New Rules On Internet Wiretapping Challenged
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/25/AR2005102501... or
By Arshad Mohammed
Washington Post Staff Writer
Wednesday, October 26, 2005; Page D01
New federal wiretapping rules that would make it easier for law enforcement to monitor e-mails and Internet-based phone calls were challenged by privacy, high-tech and telecommunications groups in federal court yesterday. The groups argued that the rules would force broadband Internet service providers, including universities and libraries, to pay for redesigning their networks to make them more accessible to court-ordered wiretaps. The groups also said the Federal Communications Commission rules, scheduled to take effect in May 2007, could erode civil liberties and stifle Internet innovation by imposing technological demands on developers. "It's simply a very bad idea for privacy and for free speech for the government to design any technology, much less the Internet, to be surveillance-friendly," said Lee Tien, a senior staff lawyer with the Electronic Frontier Foundation, a nonprofit privacy rights group. The government was trying to "build tentacles of control throughout telecommunications networks," Tien said. The FCC rules make broadband Internet providers and voice over Internet protocol companies subject to a 1994 federal law that requires telecom companies to assist law enforcement agencies in carrying out court-ordered wiretaps. The Communications Assistance for Law Enforcement Act requires telecom carriers to design their networks so they can quickly intercept communications and deliver them to the government when presented with a court order. In adopting the rules, the FCC said it wanted to ensure the government could carry out wiretaps as more communications move from the traditional telephone system to the Internet.
"It is clearly not in the public interest to allow terrorists and criminals to avoid lawful surveillance by law enforcement agencies," the commission wrote in its order. Opponents argued the law was tailored for a simpler, earlier era of traditional telephone service and could cripple the evolution of the Internet by forcing engineers to design products so they can be easily monitored by the government. The 1994 law "will have a devastating impact on the whole model of technical innovation on the Internet," said John Morris, staff counsel for the Center for Democracy and Technology in Washington, which filed an appeal of the rules with the U.S. Court of Appeals for the District of Columbia Circuit yesterday. "The Internet evolves through many tens of thousands, or hundreds of thousands, of innovators coming up with brand new ideas," he said. "That is exactly what will be squelched." Morris said his group did not dispute the idea that the government should be able to carry out court-ordered wiretaps, but rather argued that the 1994 law was a blunt instrument ill-suited for the Internet age. He said the matter should be referred to Congress, which "can tailor the obligations to the Internet context as opposed to importing the very clumsy [telephone system] obligations and imposing them on the Internet." The American Council on Education, a higher-education trade group, separately asked the court Monday to review the rules. "We fear that doing what they want will require every router and every switch in an IT system to be replaced," said Terry W. Hartle, the council's senior vice president. He estimated that the upgrades could cost colleges and universities $6 billion to $7 billion. "Our quarrel with them is fairly specific," Hartle said. "We are concerned about the cost, and the complexity, and the schedule on which they want this accomplished." Spokesmen for the FCC and the Justice Department declined comment on the court challenges. 
------- end -------
...Raising my hand.
My question is on Terry Hartle's comments, maybe someone with more insight into this could help clear my confusion.
Why would it require to replace every router and every switch when my understanding is, FCC is looking to install *additional* gateway(s) to monitor Internet-based phone calls and emails.
I can see some sort of network redesign happening in order to accommodate this but replacing every router and every switch sounds too drastic, unless I misunderstood it. Please, I'm not advocating this change but just trying to understand the impact from an operation standpoint.
Any insight will be appreciated.
regards, /virendra
Vicky Rode wrote:
> ...Raising my hand.
> My question is on Terry Hartle's comments, maybe someone with more insight into this could help clear my confusion.
> Why would it require to replace every router and every switch when my understanding is, FCC is looking to install *additional* gateway(s) to monitor Internet-based phone calls and emails.
In a datacenter you have lines coming in and lines going out. And you have internal equipment.
You have to eavesdrop on all of this because the supposed terrorist might come in via ssh and use a local mail programme to send his email.
So you have to eavesdrop on all incoming lines because you don't know where he comes in. Via aDSL? Via cable modem? Via a glass fiber?
And you have to monitor all internal switches because you don't know which host he might have hacked.
Guess a cheap switch with 24 ports a 100 Mbit. That makes 2.4 Gig. You have to watch all of these. They can all send at the same time. Your switch might have 1 Gig uplink. But that uplink is already in use for your uplink and it does not even support 2.4 Gig.
How about switches used in datacenters with 48 ports, 128 ports, ... Where do you get the capacity for multiple Gigs just for eavesdropping?
On the other hand - most switches have a port for debugging. But this port can only listen on one port not on 24 or even 48 of them.
So you have to invent a new generation of switches.
How about the routers? They are even more complicated than a switch.
As everybody should know by now - every router can be hacked. So your monitoring must be outside the router.
The government will offer you an *additional* gateway. I wonder what that beast will look like. It must be able to take all input you get from a glass fiber. Or do they ask us to get down with our speed so they have time to eavesdrop?
> I can see some sort of network redesign happening in order to accommodate this but replacing every router and every switch sounds too drastic, unless I misunderstood it. Please, I'm not advocating this change but just trying to understand the impact from an operation standpoint.
Yes, it is drastic. But if they want to eavesdrop that is the only way to do it.
> Any insight will be appreciated.
> regards, /virendra
Here in Germany we accidentally have found out why East Germany had to finally give up:
They installed equipment to eavesdrop and tape on every single telephone line. They could not produce enough tapes to keep up with this :)
Not to mention what happened when they "recycled" the tapes and did not have the time to first erase them :)
Kind regards, Peter and Karin
--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr
http://www.kokoom.com/iason
comments in-line:
Peter Dambier wrote:
> Vicky Rode wrote:
>> ...Raising my hand.
>> My question is on Terry Hartle's comments, maybe someone with more insight into this could help clear my confusion.
>> Why would it require to replace every router and every switch when my understanding is, FCC is looking to install *additional* gateway(s) to monitor Internet-based phone calls and emails.
> In a datacenter you have lines coming in and lines going out. And you have internal equipment.
> You have to eavesdrop on all of this because the supposed terrorist might come in via ssh and use a local mail programme to send his email.
How do you differentiate between a hacker and a terrorist? For all you know this so-called "terrorist" might be coming from a spoofed machine(s) behind anyone's desk.
> So you have to eavesdrop on all incoming lines because you don't know where he comes in. Via aDSL? Via cable modem? Via a glass fiber?
> And you have to monitor all internal switches because you don't know which host he might have hacked.
> Guess a cheap switch with 24 ports a 100 Mbit. That makes 2.4 Gig. You have to watch all of these. They can all send at the same time. Your switch might have 1 Gig uplink. But that uplink is already in use for your uplink and it does not even support 2.4 Gig.
-------------
There are ways to address over-subscription issues.
> How about switches used in datacenters with 48 ports, 128 ports, ... Where do you get the capacity for multiple Gigs just for eavesdropping?
> On the other hand - most switches have a port for debugging. But this port can only listen on one port not on 24 or even 48 of them.
> So you have to invent a new generation of switches.
----------------
I don't believe this is the primary reason for replacing every router and every switch. I think (correct me if I'm wrong) it has to do with the way wiretap feature (lack of a better term) that .gov is wanting vendors to implement within their devices, may be at the network stack level. I guess it's time to revisit RFC 2804.
> How about the routers? They are even more complicated than a switch.
> As everybody should know by now - every router can be hacked. So your monitoring must be outside the router.
> The government will offer you an *additional* gateway. I wonder what that beast will look like. It must be able to take all input you get from a glass fiber. Or do they ask us to get down with our speed so they have time to eavesdrop?
-----------------
powered by DHS w/ made in China sticker :-) I'm not being smarty pants about this...it is actually happening. That's all I can say.
regards, /virendra
>> I can see some sort of network redesign happening in order to accommodate this but replacing every router and every switch sounds too drastic, unless I misunderstood it. Please, I'm not advocating this change but just trying to understand the impact from an operation standpoint.
> Yes, it is drastic. But if they want to eavesdrop that is the only way to do it.
>> Any insight will be appreciated.
>> regards, /virendra
> Here in Germany we accidentally have found out why East Germany had to finally give up:
> They installed equipment to eavesdrop and tape on every single telephone line. They could not produce enough tapes to keep up with this :)
> Not to mention what happened when they "recycled" the tapes and did not have the time to first erase them :)
> Kind regards, Peter and Karin
Vicky Rode wrote:
> Why would it require to replace every router and every switch when my understanding is, FCC is looking to install *additional* gateway(s) to monitor Internet-based phone calls and emails. I can see some sort of network redesign happening in order to accommodate this but replacing every router and every switch sounds too drastic, unless I misunderstood it. Please, I'm not advocating this change but just trying to understand the impact from an operation standpoint.
Many reasons. One is that the law (CALEA) requires that about 10% of all circuits in a (telco) exchange be monitored SIMULTANEOUSLY. None of our equipment does that, without redirecting and recording _ALL_ of the traffic and sorting it out later. That's why the entire network would need to be redesigned -- into essentially a "treework" with monitoring built-in to each level and device.
You may also remember that back in 1997, when the telcos were fighting this massive redesign of their systems, the FBI apparently tried to "decertify" the entire Telecommunications Industry Association.
In their testimony, the TIA and carrier trade group leaders blamed the FBI and called for the deadline's revision. Flanigan told the subcommittee that the FBI attempted to "stuff" balloting on the standard and spent two months trying to revoke TIA's accreditation with a national standards group, a move he called "unprecedented."
I expect the same for the IETF, NANOG, or whomever else gets in the way.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
> You may also remember that back in 1997, when the telcos were fighting this massive redesign of their systems, the FBI apparently tried to "decertify" the entire Telecommunications Industry Association.
> In their testimony, the TIA and carrier trade group leaders blamed the FBI and called for the deadline's revision. Flanigan told the subcommittee that the FBI attempted to "stuff" balloting on the standard and spent two months trying to revoke TIA's accreditation with a national standards group, a move he called "unprecedented."
> I expect the same for the IETF, NANOG, or whomever else gets in the way.
Difference is that IETF and NANOG aren't exactly accredited by anything except community consensus. Will be very hard for FBI to revoke that, especially in this community. lol However, also means that IETF and NANOG may not carry much weight with legislators or the judiciary. It's definitely going to be an interesting fight, with what little is left of civil liberties in the US hanging in the balance.
Frankly, I think we need to show the Senate and the House a movie titled "The Siege" and ask them if they really want to keep moving in this direction.
Owen
--
If it wasn't crypto-signed, it probably didn't come from me.
Owen DeLong wrote:
> Frankly, I think we need to show the Senate and the House a movie titled "The Siege" and ask them if they really want to keep moving in this direction.
> Owen
<TH> The real secret is that hollywood designs these films expressly as desensitizers, in cahoots with you-can-guess-who. </TH>
> The 1994 law "will have a devastating impact on the whole model of technical innovation on the Internet," said John Morris, staff counsel for the Center for Democracy and Technology in Washington, which filed an appeal of the rules with the U.S. Court of Appeals for the District of Columbia Circuit yesterday.
> "The Internet evolves through many tens of thousands, or hundreds of thousands, of innovators coming up with brand new ideas," he said. "That is exactly what will be squelched."
Implementation of the mechanisms for compliance is relatively straightforward. Depending on how scalable and/or automated the mechanisms are, the complexity certainly increases. However, I hardly agree that including these requirements in the design of the network hardware or architecture equates to the 'squelching' of innovation or a 'devastating impact' on the Internet. Especially when compared to the alternative of providing an unfettered command & control communications network for the miscreants.
___________________________________________________________
Wayne Gustavus, CCIE #7426
IP Operations Support
Verizon Internet Services
___________________________________________________________
"Can you ping me now? Good!"
participants (6)
- Joe Maimon
- Owen DeLong
- Peter Dambier
- Vicky Rode
- Wayne Gustavus (nanog)
- William Allen Simpson