One aspect of VoIP security that keeps coming to my attention in recent weeks is that of location privacy, or in other words, does the call recipient (or others ‘listening on the line’) know where you are?
At a VON Europe panel this week, Cullen Jennings, Distinguished Engineer at Cisco, was talking about peer-to-peer (P2P) SIP, and how the P2P approach definitely helps with location privacy. He gave the example of emergency procedures in the USA, which require the country’s President and Vice President to be in different physical locations from each other yet still be able to communicate. At the same time, they must prevent eavesdropping enemies from locating the Vice President physically.
I said that ‘P2P helps’, but perhaps I should say ‘can help’, with the right systems in place. In the UK last week, Sky News ran a story about how criminals might use encrypted VoIP to run circles around the police, due to the difficulty of tapping and listening to the calls. I hope to be able to write in more detail in the next few weeks why this is basically untrue, but the information I have received is that the VoIP providers “can be very helpful” to the police in these cases. Even if a VoIP stream cannot be decrypted, it is often possible to obtain a list of times, durations, and IP addresses that can easily provide both location and evidence. Also, if a VoIP call breaks out onto the PSTN, a service offered by many or most VoIP telcos, then once again you have a location (albeit the call destination rather than the source), and you have the opportunity to monitor the call.
No-one likes to think that all their calls are being tracked, or that their location is known at all times, but of course in democratic countries we assume that there are enough checks and balances to ensure that this information is available to few and will not be abused. At the same time, criminals and terrorists should not assume that new technologies like VoIP and IM give them a cloak of anonymity, because this is definitely not the case.
I am not sure I follow that P2P SIP allows for location privacy. I would think the supernode will know the registered client’s IP address. I sure hope that the President and the Vice President do not use a public P2P system, SIP or otherwise. They can use direct communication technique and protect from intercept except when somebody has physical access to the network path. By the way, criminals and terrorists can use the same technology. That is why it is important that the government focuses on intercepting broadband connectivity, not just VoIP (see the recent paper published by CableLabs on this matter – http://www.cablemodem.com/downloads/specs/CM-SP-CBI2.0-I01-070611.pdf).
Pingback: We Know Where You Live « Continuous improvement