[5890] in cryptography@c2.net mail archive
IP: IETF considers building wiretapping into the Internet
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Oct 13 00:30:17 1999
To: cryptography@c2.net
From: "Perry E. Metzger" <perry@piermont.com>
Date: 13 Oct 1999 00:03:12 -0400
Message-ID: <87ln97nbzz.fsf@lazarus.piermont.com>

I thought this forward from "Interesting People" would be of interest.

------- Start of forwarded message -------
Message-Id: <v04220807b429b072f0f4@[209.179.157.137]>
Date: Tue, 12 Oct 1999 20:44:03 -0700
From: David Farber <farber@cis.upenn.edu>
Subject: IP: IETF considers building wiretapping into the Internet
>
>
>http://www.wired.com/news/politics/0,1283,31853,00.html
>
> Wiretapping the Net: Oh, Brother
> by Declan McCullagh (declan@wired.com)
>
> 2:00 p.m. 12.Oct.99.PDT
> Since its humble beginnings as a
> 15-person committee in 1986, the
> Internet Engineering Task Force has had
> one guiding principle: To solve the
> problems of moving digital information
> around the world.
>
> As attendance at meetings swelled and
> the Internet became a vital portion of
> national economies, the
> standards-setting body has become
> increasingly important, but the engineers
> and programmers who are members
> remained focused on that common goal.
>
> No longer.
>
> The IETF is now debating whether to wire
> government surveillance into the next
> generation of Internet protocols. The
> issue promises to cause the most
> acrimonious debate the venerable group
> has ever experienced and could have a
> lasting effect on privacy online.
>
> To reach even a preliminary decision in a
> special plenary session of the IETF
> meeting in Washington next month,
> attendees must weigh whether law
> enforcement demands are more important
> than communications security and
> personal privacy -- a process that places
> technology professionals in the unusual
> position of taking a prominent political
> stand.
>
> "As Internet voice becomes a wider
> deployed reality, it is only logical that the
> subject has to come up," IETF chairman
> Fred Baker said. "We are deciding to bring
> it up proactively rather than reacting to
> something later in the game."
>
> The wiretapping issue arises as the IETF
> is wrestling with another prominent
> privacy issue in IPv6, the slated
> next-generation Internet protocol. As
> outlined, the proposal would include the
> unique serial number for each computer's
> network connection hardware as part of
> its expanded address.
>
> Many governments, including the United
> States, require telephone companies to
> configure their networks so police can
> easily wiretap calls. As more phone calls
> flow through the Internet, some experts
> predict that the FBI and similar agencies
> will demand additional surveillance
> powers.
>
> If the IETF takes no action and
> governments require IP telephony firms to
> use snoopable products, some veteran
> task force members fret that companies
> might simply start to use technology that
> won't talk to products from other
> manufacturers. It's a noxious prospect for
> a standards-setting body like IETF.
>
> Even worse: The products may divulge
> more information to an eavesdropper or
> introduce further security holes.
>
> "The basic problem is that the
> government will probably demand of IP
> telephony the rules that govern
> wiretaps," said University of Pennsylvania
> electrical engineering professor Dave
> Farber, a board member of the Electronic
> Frontier Foundation and the Internet
> Society. "...I wish we didn't have the law.
> But given that the law is there, it's wiser
> to make sure it just applies to the stuff
> that's IP telephony and not all of our data
> traffic."
>
> It's unclear whether the 1994
> Communications Assistance to Law
> Enforcement Act (CALEA), which requires
> wiretapping access, applies to IP
> telephony firms.
>
> "There are two independent questions to
> answer," says Chris Savage, a
> Washington attorney who represents
> Internet providers and phone companies.
> "First, is the provider of the service a
> 'telecommunications carrier' under the
> law? If the answer's no, CALEA does not
> apply. If you are a telecommunications
> carrier under the law and using packet
> communications, the FCC has said that
> compliance doesn't kick in until
> September 2001."
>
> Even if CALEA does apply to products IP
> telephony firms may use, the IETF can
> simply ignore what legislators say, as the
> group did when supporting stronger
> encryption standards than what
> governments preferred.
>
> IETF Chairman Baker said the organization
> has not received any direct requests from
> the FBI or other law enforcement
> officials, and some members of the media
> gateway control working group brought
> up the subject in August during a
> discussion on a mailing list. "Megaco's"
> goal is to figure out how to replace a
> telephone company's traditional phone
> switch with digital controllers.
>
> Some of the megaco members work for
> telephone companies that have long since
> bowed to law enforcement demands, and
> they seemed ready to compromise. One
> poster from Nortel Networks wrote on 24
> August that he hoped "our architecture
> allows government agencies to do what
> they require."
>
> But the IETF area director, Harvard
> University's Scott Bradner, said he
> thought the issue was too important to
> be decided by the handful of members in
> a working group. He brought it up during
> a September conference call of the
> Internet Engineering Steering Group,
> which acts as the IETF's executive
> committee.
>
> The IESG then decided the full
> membership should try to reach a rough
> consensus at the November meeting.
> Bradner and another IESG member
> created a mailing list for the topic and
> drafted an announcement released
> Monday.
>
> Privacy advocates say they're concerned.
> "If the mindset of the technical people
> involved in IETF has gotten to the point
> that they're voluntarily developing
> surveillance capabilities, that's a very
> disappointing development. The Internet
> community has been fighting to protect
> privacy from government intrusion for
> years and the IETF now appears to be
> doing the government's work," says David
> Sobel, general counsel for the Electronic
> Privacy Information Center.
>
> "Why doesn't the IETF start working on a
> key escrow encryption protocol? Where
> does it end if they're going to start
> anticipating what government mandates
> might be?"
>
> Jeff Schiller, an IESG member and MIT
> network manager, predicted libertarian
> sentiments would prevail at the November
> meeting.
>
> "We should not be building surveillance
> technology into standards. Law
> enforcement was not supposed to be
> easy. Where it is easy, it's called a police
> state," Schiller said.
>
> Schiller pointed to previous IETF decisions
> -- immortalized in a policy document,
> numbered 1984, which affirmed the
> group's opposition to weakening security
> to aid in government surveillance.
>
> More recently, the IETF agreed to include
> encryption in IPv6 even though US
> government regulations restrict its
> export.
>
> Peter Neumann, principal scientist at SRI
> International and moderator of the RISKS
> Digest, said the debate over wiretapping
> is similar to the one over encryption
> backdoors: Both imperil security.
>
> "It's the same argument. You're trying to
> put in a mechanism that's essentially
> misusable, corruptible, and
> compromisable. And you can't do it
> securely given the infrastructures we
> have. It's basically impossible," Neumann
> said.
>
> "The problem is any system or protocol
> that has a fundamental trap door in it is
> going to be misused ... Building in things
> that are fundamentally flawed does not
> make sense."
>
>###
------- End of forwarded message -------