stretch of the imagination, but that seems fairly clear to me. If true, that precludes Caller-ID information transmitted via any other transport protocol running within IP, or otherwise, from being affected by this law. Does that mean that if my signaling traffic happens to be UDP, as many of the protocols either are or allow, that it is then not subject to this law? I wonder if the tech-savviness, or lack thereof, of the U.S. Legislature may be introducing a nice convenient loophole for an attacker’s attorney to exploit when going to trial… birds of a feather, after all.
Series of tubes, indeed.