Is CALEA compliance achievable and/or realistic?

For those not in the know, CALEA is the Communications Assistance for Law Enforcement Agencies – meaning it’s all about getting the bad guys.  There are many facets to the law and one can learn more at Ask CALEA.  A big part of helping the cops is “tapping” or “snooping” on the evil-doers’ phone calls.  Here’s the thing – VoIP and the entire “Converged” model of communications makes it more difficult to tap these calls.  I don’t believe that I am going out on a limb here, or telling anyone what they don’t already know.  It’s more that I am reinforcing some preconceived notions.

Tapping VoIP calls is more difficult than TDM calls for one simple reason: VoIP is a connection-oriented application (voice) using a connection-LESS medium (IP) as transport. As a result of using a connection-less medium, the transport path can’t be safely assumed. There’s no deterministic route that everything to or from an “evil-doer” traverses. Without that knowledge, where do you “tap”? One option would be to “tap” every possible path that communications could take, but the cost involved with that is astronomical. The other option is to ensure deterministic routing, or force routing in a way that makes things “interceptable”. This problem lessens the closer to the intercept target the tap is placed, but there are still use cases where communications are “load-balanced” across multiple broadband connections, say both cable and DSL broadband access to a home. One could easily set up routing to use both networks simultaneously. For me, this would mean that Time Warner would get half of my conversation, and my DSL provider (Frontier) would get the other half.
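To make the “half a conversation” problem concrete, here is an added simulation that is not part of the original post: one RTP stream is spread over two home uplinks, and a tap sitting on a single uplink is compared against a deterministic per-flow policy that keeps the whole stream on one path. The uplink names, addresses, ports and the use of CRC32 as a stand-in for a router’s flow hash are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): simulate one RTP stream being
split across two residential uplinks and show what a tap on a single uplink
observes, versus a deterministic (per-flow) routing policy that keeps the
whole stream on one path. Uplink names, addresses and ports are constructed."""
from dataclasses import dataclass
import zlib

SEQ_MOD = 1 << 16           # RTP sequence numbers are 16 bits and wrap
UPLINKS = ("cable", "dsl")  # constructed names for the two access providers


@dataclass(frozen=True)
class RtpPacket:
    seq: int
    ssrc: int
    src: str
    dst: str
    sport: int
    dport: int


def make_stream(n, start_seq=65530):
    """Constructed call leg: n consecutive RTP packets from one sender.
    start_seq is near the top of the range so the wraparound case is exercised."""
    return [RtpPacket((start_seq + i) % SEQ_MOD, 0x1234ABCD,
                      "192.0.2.10", "198.51.100.20", 10000, 20000)
            for i in range(n)]


def per_packet_round_robin(pkts):
    """Policy A: spread packets one at a time over both uplinks."""
    return {p: UPLINKS[i % len(UPLINKS)] for i, p in enumerate(pkts)}


def per_flow_hash(pkts):
    """Policy B: pin the whole 5-tuple flow to one uplink. CRC32 stands in
    for whatever flow hash a real router uses (assumption for illustration)."""
    def pick(p):
        key = f"udp {p.src}:{p.sport} -> {p.dst}:{p.dport}".encode()
        return UPLINKS[zlib.crc32(key) % len(UPLINKS)]
    return {p: pick(p) for p in pkts}


def tap(pkts, assignment, uplink):
    """What an intercept point placed on a single uplink collects, in order."""
    return [p for p in pkts if assignment[p] == uplink]


def inferred_missing(captured):
    """Packets the tap did not see, inferred from gaps between consecutive
    captured RTP sequence numbers (modulo 2**16). Only gaps between captured
    packets are countable; anything lost before the first or after the last
    captured packet is invisible to this check."""
    missing = 0
    for a, b in zip(captured, captured[1:]):
        missing += (b.seq - a.seq) % SEQ_MOD - 1
    return missing


def capture_report(pkts, assignment, uplink):
    """Summarise completeness of a single-uplink capture of the stream."""
    captured = tap(pkts, assignment, uplink)
    return {
        "uplink": uplink,
        "captured": len(captured),
        "inferred_missing": inferred_missing(captured),
        "fraction_of_stream": len(captured) / len(pkts),
    }


def uplinks_used(assignment):
    """Which uplinks a policy actually sent packets over."""
    return sorted(set(assignment.values()))


if __name__ == "__main__":
    stream = make_stream(100)
    rr = per_packet_round_robin(stream)
    for u in UPLINKS:
        print("round-robin:", capture_report(stream, rr, u))
    pinned = per_flow_hash(stream)
    print("per-flow uplinks used:", uplinks_used(pinned))
    for u in UPLINKS:
        print("per-flow:", capture_report(stream, pinned, u))
```

Under the round-robin policy each provider’s tap sees exactly half the packets, and the RTP sequence gaps let the collecting side prove that its copy is incomplete without ever seeing the other half. Under the per-flow policy every packet of the 5-tuple lands on one uplink, which is the “force deterministic routing” option in the paragraph above: a tap on that uplink is complete, a tap on the other uplink is empty.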

So now for some outstanding questions that linger in my mind on CALEA:

- What about Skype or other peer-to-peer communications? How is that addressed by the govt and LEAs?
- Is it beyond comprehension that SRTP (encrypted media) might be outlawed by our govt because it’s not “interceptable”?
- To what extent are equipment and software vendors held accountable to create “interceptable” flows? If it’s mandated by our govt, then what’s preventing them from moving and setting up shop in a country that doesn’t have such regulations?
- Do the rules apply to “on-net” call flows where the PSTN is not involved at all?

The bad guys and evil-doers, especially the more sophisticated ones, are going to use cryptography, encrypted tunnels and encrypted peer-to-peer communications as well – so this raises the question: is all the trouble, expense and hassle worth it? Is it even plausible?

Adam “voiploser” Uzelac

auzelac – Mon, 2006-12-04 14:58

Vendors Can Not Support CALEA On Time... deadline May 14...

Diving into CALEA, what I find scary is vendors like AcmePacket will not have code revisions complete until late April (version 5.0 for the SD platform). The CALEA deadline is May 14. (that's tomorrow in the software development world)

Many companies will either not make the CALEA compliance deadline and face unknown punishments (rumors from legal departments everywhere of $10k a day until you are compliant), or providers face the option of recklessly dropping half-tested code into a production network and crossing their fingers in the hope it works. And that's only if AcmePacket meets their target date of "late April." I don't know about you, but I've never seen a code release on time without a dozen or more bugs; those delivered "on time" are followed by a dozen or more point releases to correct the faults.

How does a VoIP provider explain to his customers that the network is down hard because he had to deploy untested/partially tested code into the production network? And he did so, because the FCC required it...

And we haven't even touched on the cost to implement a solution that is compliant; even if a provider can outsource to a Trusted Third Party (TTP), the cost is extremely high for smaller companies.

And of course, there remains the question, will CALEA do any good?
(if a certain congressman had kept his mouth shut, we'd still be listening in on the satellite phones the bad guys thought could not be tapped...) But now you've got me headed down the political front... I'll stop here...

-Guy Fawkes
...remember, remember...

Guy Fawkes – Wed, 2007-02-14 17:27

RE: Vendors Can Not.....

I hear you loud and clear on heading down the slippery political front....ARG...Couple things. Firstly, as I understand it the penalty is 10k a day THE SP CAN'T MAKE GOOD ON A TRAP REQUEST from the LEA. This is different than a crazy 10k a day after May 14th. Also, there are ways to trap calls that don't involve a dependency on code from SBC vendors. That doesn't mean it's cheaper though. ;) They always *ahem* "take advantage of you" at the drive-thru, Joe Pesci-style. (from one of the Lethal Weapon movies)

Adam "voiploser" Uzelac

auzelac – Wed, 2007-02-14 17:55

So just what exactly are we s

So just what exactly are we small facilities based providers supposed to do? Pay thousands of dollars to some "trusted third party provider" to be compliant. This entire thing is a joke.

Anonymous (not verified) – Wed, 2007-01-31 21:08

re: So just what exactly...

I agree 100%.  Something else that should bother the folks that must come into compliance is the lobbying efforts of these "trusted third party" providers, ensuring CALEA stays on the books! 

Adam "voiploser" Uzelac

auzelac – Thu, 2007-02-01 10:25

CALEA compliance

You've touched on some interesting technical challenges, Adam. Wouldn't it be ironic to find that these hurdles were actually protecting well-intended employees from prosecution? Recall that in August, a federal court in Michigan ruled that the Bush administration’s NSA program to monitor the phone calls and e-mails of millions of Americans without warrants is unconstitutional and must be stopped. ACLU (11/14/2006) News Release

Paul Tranby (not verified) – Thu, 2006-12-07 11:53

RE: CALEA compliance

What you mention was just back in August of 2006 - but how about [[http://www.epic.org/privacy/terrorism/usapatriot/foia/0606iob1.pdf|this]] hum-dinger....?

Here's a snip from it...

US Patriot Act Violation?

auzelac – Thu, 2006-12-07 14:25
