North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: S.2281 Hearing (was: Justice Dept: Wiretaps...)

  • From: John Todd
  • Date: Sun Jun 20 20:26:30 2004 
At 12:30 AM -0400 on 6/20/04, John Curran wrote:

At 12:06 AM -0400 6/20/04, Sean Donelan wrote:
[snip]
 >It sounds good, if you assume there will always be a PSTN.  But its

like defining the Internet in terms of connecting to the ARPANET.

Correct.  It's a workable interim measure to continue today's practice
while the edge network is transitioning to VoIP.  It does not address
the more colorful long-term situation that law enforcement will be in
shortly with abundant, ad-hoc, encrypted p2p communications.


What about Nextel's phone-to-phone talk feature which doesn't touch
the PSTN?  What about carriers who offer "Free" on-net calling, which
doesn't connect to the PSTN and off-net calling to customers on the

 >PSTN or other carriers.
[snip]

[I've been writing this over the past day or so in bursts; apologies if this re-hashes what others have said more succinctly or elegantly. I think there are still some points in here that haven't been addressed by others, so I'll respond to the most recent sub-thread]

I think that while the debate about CALEA's short-term legislative extension to cover VoIP services is certainly interesting and scary, I fail to see how it will be relevant in the coming years as the market progresses. Because of the quickly growing diversity of VoIP technology, interconnection methods, and customer/vendor hierarchies, I do not believe it will be possible to enforce (or even legislate) an interception policy that is effective without extensive and draconian technical and legal methods.

Comments to support my thesis:

1) In the debate thus far, it does seem reasonable that PSTN calls are subject to CALEA. It even sounds reasonable that services that interconnect from VoIP networks to the PSTN are subject to CALEA. But what information must be provided during an "interconnect"? What _is_ an "interconnect", anyway? If I have a service that hands off a call from my customer's SIP home media gateway to another carrier's SIP gateway device, am I obligated to tell the other carrier the real caller ID of the caller? Does caller ID provide adequate identification? What if there isn't a "real" caller ID? Which one of us must be subjected to CALEA rules? Both? How about a residential gateway (SIP->FXO) that participates in a global P2P mesh co-op to allow cheap/free local calls anywhere? (Hint: that's coming.) Is every member of such a mesh subject to CALEA?


2) Perhaps the most relevant point to my thesis is that the "service provider" may not fall under the jurisdiction of United States law, but that does not preclude them from offering service in the US that is equivalent to vendors who _do_ reside in the US. I will note that this is NANOG, and not USANOG. While the US has a significant influence in North American (and worldwide) intercept legislation, it certainly cannot require other nations to implement the same policy. We're all running scared about what the US will do, but it is a tempest in a teapot for providers who are packet-based and potentially mobile, or who are already outside of the USA.

Some sub-comments on geography/national authority:

a) Do you think that Skype (domain registered in Luxembourg, company in the Netherlands?) or any other non-US P2P network or software provider will implement CALEA into it's software or service because of threats by the US Department of Justice? Consistently?

b) Do you think that it will be illegal for overseas firms to contract with IP->PSTN gateway providers in the USA for call termination because the origins of their calls are unknown and thus are un-distinguishable by CALEA intercepts from non-targeted calls?

c) Do you think that it will be illegal for US Citizens or residents to send encrypted SRTP (or other media) streams to IP->PSTN gateways that are outside of the United States, where CALEA does not apply?

d) More broadly: Do you think it should or will be illegal to accept or generate a communication method without some authoritative method to trace the origin or destination of the communication? If you answer "No", then CALEA grows more worthless by the day. If you answer "Yes", then how does your government apply this across national boundaries, and more importantly, how does a government technically enforce it without becoming a police state?

e) Do you think any company will be inclined to stay in the US if the cost of doing business increases by X% due to CALEA requirements? To what number can X% rise before they close up shop and move offshore? I can tell you from firsthand experience that all the VoIP providers I've talked with are running on the assumption that they can deploy their models on 10-20% of the costs of a traditional telco, and even a slight deviation in this will send them scattering to look for alternatives to whatever costs are presented. Look at the on-line gambling industry for very relevant examples of this diaspora effect.


3) It seems that the most easily graspable part of the industry is to somehow apply rules to any entity that uses number space out of the North American Numbering Plan (NANP) that is ultimately overseen by the US Government. It's easy for the FTC/DOJ/FCC to say "You don't get the right to use, route, or sub-allocate numbers unless you adhere to our CALEA requirements, and force all your customers to adhere to those requirements as well." That sounds easy, and it might even be possible.... for a while. This quickly changes when non-US or non-national numbering (+878, anyone?) becomes more accepted by domestic US customers, and is completely irrelevant to those services which don't use NANP space and just provide anonymous or semi-anonymous gateways for outbound and two stage dialing for inbound (see FWD, Voiceglo, and others for examples of this.) I think again CALEA will fall into a chaotic jumble by trying to apply laws to service providers or software developers to enforce basic identification criteria when those criteria will lose relevance in the next few years.
Note: the long arm of the law having it's hand on NANP allocations might a pretty good "tax" handle as well - watch out for the triple-whammy of taxes, CALEA, and E911 being tied to NANP numbers, as has been discussed before in other forums with very visible momentum of approval. This has positive and negative results. Of this method of control/taxation, I haven't decided if I'm in favor or not.

4) The last comment will agree with another comment made here previously: the smart (and possibly the most dangerous) criminals and terrorists will use widely-available crypto, tunnels, or darknets to move their VoIP packets. CALEA agencies have got to get the method of interception closer to the source or destination of the communications to overcome these obstacles. Are we implementing this huge expense, inconvenience, and market uncertainty to catch only dumb criminals, or should these energies and funds be focused elsewhere to have possibly "better" results?


PS: anyone want to draft the "US Telecommunications Discipline Pact"? ;-)

PPS: Yes, I do run an ITSP, but these comments reflect my personal views, and not necessarily those of my current employer.

JT