Voice of VOIPSA

From the land Down Under comes this interesting piece, “How ACMA Plans to Regulate VoIP” (ACMA= “Australian Communications and Media Authority”):

Speaking at the CommsDay Summit 2008 in Sydney, Chris Cheah, Acting ACMA Chairman explained how the organisation was adopting a three-strand approach to VoIP which included a review of existing regulation and a new “VoIP engagement strategy” to better understand the regulatory framework and ACMA’s approach.

ACMA wants to understand how existing regulation applies to the kinds of services that are now available, engage with the industry and consumers and finally put in place a specific compliance program. As part of the strategy ACMA will advise VoIP providers how the regulations apply to them and outline the types of services subject to regulation.

The article goes on to list out in some detail the different “compliance areas” the ACMA wants to focus on. For those concerned about government legislation and how it may impact VoIP, the piece should make for interesting reading. The article also notes that ACMA has a web site focused on VoIP regulation.

Technorati Tags:
acma, australia, government, legislation, voip, regulation, voipsecurity, voip legislation

Wikileaks recently published a leaked 88 page document entitled FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service (PDF), which is part of the CALEA Implementation Plan published in January 2003. The document describes detailed FBI requirements for surveillance of phone calls made utilizing packet networks as their transport. The document broadly defines CGVoP Service as:

“The set of subscription-based voice services and features provided over carrier-managed packet networks, and includes wireline and wireless services.”

The document covers such surveillance events as:

• Registration and Authorization events including address registration and de-registration, mobility authorization and de-authorization
• Call Management events including call origination, termination, answer, call release, address resolution, admission control, and media modification
• Signaling events including subject signaling, network signaling, and post-cut-through dialing and signaling
• Feature Use events including call redirection, party hold, party retrieve, party join, party drop, call merge, and call split
• Communication Content events including content delivery start, change, and stop, as well as content unavailable
• Feature Management events including feature activation and deactivation
• Surveillance Status events including surveillance activation, continuation, change, and deactivation.

The document also discusses authorized access to identifying information and communication content, and more generalized surveillance requirements. It looks like they’ve fairly well covered the bases…

I gotta run and coach my kids basketball, but I’ll put this up real quick.

Ars Technica has a write up about the new E911 requirements bill passed by the Senate.

Ars usually does a great job with their analysis, so I won’t bother. My only comment is that congress seems to write Policy without concern for the effort of implementing Procedures. Now that the FCC will have the authority to dictate new requirements, I hope (but I doubt) they will work with companies and technologies to implement this correctly.

OK, so I’m cynical about the government, I’ve worked in it all my life.

EDIT: BTW, just in case some were wondering if this applies to VoIP Security, for my environment, E911 service is a security requirement.

The Truth in Caller ID Act of 2007 (HR 251) passed in the U.S. House of Representatives on June 12th. It’ll be interesting to see if it makes it through the Senate this time, as last Congress the Senate basically sat on it until it was dropped at the end of the 109th Congress as not having passed.

If you’re interested in tracking this (or any other) bill as it makes it’s way through the U.S. Legislation process, I’ve found GovTrack.us to be invaluable.

Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations. 

For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980’s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks.  The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.

That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news…. but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN much comply with the FCC regulation by May 14, 2007 but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:

But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.

Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:

We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.

We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.

Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, its not really our place as an organization to wade into the debate of legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns - and security concerns. Where do we as nations, companies and individuals strike the balance?

In case anyone missed it, the Truth in Caller ID Act (now of 2007!) was re-introduced in the House as HR 251 on January 5th. The Senate’s version of the previous bill never passed during the 109th Congress, so here we go again… While re-reading through the bill however, I noticed something interesting that I hadn’t noticed before:

`(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.

By specifically naming VoIP service separately from other telecommunications services, and then subsequently defining what a VoIP “service” is:

`(C) VOIP SERVICE- The term `VOIP service’ means a service that–

`(i) provides real-time voice communications transmitted through end user equipment using TCP/IP protocol, or a successor protocol, for a fee or without a fee;

This ammendment seems to very specifically preclude any communications that take place on the Internet or any other “non-telecomunications” network that isn’t transmitted via both IP and TCP, or any successor protocols of IP and TCP used in conjuction that may follow them.

Now, I’m no lawyer by any stretch of the imagination, but that seems fairly clear to me. If true, that precludes Caller-ID information transmitted via any other transport protocol running within IP, or otherwise, from being affected by this law. Does that mean that if my signaling traffic happens to be UDP, as many of the protocols either are or allow, that it is then not subject to this law? I wonder if the tech-savvy, or lack thereof, of the U.S. Legislature may be introducing a nice convienient loophole for an attacker’s attorney to exploit when going to trial… birds of a feather after all.

Series of tubes, indeed.