17 March 2004—In all the excitement about moving telephony to the Internet, it turns out there's a downside: a loss of one's privacy rights. According to a paper to be published in the Michigan Law Review this summer, the traditional U.S. legal standard for conducting wiretaps does not apply to what is called stored communications. Normally consisting of such things as e-mail, credit card receipts, and telephone records of who was called and when, the category of stored communications might well include voice over Internet protocol (VoIP) calls, if they are archived in the same way e-mails are.

If VoIP calls are considered stored communications, law enforcement officials would not be held to the stringent burden of evidence required to conduct wiretaps, which is stricter even than the requirements to search a home. In stark contrast, the standard for examining stored communications is much lower.

In the Michigan Law Review paper, Peter P. Swire, a professor at Ohio State University's Michael E. Moritz College of Law, notes that entering someone's home requires the police to show "probable cause" that evidence of a crime is contained inside. That standard is grounded in the U.S. Constitution's Fourth Amendment, which protects citizens from "unreasonable searches and seizures." To wiretap someone's telephone, law enforcement must not only have probable cause, but also show that it has exhausted any alternatives to conducting the wiretap.

To review stored communications, on the other hand, the government can get a court order under the much lower standard that such records are "relevant to a legitimate law enforcement inquiry." Indeed, one provision of the controversial USA Patriot Act, passed by the U.S. Congress in the wake of 9/11, "allows the government to secretly get many stored records without any order from a judge," says Swire.

That VoIP is the future of telephony almost no one doubts anymore. [See "Internet Telephony: Switching to Unswitched," IEEE Spectrum, January 2004.] In the United States alone, about 300 000 households already buy VoIP telephone service from their cable providers, and many millions more worldwide have downloaded telephony software from services like Free World Dialup and Skype. Hundreds of thousands more buy VoIP service from companies like Vonage, whose fees are about half those of traditional carriers, such as Verizon or Sprint.

There are even schemes to create IP-based cellphone networks. One, by Flarion Technologies Inc. of Bedminster, N.J., is being tested by a major cellular carrier this month.

But with VoIP, telephone calls become little more than audio files, which VoIP software can store in the same way that Adobe Photoshop makes pictures and Microsoft Word makes text documents. It is a virtue of the digital universe we live in that such files can, and probably will, be routinely kept on the servers of our employers and telephony providers.

This feature of VoIP software exposes its Achilles' heel. Stored records have, by longstanding decisions of the U.S. Supreme Court, no "reasonable expectation of privacy." As a result, searching of those records with much the same purpose as a wiretap can be conducted without VoIP calls having any Fourth Amendment protection.

Swire served as chief counselor for privacy in the Clinton administration's Office of Management and Budget, a position that no longer exists. He points out that European privacy law gives more legal protection to stored communications than U.S. law does. The standard there is still lower, however, than that for wiretaps of traditional phone calls.

How easy or hard true VoIP wiretaps would be technically, as opposed to legally, is an open question. The Communications Assistance for Law Enforcement Act of 1994 (CALEA) requires traditional telephone carriers to make their networks available to law enforcement—to facilitate, in other words, the limited number of traditional wiretaps currently conducted.

To what extent that law applies to nontraditional VoIP carriers is a matter that will be determined by Federal Communications Commission regulation, the courts, or further legislation. But that law would apply only to VoIP calls while they are in progress, not the stored versions of them that can reside on the hard disks and backup tapes of Internet providers and system owners.

In corporate settings some phone conversations are already stored, notes Deb Kline, a spokesperson for Avaya Inc., a Basking Ridge, N.J, manufacturer of VoIP equipment. Chief among stored calls are those to sales and customer service that are recorded "for quality assurance."

What is more, some companies—stock brokerages, for example—are required by law to store e-mail and instant messaging; as VoIP technology becomes more widely deployed, phone conversations may also be included.

On the other hand, none of the phone carriers currently archives conversations, though it's possible that some might opt to do so soon as a customer service. Some conference calling services offer this feature already.

Daniel Berninger, an independent technology analyst in Washington, D.C., who was involved in several VoIP start-ups, including Vonage and Free World Dialup, says that while some systems, such as Vonage, have central gateways through which all VoIP traffic passes, most systems do not. Packets just fly through the Internet in all directions. If the CALEA bill or other rules apply, such central storage points would have to be created by the systems that don't have them.

Once telephone conversation files exist, they will be no harder to get hold of than e-mail archives. As students of high-profile cases like the Enron debacle know, unless files are deliberately destroyed, they'll be sitting on hard disks and archive tapes just waiting to be accessed in times of flood, fire, or felony.