Citing security risks, network managers are lining up to oppose a proposal within the Internet engineering community to develop protocols that would make it easier for law enforcement agencies to intercept communications over the 'Net.
Network managers say any hole built into the Internet for legitimate law enforcement purposes would be abused by hackers, and the existence of such a hole could undermine consumer confidence in the Internet and slow the growth of electronic commerce.
"This proposal would be a big worry," says Chris Kozlov, network administrator for Arlington Industries, a Libertyville, Ill.-based distributor of imaging supplies that accepts online purchases via credit card. "Security is very important to our business because it's extremely important to our customers. . . . If you're putting in a back door to the Internet, somebody is going to eventually find it that isn't in law enforcement."
"I don't want it to be easier for someone to hack into my system. I want it to be difficult," says Dwight Gibbs, chief technical fool at The Motley Fool, an Alexandria, Va.-based Web site that features investment advice. "We give all of our information away for free . . . but we do have some stuff we would like to keep private."
The issue of whether a wiretapping capability should be built into the Internet promises to be the hottest topic at the next Internet Engineering Task Force (IETF) meeting, which will be held in Washington, D.C. in November.
Since the issue was put on the meeting agenda several days ago, e-mails have been flying between IETF members, many of whom oppose the idea.
Work sparks debate
The wiretapping debate emerged from the IETF's work on protocols to support telephony over the Internet. A wiretapping capability is built into central office telephone switches, and various countries, including the U.S., require carriers to intercept or report on communications at the request of government agencies. At issue is whether these requirements will apply to voice communications over the Internet.
There is no specific proposal coming from the U.S. government requiring carriers to support wiretapping over the Internet. However, there is an existing law - the Communications Assistance for Law Enforcement Act of 1994 (CALEA) - that requires carriers to have wiretapping capabilities built into the phone system and fines them $10,000 per day if they don't comply. Carriers are afraid that CALEA will apply to voice over IP.
Several IETF members who work for companies that manufacture telephone switches fear they won't be able to sell combined voice and data switches to carriers unless the switches support wiretapping. The members want to build wiretap support into a gateway protocol that converts voice traffic into Internet data packets.
The IETF's leadership decided to put the issue before the entire organization to determine if there is a consensus.
IETF Chair Fred Baker says the wiretap proposal would affect more than voice communications over the Internet.
"If I can tap voice communications, I can tap anything," he says. "I can tap keystrokes. I can tap files that are downloaded. The capability would wind up being used for all sorts of interceptions."
Baker is against the proposal.
"I don't think it's necessary to have anything in the protocols to support wiretapping," he says, adding that network sniffing equipment works fine. "All it would take [to intercept voice-over-IP conversations] is to open up a tunnel to the router . . . and then put in some kind of filter [like a sniffer] to see the traffic and fire a copy of it down this tunnel to somewhere else."
Also opposed to the idea is Keith Moore, director of the IETF's applications area. Moore argues that the IETF is an international organization and shouldn't be concerned about wiretapping laws in particular countries.
"The IETF has traditionally insisted on good security in its protocols despite the insistence by some in government and law enforcement that they need to be able to eavesdrop on network communications," he says.
Helping the feds?
Regardless of how the IETF votes on this proposal, network managers who employ encryption may end up supporting wiretaps of Internet traffic more frequently. When communications are encrypted over the 'Net, carriers can't intercept them, so the burden of supporting wiretaps is on the organization that is sending or receiving the information.
"Today, corporate network managers are not required by federal statute to help support wiretapping," says Scott Bradner, director of the IETF's transport area and initiator of the wiretapping debate. Bradner predicts that in the future, when voice, data and video are all sent over the Internet, network managers "may be asked by the legal powers that be to provide unencrypted data."
Liability concerns
The issue of liability for wiretapping may influence the type of encryption that corporate network managers buy. If encryption occurs at the desktop, the network manager can't intercept the communication. But if encryption occurs at a device on the edge of the network, the network manager can intercept the communication on its way to the desktop.
"If I could encrypt everything that came in and out of the company, I would," Arlington Industries' Kozlov says.
The company already encrypts employee e-mail, as well as purchase orders that come in over the 'Net.
"The whole idea behind encryption is to prevent people from looking at information. What would be the point if wiretapping were built into the Internet?" he asks.
Another concern for network managers is that the cost of combined voice and data equipment is likely to rise if wiretapping capabilities are built in.
"It doesn't seem reasonable to require everyone to build wiretapping into their equipment, which is going to increase costs," Moore says.
RELATED LINKS
The IETF's position on technology to support legal intercept
IETF position paper and call for discussion.
Raven mailing list
IETF mailing list on which the issue is being discussed. Includes an archive of posts on the topic.
Details of the IETF's meeting in Washington, D.C.
The Information Age - Piracy and Privacy
A paper from iTree. Delves into the use of e-mail and electronic commerce for wiretapping.
