The following text is copyright 2004 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

Looking for the dumb ones

 

By Scott Bradner

 

A few weeks ago I wrote about the directions that U.S. law enforcement seemed to be taking when considering wiretapping VoIP and other Internet-based services.  ("Blindly looking in the wrong place" http://www.nwfusion.com/columnists/2004/0216bradner.html)  We now know almost what the U.S. law enforcement community wants and some of their desires make more sense than others.

 

On March 10th the U.S. Department of Justice, Drug Enforcement Administration and the Federal Bureau of Investigation   sent a "Joint petition for Expedited Rulemaking" to the FCC.    In response the FCC two days later published a request for comments on the request.  (http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-04-700A1.{pdf|doc|txt})  The request for comments wants responses by April 12th.

 

Conspiracy theorists may wonder why the announcement of the FCC request for comment and the law enforcement request are so hard to find on the FCC web site - they are not on the first page, which is what one would expect for issues of this importance, and I never found a copy of the law enforcement request on the FCC site (and there is no pointer to it in the FCC request for comments).

 

Basically, the law enforcement request is to be able to wiretap the Internet itself and to wiretap services running over the Internet.  The law enforcement request asks the FCC to declare that Internet service providers, including broadband access providers such as cable and DSL companies, and providers of switched services over the Internet, including VoIP and maybe instant messaging, are subject to the 1994 Communications Assistance for Law Enforcement Act (CALEA). 

 

The law enforcement request uses the threat of "criminals, terrorists and spies" to try to get the FCC to act.  From what I understand, there is a legitimate legal question of whether the FCC can make a declaration of the type that the law enforcement request wants them to do under the current law.  As I suggested in the last column, the law enforcement people may have to go back to congress for such a declaration. 

 

At least one thing is clear, the FCC is trying to deal with this complex issue with unseemly haste.  They provided only a month for public comment, far too little time than needed to provide reasoned responses.  The law enforcement request tries to imply that modern civilization  is doomed if the FCC does not jump to their bidding instantly.  Since this issue, as well described in the law enforcement request, has been festering for many years, I fail to see how taking a few months to have a public debate on the tradeoffs between a free society and law enforcement in the area of Internet-based communications would have any significant impact.

 

The Internet industry is working on the technical parts of this problem.  For example, Fred Baker and others from Cisco Systems are commendably being quite public (the best way to get good security) in their work.  (See draft-baker-slem-architecture-02.txt (http://www.ietf.org/internet-drafts/draft-baker-slem-architecture-02.txt) and draft-baker-slem-mib-00.txt (http://www.ietf.org/internet-drafts/draft-baker-slem-mib.00.txt))  ISPs can order this CALEA support from Cisco today.

 

But there are some major potential problems with the law enforcement request when it comes to wiretapping switched services over the Internet.  This request goes to the heart of my previous column - the bad guys will easily bypass any wiretapping of such services.

 

A number of years ago I asked an FBI person why they were pushing key escrow (law enforcement keeping a copy of all encryption keys) since it was so easy for the bad guys to avoid it by using their own end-to-end encryption.  He responded that there were enough dumb criminals  to make it worth while.  I do not think there are enough dumb terrorists and spies to make this part of the proposal worth the negative impact on the innovation of Internet applications.  Please respond to the FCC request if you have your own opinions.

 

disclaimer:  Harvard does not purposely train criminals, but any that get trained here are, by definition, not dumb.  The above opinion is mine not that of the university.