________________________________________________________________________________

Wired News

Wiretapping the Net: Oh, Brother
by Declan McCullagh

7:00 p.m. 12.Oct.99.PDT

Since its humble beginning as a 15-person committee in 1986, the Internet Engineering Task Force has had one guiding principle: To solve the problems of moving digital information around the world. As attendance at meetings swelled and the Internet became a vital portion of national economies, the standards-setting body has become increasingly important, but the engineers and programmers who are members remained focused on that common goal.

No longer. Now the IETF is debating whether to wire government surveillance into the next generation of Internet protocols.

The issue promises to cause the most acrimonious debate the venerable group has ever experienced and likely will have a lasting effect on privacy online.

To reach even a preliminary decision in a special plenary session of the IETF meeting in Washington next month, attendees must weigh whether law enforcement demands are more important than communications security and personal privacy -- a process that places technology professionals in the unusual position of taking a prominent political stand.

"As Internet voice becomes a wider deployed reality, it is only logical that the subject has to come up," IETF chairman and Cisco engineer Fred Baker said. "We are deciding to bring it up proactively rather than reacting to something later in the game."

The wiretapping issue arises as the IETF is wrestling with a separate but also prominent privacy issue in IPv6, the slated next-generation Internet protocol. As outlined, the proposal would include the unique serial number for each computer's network connection hardware as part of its expanded address.

Many governments, including the United States, require telephone companies to configure their networks so police can easily wiretap calls.
As more phone calls flow through the Internet, some experts predict that the FBI and similar agencies will demand additional surveillance powers.

If the IETF takes no action and governments require IP telephony firms to use snoopable products, some veteran task force members fret that companies might simply start to use technology that won't talk to products from other manufacturers. It's a noxious prospect for a standards-setting body like IETF.

Even worse: The products may divulge more information to an eavesdropper or introduce further security holes that could have been prevented if savvy IETFers aided in the design.

"The basic problem is that the government will probably demand of IP telephony the rules that govern wiretaps," said University of Pennsylvania electrical engineering professor Dave Farber, a board member of the Electronic Frontier Foundation and the Internet Society.

"...I wish we didn't have the law. But given that the law is there, it's wiser to make sure it just applies to the stuff that's IP telephony and not all of our data traffic."

The debate also pits large US firms like Nortel and Lucent that -- thanks to government regulations -- may need to market snoopable products against privacy advocates and the generally libertarian-leaning IETFers.

It's unclear whether the 1994 Communications Assistance to Law Enforcement Act (CALEA), which requires wiretapping access, applies to IP telephony firms.

"There are two independent questions to answer," says Chris Savage, a Washington attorney who represents Internet providers and phone companies.

"First, is the provider of the service a 'telecommunications carrier' under the law? If the answer's no, CALEA does not apply. If you are a telecommunications carrier under the law and using packet communications, the FCC has said that compliance doesn't kick in until September 2001."
Even if CALEA does apply to products IP telephony firms may use, the IETF can simply ignore what US legislators say, as the group did when supporting stronger encryption standards than what the Clinton administration preferred.

IETF Chairman Baker said the organization has not received any direct requests from the FBI or other law enforcement officials, and some members of the media gateway control working group brought up the subject in August during a discussion on a mailing list.

"Megaco's" goal is to figure out how to replace a telephone company's traditional phone switch with digital controllers.

Some of the megaco members work for telephone companies that have long since bowed to law enforcement demands, and they seemed ready to compromise. One poster from Nortel Networks wrote on 24 August that he hoped "our architecture allows government agencies to do what they require."

But the IETF area director, Harvard University's Scott Bradner, said he thought the issue was too important to be decided by the handful of members in a working group. He brought it up during a September conference call of the Internet Engineering Steering Group, which acts as the IETF's executive committee.

The IESG then decided the full membership should try to reach a rough consensus at the November meeting. Bradner and another IESG member created a mailing list for the topic and drafted an announcement released Monday.

Privacy advocates say they're concerned.

"If the mindset of the technical people involved in IETF has gotten to the point that they're voluntarily developing surveillance capabilities, that's a very disappointing development. The Internet community has been fighting to protect privacy from government intrusion for years and the IETF now appears to be doing the government's work," says David Sobel, general counsel for the Electronic Privacy Information Center.

"Why doesn't the IETF start working on a key escrow encryption protocol?
Where does it end if they're going to start anticipating what government mandates might be?"

Jeff Schiller, an IESG member and MIT network manager, predicted libertarian sentiments would prevail at the November meeting.

"We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state," Schiller said.

Schiller pointed to previous IETF decisions -- immortalized in a policy document, numbered 1984, which affirmed the group's opposition to weakening security to aid in government surveillance. More recently, the IETF agreed to include encryption in IPv6 even though US government regulations restrict its export.

But some longtime IETF members criticize other decisions. William Simpson points out that one proposed standard supports weak encryption, which allows for easy wiretapping.

"The IETF is being pushed around by the large vendors and the US government a great deal. And there's not much we can do about it... There's a lot of politics and a lot of money involved," said Simpson, an independent security consultant.

Harvard's Bradner acknowledges that the group's membership has changed since the early days.

"It's one thing when IETF was a group going off and doing this sort of research-y network stuff and the network was something us geeks played with. It wasn't an infrastructure," Bradner said. "It's only in the very recent past that there's all this talk of convergence and talk of moving all the telephony infrastructure of the world onto the Internet."

Peter Neumann, principal scientist at SRI International and moderator of the RISKS Digest, said the debate over wiretapping is similar to the one over encryption backdoors: Both imperil security.

"It's the same argument. You're trying to put in a mechanism that's essentially misusable, corruptible, and compromisable. And you can't do it securely given the infrastructures we have. It's basically impossible," Neumann said. "The problem is any system or protocol that has a fundamental trap door in it is going to be misused ... Building in things that are fundamentally flawed does not make sense."

http://www.wired.com/news/politics/0,1283,31853,00.html

================================================================================

Wired News

Net Wiretapping: Yes or No?
by Declan McCullagh

10:30 a.m. 13.Oct.99.PDT

The FBI says the Internet's standards body should craft technology to facilitate lawful government surveillance.

A spokesman said Wednesday that the bureau supported the Internet Engineering Task Force's recent decision to debate whether the ability to wiretap should be part of future Internet standards.

"We think it's a wise and prudent move," said Barry Smith, supervisory special agent in the FBI's Digital Telephony and Encryption policy unit.

"If court-authorized wiretaps are frustrated, effective law enforcement is jeopardized, public safety is jeopardized, and policymakers are going to have to figure out how to rectify the problem."

On Monday, the IETF announced it would consider whether to wire government surveillance into the next generation of Internet protocols, an issue that promises to cause the most acrimonious debate the venerable group has ever experienced. A meeting is scheduled for next month in Washington.

Smith said members should recognize that the United States isn't the only country that allows government wiretapping.

"I'm not aware of any country that does not allow for the use of electronic surveillance. This is an issue that has no country bounds," he said.

"If a standards-setting body is going to fully carry out its mission in addressing the needs of all groups, you've got to recognize government's legitimate need to protect public safety and, under specific circumstances, conduct surveillance."

Many governments, including the United States, require telephone companies to configure their networks so police can easily wiretap calls.
Members of the Internet Engineering Steering Group, which acts as the IETF's executive committee, decided to take this issue to the full membership as a pre-emptive measure before the US government requires it of Internet telephony firms or ISPs.

"The worst case scenario is if the standard doesn't include provisions to address court-authorized electronic surveillance," Smith said.

"...If ISPs that are under this obligation don't ensure this type of capability, criminals will communicate even more frequently through the use of ISPs."

On a mailing list created by the IETF, participants are already dividing themselves into two categories: Members who argue that a principled, no-cooperation approach is wisest, and those who advocate a "pragmatic" approach.

Smith sides with the self-described pragmatists.

"If this standard setting body chooses to turn a blind eye to reality, they can make a statement, but companies are going to have to function in the real world and meet their governmental obligations," he said.

Jeff Schiller, an IESG member and MIT network manager, predicted libertarian sentiments would prevail at next month's meeting.

"We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state," Schiller said on Tuesday.

But Smith said he hoped most members would take a different view. "I think the group will be pragmatic and realize the standard needs to include these provisions and recognize the reality of the situation," he said.

http://www.wired.com/news/politics/0,1283,31895,00.html

________________________________________________________________________________

no copyright 1999 rolux.org - no commercial use without permission.
is a moderated mailing list for the advancement of minor criticism.
more information: mail to: majordomo@rolux.org, subject line: , message body: info.
further questions: mail to: rolux-owner@rolux.org.
archive: http://www.rolux.org