IP Convergence: Beyond VoIP, Beyond Cost Savings - CALEA

and from the "No taps for you" department...

Tue, 15 Jan 2008 15:06:53 +0000

This one is a beauty - on Jan. 10th of this month, the ACLU issued a statement that reported that a FBI wiretap was "unplugged" due to a lack of payment. The ACLU is quick to point out that this action was taken from the same telecoms that permitted the tap without the proper approvals...

From Michael German, ACLU National Security Policy Counsel: "It seems the telecoms, who are claiming they were just being "good patriots" when they allowed the government to spy on us without warrants, are more than willing to pull the plug on national security investigations when the government falls behind on its bills."

Adam "voiploser" Uzelac
DISCLAIMER: The comments here are mine only. They don't necessarily reflect intelligence, refined thoughts, or anything that the reader should take too seriously. Should the reader expect a polished thought process in the content addressed here, then a strong dose of medication should be prescribed to address that misconception.

Femtocells the Answer?

Mon, 14 Jan 2008 17:30:00 +0000

Femtocells the Answer?

There have been some very interesting developments in the wireless world as of late. Femtocells are basically Access Point Base Stations that permit wireless operators to extend coverage in places where “dead spots” are problematic. This sounds like a great idea for those that have experienced the issues where a wireless phone call drops due to one moving into an area where coverage is “shady” at best – for instance an elevator or a remote location in a campus or building. But with this concept, comes some problems that need to be resolved, like E911, Lawful Intercept and other such governmental obligations.

First note the informal poll below from www.cellcoverege.com - this is a problem the industry wants to address.

Poll: How do DropZones Affect You?

Annoying & inconvenient (36%)

Cannot replace home phone (15%)

Creates a safety gap (13%)

Crimping social life (16%)

Poor reflection on business (14%)

Other (5%)

Femtocells have been designed to use licensed and unlicensed wireless spectrum. In the licensed scenarios, there are concerns around Interference with the already established towers that provide subscriber access. There are limits to the number of adjacencies that mean special attention needs to be spent with regards to the placement of the femtocells. This concern stems from marketing such solutions direct to the consumer base, and this means a “willy nilly” approach to spectrum access for subscribers causes confusion with regards to E911 and Lawful Intercept requirements that mobile network operators much meet.

Though femtocells are gaining momentum as an alternative, there are concerns that first need to be addressed before an expectation of widespread use can be realized.

Adam “voiploser” Uzelac

DISCLAIMER: The comments here are mine only. They don’t necessarily reflect intelligence, refined thoughts, or anything that the reader should take too seriously. Should the reader expect a polished thought process in the content addressed here, then a strong dose of medication should be prescribed to address that misconception.

Ready for a scary thing? Deep Packet Inspection!

Thu, 02 Aug 2007 18:57:49 +0000

According to Wikipedia Deep Packet Inspection is “a form of computer network packet filtering that examines the data part of a through-passing packet, searching for non-protocol compliance or predefined criteria to decide if the packet can pass. This is in contrast to shallow packet inspection (usually called just packet inspection) which just checks the header portion of a packet.”

First off, this is a very real technology. A quick search via google brought the company Bivio Networks to my attention. (* Disclaimer: I have no interest, financial or otherwise with this company.) Bivio’s 7000 series claims that
“when fully configured, the 7000's application processing subsystem offers 45,000 MIPS -- enough to run "any IP network service" at wire speeds up to 10Gbps -- including IDS/IDP, firewalling, VPN, network surveillance, lawful interception, and application traffic management. Developers can use any of the standard Linux components (such as iptables) as part of their deep packet processing applications.

Now let’s look at some of the implications of DPI. A very interesting article on here from ars technica puts things in an interesting light:

“Imagine a device that sits inline in a major ISP's network and can throttle P2P traffic at differing levels depending on the time of day. Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent. Imagine a device that protects against distributed denial of service (DDoS) attacks, scans for viruses passing across the network, and siphons off requested traffic for law enforcement analysis. Imagine all of this being done in real time, for 900,000 simultaneous users, and you get a sense of the power of deep packet inspection (DPI) network appliances.
Although the technology isn't yet common knowledge among consumers, DPI already gives network neutrality backers nightmares and enables American ISPs to comply with CALEA (government-ordered Internet wiretaps) reporting requirements. It also just might save the Internet (depending on who you believe). “
The power of this technology is simply awesome, and the impacts it can have are serious. The current state of government mandated network monitoring forces some network operators to consider implementing this. One word jumps to my mind, and that’s SCARY – and I am not referring to my driver’s license picture either!

By the way, did I mention that the above Bivio 7000 is listed at $10,000!

Is CALEA compliance achievable and/or realistic?

Thu, 07 Dec 2006 15:13:23 +0000

For those not in the know, CALEA is the Communications Assistance for Law Enforcement Agencies – meaning it’s all about getting the bad guys. There are many facets to the law and one can learn more at Ask CALEA. A big part of helping the cops is “tapping” or “snooping” on the evil-doers’ phone calls. Here’s the thing – VoIP and the entire “Converged” model of communications makes it more difficult to tap these calls. I don’t believe that I am going out on a limb here, or telling anyone what they don’t already know. It’s more that I am reinforcing some preconceived notions.

Tapping VoIP calls is more difficult than TDM calls for one simple reason: VoIP is a connection-oriented application (voice) using a connection-LESS medium (IP) as transport. As a result of using a connection-less medium, the transport path can’t be safely assumed. There’s no deterministic route that everything to or from an “evil-doer” traverses. Without that knowledge, where do you “tap”? One option would be to “tap” every possible path that communications could take, but the cost involved with that is astronomical. The other option is to ensure deterministic routing, or force routing in a way that makes thing “interceptable”. This problem starts lessening the closer to the intercept target the tap is placed, but there are still use cases where communications are "load-balanced" across multiple broad-band communications, say both cable and DSL broadband access to a home. One could easily setup routing to use both networks simultaneously. For me, this would mean that Time Warner would get half of my conversation, and my DSL provider (Frontier) would get the other half.

So now for some outstanding questions that linger in my mind on CALEA:

- What about SKYPE or other peer-to-peer communications? How is that addressed by the govt and LEAs?
- Is it beyond comprehension that sRTP (encrypted media) might be outlawed by our govt because it’s not “interceptable”?
- To what extent are equipment and software vendors held accountable to create “interceptable” flows? If it’s mandated by our govt, then what’s preventing them from moving and setting up shop in a country that doesn’t have such regulations?
- Do the rules apply to “on-net” call flows where the PSTN is not involved at all?

The bad-guys and evil-doers, especially the more sophisticated ones, are going to use cryptography, encrypted tunnels and encrypted peer to peer communications as well – so this begs the question – is all the trouble, expense and hassle worth it? Is it even plausible?

Adam “voiploser” Uzelac

The Trouble With Data Retention

Mon, 09 Oct 2006 18:31:40 +0000

The other week, the ITAA held a seminar on data retention issues. I did not attend, but the write-ups I have seen sure make me wish I did. Readers of this blog will know that I have serious reservations and innumerable questions about the Department of Justice’s efforts to expand CALEA and otherwise impose themselves in communications media. Their new push to impose data retention requirements on ISPs and communications companies is just as disconcerting.

You would think the regular reports of leaked data, stolen data, and otherwise mishandled data over the past several years would have raised some red flags about the amount of data government and companies already store and the apparent lack of adequate safeguards. It certainly has caught the eye of state legislatures of which at least 22 have passed data protection laws.

Panelists at the ITAA event all recognized the pitfalls inherent in data retention schemes. These range from the breaches of data we have read so much about to the negative effect on competitiveness and innovation that will result as more companies locate their operations off-shore in order to avoid the burden of an overly-regulated Internet. Of course the irony of this all is that at the same time Congress and the FCC claim to want a "regulation-free" Internet, they are imposing incredibly burdensome regulations in the name of “security” and law enforcement.

This country could dramatically improve law enforcement and security if every citizen kept a daily log of their personal activities available for inspection. In a broadband environment, citizens could even upload it every night so law enforcement could correlate it to daily crime statistics. And the sad thing is, there are a significant number of people who probably think it is a good idea. But communications companies have a different stake in this game than consumers. Consumers have a “privacy” interest, but communications companies have a very real bottom line interest. The more invasive government is in communications media, the less it will be trusted and used by consumers.

I recognize that government has always enjoyed the cooperation of “the phone company.” The Church Committee provided a glimpse into Operation Shamrock and the EFF is shedding new light on its apparent resurrection. But when the telephone was a monopoly what could you do? Now with a vast array of communications media available, consumers have a choice and you can be sure that over time they will choose the media they trust most. And if that media is networked overseas or is not network based at all, who loses?

It is time for communications companies to stand up in defense of their own self-interest. Massive data collection and retention initiatives, sweeping surveillance requests, and other measures that effectively deputize communications companies in the “war on ____” (drugs, crime, terror, whatever the war du jour happens to be) may appear the patriotic thing to do, but it comes at a price and for communications media that price is steep.

Stepping Out and Stepping Up

Sat, 19 Aug 2006 00:42:35 +0000

Stepping Out and Stepping Up

I will be on vacation next week so there will be no new entries until the week of the 28th. (That’s the stepping out part.) But I couldn’t let the week go by without recognizing the ruling by U.S. District Judge Anna Diggs Taylor declaring the Bush Administration’s electronic eavesdropping program (I refuse to use their Orwellian phraseology) unconstitutional and in violation of the FISA Act. It was a wonderful result, despite the truncated rationale. The country would have been better served with a more complete, more in-depth review of relevant precedent, but I guess she figured it would be appealed no matter how much she wrote so why waste the time.

For those of us in the telecommunications industry, we need to consider more deeply the responsibility of the telecommunications service providers, particularly in light of the ability to collect customer data on a scale and scope previously unimaginable. Just consider what you could learn about someone if you knew their list of “favorite” web sites. Add to that a record of their actual Internet searches. Add to that a record of all of their home phone calls. Add to that a record of all of their mobile phone calls. Add to that a record of their actual conversations. Add to that a record of their DVR recordings and music downloads. It’s an incredible amount of information not only in terms of quantity, but quality as well.

The future of this industry depends on mass consumer adoption of all of these networked services. If consumers don’t have confidence that their use of networked services is at least a semi-private matter, they will revert to customer-premise based solutions or forego the activity all together. This industry is already under pressure from the Federal Communications Commission to improve their handling of Customer Proprietary Network Information (“CPNI”). At the same time, major carriers suspected of supporting the Bush Administration’s surveillance efforts face massive class-action suits. Disregard for customer privacy is not something this industry can afford.

I recognize the legitimate need of law enforcement for access to customer records. Handled properly, these records can prove invaluable to law enforcement, crime prevention, and even the prevention of terrorist activities. But once the apparatus for collecting this information is in place, it is so tempting to use it for a different purpose. And so easy too. It’s literally just a few key strokes in some instances. Without proper control over this, consumer confidence is going to suffer and eventually so will the industry’s future. Serious consideration should be given to an industry Code of Conduct and standards for record creation, retention, and destruction. We all want a networked (wired and wireless) future, but at what cost? All of those carriers seeking to provide the triple and quadruple play take note.
Knowledge is power and consumers are not going to allow this industry to become omnipotent.

When is enough enough?

Tue, 11 Jul 2006 01:04:46 +0000

There was news Friday that the DoJ is preparing a package of legislation that would essentially extend CALEA to the Internet and codify recent surveillance practices. While one can sympathize with the concern that new communications technologies can be used for nefarious purposes, at some point society has to decide when enough is enough. They are even talking about the ability to eavesdrop on X-Box chatter.

When is enough enough? A society in which every communication is subject to eavesdropping is a society that will soon be too afraid to communicate. And then too afraid to innovate. And then too afraid to invest. And then it is too late. You’d think that we would have learned something from a 40-some year cold war. While there were numerous reasons Soviet society was in such a sad state when it collapsed, the smothering presence of government in every day life was a big contributor. When you live your life in fear that someone is watching you, you soon become too afraid to do much of anything.

The telecommunications industry plays a critical role in today’s economic and social life. The industry’s success is dependent on striking the right balance between security and convenience. No one wants to use an insecure network for communication. Everyone wants instant access to the network anytime, anywhere. But a network that is always subject to government monitoring is neither secure nor convenient and it will be bypassed. Industry needs to rise to the occasion and establish the right balance. Acquiescence to government demands may seem the right thing to do now, but in the long run it will cost this industry, and society, dearly.

The FBI/Police/etc and VoIP

Sat, 10 Jun 2006 02:10:26 +0000

I usually defer to Paul when the topic revolves around regulatory affairs, but I can't let today's ruling from the U.S. Court of Appeals for the District of Columbia go by without a comment. It's not good for business and it's doesn't make sense. Here's why I think this. Firstly, the cost of implementing technology required to intercept and listen in on conversations without either party being aware is significant. So now we have just told all the "bad-guys" out there that the FBI might be listening. What do you think they are going to do? Let me think of the alternatives....Firstly there's Skype, which is proprietary therefore the only folks that know that a call is happening are the calling and called party, as well as E-bay (owners of skype). I don't believe that Skype will be required to become CALEA compliant, but I will check on that with Paul. Next there is the pre-paid phone option. So I am a bad guy and I need to make some calls. I could just walk up to my local Target or 7-11 and buy a pre-paid phone with cash. This is completely untraceable because the target is unknown from a phone-number perspective – Or - how about an old fashion calling card and pay phone. I know there's not many of those still around, but it’s still an option. The issue is identifying the target. So here we have some MORE legislation that will cause undue burden to an already over-regulated industry. Isn't this fun!?!?! Adam Uzelac

Two votes, one goal

Fri, 09 Jun 2006 23:57:51 +0000

There were two significant votes in the past twelve hours. One was in the House of Representatives. The other was in the U.S. Court of Appeals for the District of Columbia.

The House passed the COPE Act. and defeated Ed Markey’s net neutrality amendment.

The U.S. Court of Appeals for the District of Columbia voted to uphold the FCC’s decision to apply CALEA to facilities-based broadband service and interconnected VoIP services.

While seemingly unrelated, the fact is these decisions go hand-in-hand. If you have net neutrality, you don’t need all this fancy equipment to identify and track different traffic types on the network. Then what would law enforcement do? How would they eavesdrop on virtually all Internet communications?

Without net neutrality, phone companies are free to invest in the facilities and equipment necessary to identify, track and trace all sorts of Internet traffic.

So you see, you can’t have one without the other. These two votes, from two different branches of government, on two different days, really are about the same thing.

For those of you who lament the loss of net neutrality, you really should lament the loss of privacy. Maybe all your efforts to fight net neutrality can now be put to good use.

Perfect Information

Fri, 26 May 2006 02:33:54 +0000

The irony of the information age is that for all its potential to educate, illuminate, and inform the populace as never before, it holds equal, if not greater, potential to indoctrinate, confuse, and deceive the populace. And therein lies the rub.

Imagine a “smart government” that made decisions based on facts not lobbyists. Couldn’t society greatly improve the delivery of government services, the allocation of citizen tax dollars, and the deployment of government resources if it had better information? In other words, couldn’t we form a more perfect union if we had more perfect information? After all, in The Wealth of Nations, Adam Smith said one of the three criteria for a perfect market is perfect information. The same holds true for government.

Shouldn’t we give government all of the information it requires to govern effectively? Shouldn’t we report our income to the penny so the proper amount of taxes could be with held? After all, this information is already held by employers, banks, and investment advisors.

Shouldn’t we report all of our spending so that the government can more precisely target taxes? After all, this information is already held by credit card companies, super markets, and virtually every other retailer.

Shouldn’t we report our every movement so that the government could easily account for everyone’s whereabouts at the scene of a crime? After all, toll collectors, airlines, credit card companies and cell phones already establish an electronic map of our whereabouts.

Shouldn’t we report our health status so the government can better track and prepare for diseases, epidemics, and viruses? Couldn’t government deliver better health care if it had better information about patients’ health?

Shouldn’t we register all of our purchases with the federal government to reduce property thefts? After all, if all purchases were registered, then recovery and return of stolen goods would improve dramatically. Credit card companies already retain the necessary information.

Shouldn’t everyone register with the federal government so that we can enforce our immigration laws? After all, you sign in at your gym? Why can’t you sign in with the federal government?

Shouldn’t we give the government our telephone records and Internet search queries? After all, the phone companies and search engines already collect this information?

A lot of people could probably be convinced of the merits of each of these proposals individually, or even collectively. John Walker’s essay printed in the Fall 2003 edition of Knowledge, Technology, and & Policy made a persuasive argument for total control of Internet content (even though he is opposed to it).

Logic would dictate these results and to a great extent we have already decided that it is ok to provide this information to the private sector with few enforceable limits or controls. We have done so as part of a macro quid pro quo with private enterprise getting the information they want in exchange for consumers getting the products they want. Shouldn’t the same dynamic hold in the public sector? We all want fair income taxation, swift justice, an effective health care system, secure borders, and to be safe from terrorists. So why don’t we simply provide the same information we provide to the private sector to our government?

Quite simply, the decisions made in the private sector are individual decisions. And while one could argue about the degree to which consumers truly can exercise choice in the marketplace, the fact of the matter is it is an individual choice to provide complete and accurate information to the private sector in exchange for goods and services. Consumers could provide partial or false information or they could provide none at all. How many times have you been asked for your phone number or zip code at the checkout counter and simply made one up or refused? I always do.

But when it comes to government, it is not an individual choice. It may be a choice of the majority of elected representatives, or the voting majority, but it is not a choice of the majority of people living in this country. Worse still, it may simply be, as it appears to be with the government’s “total information awareness” program, a decision of a very few zealots in the darkest recesses of our government.

And this is where a few bad apples spoil the whole bunch. The problem with sharing information with the government is that once the apparatus is established to collect, analyze and act on information it is extremely easy for individuals to abuse the process for their own purposes. Today the government may be monitoring for calls to al Qaeda, but how easy is it for someone with access to the monitoring program to begin monitoring for calls to the National Rifle Association? Who would know the search parameters were changed or new parameters were added? Power corrupts and absolute power corrupts absolutely. If you provide the government with the tools to know everything, they will use those tools – benevolently and malevolently. We have met the enemy…and he is us.

How Law Enforcement Undermines the “Dumb Pipe” Theory

Tue, 23 May 2006 00:34:25 +0000

ow Law Enforcement Undermines the “Dumb Pipe” Theory

For those of you who continue to hold out hope that the Internet would (notice the past tense) consist of “dumb pipes”, I can pretty much confirm for you that it ain’t gonna happen. I am attending the ISS conference in Arlington, referenced (ever so scandalously) in Wired online. While industry and government(s) are commingling, there is nothing untoward going on except perhaps the violation of various social graces as the foreign and domestic telecommunications and law enforcement worlds collide.

But I did have an epiphany of sorts while observing this crowd. The ISS show is really just another place for equipment vendors to hawk their goods. So as I was listening to the panel titled “Skype Control Management and Interrogation”, it dawned on me that the incumbent telecommunications industry and law enforcement have a perverse symbiotic relationship. Law enforcement seeks to track and identify as much detail as possible about global telecommunications traffic. So law enforceement imposes CALEA requirements on the industry.

The telecom equipment industry is more than happy to build government mandated boxes that perform “intelligent filtering”. When selling these boxes, vendors not only get to claim compliance with federal law, but they can pitch the added benefit for the incumbent service providers of being able to “intelligently filter” network traffic in support of their business plans. So the incumbents’ network investment in the technologies that undermine the “dumb pipe” theory is being subsidized by the U.S. government through its CALEA mandate and the prudent exercise of the cost reimbursement provisions of the law.

Don’t delude yourselves for a moment into thinking that some mamby pamby argument about ”keeping the Internet free” is going to stop this virtuous cycle. Law enforcement gets the information it wants. Equipment vendors get the sales they want. Incumbent operators get to intelligently filter their networks of all those nuisances otherwise known as competitors.

So it’s like I said, if you hope that the Internet will be “free”, you are in for a big disappointment. What would the incumbents do with all of that equipment law enforcement is giving them?

Off the books law enforcement

Fri, 05 May 2006 16:50:24 +0000

The FCC adopted its Second Report and Order and Memorandum Opinion and Order applying CALEA to “facilities-based broadband Internet access providers and interconnected voice over Internet protocol (VoIP) providers”. Susan Crawford provides some good background and interesting perspective, but there are several disturbing aspects of this action that go beyond the insular world of telecommunications.

Following the Department of Justice’s lead, the FCC has tortured the language of the Telecommunications Act of 1996 and the Communications Assistance for Law Enforcement Act of 1994 to conclude that the term “information services” has different meanings in the two statutes. The FCC was forced into this situation because of its determined effort to classify DSL services as “information services” and not as “telecommunications services” in the aftermath of the Brand-X decision. Since embarking on this course of action, the FCC has been doing everything ass-backwards ever since. Rather than have the courage of its convictions to affirmatively deregulate the Bell Companies, the FCC has instead chosen to re-define everything as an “information service” and then build up regulation of these services to suit the political and social aims of the Commission. They did it with E911 for VoIP providers and they are doing it again with this CALEA order.

Previously, services were either “telecommunications services”, with all of its attendant common carrier regulations or they were “information services” which were not regulated. Now, services may be regulated information services. How is it that the FCC was able to create this new category of services?

But as I said, this CALEA order has consequences far beyond the world of telecommunications. In its Order, the FCC refused to allow carriers to charge law enforcement for the capital expenditures necessary to make their networks CALEA compliant. The FCC also refused to adopt a national surcharge to recover CALEA costs. By denying carriers the right to recoup their costs for making their networks CALEA compliant, the Department of Justice and the FCC have effectively funded their surveillance activities “off the books”. Recall the Iran-Contra Affair of the Reagan Administration where the CIA funded its operations in Nicaragua by selling arms to Iran, bypassing the federal budget process and privatizing national security. Now the Department of Justice is bypassing the federal budget and getting the telecommunications industry to fund its wiretap efforts. And in light of the revelations coming out in the EFF class action suit against at&t, it appears that the federal government is continuing its efforts to privatize law enforcement and national security activities.

According to the 2004 Wiretap Report in 2004 there were 1,710 (legal) wiretaps executed in the United States at an average cost to law enforcement of just over $63,000 per wiretap. This does not include the costs incurred by the telecommunications carriers. The federal budget is a one of the ways that the citizenry curbs the power of government. If government is able to go off the books and fund its objectives, then I truly fear for the future of our “free” society.

As I write this, I am receiving word that the U.S. Court of Appeals for the District of Colombia was very skeptical of the FCC's defense of its first CALEA order and has serious doubts about the FCC's legal rationale surrounding the multiple definitions of information services. But I am sure there is also a takings case brewing here. After all, the government couldn't order every household to build a platform outside their window to allow the government to view inside without reimbursing people for their expense (never mind the absurdity of the suggestion), but that is exactly what they are doing with CALEA. They are requiring the industry to build a platform for the government to eavesdrop on virtually every communication and refusing to compensate the industry for their activity.

Of course compensation for the telecommunications industry should be the least of this country's worries. If you believe that VoIP is going to be a truly ubiquitous application embedded in virtually everything we do (including your voice recognition PCs), then you need to be concerned with how CALEA is being applied...unless you don't mind the government listening in on all of your electronic communications.