[VOIPSEC] CALEA Enforcement
Joseph Burdick
joseph.burdick at gmail.com
Tue May 9 10:16:47 CDT 2006
I've been concerned with what type of monitoring Skype has on my end-to-end
encrypted calls, and I've dug into the full Skype user agreement and privacy
policy and found:
"...in the event of a designated competent authority requesting Skype or
Skype's local partner responsible towards such authority, to retain and
provide Personal and/or Traffic Data, or to install wiretapping equipment in
order to intercept communications, Skype and/or its local partner will
provide all necessary assistance and information to fulfill this request."
Skype is organized under the laws of Luxembourg and coupled with new EU
directives like CALEA:
http://management.silicon.com/government/0,39024677,39155062,00.htm
The European parliament has today passed new, far-reaching data retention
legislation for the telecommunications industry.
"The directive, which will require ISPs and phone companies to keep data on
every electronic message sent or phone call made for between six months and
two years...including VoIP..."
So, they have left themselves legal room to wiretap and hand over
data/recordings to a "designated competent authority" (just about any
government in the world in my mind) and it seems like the EU will also get
them to store some "just in case" data for after the fact research. I would
think that they have the actual ability to wiretap if they included it in
the privacy policy, and I don't think this only applies to SkypeIN/OUT calls
where it's easy to catch them as they decrypt and jump on the PSTN. With
black box infrastructure, I'd say they have an easy way of applying a
redirect to your account so that recording can happen anytime you make a
call.
Maybe we can learn from this, maybe we should strive for a system that at
least makes this impossible.
All I can say is Skype user beware, AES 256 or not.
-Joseph
Date: Fri, 5 May 2006 15:33:50 -0500
From: "Gupta, Sachin" <s-gupta2 at ti.com>
Subject: [VOIPSEC] CALEA Enforcement
To: <voipsec at voipsa.org>
Message-ID:
<772F5D89C5E0734B8A86D85DFC6A2024033464E0 at dlee03.ent.ti.com>
Content-Type: text/plain; charset="us-ascii"
I came across an article which mentions the enforcement of CALEA. Would
this mean no end-to-end security?
How would any kind of legal intercept be possible if there is end-to-end
security?
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-265221A1.pdf
Sachin