FCC requires some broadband and VoIP Providers to accommodate wiretaps

September 26, 2005

I must have missed the FCC's announcement 3 days ago that the FCC was going to require certain broadband and VoIP Providers to accommodate wiretaps. The 59-page FCC report is a bit lengthy for me to digest today, so maybe I'll provide a more detailed analysis tomorrow.

A quick speed read seems to indicate the FCC is going to force Internet providers to accomodate wiretaps, but that doesn't include cafes or hotels that use or pay for Internet service. I guess the FCC is targetting the main ISPs and not resellers of Internet service. Here's a very interesting excerpt that sums up who is covered by CALEA wire-tapping rules:

We conclude that CALEA applies to providers of “interconnected VoIP services.” As defined in our recent VoIP E911 Order,107 interconnected VoIP services include those VoIP services that: (1) enable real-time, two-way voice communications; (2) require a broadband connection from the user’s location; (3) require IP-compatible customer premises equipment; and (4) permit users to receive calls from and terminate calls to the PSTN.108 We find that providers of interconnected VoIP services satisfy CALEA’s definition of “telecommunications carrier” under the SRP and that CALEA’s Information Services Exclusion does not apply to interconnected VoIP services. To be clear, a service offering is “interconnected VoIP” if it offers the capability for users to receive calls from and terminate calls to the PSTN; the offering is covered by CALEA for all VoIP communications, even those that do not involve the PSTN. Furthermore, the offering is covered regardless of how the interconnected VoIP provider facilitates access to and from the PSTN, whether directly or by making arrangements with a third party.

Am I wrong in interpreting this definition to not only include Vonage, Packet8, AT&T CallVantage, but also Skype and any other PC-to-PSTN software? Skype falls under (1), (2), and (4) but not necessarily (3), i.e."require IP-compatible customer premises equipment." The FCC is referring to ATAs (analog telephone adaptors), however the term IP-compatible customer premise equipment is "vague enough" that it could apply to a Personal Computer (PC), which Skype does require.

So while Skype was not covered by the e911 rules, it would appear that CALEA extends not just to typical VoIP broadband providers but also Skype whose SkypeOut service touches the PSTN.

Though I would have thought that granting the U.S. government (FBI specifically) the right to force Skype to make their facilities "wiretap-able" would have made major news three days ago. After all, Skype espouses the fact that it offers privacy, encryption, etc. for its Voice over IP. Maybe I am just misinterpreting the FCC order? I'll have to try and read it in its entirety tonight.

Reading a little deeper, I found this quote:
We find that interconnected VoIP service is not subject to the Information Services Exclusion in CALEA.As we have explained, the legislative history contains much discussion of “information services,” but not once did Congress contemplate that any type of voice service would fall into that category... Most significantly, Congress explicitly distinguished between “information services” that are not covered by CALEA and “services or facilities that enable the subscriber to make, receive or direct calls,” which are covered.

I read a bit more, and if I am interpreting this FCC order correctly, I believe that the FCC is now saying that PC-to-PSTN VoIP calls are covered (including SkypeOut calls) but that PC-to-PC calls fall under the classification of "information service" and are not covered by the CALEA's wiretapping rules. This would mean that Skype-to-Skype calls cannot be wiretapped but if you make a SkypeOut phone call, the FCC could request a wiretap at whomever Skype uses to terminate to the PSTN.

Thus, in reality, Skype wouldn't be the one having to allow the FBI into its facilities - rather Level3, Deltathree, and all other termination service providers used by Skype would have to open their doors for an FBI wiretap. Although I wonder if the FBI could force Skype to pass on the username to their termination service providers to make it easier to wiretap a specific Skype user. That info may already even be sent via SIP for billing purposes, but I'd have to confirm that.



Post a comment

See this page in TechnoratiTechnoratibook mark in del.icio.usDel.icio.usSlashdot.comSlashdotSubmit to Digg.comDigg

Tags: , , , , ,

Search Technorati: , , , , ,
Related Tags: , , , , ,

Listed below are links to sites that reference FCC requires some broadband and VoIP Providers to accommodate wiretaps:

Trackback Pings

TrackBack URL:
http://blog.tmcnet.com/mt3/t.fcgi/16540

» FCC must like Groundhog's Day from VoIP Blog - VoIP News, Gadgets
The FCC once again backed off again on enforcing a deadline for broadband VoIP providers to disconnect all customers who haven't acknowledged the e911 limitations. The decision to delay the enforcement came yesterday, just a day before the deadline... [More]

Tracked on September 28, 2005 10:18 AM

» Teamspeak the VoIP server for gamers from VoIP Blog - VoIP News, Gadgets
Teamspeak is one of the best kept secrets in VoIP, hidden in the dark bowels of the online gaming community. Teamspeak offers a scalable VoIP application which enables many users to simultaneously speak to one another. It was designed with... [More]

Tracked on October 5, 2005 10:25 AM

Comments to FCC requires some broadband and VoIP Providers to accommodate wiretaps


  1. Randell Jesup :
    September 27, 2005 11:02 AM

    They state elsewhere that if you're covered for some calls, you're covered for the entire service. So, if you're Skype, and you're covered because of PSTN interconnect (even via a 3rd party contract), you're covered for ALL calls.

    "To be clear, a service offering is "interconnected VoIP" if it offers the capability for users to receive calls from and terminate calls to the PSTN; the offering is covered by CALEA for all VoIP communications, even those that do not involve the PSTN."

    That's crystal-clear - all of Skype will be covered unless they drop PSTN interconnect.


  1. Tom Keating :
    September 27, 2005 11:33 AM

    >"To be clear, a service offering is "interconnected VoIP" if it offers the capability for users to receive calls from and terminate calls to the PSTN; the offering is covered by CALEA for all VoIP communications, even those that do not involve the PSTN."

    >>That's crystal-clear - all of Skype will be covered unless they drop PSTN interconnect.

    Yeah, you hit the nail on the head. I saw that too and thought the same thing. It was one of the vagueries I was going to try and pin down. It seemed part of the PDF stated one thing then contradicted it elsewhere or left it open to interpretation anyway.

    If you look at the context of that part of the FCC PDF ("even those that do not involve the PSTN") I also interpreted it to possibly mean that CALEA coverage would also include broadband VoIP providers that terminate PSTN dialed numbers without ever "truly" touching the PSTN since they can simply route subscriber-to-subscriber calls over IP.

    For instance, suppose you are a Vonage customer and you call another Vonage customer. Even though you dialed a PSTN phone number, the call is routed over IP throughout - it never touches the PSTN. I thought perhaps this type of IP-to-IP scenario was what the FCC was referring to as "wire-tappable" and not the Skype-to-Skype (IP-to-IP) scenario.

    I should point out that lots of ITSPs and even carriers have mutual termination agreements that keep the call on the IP network. Of course, usually, at some point you do "hop" off to the PSTN (unless you are in the same IP subscriber network) and obviously if you do hop off onto the PSTN this would definitely fall under CALEA.

    Thus, the "even those that do not involve the PSTN" sentence was one of the sentences I think the FCC is still unclear on. I'll have to contact them for clarification.

    In any event, I don't see how Skype is going to be technically able to enable the FBI to wiretap Skype-to-Skype calls. Doesn't seem technically feasible since it is peer-to-peer (though with supernodes) and has encryption. Though I suppose any encryption can be cracked.


  1. Randell Jesup :
    September 27, 2005 1:43 PM

    Overall it's crystal-clear to me. They don't say anywhere it has to be easy to do, just that you have to do it. If you can't, well that's your problem - you're out of business (in the US).

    The reality (both for Vonage and Skype) is that IP-to-IP calls would have to go through a proxy that can tap the streams. And *if* CALEA requires that it not be obvious to the caller that it's being tapped, then ALL calls will have to go through a proxy. Which means added costs for the service provider and added delay for the user. (Skype may not have added costs directly, but increased loading on their subscribers with open ports for proxying).

    Even Skype _can_ do this if they want (and under this rule they must); they already have a automatic proxy mechanism in place. If they need to keep it secret whether the call was tapped, they'll need to make sure two "open" phones calling each other still go through another node as a relay, so the caller can't tell if the relay is innocent or the FBI.

    Side effect - if you have an IP-to-IP service, and want to enhance it with a VoIP offering via a third party, the fact that the third party has CALEA servers/etc doesn't really help you. The only loophole would be for that to be an independant service contracted for separately by the user.

    BTW, as should be obvious, this is all about the requirements on VoIP service providers (Vonage, Skype, FWD - and it doesn't matter if it's free). The order also applies CALEA to all broadband access, period (and in fact almost any non-private network with switches or routers). This means that a user's calls (and web browsing, etc) must be interceptable and recordable by the ISP, and this is a separate requirement from VoIP. Effectively the widens the FCC's regulations and the FBI's wiretapping to the entire internet (or at least that part of it accessed through a US provider.)


  1. Randell Jesup :
    September 28, 2005 9:15 AM

    Bingo. From CNET today, confirmation that wiretap ability will be required by the FBI in PC software:

    "According to the three-page document, to preserve the openness that characterizes today's Internet, "consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement." Read the last seven words again.

    The FCC didn't offer much in the way of clarification. But the clearest reading of the pronouncement is that some unelected bureaucrats at the commission have decreeed that Americans don't have the right to use software such as Skype or PGPfone if it doesn't support mandatory backdoors for wiretapping. (That interpretation was confirmed by an FCC spokesman on Monday, who asked not to be identified by name. Also, the announcement came at the same time as the FCC posted its wiretapping rules for Internet telephony.) "

    So, you can forget having secure communications, period. And this opens up a HUGE hole for people to exploit - one of the side-effects of a system designed to make tapping easy is that people other than the intended ones (law enforcement with judicial/legal right to do so) will tap you. Competitors, hackers, agents who don't care about your constitutional rights, etc, all can find ways to turn on the tapping. Not to mention that it strongly discourages companies from introducing encrypted communications (even ones designed to be legally tappable).

    Note also that this implies it will be illegal to use software on the internet that the FBI doesn't like. Can you say "police state"? Learn.

    Note: I'm one of the libsrtp developers. SRTP can be tappable or untappable; that's dependant on the session setup at higher levels to negotiate keys, identity and transport.


  1. John Todd :
    September 30, 2005 3:22 PM

    This will get uglier. Definitions are going to become very important.

    I think one of the easiest ways to remove CALEA compliance is to ditch the PSTN. SIP URI dialing, or non-E.164 dialing strings would make PSTN interconnect impossible directly, or certainly "non-intiutive" which may release operators from CALEA compliance. However, that may be ruled in either directon. In the current climate of fear and stupidity, I would suspect lawmakers would sink this option as well if given the chance to puff up their law-and-order image.

    Even in a VoIP network that does not touch the PSTN or use E.164 numbering, it is possible for a rogue endpoint(s) to connect to the PSTN as a gateway or two-stage dialing system. Does this automatically classify the entire network and all other endpoints as falling into CALEA jurisdiction? If so, then it is impossible to have _any_ communications mechanism for voice that does not fall into CALEA. Dangerous waters.

    What about corporate PBX systems? Do these fall into CALEA compliance? They are not explicitly exempted, but I've not seen anyone point at them. How about systems whose proxies and controlling companies are overseas? I've advised several ITSPs to move offshore in years past, and they've simply scoffed at me for being paranoid - I'm being polite and not poking them with the "Itoldjaso" stick yet.

    Most people don't understand what CALEA compliance actually is. It is not merely the ability to tap phone lines or get a PIN register. There is a very specific and immensely complex document that outlines the interfaces and requirements for CALEA intercept or monitoring - it is a protocol, and in some cases a physical interface.

    Here is a reference for (possibly older) CALEA specifications:
    http://ftp.tiaonline.org/tr-45/tr452/Incoming/LAES/J-STD-025A.pdf

    JT


  1. Jason :
    September 30, 2005 7:02 PM

    "As defined in our recent VoIP E911 Order,107 interconnected VoIP services include those VoIP services that: (2) require a broadband connection from the user’s location;"

    Skype doesn't require a broadband connection. It can be used with dial up.


  1. John Todd :
    October 1, 2005 12:53 PM

    That's a good point, and one that bears investigating. Currently, the FCC definition of "broadband" is 200kbps. See link below. Now, I have basic SIP RTP streams that will work just fine over 56kbps modems with GSM or G.729. If I was really a masochist, I could probably (with VAD) put two G.729 streams over dial-up using IAX trunking, and that's assuming 28.8k uplink and 56k down.

    So did the CALEA provisions just hoist themselves by their own definition petards?

    http://www.newnetworks.com/FCCbroadbandrelease070705.htm

    JT


  1. Randell Jesup :
    October 3, 2005 10:15 AM

    No, their provisions hold and apply most VoIP services, low-bandwidth or not. They applied CALEA to any broadband ISP (>200Kbps). Separately, they applied it to any VoIP provider connected to the PSTN even indirectly. So Skype is covered. A dialup-only ISP doesn't have to implement CALEA (and they also haven't applied it to things like WiFi hotspots, even though they're broadband - yet.

    The only way to avoid CALEA for VoIP calls (for the moment) will be to use a dial-up-only ISP and use a VoIP service with no PSTN connectivity.

    There may not be a lot of dial-up-only ISPs by the time this goes into effect....


(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)