Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 08 Jan 2004 12:18:55 -0800
From: Seth David Schoen <schoen@xxxxxxx>
Seth David Schoen writes:
> I'll ask Declan if he knows a docket number for this.

So I want to renew a point I had raised earlier.

In packet telephony, unlike in the traditional telco world, it is not
necessary for systems to be designed so that a "carrier" can access
the "content" of communications. Whether they are is an engineering
decision that might be influenced by other considerations, such as
economics and politics.

A strange assumption that carriers can get content in the first place
underlies the FBI's packet CALEA campaign. But designing the networks
that way is disfavored both by privacy advocates (that's us) and many
security engineers, who point out that risks of illicit interception
are enhanced. (It's kind of parallel to the Clipper Chip issue. If
you create a mechanism for law enforcement access, your system is
likely to be much less secure overall than if you don't. People other
than law enforcement can attack the system using the mechanisms that
were created for law enforcement. Nobody knows how to make a system
that merely provides law enforcement access while being in every other
respect just as secure as the alternatives.)

I haven't been able to figure out what is motivating companies to make
the design decisions they've been making. The results of those
decisions have been that people who use many commercial VOIP services
probably have significantly less privacy protection than people who
use decade-old open source VOIP software (that might happen to be less
user-friendly and less interoperable). In that sense, their decisions
have been a step backwards.

Is there anything we can do about this? Is there any way that we can
get VOIP companies to stop knowing what their customers are saying?
Here's what I wrote about this last week on Dave Farber's list:

> Here is a more fundamental question. When you make a VOIP call, why
> does your service provider know your session key? (Or, in the
> alternative, when you make a VOIP call, why isn't your conversation
> encrypted with a session key?)
>
> There have been software VOIP applications for years (PGPfone and
> SpeakFreely are the earliest I recall) that do end-to-end encryption.
> If VOIP "carriers" don't do that, they have taken a technological step
> backward.
>
> What a hollow "victory" over the Clipper Chip if all your voice session
> keys are "escrowed" down at some VOIP technology company (which is
> safeguarding them less well than the Clipper plan would have).

(One possible interpretation is that existing VOIP companies don't
have a privacy-friendly business model because they think of themselves
as selling _services_ instead of _devices_. If instead they sold VOIP
phones that worked with any ISP's data service and absent any future
relationship with the VOIP company, there might be many fewer
incentives not to include strong privacy protections, especially if
the VOIP devices themselves have to compete on feature set.)
--
Seth Schoen
Staff Technologist schoen@xxxxxxx
Electronic Frontier Foundation http://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 1 415 436 9333 x107
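The "why does your service provider know your session key?" question in the message above, as an added illustration (not part of the original email or any VOIP product): two ways a VOIP session key can come into being, seen from the carrier's position. In the end-to-end design the endpoints run a Diffie-Hellman exchange and the carrier only ever relays public values; in the carrier-issued design the carrier mints the key itself, which is key escrow whether or not anyone calls it that. The Alice/Bob names, the `carrier_guesses` helper and the unauthenticated exchange are simplifications for the demonstration.

```python
"""Two VOIP key-establishment designs, viewed from the carrier's position."""
import hashlib
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2); generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def kdf(value: int) -> bytes:
    """Session key = SHA-256 over the fixed-width (128-byte) group element."""
    return hashlib.sha256(value.to_bytes(128, "big")).digest()


def end_to_end_call():
    """Endpoints agree a key themselves; the carrier relays only public values.
    Returns (alice_key, bob_key, carrier_view). No authentication is shown
    here, so an actively interfering relay is not defended against; real
    systems add an authenticated exchange on top of this."""
    a = secrets.randbelow(P - 2) + 1          # Alice's private exponent
    b = secrets.randbelow(P - 2) + 1          # Bob's private exponent
    A, B = pow(G, a, P), pow(G, b, P)         # the only values the carrier sees
    carrier_view = {"A": A, "B": B}
    return kdf(pow(B, a, P)), kdf(pow(A, b, P)), carrier_view


def carrier_issued_call():
    """Carrier picks the key and hands it to both endpoints.
    Returns (alice_key, bob_key, carrier_view): the key is in the carrier's
    records by construction, i.e. escrow is built into the design."""
    k = secrets.token_bytes(32)
    return k, k, {"key": k}


def carrier_guesses(carrier_view: dict) -> set:
    """Every key the carrier can derive from its own records without a
    private exponent: an explicitly issued key, or hashes of the public
    values it relayed. Recovering a DH key from A and B alone would require
    solving the discrete logarithm in this group, so none of these match."""
    if "key" in carrier_view:
        return {carrier_view["key"]}
    A, B = carrier_view["A"], carrier_view["B"]
    return {kdf(A), kdf(B), kdf(A * B % P)}
```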