FCC: If you want privacy, call VoIP-to-VoIP

The FCC has decided that they are going to require "facilities-based broadband Internet access and interconnected VoIP services" to provide CALEA access by May 14, 2007:
The current CALEA proceeding was initiated in response to a Joint Petition filed by the Department of Justice, Federal Bureau of Investigation, and Drug Enforcement Administration in March 2004. These parties asked the Commission to address several issues so that industry and Law Enforcement would have clear guidance as CALEA implementation moves forward. The First Report and Order in this proceeding concluded that facilities-based broadband Internet access and interconnected VOIP providers were covered by CALEA. This Order addresses remaining issues raised in this proceeding and provides certainty that will help achieve CALEA compliance, particularly for packet-mode technologies.

First, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway.

I think "facilities-based broadband Internet access" means "ISPs" and "interconnected VoIP services" seems to mean VoIP providers which connect to the PSTN. As I've mentioned before, tapping VoIP calls where they gateway to the PSTN is straightforward, since the encryption obviously has to end at the PSTN boundary. So, the real question for me is whether VoIP providers which do gateway to the PSTN (like Skype) are going to be required to provide CALEA access to calls which never go through the PSTN. If the protocols have been designed properly--which is to say, with end-to-end encryption between the clients--then this should be pretty difficult.

In the particular case of Skype, because they (1) control the CA and (2) control the clients, they can mount a man-in-the-middle attack on the connections, and the FCC could require them to be able to do so. Such an attack is theoretically detectable in some circumstances (if you've talked to the other person before, you can cache their public key) but one could imagine the feds requiring Skype's software not to do this. None of this applies to open VoIP systems which let you use your own software, since it's not clear that the FCC has jurisdiction to require manufacturers who aren't service providers to do anything.


Another way Skype could enable its users to detect MITM attacks would be for the client to display a hash of the shared AES key. In a MITM attack, each side has a different key, so if the users read their hashes to each other, they will detect the difference.

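The fingerprint comparison suggested in the comment above, as an added example that is not part of the original post or of Skype's software: a toy Diffie-Hellman exchange shows both sides displaying the same value on a direct call and different values when an intermediary substitutes the keys. The group parameters, function names and fingerprint format are assumptions made for the demo.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this demo (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 128-bit (AES-sized) key from the Diffie-Hellman shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

def fingerprint(key):
    """Short hash of the session key, the value each client would display."""
    h = hashlib.sha256(b"call-fingerprint:" + key).hexdigest()[:8]
    return f"{h[:4]}-{h[4:]}"

def place_call(relay_substitutes_keys):
    """Return the fingerprints shown on the caller's and the callee's screens."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes_keys:
        # An intermediary that controls key distribution hands each side its
        # own public value, so it ends up sharing a different key with each.
        _, r_pub = keypair()
        seen_by_a, seen_by_b = r_pub, r_pub
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
    return (fingerprint(session_key(a_priv, seen_by_a)),
            fingerprint(session_key(b_priv, seen_by_b)))

def users_detect_interception(relay_substitutes_keys):
    """True when the two fingerprints read aloud do not match."""
    caller, callee = place_call(relay_substitutes_keys)
    return caller != callee

if __name__ == "__main__":
    for tampered in (False, True):
        caller, callee = place_call(tampered)
        print(f"relay substitutes keys={tampered}: {caller} vs {callee} ->",
              "MISMATCH" if caller != callee else "match")
```

As with the key caching mentioned in the post, the check only helps if the client software computes and displays the value honestly.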