Is VOIP Wiretapping a Privacy Threat?

News Analysis: To some, the FCC's decision to allow Internet bugging is no big deal, but others see it as regulatory overkill.

Has the Federal Communications Commission radically enhanced the powers of law enforcement with its new regulation to allow for Internet wiretapping, as some civil libertarians have been suggesting? Maybe.

The reaction in the legal community—and technology world—is decidedly mixed. One expert says the agency is merely changing its interpretation of existing wiretapping laws to include the Internet among other, more established telecommunications channels, like wire-line and wireless phones. Others lawyers and experts say that the move is questionable—and may be regulatory overkill by the FCC.

In the post-9/11 era, when terrorists communicate routinely online—jihadi Web sites where shuttered by British intelligence last month—the move was, however, somewhat expected. The FBI apparently has the ability right now to eavesdrop on the Internet, and under the law, will soon be able to do so after obtaining a warrant, just as FBI agents would do for other telecom networks. Judges will be able to issues warrants based on assertions of probable cause that national security or criminal threats will be detected in VOIP (Voice over Internet Protocol) traffic.

The new rule was published in response to a petition from the FBI, the Department of Justice and the Drug Enforcement Administration. The FCC has determined that certain broadband and interconnected VOIP services are "essentially" replacing conventional telecom services, like circuit-switched voice and dial-up Internet technology and services. Thus, those who run such networks should be "prepared," as the FCC said in a statement, to accommodate law enforcement wiretaps.

"This is not terribly surprising," said Jonathan Wilson, an attorney in Atlanta and general counsel at the Web hosting service, Interland, who is chairman of the American Bar Associations Internet Industry Committee. "What theyve done is interpret the meaning of telecommunications more inclusively to cover the Internet. That doesnt really sound all that objectionable."

What other lawyers object to, however, is whether the FCC actually has the power to implement this regulation now, or whether Congress will have to come back and grant the agency the authority to do so. "There is a very significant question as to whether Congress gave the FCC the legal authority to extend the law to VOIP providers," said Jack Nadler, a leading telecom attorney, with the firm of Squire, Sanders & Dempsey, LLP. "I expect that the decision will be appealed."

The decision, "however well intended," is "another case of knee-jerk decision making without regard to cost, consequences, or even consistency with past rulings," said Steve Titch, senior fellow at the Heartland Institute, a liberal public policy think tank, based in Chicago.

At issue is the FCCs interpretation of the Communications Assistance for Law Enforcement Act of 1994—crafted before the Internet was a mass communications medium, and was the province of university professors, assorted nerds and military personnel.

Civil liberties groups including the Electronic Frontier Foundation and the American Civil Liberties Union along with commercial organizations, such as Sun Microsystems, successfully lobbied Congress to amend the act to prevent law enforcement from interfering with the growth of online publishing.

"This is another step in the erosion of personal privacy," said Ted Demopoulos, a leading IT consultant and professional speaker, based near Concord, N.H., who is also the author of "Whats Next," a forthcoming book from Dearborn Trade Publishing.

Experts said it is hard to argue that a VOIP message from one terrorist to another exhorting the destruction of the Met Life Building, or another landmark, in New York City, is First-Amendment protected free speech.

Still, some say that the FCC may be moving too quickly with this new rule. "Ive seen no studies or analyses that examine whether CALEA has led to measurable improvements in public safety or homeland security," said Jerry Ellig, a senior research fellow at the Mercatus Center at George Mason University of Fairfax, Va. "This policy seems to be based on law enforcements assertion that they need to be able to wiretap phone calls, and perhaps some anecdotes showing instances where this has been helpful. But I havent seen any rigorous cost-benefit analysis."

/zimages/5/28571.gifThe FBI is seeking bids for a new data management system. Click here to read more.

Broadband Internet and interconnected VOIP providers will be given 18 months to comply with the new regulation, according to the FCC. The commission is also considering whether smaller, facilities-based broadband ISPs in rural areas should be covered under the regulation.

"The Commissions action is the first, critical step to apply CALEA obligations to new technologies and services that are increasingly used as a substitute for conventional services," said the FCC, in a statement announcing the new order. The FCC further states that the order "strikes an appropriate balance" between fostering competitive broadband and advanced services deployment and technological innovation on one hand, and meeting the needs of law enforcement on the other.

Some security professionals remain convinced that the FCC did the right thing—even though there are legal and policy making concerns over the ruling.

"Since 9/11, 3,000 terrorists have been apprehended, and over 100 attacks have been averted," said Robert Siciliano, an IT security expert, based in Boston. "Electronic snooping technologies using the Echelon, a global eavesdropping system run by the National Security Agency no doubt played a part. Big Brother is what it is, your big brother watching over your shoulder to protect you."

Gene J. Koprowski is a freelance computer journalist based in Chicago.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.