[Asterisk-Users] CALEA?
John Todd
jtodd at loligo.com
Wed Feb 4 20:21:01 MST 2004

At 3:39 PM -0600 2/4/04, Steven Critchfield wrote:
>On Wed, 2004-02-04 at 15:24, Tilghman Lesher wrote:
>> On Wednesday 04 February 2004 01:26, Ryan Finnesey wrote:
>> > What are my support options for CALEA with Asterisk?
>>
>> Not many. Basically, if you have Zaptel devices, you can use
>> ZapBarge to listen to those conversations without having to
>> physically tap the lines. Beyond that, there isn't a capability
>> to selectively listen to portions of calls. You could choose to
>> record all calls with Monitor, for example.
>>
>> IANAL, but this seems like a legal grey area, as the FCC has
>> been pushing against regulating VoIP services, which may mean
>> that VoIP services are not legally considered communication, which
>> would exclude them from CALEA. However, this is for lawyers to
>> argue in court and for a judge to decide.
>
>From what I remember reading, Powell doesn't want to regulate VoIP to
>VoIP as it is just an application which happens to pass audio data. He
>may well have to step in for PSTN to VoIP as the PSTN part is without a
>doubt a telephone call. Of course the only people who really need to
>worry much about that would be those considered as a CLEC right? The
>majority of us here are acting as PBX operators and aren't required to
>intercept.
>--
>Steven Critchfield <critch at basesys.com>

Note: CALEA is a term used in the USA, but the concepts apply
worldwide to interception of voice traffic or recording of call
transactions.

This all boils down to a fundamental question:

"Do you believe that individuals have the right to communicate
verbally without the government having the ability to listen to the
conversation?"

If your answer is "No", then CALEA applies to VoIP, regardless of
method, switching location, equipment, interconnection to PSTN, or
numbering schemes. Any _network_ provider would need to filter or
block traffic which, based on their BELIEF of ability to transport
voice communication, would be un-interceptable. This is fundamentally
impossible without de-activation of much of what we know as the
Internet (at the protocol level) and I do not seriously consider
people who reply in the negative.

If your answer is "Yes", then things get a little more grey. Where,
exactly, does the (admittedly useful and "good") intercept right of
the government stop? At any interconnection with the PSTN? At any
system that uses an e.164 numbering scheme? At any system that
charges money for access? The real and only legal teeth that could
be enforced on this boils down to numbering and addressing methods.
If there is a single, unified number allocation mechanism that is
universally accepted, then control of any traffic has an authority
chain that can be tracked to a responsible party, who can either a)
be denied access to the numbering scheme based on certain criteria,
or b) be compelled to allow interception or signalling tracing lest
they be faced with (a). Once you move outside of the numbering
("authority") space, you're outside of anyone's ability to enforce
compliance with any laws regarding intercept or session tracing: the
directory servers can be in other nations, and the end users are
difficult or impossible to detect if they have clever clients.

This is the same problem the Internet faces today. There is no
reason that someone couldn't start up another "Internet" using the
ipv4 address space. But they don't, because it wouldn't be _the_
Internet. (don't argue with me about bogon route announcements -
those do not have the attention of any government on them at this
point, or they'd be solved.) Thus, there is a control mechanism that
can be placed on telephony as well - there is a "root" to all phone
numbers, and someone is assigned those numbers. The ubiquity and
universally expected functionality of those numbers is what prevents
others from making up their own schemes and creating independent and
regulation-free environments (sorry, FWD and others - unless you're
on e.164, you won't get very far in a non-hobbyist environment.) The
only hope is the peer-to-peer type systems that have decent scaling
factors, but still, gateways into the PSTN are difficult to manage
with those platforms.

Law enforcement fails to recognize this larger issue of authority,
and is focusing on the tactical situation of "how do we snoop on any
call?" Well, sorry boys, the answer is: you can't. It will only get
harder as time goes on. Just like you can't read my email (easily)
if I choose to make it difficult, I should be able to perform the
same snoop-proofing on my telephone calls.

The good news for LEA is that court orders here in the US still have
some traction. If I, as a PBX operator, IPCSP, ISP, or hosting
provider get a court order that says that I must open my records for
search, or allow interception equipment to be installed on my
network, I will have no problem honoring that request to the best of
my ability. However, that ability may be very limited based on the
fact that the media streams never go through my system, or cannot go
through my system without the conversational parties knowing that
they are being intercepted. I will not go out of my way to cripple
my customers and create broken and un-scalable systems whose only
flaw would be my pandering to law enforcement's requirements. At the
same time, I will never block or prevent LEA from doing their jobs,
and in fact, I will help them the best I can (for both personal
beliefs and also to prevent being thrown in jail.)

Back to the practical: Asterisk is actually quite well suited for
CALEA in a limited fashion. I have discussed creating a CALEA PRI
intercept box with Asterisk, and I'd be surprised if nobody has
already done this. It could just as easily sit on an ethernet
segment and suck up traffic from SIP, h.323, MGCP, IAX, SCCP. It's
an ideal development platform for CALEA intercept technology; anyone
want to pay me $1m for development of such a tool? I didn't think so
- gov't looks for GSA contracts - Open Source is pretty much the
Devil's work.

Now, should anyone running Asterisk worry about CALEA? I will put my
neck out and say "No" unless you're a service provider that
interconnects to the PSTN. Then, I suspect your PSTN network will
fall under the focus of the gov't here in the US. You could head
them (the LEA) off at the pass by programming features into your
Asterisk server that allow for easy recording or live monitoring of
certain "accounts" or calls going to certain destinations. The court
can compel you to do pretty much anything, so if you build a system
where it is _possible_ for interception to occur, you should consider
tools for that interception as integral in the construction of the
system.

I'll spell this out for those of you who couldn't catch my point in
that last sentence: design systems where it is _impossible_ for
interception to occur, at least from the standpoint of the network
provider. We're a long, long way from that (with the possible
exception of Skype, but since they're closed source, we can't be
sure, can we?)

JT