Brian Stauffer

The telecommunications world was a much simpler place in 1994, when the U.S. Congress passed a landmark wiretapping law. At the time, the statute was meant to take advantage of the new fact that instead of doing wiretaps the old-fashioned way—by walking into a local phone company office with a warrant and some alligator clips—law enforcement officers now could conduct a wiretap centrally on a carrier's network by duplicating a phone call digitally and directing the copy to police headquarters.

Starting on 14 May, the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), will also apply to some voice over Internet Protocol providers, and the U.S. Federal Bureau of Investigation has asked that it eventually be extended to all Internet-based communications. The wiretapping statute was originally designed for traditional telephone companies, which use circuit switching to create a dedicated channel for each phone call. But today, using Internet telephony, almost anyone can be a telecommunications carrier, including Google, Skype, Vonage, and Yahoo, to name just four companies that didn't exist in 1994.

Internet telephony involves turning phone calls into two-way streams of data chopped up into small data packets, which, after traveling separately to their destinations, are reassembled in their original order. "Interconnected" VoIP providers—the specific group now affected by CALEA—have the ability to route calls over the traditional telephone network, even if only some calls end up traveling that way.

In order to have that capability, an interconnected provider like Vonage has to route all calls through servers it maintains, regardless of whether the destination is a traditional or an IP phone. Those servers provide a location for a tap. On the other hand, with peer-to-peer VoIP services such as Skype, voice packets are mingled with all other Internet traffic and don't necessarily pass through the company's servers.

According to a spokesperson at the Federal Communications Commission, no VoIP provider has filed for an extension on the deadline—meaning that they all expect to be in compliance by mid-May. Vonage, however, is still testing its wiretapping method and won't provide details, according to its vice president for emergency and law enforcement services, Lynne Fleck. The Baller-Herbst Law Group, a Washington, D.C.—based firm, has estimated that implementation of the CALEA requirement could cost each provider up to US $150 000.

But the bigger issues are just down the road.

Last year, the FBI let it be known on Capitol Hill that it would like to extend CALEA to virtually any Internet-based application that allows two people to communicate. Naturally, as VoIP becomes ubiquitous, law enforcement would like to maintain the ability to wiretap. Consumers continue to switch in growing numbers to VoIP services like Skype, and leading companies like Microsoft and Apple have added VoIP features to their videoconferencing software. Both have embedded VoIP in their instant-messaging applications, and the Microsoft Xbox game machine has built into it a way for players to chat during a game, a feature that teenagers sometimes use as a way of making free and convenient phone calls.

But stretching CALEA to encompass all possible VoIP architectures could significantly restrict the number of lawful VoIP system architectures in the United States. That would render it less useful and more vulnerable, claims a June 2006 Information Technology Association of America report, "Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP." The report suggests that the physical security of networking equipment may be compromised, because VoIP provider employees, who may have minimal experience with wiretapping, will need to reconfigure the equipment themselves, possibly introducing problems or exposing it to tampering by others.

"I worry about any kind of security holes that are introduced into communications technology, especially one that already has such poor security as Internet communications," says Susan Landau, one of the report's coauthors and distinguished engineer at Sun Microsystems Laboratories, in Burlington, Mass. "Internet technology is remarkably nimble and able to route around a crisis. If CALEA were to destroy that or introduce security holes into the communications infrastructure, it would be a lose-lose situation."

What the FBI has sought would be nearly impossible to meet in practice, says John Morris, a lawyer at the Center for Democracy and Technology in Washington, D.C. At present, accessing the content of a purely IP call is beyond reach. "Either the Department of Justice is going to say, 'You can't use that architecture [that bypasses central servers],' or the idea of CALEA compliance in an IP context has to be radically different," Morris says.

Imagine how law enforcement agents might try to wiretap a roving customer, who uses a peer-to-peer service and places phone calls while using wireless networks in public places. According to the letter of the law, agencies must minimize their taps to a specific target. So sifting out the data generated by one person among many sitting in a Wi-Fi-enabled coffee shop or hotel lobby presents a substantial hurdle. Tapping the entire location violates the terms of the act.

Add to that the difficulty of knowing when or where someone may next sign on to a public network-and the possibility that the call recipient, too, may be roaming between airport terminals, hotels, and offices. Unless law enforcement agents can predict a person's movements, they don't know where to watch for a target's Internet activity, or what the person's IP address is at that moment. "Such a communication is realistically uninterceptible because nobody knows who is communicating with whom, and therefore selective targeting is impossible," comments Michael Caloyannides, chief scientist at Ideal Innovations Inc. (I³), a government contractor in Arlington, Va.

Do such communications then become illegal? Caloyannides notes that even without VoIP, a determined caller can still easily place a totally anonymous phone call by buying a disposable cellphone at a convenience store, paying with cash, and tossing the phone after one call. "All the interception in the world will never show who placed that call, and unless every single call in the universe is tapped, that brand-new phone will not be in the FBI's or anyone else's list of targeted phone numbers."

It remains to be seen how the federal government moves next, especially in the wake of the revelation in March that the FBI improperly used national security letters from 2003 through 2005 to obtain thousands of telephone records without judicial approval. "After 9/11, everybody was in favor of letting the FBI do this sort of thing, and of course now people are a little less willing to do that," says Denise Culver, a research analyst at Light Reading, a telecom publication in New York City. What political climate prevails may well determine whether the VoIP of tomorrow looks anything like the VoIP of today.