S.2281 Hearing (was: Justice Dept: Wiretaps...)

John Todd jtodd at loligo.com
Mon Jun 21 00:20:52 UTC 2004


At 12:30 AM -0400 on 6/20/04, John Curran wrote:
>At 12:06 AM -0400 6/20/04, Sean Donelan wrote:
>[snip]
>>It sounds good, if you assume there will always be a PSTN.  But it's
>>like defining the Internet in terms of connecting to the ARPANET.
>
>Correct.  It's a workable interim measure to continue today's practice
>while the edge network is transitioning to VoIP.  It does not address
>the more colorful long-term situation that law enforcement will be in
>shortly with abundant, ad-hoc, encrypted p2p communications.
>
>>What about Nextel's phone-to-phone talk feature which doesn't touch
>>the PSTN?  What about carriers who offer "Free" on-net calling, which
>>doesn't connect to the PSTN and off-net calling to customers on the
>>PSTN or other carriers.
[snip]

[I've been writing this over the past day or so in bursts; apologies 
if this re-hashes what others have said more succinctly or elegantly. 
I think there are still some points in here that haven't been 
addressed by others, so I'll respond to the most recent sub-thread]

I think that while the debate about CALEA's short-term legislative 
extension to cover VoIP services is certainly interesting and scary, 
I fail to see how it will be relevant in the coming years as the 
market progresses.  Because of the quickly growing diversity of VoIP 
technology, interconnection methods, and customer/vendor hierarchies, 
I do not believe it will be possible to enforce (or even legislate) 
an interception policy that is effective without extensive and 
draconian technical and legal methods.

Comments to support my thesis:

   1) In the debate thus far, it does seem reasonable that PSTN calls 
are subject to CALEA.  It even sounds reasonable that services that 
interconnect from VoIP networks to the PSTN are subject to CALEA. 
But what information must be provided during an "interconnect"?  What 
_is_ an "interconnect", anyway?  If I have a service that hands off a 
call from my customer's SIP home media gateway to another carrier's 
SIP gateway device, am I obligated to tell the other carrier the real 
caller ID of the caller?  Does caller ID provide adequate 
identification?  What if there isn't a "real" caller ID?  Which one 
of us must be subjected to CALEA rules?  Both?  How about a 
residential gateway (SIP->FXO) that participates in a global P2P mesh 
co-op to allow cheap/free local calls anywhere?  (Hint: that's 
coming.)  Is every member of such a mesh subject to CALEA?


  2) Perhaps the most relevant point to my thesis is that the "service 
provider" may not fall under the jurisdiction of United States law, 
but that does not preclude them from offering service in the US that 
is equivalent to vendors who _do_ reside in the US.  I will note that 
this is NANOG, and not USANOG.  While the US has a significant 
influence in North American (and worldwide) intercept legislation, it 
certainly cannot require other nations to implement the same policy. 
We're all running scared about what the US will do, but it is a 
tempest in a teapot for providers who are packet-based and 
potentially mobile, or who are already outside of the USA.

      Some sub-comments on geography/national authority:

       a) Do you think that Skype (domain registered in Luxembourg, 
company in the Netherlands?) or any other non-US P2P network or 
software provider will implement CALEA into its software or service 
because of threats by the US Department of Justice?  Consistently?

       b) Do you think that it will be illegal for overseas firms to 
contract with IP->PSTN gateway providers in the USA for call 
termination because the origins of their calls are unknown and thus 
are indistinguishable by CALEA intercepts from non-targeted calls?

       c) Do you think that it will be illegal for US Citizens or 
residents to send encrypted SRTP (or other media) streams to IP->PSTN 
gateways that are outside of the United States, where CALEA does not 
apply?

       d) More broadly: Do you think it should or will be illegal to 
accept or generate a communication method without some authoritative 
method to trace the origin or destination of the communication?  If 
you answer "No", then CALEA grows more worthless by the day.  If you 
answer "Yes", then how does your government apply this across 
national boundaries, and more importantly, how does a government 
technically enforce it without becoming a police state?

       e) Do you think any company will be inclined to stay in the US 
if the cost of doing business increases by X% due to CALEA 
requirements?  To what number can X% rise before they close up shop 
and move offshore?  I can tell you from firsthand experience that all 
the VoIP providers I've talked with are running on the assumption 
that they can deploy their models on 10-20% of the costs of a 
traditional telco, and even a slight deviation in this will send them 
scattering to look for alternatives to whatever costs are presented. 
Look at the on-line gambling industry for very relevant examples of 
this diaspora effect.


  3) It seems that the most easily graspable part of the industry is 
to somehow apply rules to any entity that uses number space out of 
the North American Numbering Plan (NANP) that is ultimately overseen 
by the US Government.  It's easy for the FTC/DOJ/FCC to say "You 
don't get the right to use, route, or sub-allocate numbers unless you 
adhere to our CALEA requirements, and force all your customers to 
adhere to those requirements as well."  That sounds easy, and it 
might even be possible.... for a while.  This quickly changes when 
non-US or non-national numbering (+878, anyone?) becomes more 
accepted by domestic US customers, and is completely irrelevant to 
those services which don't use NANP space and just provide anonymous 
or semi-anonymous gateways for outbound and two-stage dialing for 
inbound (see FWD, Voiceglo, and others for examples of this.)  I 
think again CALEA will fall into a chaotic jumble by trying to apply 
laws to service providers or software developers to enforce basic 
identification criteria when those criteria will lose relevance in 
the next few years.
    Note: the long arm of the law having its hand on NANP allocations 
might be a pretty good "tax" handle as well - watch out for the 
triple-whammy of taxes, CALEA, and E911 being tied to NANP numbers, 
as has been discussed before in other forums with very visible 
momentum of approval.  This has positive and negative results.  Of 
this method of control/taxation, I haven't decided if I'm in favor or 
not.

   4) The last comment will agree with another comment made here 
previously: the smart (and possibly the most dangerous) criminals and 
terrorists will use widely-available crypto, tunnels, or darknets to 
move their VoIP packets.  CALEA agencies have got to get the method 
of interception closer to the source or destination of the 
communications to overcome these obstacles.  Are we implementing this 
huge expense, inconvenience, and market uncertainty to catch only 
dumb criminals, or should these energies and funds be focused 
elsewhere to have possibly "better" results?


PS: anyone want to draft the "US Telecommunications Discipline Pact"?  ;-)

PPS: Yes, I do run an ITSP, but these comments reflect my personal 
views, and not necessarily those of my current employer.

JT



