Computer Science 199r. CALEA, The USA PATRIOT Act, and VoIP: Privacy Concerns with Next Generation Telephony

Transcription

1 Computer Science 199r CALEA, The USA PATRIOT Act, and VoIP: Privacy Concerns with Next Generation Telephony Pierce Tria May 14, 2007

2 Privacy Concerns with Next Generation Telephony I. CALEA and The USA PATRIOT Act In the early 1990 s, the Federal Bureau of Investigation (FBI) began to worry about their ability to employ effective wiretaps on telephone devices. With technology advancing so quickly, they feared that technology was outpacing their ability to effectively tap into conversations. Citing 183 cases where the FBI felt that could not effectively carry out a wiretap, FBI Director Louis Freeh asked that new legislation be enacted to protect law enforcement s ability to conduct court-ordered wiretaps. 1 In 1994, Freeh s request was heard and the Communications Assistance for Law Enforcement Act (CALEA) was passed to help ensure that law enforcement would never be hindered by technology. CALEA, in its most basic form, mandates that all telephony systems be designed so as to accommodate for wiretapping by law enforcement. In 2001, following the September 11 th terrorist attacks on the United States, Congress passed another crucial law to assist law enforcement in preventing future terrorist attacks. The act became known as the USA PATRIOT Act (Uniting and Strengthening American by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act). This act aimed to create more cooperation among law enforcement agencies and also sought to make surveillance of suspected terrorists much easier. Most notably, Section 505 of this act expands the use of National Security Letters (NSLs), which allow for wiretaps without a warrant as is typically necessary. This section has risen significant privacy concerns. II. Voice over Internet Protocol Vs. Conventional Telephony Systems Voice over internet protocol (VoIP) has emerged recently as a new and promising form of communication. Unlike current popular telephone systems, VoIP uses a packet-based system as opposed to circuit based one. This means that in conventional telephony systems there is a circuit formed between the caller and receiver. Thus, to tap into a circuit-based conversation, one must create a new loop in the already existing circuit (See Figure 1). Figure 1 Above is a simple wiretap on a circuit-based system. 1 Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp. 218.

3 In a circuit based system all of the information is transported over two designated wires which makes tapping such a system quite straightforward. Figure 1 reflects the telephone system as it existed prior to the 1990 s. In the mid-1990 s as new technology emerged, telecommunications companies gained the ability to create wiretaps in a new, more effective way. With an increasingly digitized system, carriers decided that they could tap a conversation by merely creating an invisible, silent third caller in any conversation. 2 This is merely a modified conference call. A packet-based system, such as a VoIP system, uses a much different protocol for transmission and so the issue of tapping VoIP conversations becomes quite challenging technically and raises many new privacy concerns. In a VoIP system, the information transmitted, namely one s voice, is not sent as a constant stream of data over a pre-determined path. Instead, the information is broken up into discrete packets which are then sent over various unique paths. In terms of efficiency this is a far superior system since information can be transported more quickly and more cheaply since no designated circuit must be formed between the caller and receiver. A simplified VoIP call can be seen below. Figure 2 This is a simplified view of a VoIP conversation. Packets containing information travel over various paths in the network of routers. These paths are not predetermined. 2 Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp

4 There exist several theories today regarding how one can tap into a VoIP conversation. These methods will be discussed, at length, in the subsequent sections. Chiefly of concern within this paper are the privacy concerns and other issues that arise when one wishes to tap a VoIP communication in the same manner he could a conventional phone conversation. CALEA mandates that law enforcement be able to tap VoIP communications and so in recent years this issue of building tapping avenues into the VoIP architecture has become more salient. III. Potential Privacy Concerns in Tapping VoIP Many have voiced concerns over what types of information law enforcement could gain by implementing VoIP tapping protocols. To address these concerns, let us recall how VoIP operates. The data being transported one s voice is split into packets, each of which is labeled with an IP address telling it where it is to be delivered. Bearing this in mind, it is easy to see why many fear that law enforcement could gain information regarding a person s exact whereabouts while they are making a phone call. A simple trace of the IP address could tell where the caller or receiver is physically. As we will see in the following section, however, ability to tap VoIP is still in its infancy. Given the current abilities of law enforcement, it will be years before VoIP will have to worry about such a privacy issue. Also, many worry that tapping of VoIP will give police and law enforcement access to all of the packets their computer sends upstream to their Internet service provider (ISP). The notion is that any law enforcement agency would be able to monitor one s s and webbrowsing habits without proper clearance to do so since they would be intercepting all incoming and outgoing packets from one s computer. This seems like a logical concern on its surface, however, when recording VoIP conversations, a switched port analyzer (SPAN) is typically used. A SPAN isolates only the VoIP packets for recording, allowing the rest of the packets containing other information to travel without being recorded. One less concrete privacy concern is with regards to the USA PATRIOT Act and how it may be applied to VoIP wiretaps. NSLs increase the freedom of law enforcement to conduct wiretaps. The question is, will the USA PATRIOT Act make it much easier to gain information such as a caller s location? Furthermore, if it is that much easier, who will be able to gain such information and how will it be used? IV. Methods for Tapping VoIP There have been many theories for how once could conduct a successful tap on a VoIP conversation. Following is a list of some of the most popular ideas and if they are in fact plausible methods. Method #1: Place Tapping Device on Client to Intercept All VoIP Packets The idea here is to place a listening device on a person s computer in order to listen in on their VoIP conversations. The device catches all of the outgoing and incoming packets that make up the conversation. In this manner, law enforcement can hear both sides of the conversation.

5 Placing a tapping device on the client computer is not a truly plausible idea because it is quite possible that such a device could be easily discovered and so, easily removed. 3 The tap itself would work and would yield the information necessary but it would be far too easy for a suspect to remove a listening device before law enforcement could use it. Additionally, gaining access to a suspect s home or office to plant a listening device could be problematic, especially in cases where a NSL is being used to allow for the tap. A NSL is not a warrant and a warrant would be necessary to place this type of listening device within someone s home. The legality of placing one of these taps, even with a warrant, is debated. 4 This approach is technically very plausible but there are legal issues, namely the need of a warrant, and also logistical issues, that such a tap would be easily removed. Method #2: Place a Tap on the Client s Access Router Here, law enforcement would tap one s ISP access router. The premise of this method is that all of a person s information must go through a single access router. In Figure 2, Alice and Bob are each connected to a single access router (R1 and R2 respectively) which then gives them access to the broader network of routers. Again, this idea seems quite plausible on paper since it makes intuitive sense. In practice, however, this method is not so reasonable. Tapping the access router would theoretically allow law enforcement agencies to hear any VoIP conversation. The trouble here is that neither of the access routers has any information that can distinguish who Bob or Alice is. There is no permanent identifier (like a phone number) for either Alice or Bob that would allow the router to determine what packets are coming from which specific user. This problem therefore, makes tapping by means of access routers, not suitable. 5 Method #3: Monitor a Group of Routers This method is less commonly advocated but still some maintain that it could be a plausible tapping method. In this case, law enforcement would monitor a large number of routers and hope to catch enough packets to piece together a conversation. This approach has more flaws than it has merits. Since VoIP is so dynamic, one has no way of knowing which routers will be used and which path each packet will choose to take to its destination. This is truly a shotgun approach which aims to simply monitor a large set of routers in hopes that some of the VoIP packets will be traveling over this segment of routers. This is another good theoretical approach, but not a terribly scalable or practical approach. There are simply too many paths for packets to take and so without monitoring a very large 3 Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp Steven Bellovin, et al, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, ITAA, June 13, Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp

6 segment of routers this is not a feasible approach. 6 All three methods have merits but each has flaws which severely inhibit its implementation. Currently, there exists no viable protocol to tap into VoIP conversations though slow progress is being made. One researcher at George Mason University believes he may have a viable method to determine at the very least which users are speaking to one another but he has yet to develop viable tapping technology. 7 Another large issue not raised specifically in any of these methods is the issue of jurisdiction. The United States may pass any number of laws dictating what telecommunications companies must do to assist law enforcement in this country. VoIP raises a new question since a VoIP provider could be a non-us company providing a service to American citizens. Thus, VoIP brings about a new level of compliance issues that previously have not manifested themselves. This is yet another obstacle to consider when creating viable tapping methods for VoIP systems. V. Indirect Privacy Issues Though the tapping of VoIP communications has some very direct privacy implications, perhaps more interesting and crucial are the implicit privacy concerns which come to light when applying CALEA and the USA PATRIOT Act to VoIP. One of the biggest issues is what will next fall under the scope of CALEA. Initially, according to Susan Crawford, CALEA did not apply to the internet or online applications. 8 Interestingly, the Federal Communications Commission (FCC) has expanded CALEA in recent years to include VoIP. In 2005 the FCC issued a CALEA Order. This order mandates that VoIP providers comply with CALEA by May 15, 2007 or suffer a $10,000 per day fine. 9 The question on the minds of many is what online applications will be subject to CALEA next. Will instant messaging need to be tapped? 10 Will any number of social networking sites require back doors so law enforcement can monitor what individuals are posting? In this respect there are some very serious, very credible privacy threats which may be created by expanding the scope of CALEA. The question becomes bigger than merely, what are the privacy concerns with tapping VoIP? and instead becomes a question of what applications the law require to comply with CALEA. 6 Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp Xinyuan Wang et al., Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet, November 7, Susan P. Crawford, The Ambulance, The Squad Car, & The Internet, Berkeley Technology Law Journal, Susan P. Crawford, The Ambulance, The Squad Car, & The Internet, Berkeley Technology Law Journal, Steven Bellovin, et al, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, ITAA, June 13, 2006.

7 The expanding scope of CALEA is worrisome and presents some serious threats to privacy. Though currently it does not present any direct threats, the expansion on CALEA is a continuing worry. In some sense, the application of CALEA to VoIP could only be a preview of what is to come in the future. VI. The Future of CALEA, the USA PATRIOT Act and VoIP With the FCC s deadline for compliance only hours away, and no clear viable manner in which to tap VoIP communications, it seems unlikely that the VoIP providers will be able to meet the demands of the FCC s CALEA Order. Though several viable options have been introduced within this paper, each has issues which inhibit its ability to reliably provide law enforcement access to VoIP conversations. The application of CALEA to VoIP systems could have serious implications for the future architecture of the system. As Steven Bellovin, et al. remind us, A major advantage of VoIP is cost savings. CALEA is expensive. 11 If VoIP providers are forced to comply with CALEA many will likely be pushed out of business. If this is the case, America will likely cease to be the home of telecommunications innovation. On the contrary, the United States must balance innovation with security. If the United States were to be attacked and it was known that such an attack was organized using we might expect sweeping reforms on the part of the FCC. The FCC has vowed to stick by its $10,000 per day fine for CALEA non-compliance and if VoIP were found to be the cause of a major American terrorist attack, the FCC would likely step in to stipulate specific architecture that VoIP must follow so as to make it suitable to wiretaps. According to Diffie and Laundau there exist, two particular types of VoIP services [which] have architectures that fundamentally resemble the telephone network and thus their accommodation of CALEA is not particularly difficult. 12 It is likely that in the event of some tragedy planned by VoIP the government might mandate that all VoIP carriers adopt these architectures. VII. Conclusions Given current technology, it is the belief of this panel that there exist no credible threats currently to privacy because viable wiretapping technologies have yet to be fully developed. Once the tapping capabilities are developed, the privacy issues brought up within this paper may very well be credible and realistic. Under current conditions, this is not the case. Perhaps more important is the issue of the increasing scope of CALEA. This is a real worry since expansion of CALEA means there will be more and more threats to privacy. 11 Steven Bellovin, et al, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP, ITAA, June 13, Whitfield Diffie and Susan Landau, Privacy on the Line, Cambridge: MIT Press, 2007, pp. 295.

8 Currently, CALEA and the USA PATRIOT Act as they apply to VoIP present very few, if any credible threats to privacy. In the future, we can expect this to change if VoIP becomes more vulnerable to taps and if CALEA continues to expand in scope.