Law & Policy

Report slams US VoIP-tapping policy

It'll give hackers a helping hand, say security specialists

Tags: wiretapping, voip

By Declan McCullagh

Published: 13 June 2006 08:45 GMT

Federal regulations in the US stating police must be able to tap into internet phone conversations with ease are coming under renewed attack from academics, engineers and one of the net's founding fathers.

A 21-page study to be released today says it's impossible for the government to expect all products that use voice over IP, or VoIP, to comply with the Federal Communications Commission's (FCC) September 2005 requirement mandating wiretapping backdoors for government surveillance. That requirement is backed by the Bush administration.

The study, organised by the Information Technology Association of America (Itaa), says that because VoIP relies on a fundamentally different network architecture from that of traditional phone lines, such a mandate would pose "enormous costs" to the industry and could even introduce significant security risks.

The nine contributors include Vint Cerf, Google's chief internet evangelist and one of the net's founding fathers; Steven Bellovin and Matt Blaze, both prominent computer security professors; Clinton Brooks, a former National Security Agency official; and engineers from Intel and Sun Microsystems.

The report follows a ruling on Friday by a federal appeals court in Washington, DC, that upheld the legality of the FCC's wiretapping regulations. Librarians, community colleges, and companies including Sun had challenged the rules, saying the FCC did not have the authority to extend the Communications Assistance for Law Enforcement Act to the internet. (The decision may be appealed.)

Even without the FCC rules, which are scheduled to take effect in May 2007, police have the legal authority to conduct internet wiretaps - the FBI's Carnivore system was designed to do precisely that.

The controversy over the FCC mandatory wiretapping regulations comes as the Bush administration is facing increasing congressional pressure over its telephone and internet surveillance program overseen by the National Security Agency. AT&T is being sued in a separate case in San Francisco over allegations it co-operated in a way that violated federal privacy laws.

The nature of VoIP could also elevate the risk that authorities aren't eavesdropping on the person they originally had in mind, the Itaa report's authors argue. Because it's theoretically simple for an individual to acquire multiple VoIP phone numbers, "recognising and tracking the multiple identities that are so natural to the internet lifestyle would be taxing".

In addition, the study says, allowing full access by law enforcement would almost certainly require overhauling inherently decentralised networks to allow for certain points where interception would take place - and open up new security risks in the process. That's because such an arrangement would arguably make it easier for hackers to capture identity information and passwords, engage in "man-in-the-middle alteration of data", or potentially spoof the communications going on.

Though there may be some security concerns, the benefits of mandating wiretapping access outweigh the costs, according to Tim Richardson, senior legislative liaison for the Fraternal Order of Police. (Many police organisations petitioned the FCC in favour of the wiretapping rules.)

Richardson said: "If that was going to increase the propensity for crime, that's something that law enforcement would take a look at. But the adaptability of technology is so great in this day and age that I have a high degree of faith in the initiative that [companies would employ to find something] that's not as costly and doesn't compromise the security of their networks."

Declan McCullagh writes for CNET News.com
