CALEA necessary for VoIP

You probably didn't celebrate May 14, the date set by the FCC for carriers to be in compliance with the Communications Assistance for Law Enforcement Act, or CALEA, rules, which require public carriers to be able to lawfully intercept IP and voice-over-IP sessions.

Lost in the political hubbub over possible illegal wiretapping of U.S. citizens is that it is mostly us good guys who can be wiretapped — legally or illegally. Smart bad guys know to use VoIP, which is almost impossible to intercept in the U.S. This is especially true for encrypted VoIP, the preferred way enterprise-based VoIP sessions are done to avoid eavesdropping, denial of service attacks on your phone system, etc. Enterprises were exempt from the CALEA rules, and providing the key for decryption to operators and public authorities is not in the cards anyway. (Enterprises may be exempt from CALEA because they are private communications; however, that does not preclude them from getting a court order for an interception.)

I am not a fan of Big Brother or illegal wiretapping, but it is disconcerting that a critical piece of homeland security is not yet a meaningful part of our networking and law enforcement arsenals.

Some quick history: Unlike IP communications, tapping traditional TDM voice is a straightforward process generally performed through interfaces to switching systems. The delivery of intercepted data to law enforcement by carriers usually follows a standard. But it took years for switch and monitoring vendors and operators to adapt their TDM systems to handle CALEA-compliant wiretapping — in many cases, long after FCC-mandated deadlines. Thus, it was no surprise that on May 14, many carriers were not CALEA compliant for IP and VoIP — or that it will be months or years before they are because the FCC seems disinterested in enforcement.

Everything about this is problematic. There is no checklist, test or certification authority that deems whether a IP or VoIP network is CALEA compliant. Also, in the mid-1990s, Congress allocated $500 million for carrier upgrades to their TDM networks. No such provision was made for IP and VoIP networks. Law enforcement is waiting for carriers to comply before updating their systems, so if/when an IP and/or VoIP operator wants to be compliant, they may find law enforcement agencies are unable to accept their intercepted signals. Federal agencies are generally ahead of the curve, but CALEA IP and VoIP interception is new to them, too.

Standards to provide “safe harbor” IP and VoIP compliance under CALEA have been published in the last few months. Getting equipment to work, however — especially interconnecting systems from multiple vendors — remains difficult and time-consuming, requiring interception experts' attention.

Although the government can covertly intercept IP, bringing IP interception to public networks — where ordinary technicians and police perform interception — is a complex matter. Dealing with technologies that assure isolation of targeted traffic (so users are not tapped); the privacy rights of targeted subscribers; and real-time collection, formatting and clean delivery of the data to law enforcement are non-trivial activities. Few IP carriers, let alone small ones, and most police departments have the expertise to implement IP and VoIP interception.

Plus, VoIP interception is inherently difficult. Call support data can take a different path than the media content on a VoIP call. Interception may have to occur at two or more separate points — from call managers, gateways, routers, etc. — while the data collection from these points and subsequent formatting and delivery all must be synchronized. Conversely, TDM interceptions of call data and content are usually from one switch point.

Finally, many equipment providers and integration services have jumped onto the CALEA bandwagon. These are often organizations that had no idea what CALEA was as little as four months ago. Buyer beware. It could get ugly.

Yes, smarter criminals know alternatives to avoid being wiretapped. CALEA interception of IP and VoIP will not mean interception of all such communications because of encryption challenges. However, it would be bad if the FCC continues to not get tough with the industry about compliance.

Peter A. Bernstein is president of Peter A. Bernstein Associates. He can be reached at pabernstein@optonline.net.