Tapping the 'Net

By Scott Bradner
Network World, 11/29/99

Last week I wrote about the debate in the IETF over wiretapping the Internet. Two undercurrents of that debate are worth exploring in greater detail: that legal intercept (as it's euphemistically called) for voice is only the first step in the general tapping of the Internet; and that the desire for intercept may be thwarted by the Internet architecture anyway.

A strong thread that ran through the discussion on the IETF's raven mailing list (If you don't know where the mailing list name comes from, then re-read your Edgar Allen Poe) was the fear that the call for voice intercept was only a stalking-horse for governments' real goal - to do general tapping of the Internet. This thread was second only to one that claimed wiretapping violated basic human rights and that governments had no intrinsic right to do this.

Unfortunately, however justified this feeling may be, it does not stop governments from making laws that mandate just this sort of thing. And one can expect that laws will be coming soon mandating that ISPs be ready to tap any Internet datastream. Claiming that governments do not have the right to pass such laws is unlikely to change the fines that the ISPs will have to pay if they fail to comply.

The second undercurrent of the wiretapping discussion, as I mentioned, has to do with the Internet's architecture, which is basically point-to-point.

Data flows from one edge device, such as a Web server, to another, such as a PC running a Web browser. In some cases, there may be a device in the middle, such as a Web proxy, through which some of the data flows.

But such a device is not a required part of the architecture. In the case of Internet telephony, data almost always flows directly between the end points. Signaling information might be sent to some central servers, but the data flows directly between the end points for normal person-to-person calls. In the case of conference calls, the data does have to go through a central mixing server.

But the lack of a central data forwarding server for handling normal phone calls means that there is no easy way to tap IP calls without letting the user know it is happening. At the same time, there is no central server to send you a bill. I have been told that some regional telephone companies are using the argument that point-to-point IP calls are hard to tap in their effort to get the Federal Communications Commission to mandate that the data for all phone calls go through central servers. The side benefit that the telephone company can then bill for such calls is, of course, secondary.

This architecture, coupled with the availability of good encryption software for the end nodes, may mean that people who don't like the idea that the local government, or anyone else, is listening in can keep that from happening.

Disclaimer: Harvard's architecture runs from Richardson to Le Corbusier, but does not facilitate wiretapping. The above hope is my own.