Chapter 9 VoIP Security and

the Law
nternet telephony, an inexpensive alternative to traditional telephone
service, has been facing regulatory backlash that could slow adoption of
the fast-growing technology, raise prices, and put financially shaky
start-ups out of business. The Federal Communications Commission
(FCC) could adopt new rules for VoIP operators, signaling the end of
the honeymoon for an industry that’s operated to date with no official
oversight. Many believe that if a company is operating as a phone
company, then it must follow requirements regardless of whether the
calls are made over the Internet or not. Most significant of these
requirements is the concern over VoIP emergency 911 services that has
been raised by several states. Higher prices, slower introductions of new
Internet telephony services, and the demise of some of the same start-
ups will more than likely result if regulations force VoIP providers to
offer essential 911 services.
As U.S. IP telephony subscribers have dramatically increased in
numbers, a growing number of states and the FCC have begun exploring
whether to put VoIP providers on their regulatory radar. As a
telecommunications service, IP telephony providers such as Vonage and
Packet8 would likely have to carry the monstrous load of common-
carrier regulations, including contributions to the federal universal-
service funds and perminute access charges levied on calls that
terminate on the networks of other phone carriers, which are mostly
likely to be the Baby Bells. There remain many questions about whether
the Internet Tax Freedom Act exempts IP telephony providers from
federal excise tax. Telephone regulators in several states are in various
stages of drafting some IP telephony regulations. A good Web site to
access to stay up to date on state-specific regulatory issues is
www.cybertelecom.org/voip.states.htm.
The Federal Bureau of Investigations (FBI) has recently put pressure
on regulators to seek rules requiring VoIP and broadband Internet
service providers (ISPs) to ensure the ability of law enforcement to
conduct wiretaps
 on VoIP subscribers. The FBI wants the FCC to bring Internet calling
under provisions of the 1994 Communications for Law Enforcement
Act (CALEA), which requires phone carriers to provide the FBI with
direct access to phone lines. Because voice calls over the Internet travel
in digital packets, it is relatively easy to encrypt conversations, or to use
secure tunnels, making them difficult for law enforcement to access.
IP telephony providers face an uphill effort against the lobbying
machines of the local-telephone companies. The Baby Bells, with their
huge war chests and political influence, will prove to be an ominous
opponent. Cable providers have taken serious steps toward launching
VoIP telephone services and are considered a major challenge to the
dominance of phone companies. This competition has driven telephone
companies—most notably, BellSouth and SBC Communications—to
argue that it’s time for regulators to level the competitive landscape.
Earlier this year, Qwest Communications International broke ranks with
the other Bells, in that it wants IP telephony to be regulated but believes
the FCC should draft separate, lighter rules for the start-up services
compared with those traditional telephone companies must follow.[1]
AT&T was the second major phone company to break ranks this year
and join those rallying against IP telephony regulations as well. In April
2004, the FCC rejected a petition from AT&T Corp. that would have
allowed the company to avoid paying its telecommunications
competitors access charges on telephone calls partly carried on IP
networks.[2] Interestingly enough, on August 23, 2004, AT&T
announced that the retail chain Best Buy will be among the first national
retailers to offer AT&T’s residential VoIP phone service, AT&T
CallVantageSM Service, in its 628 stores nationwide and online at
www.bestbuy.com.[3]

9.1 Regulatory Issues

To date, the most significant national-level legislation has been the
VoIP Regulatory Freedom Act of 2004 (S. 2281). On July 22, 2004, the
Senate Commerce, Science, and Transportation Committee passed this
VoIP Bill, which requests a report from the General Accounting Office
(GAO) that will do the following:

• Assess the technical capability of law enforcement to intercept and

analyze IP transmissions

 
 • Assess problems encountered by law enforcement when
intercepting communications over the Internet or using IP

• Assess options for law enforcement agencies to acquire the skills and
equipment necessary to analyze Internet communications
• Assess the impact of the first 10 years of CALEA implementation
and compliance along with a cost-benefit analysis

The bill also requires a study from the FCC to assess the first 10
years of CALEA; however, the bill does not affect VoIP telephony
provider obligations under CALEA. The Act regulates VoIP at the
federal level and preempts state law with three major exceptions:

1. States may still enforce laws and regulations of general

applicability, including consumer protection laws and
prohibitions against fraud and unfair trade practices.
2. States and local governments may still require 911 and E911
services.
3. States may still regulate transmission facilities and require
VoIP providers to pay compensation to incumbent carriers for
the use of facilities and contribute to the universal service fees.
[4]

Recent increase in the popularity of VoIP services has accelerated the

pace at which lawmakers are moving to define IP telephony’s place
within the larger scheme of telecommunications regulation, but there
remains considerable disagreement in Congress over the roles federal
and state regulators should play. Earlier this year, the FBI and the
Justice Department renewed their efforts to wiretap voice conversations
carried across the Internet. They asked the FCC to order companies
offering VoIP service to rewire their networks to guarantee police the
ability to eavesdrop on subscribers’ conversations. They predicted, in a
letter that was signed by the Drug Enforcement Administration (DEA)
to the FCC in December 2003, that without such mandatory rules,
criminals, terrorists, and spies (could) use VoIP services to avoid
lawfully authorized surveillance.[5]
In July 2004, commerce committee senators approved the VoIP
Regulatory Freedom Act after amending it to preserve some authority
for the states. However, the absence of a solid consensus makes it
unclear whether the measure will be brought to a vote in the full Senate
later in 2004. Sen.

John Sununu, R-N.H., who authored the bill, wants to not only prevent
state regulators from meddling in the emerging technology but also
restrict the FCC’s authority. Sununu and Sens. Maria Cantwell, D-
Wash., and Ron Wyden, D-Ore., warned the FCC this month to resist
pressure from the FBI and the DEA to impose wiretap requirements on
the Internet application. Cautioning that applying wiretap rules to VoIP
would put law enforcement “in the role of mandating design features for
Internet applications,” the senators urged the FCC to reject law
enforcement’s request.[6]
The FBI has pressured regulators to seek rules requiring VoIP and
broadband ISPs to ensure the ability of law enforcement to conduct
wiretaps on VoIP subscribers. The FBI wants the FCC to bring Internet
calling under provisions of CALEA, which requires phone carriers to
provide them with direct access to phone lines. Internet privacy
advocates, such as the San Francisco–based Electronic Frontier
Foundation, are backing Pulver who launched Free World Dial-Up
(FWD). Jeff Pulver, the President and CEO of FWD. FWD is the largest
open network service provider for person-to-person, advanced, real-time
IP communications. Earlier this year, the FCC ruled that FWD VoIP
service is an information service, not a telecommunications service. But
even requiring FWD to provide access to voice communications will
probably be of little use to the FBI if a caller is determined to block
eavesdropping. Because voice calls over the Internet travel in digital
packets, it is relatively easy to encrypt conversations, or to use secure
tunnels, making them inaccessible to law enforcement.[7]
The current lack of definitive regulatory requirements or guidelines
specific to VoIP security and the law do not negate the legal
requirements for security that currently exist within the IP domain. As
with the IP security risks inherited by VoIP, the laws appropriate for
both IP and the plain old telephone service (POTS) are also inherited by
VoIP. With the rash of cyber-incidents that have taken a huge financial
toll on governments and businesses within the last decade, legislators
began to see that laws needed to be enacted to control the Wild West
environment that existed in cyberspace. Laws have been enacted to
protect privacy, infrastructure, people, companies, and just about
anything or anyone that uses a computer or any form of computer
technology. We will discuss the most significant of those laws and how
they impact corporate security operations in the remaining parts of this
chapter.