January 2nd, 2004


Guess who's listening in...!

Cryptome.org just got an interesting new government-restricted document today on how the FBI does/can do surveillance on voice-over-IP calls. This is particularly of interest to me, in that I worked for a VoIP provider for quite a while.

It's not easy reading unless you're used to this kind of stuff. It reads like a doc written by a telco expert which has been reviewed by lawyers, with the controversial bits left intentionally vague and full of acronyms.

For instance, the phrase...
"In CGVoP networks, certain key functionality and features are or could be provided by CPE."
...means that the FBI -- if they deem it technically useful or necessary -- will have "the talk" with the manufacturer of the phone/telco equipment in your house, in order to allow for the monitoring of your calls. Of course, similar features are built into switching and routing equipment as well, which is located in the local phone carrier's central offices. There is even a suggestion in the document that authentication between equipment in the customer's house and equipment in the central offices will not occur unless such features are in place.

This cooperation between telco businesses and government is required according to the 1994 Communications Assistance for Law Enforcement Act. If you wondered why you never heard about CALEA, it is probably because it was rushed through Congress on the last night of the 1994 congressional session, with no real public debate or input on the matter.

One has to wonder how these security issues play out. Do overseas customers "import" US security by default? Can organizations like the NSA or the CIA use it for spying on people? Are these features enabled in hardware or in software? Can they be bypassed? Questions, questions...