New VoIP Encryption Challenges
FOR MANY YEARS, law enforcement officials at government agencies worldwide have had the ability to eavesdrop on phone conversations. With the traditional Public Switched Telephone Network, they could accomplish it with the help of the phone company or by placing a tap near a subject’s location. Voice over Internet Protocol (VoIP) telephony is also relatively simple for someone with the proper skills to tap: “packets” can be “sniffed” as they travel online. But this becomes far more difficult when VoIP is encrypted.
Many law enforcement agencies have expressed frustration at their inability to tap encrypted VoIP. A few months ago, a European justice body, Eurojust, announced that it was considering spearheading an effort to help its 27 constituent countries find a way to listen in on encrypted VoIP. Eurojust said it had received a request from Italian anti-mafia police, who were particularly frustrated by the popular VoIP provider Skype.
Skype has also presented challenges for U.S. law enforcement. In May 2007, VoIP providers that used encryption were required, under the Communications Assistance for Law Enforcement Act (CALEA), to give law enforcement a possible backdoor. But Skype, of Luxembourg, does not fall under the U.S. CALEA.
A new VoIP encryption product called Zfone might add to the law enforcement community’s frustration. Recently, Zfone, from the Palo Alto, California-based Zproject, was made available as a free download onto Microsoft Windows, Mac, and Linux operating systems. Technologically, Zfone differs from Skype in that it has an open-source architecture.
Making a product open source is one of the best ways to ensure that it doesn’t have any backdoors, says Peter Eckersley, staff technologist at the San Francisco-based Electronic Frontier Foundation. Because Skype’s encryption is proprietary, no one can be entirely sure that the company hasn’t secretly provided a backdoor to government authorities or legal bodies, he says.
Phil Zimmerman, Zfone’s creator, says he hasn’t felt any legal pressure on Zfone, but he’s not sure he won’t. Zimmerman is the creator of the widely used Pretty Good Privacy (PGP) e-mail and file encryption software; he spent three years in the early 1990s under government investigation for possibly violating laws against exporting encryption products after he published PGP’s encryption code online.
He says that because Zfone only involves the participation of end users, it’s unlikely to fall under CALEA. The law mainly targets VoIP companies and Internet service providers, he says.
Zimmerman says that VoIP should remain untappable because giving a backdoor to law enforcement will create a vulnerability that hackers and criminals would soon exploit. The reason there have not been a lot of VoIP attacks and eavesdropping by criminals so far is that it still represents a relatively small portion of the world’s calls, Zimmerman says. But just as organized crime moved into Internet crime as online commerce grew, VoIP will also likely be widely abused as it gains popularity.
Zimmerman says that law enforcement agencies can still review call logs, which have been valuable in intelligence and law enforcement.