A group of companies which develop and implement lawful intercept solutions for VoIP have issued a “rebuttal” to a report from the IT Association of America (ITAA) spelling out potential obstacles for service providers in complying with the Communications Assistance for Law Enforcement Act (CALEA).

In June, the ITAA, a group of network engineers which includes Internet pioneer Vinton Cerf, issued a report outlining potential problems for VoIP service providers trying to meet a May 14, 2007 deadline for CALEA compliance. The report asserted, among other things, that the cost of installing equipment and contracting third party support in order to meet compliance was overly-burdensome for service providers, many of whom are struggling to make a profit from VoIP (which is currently being marketed to the public on the basis of its low cost).

In addition, the report also raises questions with regard to the ability to develop industry standards for CALEA as it applies to VoIP. Because there are many different types of VoIP service - some PSTN-based, some peer-to-peer based - some based on standards such as SIP, others based on proprietary code - the ITAA report asserts that it will be difficult, if not impossible, for law enforcement to develop a consistent and reliable methodology for harvesting call data. It asserts that the mixed bag of network infrastructures and signal types will make it very hard to achieve industry-wide compliance, and that service providers and network operators will need to modify, perhaps even compromise, their network architectures in order to adhere to the FCC’s (News - Alert) Order. This, in turn, will have a negative impact on innovation, as networks will not be able to “evolve” around the elements required for CALEA compliance.

The ITAA report also suggests that allowing law enforcement to create an “architected security breach” on a provider’s network will create a convenient “back door” for anyone looking to hack into that network, thus raising a potentially serious security concern. Similarly, the ITAA says CALEA compliance for VoIP providers could also lead to privacy concerns for customers.

The rebuttal from the Global Lawful Interception Industry Forum (GLIIF), however, refutes nearly every point raised in the ITAA report. The whitepaper, entitled “Security Implications in Applying the Communications Assistance for Law Enforcement Act and Related Requirement to Voice Over IP,” asserts that 1) network architecture is irrelevant when it comes to applying CALEA to VoIP, because there is a lawful intercept solution for every type of network, 2) there is no legal requirement to develop standards for CALEA compliance as it pertains to VoIP, therefore it is not necessary to develop any, 3) complying with CALEA is not prohibitively expensive, and in fact “costs less than a penny per subscriber per month,” 4) CALEA compliance makes networks more secure, not less, and 5) CALEA will not result in any privacy related issues beyond what exists under current wiretapping laws.

“Over the past decade, well-meaning technical experts have occasionally bandied together and launched critical campaigns against CALEA, including related laws imposing national security, consumer, and infrastructure protection requirements,” the GLIIF whitepaper (recently obtained by TMCnet through SS8 Networks) states. “With only minimal understanding of the actual legal and forensic requirements, such critics have typically produced dismissive pronouncements and papers asserting broad brush incompatibilities with contemporary network technologies, dismissing existing public policy and industry forums, and asserting unspecified ‘risks.’”

The whitepaper goes on to add that the only real risks involved “are the delays in implementing significant, trusted forensic capabilities for VoIP and other IP-Enabled services that include CALEA.”

“The species of cybercrime are multiplying as fast as the legitimate applications, and often scaling faster than number of users,” the whitepaper states. “This doesn’t even include non-economic crime such as protection against the terrorists, drug cartels, pedophiles, and other organizations and individuals with criminal intent. Forensic detection, analysis, and capture capabilities for these kinds of activities are needed no matter what the technology.”

In May of this year, the Federal Communications Commission adopted a “Second Report and Order and Memorandum Opinion and Order,” the primary goal of which is to ensure that Law Enforcement Agencies (LEAs) have the resources needed to conduct wiretapping through facilities-based broadband Internet access providers and interconnected VoIP providers. The decision to adopt the Order was based on a request from federal law enforcement agencies, made in the fall of 2005, which shed light on the fact that law enforcement lacks the technological means to tap VoIP calls and other forms of IP communications.

As per the Order, VoIP service providers need to have the appropriate equipment installed on their networks in order to facilitate lawful intercepts of call data. Basically, this is an “architected security breach” located at a point close to the edge of the network where law enforcement can tap in and harvest call record data, as well as record call content, which is then copied to an LEA’s secure network for storage and analysis. In May of this year, the FCC issued an additional Order requiring all VoIP service providers to have the appropriate security procedures in place by Aug. 1, 2006.

During an interview with TMCnet in July, Scott Coleman, director of marketing for lawful intercept, SS8 Networks - a provider of CALEA/VoIP solutions - said he was “surprised” by some of the assertions contained in the ITAA report, some of which he referred to as being “a bit over-the-top.” For one thing, he said although it is true that VoIP comes in a lot of different flavors and there are a lot of different types of network architectures used for delivery, that doesn’t necessarily mean it will be impossible to come up with a lawful intercept solution for each type of VoIP service.

“First of all, it is important to realize that most VoIP service providers have already implemented their own solutions,” Coleman said, adding that by his estimate, roughly 90 percent of all fixed line and wireless operators already have CALEA compliance solutions in place. “They’ve known for years [since 1994] that this was coming … and they knew that there was no ducking that the FCC considers VoIP an information service. So what we’re really talking about here are the 10 percent or so which still don’t have solutions in place.”

The GLIIF whitepaper confirms this when it states: “It is worth noting that most providers today already implement forensic acquisition capabilities similar or even more extensive than those sought by law enforcement – to protect criminal behavior directed against their own network infrastructure and services.”

Furthermore, Coleman pointed out that because the FCC has not mandated the formation of industry-wide standards for CALEA compliance, it is up to each service provider to develop its own solution, “and that solution can be specific to the type of service they are providing.” This built-in flexibility, he said, was intended to help hold down costs for service providers.

Coleman said he was surprised by the assertion in the ITAA report that the wide variety of network architectures and signal protocols used for VoIP is a serious hindrance to universal CALEA compliance.

“There is a solution for every type of service, every type of architecture, that is out there,” he said, adding that, as per the FCC’s Order, VoIP service providers can implement whatever type of solution they wish, just so long as law enforcement agencies can tap into the data. “There doesn’t have to be any one standard – and a lot [of standards] have already been developed.”

Furthermore, he pointed out that companies such as SS8 have been developing solutions for a wide variety of services and networks – including hybrids of all sizes and varieties – for years. Therefore, there is a rather large segment of the industry which has already developed a huge knowledge base for implementing such solutions.

“Under CALEA in the U.S., no standards are specified to implement a compliance solution – only generic requirements,” the GLIIF whitepaper states. “This approach was chosen by Congress and underscored in FCC decisions to allow providers the flexibility to pursue their own solutions. This policy approach is covered at some length in the FCC Second Order released on 12 May. In most other countries, specific lawful interception standards are mandated and enforced through both regulatory and regular administrative testing practices. This is not the case in the U.S. where the CALEA approach provides greater flexibility and minimizes effects on infrastructure design and evolution.”

Coleman said another thing in the ITAA report that jumped out at him was the figure used to represent the “average cost” to a service provider seeking to implement a CALEA compliance solution. Quoting a report from the Inspector General of the Department of Justice, the ITAA report states that a particular service provider recently paid a trusted third party (TTP) a whopping $100,000 for a CALEA compliance solution. In addition, the ITAA report states that a TTP could charge anywhere from $14,000 to $15,000 a month (or up to $2,000 per intercept) for support.

“I don’t know where that figure came from but it is way out of the ball park from what we’ve been seeing,” Coleman said, adding that the average cost for equipment is around $50,000 (but that scales depending on how many customers the service provider has and how vast the network is), and that the average contract for support “is around $15,000 a year, not $15,000 a month,” as the ITAA report states.

Coleman said although there is a cost to service providers for CALEA compliance (mainly for equipment) which scales based on traffic volume, that cost is “spread evenly across the industry,” so whatever one service provider pays, its competitors will have to pay a relative amount.

“This is the cost of doing business,” Coleman said, sounding somewhat unapologetic. “The FCC has mandated that this must happen. There aren’t any options here.”

Coleman pointed out that while most large service providers will be supporting their own solutions in house, the majority of small- to medium-sized service providers will be employing the services of a TTP (such as NeuStar) to develop a solution. This, he said, provides an “affordable and more reliable alternative” to in-house support/operation.

As for the notion that CALEA compliance will “open the door for security breaches,” Coleman said nothing could be farther from the truth.

“In fact,” he said, “CALEA will make the network more secure through the strengthening of existing security features.”

“CALEA’s customer identification, network security, security office, and new ‘proof of performance’ requirements also significantly add to the technical, operational, and administrative capabilities of providers,” the GLIIF whitepaper states. “This additional set of security capabilities – whether instituted by the provider or a Trusted Third Party – improves network security and end user privacy at both local and national levels.”

However, while the whitepaper talks of improved security and privacy resulting from CALEA compliance, at the same time it almost seems to imply that there must be some sort of trade off between network security and the overall need for public safety:

“Perhaps the foremost security enhancement is enjoyed by the subscribers using the communications network – knowing that other users engaging in criminal conduct ranging from fraud and drug dealing to child predators and kidnappers can be effectively investigated and prosecuted for their conduct via the network,” the whitepaper states. “Network providers themselves enjoy similar security enhancements in being able to better protect their network facilities and systems against hackers by enabling their investigation and prosecution by law enforcement.”

“The principal reason why CALEA and its equivalent lawful interception capabilities have been imposed worldwide - whether for VoIP or any other application - is because it is necessary,” the whitepaper states. “When someone has been kidnapped; when pedophiles are stalking children; when drug dealers or terrorists or all manner of criminals conspire or prey on a victim – it is often necessary to acquire real-time evidence. There are no other choices. This means wiretapping, and increasingly with today’s widespread interoperable IP-Enabled networks combined with nomadic users and applications, this means CALEA capabilities. It is not possible anymore to have government Geek Squads running around trying to attach their own equipment.”

With regard to the notion that CALEA will result in the stifling of innovation, the GLIIF whitepaper has this to say:

“CALEA critics often impute dire consequences to network innovation and subscriber use if CALEA requirements are imposed on VoIP providers. An especially amusing USA-centric admonition is the assertion that providers and innovators will simply leave U.S. shores as a result of CALEA. What the critics ignore is that relative ease and minimal cost by which the capabilities can be implemented, as well as the reality that countries worldwide have similar if not more extensive law enforcement support requirements. In fact, the deficient lack of CALEA Internet and VoIP requirements compared to the rest of the world that has long imposed them, has resulted in a global network forensics and analysis marketplace where some of the most innovative vendors in that market exist outside the U.S. The more imposing requirements outside the U.S. is also reflected in the work of the European Telecommunication Standards Institute as the principal venue for innovative global lawful interception specifications.”

Coleman said just the same as CALEA compliance solutions can be adapted to work on any network or service, they can also be modified as networks are upgraded. In fact, he said most of SS8’s CALEA compliance revenues are derived NOT from installing new systems, but rather from updating existing systems due to the introduction of new technologies.

“New interfaces for new technologies is where most of the revenue lies,” he said. “I would say about 90 percent of our work is in this area. As I said before, there is solution out there for every type of network and every type of service – and new ones are being developed all the time.”

Trying to put it all into perspective, Coleman pointed out that many service providers “may never end up having their networks tapped” for law enforcement purposes - but nevertheless they must be compliant. He said as of present, LEAs are only requesting, on average, about 1,700 Title III wiretaps (where calls are listened in on) per year, nationwide, and a vast majority of those taps (roughly 90 percent) are applied to mobile numbers.

Nevertheless, when the FBI or local police department comes knocking on your door asking to drop in a wiretap, as of May 14, 2007, you had better be ready.

To see a copy of the GLIIF whitepaper, visit http://www.gliif.org/GLIIF/Security_Implications_of_LI_1.0.pdf

To see a copy of the ITAA report, visit http://www.itaa.org/news/docs/CALEAVOIPreport.pdf.

For more information about SS8 Networks, visit http://www.ss8.com/.

-------

Patrick Barnard is Associate Editor for TMCnet and a columnist covering the telecom industry. To see more of his articles, please visit Patrick Barnard’s columnist page.