Yesterday the IT Association of America released a report decrying the move by the FCC to apply the Communications Assistance for Law Enforcement Act to VoIP traffic. The report's authors are an illustrious bunch, including Internet and security luminaries Vint Cerf, Steve Bellovin, Whitfield Diffie and Jon Peterson.
The key charge levelled by the report is that the Feds want to make VoIP over the Internet work like the PSTN, simply so that it is amenable to wiretapping. This turns the Internet notion of the stupid network upside-down, replacing it with centralized switching and control. The report points out that once a call is set up between two parties, the VoIP service provider(s) involved don't necessarily play any role in routing the IP packets that carry the actual conversations, making interception problematical.
This is especially a problem for P2P-based services like Skype, which would be covered by the proposed CALEA regulations, simply because they offer PSTN interconnection through services such as SkypeIn and SkypeOut. A close reading of the regulations indicates that the mere interconnection of a VoIP network with the PSTN would render all calls entirely within the VoIP network subject to the purview of CALEA, even if they don't touch the PSTN. To quote the FCC ruling:
To be clear, a service offering is “interconnected VoIP” if it offers the capability for users to receive calls from and terminate calls to the PSTN; the offering is covered by CALEA for all VoIP communications, even those that do not involve the PSTN. Furthermore, the offering is covered regardless of how the interconnected VoIP provider facilitates access to and from the PSTN, whether directly or by making arrangements with a third party.
This can also be interpreted to mean that if any subscriber to a VoIP service can be reached at a phone number through that service, or can make an outgoing call to the PSTN somehow, then all subscribers to the service are subject to CALEA.
This is less of a problem for the likes of Vonage, who simply provide PSTN replacement, as the VoIP phone calls usually do transit the networks of the VoIP service providers, in contrast to the scenario described in the ITAA report. There is one principal reason for this: a service provider has to provide media proxies to allow subscribers behind firewalls to communicate with each other, and those proxies naturally sit at the boundary of the VoIP service provider's network. Since the majority of VoIP subscribers have broadband routers that provide network address translation and firewalling, most (if not all) calls will be routed via media proxies.
These media proxies are commonly known in the industry as session border controllers, and they are much more than simply rendezvous points for firewalled subscribers: they provide firewalling for the service provider's own network, allowing in authenticated VoIP signaling and media traffic while protecting it from VoIP-borne threats. This processing of both the call signaling and the call contents makes them ideal for -- you guessed it -- wiretapping.
So, are the concerns of Vint Cerf and his colleagues misplaced? Those looking simply to replace the PSTN with something a little more flexible and a little cheaper can simply use session border controllers for CALEA; those wanting to create innovative P2P communities, bypassing the PSTN altogether, are probably OK (wiretapping then becomes the responsibility of the broadband access provider); but those wanting to marry innovation with the PSTN had best watch out.
The FCC's deadline for VoIP service providers to comply with CALEA is 14 May 2007. It will be interesting to see whether SkypeIn and SkypeOut are still available then.