IP Convergence: Beyond VoIP, Beyond Cost Savings

This one is a beauty - on Jan. 10th of this month, the ACLU issued a statement that reported that a FBI wiretap was "unplugged" due to a lack of payment.  The ACLU is quick to point out that this action was taken from the same telecoms that permitted the tap without the proper approvals...

From Michael German, ACLU National Security Policy Counsel: "It seems the telecoms, who are claiming they were just being "good patriots" when they allowed the government to spy on us without warrants, are more than willing to pull the plug on national security investigations when the government falls behind on its bills."

Adam "voiploser" Uzelac
DISCLAIMER: The comments here are mine only. They don't necessarily reflect intelligence, refined thoughts, or anything that the reader should take too seriously. Should the reader expect a polished thought process in the content addressed here, then a strong dose of medication should be prescribed to address that misconception.

Femtocells the Answer?

There have been some very interesting developments in the wireless world as of late.  Femtocells are basically Access Point Base Stations that permit wireless operators to extend coverage in places where “dead spots” are problematic.  This sounds like a great idea for those that have experienced the issues where a wireless phone call drops due to one moving into an area where coverage is “shady” at best – for instance an elevator or a remote location in a campus or building.  But with this concept, comes some problems that need to be resolved, like E911, Lawful Intercept and other such governmental obligations.  

First note the informal poll below from www.cellcoverege.com - this is a problem the industry wants to address.

Poll: How do DropZones Affect You?

Annoying & inconvenient (36%)

Cannot replace home phone (15%)

Creates a safety gap (13%)

Crimping social life (16%)

Poor reflection on business (14%)

Other (5%)

Femtocells have been designed to use licensed and unlicensed wireless spectrum.  In the licensed scenarios, there are concerns around Interference with the already established towers that provide subscriber access.  There are limits to the number of adjacencies that mean special attention needs to be spent with regards to the placement of the femtocells. This concern stems from marketing such solutions direct to the consumer base, and this means a “willy nilly” approach to spectrum access for subscribers causes confusion with regards to E911 and Lawful Intercept requirements that mobile network operators much meet.

Though femtocells are gaining momentum as an alternative, there are concerns that first need to be addressed before an expectation of widespread use can be realized.

Adam “voiploser” Uzelac

DISCLAIMER: The comments here are mine only. They don’t necessarily reflect intelligence, refined thoughts, or anything that the reader should take too seriously. Should the reader expect a polished thought process in the content addressed here, then a strong dose of medication should be prescribed to address that misconception.

According to Wikipedia Deep Packet Inspection is “a form of computer network packet filtering that examines the data part of a through-passing packet, searching for non-protocol compliance or predefined criteria to decide if the packet can pass. This is in contrast to shallow packet inspection (usually called just packet inspection) which just checks the header portion of a packet.”

First off, this is a very real technology.  A quick search via google brought the company Bivio Networks to my attention. (* Disclaimer: I have no interest, financial or otherwise with this company.)  Bivio’s  7000 series claims that
“when fully configured, the 7000's application processing subsystem offers 45,000 MIPS -- enough to run "any IP network service" at wire speeds up to 10Gbps -- including IDS/IDP, firewalling, VPN, network surveillance, lawful interception, and application traffic management. Developers can use any of the standard Linux components (such as iptables) as part of their deep packet processing applications.

Now let’s look at some of the implications of DPI.  A very interesting article on here from ars technica puts things in an interesting light:

“Imagine a device that sits inline in a major ISP's network and can throttle P2P traffic at differing levels depending on the time of day. Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent. Imagine a device that protects against distributed denial of service (DDoS) attacks, scans for viruses passing across the network, and siphons off requested traffic for law enforcement analysis. Imagine all of this being done in real time, for 900,000 simultaneous users, and you get a sense of the power of deep packet inspection (DPI) network appliances.
Although the technology isn't yet common knowledge among consumers, DPI already gives network neutrality backers nightmares and enables American ISPs to comply with CALEA (government-ordered Internet wiretaps) reporting requirements. It also just might save the Internet (depending on who you believe). “
The power of this technology is simply awesome, and the impacts it can have are serious.  The current state of government mandated network monitoring forces some network operators to consider implementing this.  One word jumps to my mind, and that’s SCARY – and I am not referring to my driver’s license picture either!

By the way, did I mention that the above Bivio 7000 is listed at $10,000!

For those not in the know, CALEA is the Communications Assistance for Law Enforcement Agencies – meaning it’s all about getting the bad guys.  There are many facets to the law and one can learn more at Ask CALEA.  A big part of helping the cops is “tapping” or “snooping” on the evil-doers’ phone calls.  Here’s the thing – VoIP and the entire “Converged” model of communications makes it more difficult to tap these calls.  I don’t believe that I am going out on a limb here, or telling anyone what they don’t already know.  It’s more that I am reinforcing some preconceived notions.

Tapping VoIP calls is more difficult than TDM calls for one simple reason: VoIP is a connection-oriented application (voice) using a connection-LESS medium (IP) as transport.  As a result of using a connection-less medium, the transport path can’t be safely assumed.  There’s no deterministic route that everything to or from an “evil-doer” traverses. Without that knowledge, where do you “tap”?  One option would be to “tap” every possible path that communications could take, but the cost involved with that is astronomical.  The other option is to ensure deterministic routing, or force routing in a way that makes thing “interceptable”. This problem starts lessening the closer to the intercept target the tap is placed, but there are still use cases where communications are "load-balanced" across multiple broad-band communications, say both cable and DSL broadband access to a home.  One could easily setup routing to use both networks simultaneously.  For me, this would mean that Time Warner would get half of my conversation, and my DSL provider (Frontier) would get the other half. 

So now for some outstanding questions that linger in my mind on CALEA:

- What about SKYPE or other peer-to-peer communications?  How is that addressed by the govt and LEAs?
- Is it beyond comprehension that sRTP (encrypted media) might be outlawed by our govt because it’s not “interceptable”?
- To what extent are equipment and software vendors held accountable to create “interceptable” flows?  If it’s mandated by our govt, then what’s preventing them from moving and setting up shop in a country that doesn’t have such regulations?
- Do the rules apply to “on-net” call flows where the PSTN is not involved at all?  

The bad-guys and evil-doers, especially the more sophisticated ones, are going to use cryptography, encrypted tunnels and encrypted peer to peer communications as well – so this begs the question – is all the trouble, expense and hassle worth it? Is it even plausible?

Adam “voiploser” Uzelac

The other week, the ITAA held a seminar on data retention issues. I did not attend, but the write-ups I have seen sure make me wish I did. Readers of this blog will know that I have serious reservations and innumerable questions about the Department of Justice’s efforts to expand CALEA and otherwise impose themselves in communications media. Their new push to impose data retention requirements on ISPs and communications companies is just as disconcerting.

You would think the regular reports of leaked data, stolen data, and otherwise mishandled data over the past several years would have raised some red flags about the amount of data government and companies already store and the apparent lack of adequate safeguards. It certainly has caught the eye of state legislatures of which at least 22 have passed data protection laws.

Panelists at the ITAA event all recognized the pitfalls inherent in data retention schemes. These range from the breaches of data we have read so much about to the negative effect on competitiveness and innovation that will result as more companies locate their operations off-shore in order to avoid the burden of an overly-regulated Internet. Of course the irony of this all is that at the same time Congress and the FCC claim to want a "regulation-free" Internet, they are imposing incredibly burdensome regulations in the name of “security” and law enforcement.

This country could dramatically improve law enforcement and security if every citizen kept a daily log of their personal activities available for inspection. In a broadband environment, citizens could even upload it every night so law enforcement could correlate it to daily crime statistics. And the sad thing is, there are a significant number of people who probably think it is a good idea. But communications companies have a different stake in this game than consumers. Consumers have a “privacy” interest, but communications companies have a very real bottom line interest. The more invasive government is in communications media, the less it will be trusted and used by consumers.

I recognize that government has always enjoyed the cooperation of “the phone company.” The Church Committee provided a glimpse into Operation Shamrock and the EFF is shedding new light on its apparent resurrection. But when the telephone was a monopoly what could you do? Now with a vast array of communications media available, consumers have a choice and you can be sure that over time they will choose the media they trust most. And if that media is networked overseas or is not network based at all, who loses?

It is time for communications companies to stand up in defense of their own self-interest. Massive data collection and retention initiatives, sweeping surveillance requests, and other measures that effectively deputize communications companies in the “war on ____” (drugs, crime, terror, whatever the war du jour happens to be) may appear the patriotic thing to do, but it comes at a price and for communications media that price is steep.

Stepping Out and Stepping Up

I will be on vacation next week so there will be no new entries until the week of the 28th. (That’s the stepping out part.) But I couldn’t let the week go by without recognizing the ruling by U.S. District Judge Anna Diggs Taylor declaring the Bush Administration’s electronic eavesdropping program (I refuse to use their Orwellian phraseology) unconstitutional and in violation of the FISA Act. It was a wonderful result, despite the truncated rationale. The country would have been better served with a more complete, more in-depth review of relevant precedent, but I guess she figured it would be appealed no matter how much she wrote so why waste the time.

For those of us in the telecommunications industry, we need to consider more deeply the responsibility of the telecommunications service providers, particularly in light of the ability to collect customer data on a scale and scope previously unimaginable. Just consider what you could learn about someone if you knew their list of “favorite” web sites. Add to that a record of their actual Internet searches. Add to that a record of all of their home phone calls. Add to that a record of all of their mobile phone calls. Add to that a record of their actual conversations. Add to that a record of their DVR recordings and music downloads. It’s an incredible amount of information not only in terms of quantity, but quality as well.

The future of this industry depends on mass consumer adoption of all of these networked services. If consumers don’t have confidence that their use of networked services is at least a semi-private matter, they will revert to customer-premise based solutions or forego the activity all together. This industry is already under pressure from the Federal Communications Commission to improve their handling of Customer Proprietary Network Information (“CPNI”). At the same time, major carriers suspected of supporting the Bush Administration’s surveillance efforts face massive class-action suits. Disregard for customer privacy is not something this industry can afford.

I recognize the legitimate need of law enforcement for access to customer records. Handled properly, these records can prove invaluable to law enforcement, crime prevention, and even the prevention of terrorist activities. But once the apparatus for collecting this information is in place, it is so tempting to use it for a different purpose. And so easy too. It’s literally just a few key strokes in some instances. Without proper control over this, consumer confidence is going to suffer and eventually so will the industry’s future. Serious consideration should be given to an industry Code of Conduct and standards for record creation, retention, and destruction. We all want a networked (wired and wireless) future, but at what cost? All of those carriers seeking to provide the triple and quadruple play take note.
Knowledge is power and consumers are not going to allow this industry to become omnipotent.

There was news Friday that the DoJ is preparing a package of legislation that would essentially extend CALEA to the Internet and codify recent surveillance practices. While one can sympathize with the concern that new communications technologies can be used for nefarious purposes, at some point society has to decide when enough is enough. They are even talking about the ability to eavesdrop on X-Box chatter.

When is enough enough? A society in which every communication is subject to eavesdropping is a society that will soon be too afraid to communicate. And then too afraid to innovate. And then too afraid to invest. And then it is too late. You’d think that we would have learned something from a 40-some year cold war. While there were numerous reasons Soviet society was in such a sad state when it collapsed, the smothering presence of government in every day life was a big contributor. When you live your life in fear that someone is watching you, you soon become too afraid to do much of anything.

The telecommunications industry plays a critical role in today’s economic and social life. The industry’s success is dependent on striking the right balance between security and convenience. No one wants to use an insecure network for communication. Everyone wants instant access to the network anytime, anywhere. But a network that is always subject to government monitoring is neither secure nor convenient and it will be bypassed. Industry needs to rise to the occasion and establish the right balance. Acquiescence to government demands may seem the right thing to do now, but in the long run it will cost this industry, and society, dearly.

I usually defer to Paul when the topic revolves around regulatory affairs, but I can't let today's ruling from the U.S. Court of Appeals for the District of Columbia go by without a comment. It's not good for business and it's doesn't make sense. Here's why I think this. Firstly, the cost of implementing technology required to intercept and listen in on conversations without either party being aware is significant. So now we have just told all the "bad-guys" out there that the FBI might be listening. What do you think they are going to do? Let me think of the alternatives....Firstly there's Skype, which is proprietary therefore the only folks that know that a call is happening are the calling and called party, as well as E-bay (owners of skype). I don't believe that Skype will be required to become CALEA compliant, but I will check on that with Paul. Next there is the pre-paid phone option. So I am a bad guy and I need to make some calls. I could just walk up to my local Target or 7-11 and buy a pre-paid phone with cash. This is completely untraceable because the target is unknown from a phone-number perspective – Or - how about an old fashion calling card and pay phone. I know there's not many of those still around, but it’s still an option. The issue is identifying the target. So here we have some MORE legislation that will cause undue burden to an already over-regulated industry. Isn't this fun!?!?! Adam Uzelac

There were two significant votes in the past twelve hours. One was in the House of Representatives. The other was in the U.S. Court of Appeals for the District of Columbia.

The House passed the COPE Act. and defeated Ed Markey’s net neutrality amendment.

The U.S. Court of Appeals for the District of Columbia voted to uphold the FCC’s decision to apply CALEA to facilities-based broadband service and interconnected VoIP services.

While seemingly unrelated, the fact is these decisions go hand-in-hand. If you have net neutrality, you don’t need all this fancy equipment to identify and track different traffic types on the network. Then what would law enforcement do? How would they eavesdrop on virtually all Internet communications?

Without net neutrality, phone companies are free to invest in the facilities and equipment necessary to identify, track and trace all sorts of Internet traffic.

So you see, you can’t have one without the other. These two votes, from two different branches of government, on two different days, really are about the same thing.

For those of you who lament the loss of net neutrality, you really should lament the loss of privacy. Maybe all your efforts to fight net neutrality can now be put to good use.

The irony of the information age is that for all its potential to educate, illuminate, and inform the populace as never before, it holds equal, if not greater, potential to indoctrinate, confuse, and deceive the populace. And therein lies the rub.

Imagine a “smart government” that made decisions based on facts not lobbyists. Couldn’t society greatly improve the delivery of government services, the allocation of citizen tax dollars, and the deployment of government resources if it had better information? In other words, couldn’t we form a more perfect union if we had more perfect information? After all, in The Wealth of Nations, Adam Smith said one of the three criteria for a perfect market is perfect information. The same holds true for government.

Shouldn’t we give government all of the information it requires to govern effectively? Shouldn’t we report our income to the penny so the proper amount of taxes could be with held? After all, this information is already held by employers, banks, and investment advisors.

Shouldn’t we report all of our spending so that the government can more precisely target taxes? After all, this information is already held by credit card companies, super markets, and virtually every other retailer.

Shouldn’t we report our every movement so that the government could easily account for everyone’s whereabouts at the scene of a crime? After all, toll collectors, airlines, credit card companies and cell phones already establish an electronic map of our whereabouts.

Shouldn’t we report our health status so the government can better track and prepare for diseases, epidemics, and viruses? Couldn’t government deliver better health care if it had better information about patients’ health?

Shouldn’t we register all of our purchases with the federal government to reduce property thefts? After all, if all purchases were registered, then recovery and return of stolen goods would improve dramatically. Credit card companies already retain the necessary information.

Shouldn’t everyone register with the federal government so that we can enforce our immigration laws? After all, you sign in at your gym? Why can’t you sign in with the federal government?

Shouldn’t we give the government our telephone records and Internet search queries? After all, the phone companies and search engines already collect this information?

A lot of people could probably be convinced of the merits of each of these proposals individually, or even collectively. John Walker’s essay printed in the Fall 2003 edition of Knowledge, Technology, and & Policy made a persuasive argument for total control of Internet content (even though he is opposed to it).

Logic would dictate these results and to a great extent we have already decided that it is ok to provide this information to the private sector with few enforceable limits or controls. We have done so as part of a macro quid pro quo with private enterprise getting the information they want in exchange for consumers getting the products they want. Shouldn’t the same dynamic hold in the public sector? We all want fair income taxation, swift justice, an effective health care system, secure borders, and to be safe from terrorists. So why don’t we simply provide the same information we provide to the private sector to our government?

Quite simply, the decisions made in the private sector are individual decisions. And while one could argue about the degree to which consumers truly can exercise choice in the marketplace, the fact of the matter is it is an individual choice to provide complete and accurate information to the private sector in exchange for goods and services. Consumers could provide partial or false information or they could provide none at all. How many times have you been asked for your phone number or zip code at the checkout counter and simply made one up or refused? I always do.

But when it comes to government, it is not an individual choice. It may be a choice of the majority of elected representatives, or the voting majority, but it is not a choice of the majority of people living in this country. Worse still, it may simply be, as it appears to be with the government’s “total information awareness” program, a decision of a very few zealots in the darkest recesses of our government.

And this is where a few bad apples spoil the whole bunch. The problem with sharing information with the government is that once the apparatus is established to collect, analyze and act on information it is extremely easy for individuals to abuse the process for their own purposes. Today the government may be monitoring for calls to al Qaeda, but how easy is it for someone with access to the monitoring program to begin monitoring for calls to the National Rifle Association? Who would know the search parameters were changed or new parameters were added? Power corrupts and absolute power corrupts absolutely. If you provide the government with the tools to know everything, they will use those tools – benevolently and malevolently. We have met the enemy…and he is us.