[VOIPSEC] Truths on "Truth in Caller ID Act" (possible industry solution)

John Todd jtodd at loligo.com
Fri Oct 6 14:02:48 CDT 2006


I would agree that this becomes a trust federation issue.  I have a 
proposal at the end of this message which may interest some of you, 
so please skip to the "POSSIBLE SOLUTION" section if you want to hear 
about action instead of more pontificating.

For several firms that I have worked for, including my current employer, 
the caller ID issue has been of central concern.  Users without E.164 
numbers, users with several E.164 numbers, users wanting to move 
E.164 numbers to their calling device and network of choice - these 
are only some of the things that arise with the development of mobile 
and VoIP infrastructures that decouple devices from E.164 addresses. 
It's going to get much more complex and customized from the user's 
perspective, and it's up to us as an industry to figure out how to 
provide accountability for our customers and ourselves.

This document really only speaks about E.164, and the "VoIP" part of 
this is only relevant to this list insofar as there seems to be the 
greatest disconnect between VoIP<->PSTN transmissions and identity 
assurance.  The methods of SIP authentication and auditing seem to be 
easier to solve, though by no means trivial.


Assertions:

1) Caller ID (and ANI) is insufficient for authentication purposes 
other than as a "hint".  It is wildly irresponsible to assume that 
the person attached to a device is "authenticated" merely by using 
that device, when control of those devices has no additional security 
policy that is universal or even commonplace.

2) I agree that identity presentation should be separate from the 
network provider.  As users become more and more distinct from 
telephony devices, this will only become more pronounced.   This 
applies to E.164 numbering as well as other identity methods.

3) I do not agree that there is a technical solution to this problem 
that works on the front-end. SIMs, or biometric authentication, or 
other methods are too complex, or at the least are going to be 
selected independently by each vendor.  (but I do think there is a 
solution on the back-end - keep reading.)

4) Law enforcement does need a way to determine who made a call, or 
at least to what company a warrant should be presented for further 
data.  Currently that does not seem to be the case.

5) I think that the "Truth in Caller ID Act" is probably more 
political grandstanding than actual effective legislation, since as 
mentioned there already exist wirefraud statutes which make false 
impersonation a crime, and I seem to recall (though I cannot find 
reference) that there have been already-prosecuted cases on the topic 
of caller ID.   This pre-existing law will not prevent assertion #6...

6) Law enforcement in the United States currently can ask for and 
receive almost anything they want as far as legislation.  As soon as 
an investigation reveals that caller ID re-writing was integral to 
some type of "terrorism", the industry will suddenly find itself at 
the wrong end of an even more-poorly written legislative cannon which 
will crush companies and investment.  Other nations are already in 
situations where certain products are illegal or grey market due to 
bad legislation, and some will follow the lead of the US.  Being 
prepared for this in advance with a solution that is pre-built is the 
only way to avert a crisis.


Problems to overcome with any solution:

A) Many "next-generation" telephony/mobile application firms who are 
receiving funding right now use Caller ID as a key to their services. 
I don't think their investors have been shown the potential for fraud 
yet or understand the threat of legislative hysteria.  Didn't 
everyone learn from the calling card business yet?

B) The PSTN cannot turn on a dime and restrict ANI/CLID from clients. 
It is used too widely for completely legitimate purposes.  A 
"check-ahead database" that is consulted before call completion at 
any/every border is unworkable as a matter of cost and willpower, I 
believe.

C) Most firms are unwilling to participate in a system where their 
user data or CDRs with user relationships are centrally managed, as 
they have serious legal and commercial privacy concerns about control 
of that data.


So clearly, we have a looming problem.  There does not seem to be any 
solution that is feasible that works on the front-end (authentication 
before completion.)  And there is a legitimate fear of any 
centralized databases since many of the service providers don't want 
to expose their customers to an unknown trust element in the center 
of the network ("Wait! You mean we can't trust AT&T not to give our 
records to the NSA?" <cough>)  Legislation _WILL_ happen if nothing 
else is inserted into the vacuum, and it will be far more unpleasant 
than that which is currently proposed.  So, what to do?


POSSIBLE SOLUTION:

I would suggest an industry-neutral, non-profit entity that provides:
     a) A set of agreed-upon rules for member participants regarding:
          i) Methods of user and E.164 authentication
         ii) Acceptable caller ID/ANI re-write circumstances
        iii) Acceptable CDR formats, user data, and archive guidelines 
             for internal use
         iv) Common interface specifications for CDR transmission and LEA access
          v) LEA interaction guidelines
     b) A set of penalties for rules transgressions (removal from membership?)
     c) A central database that members update with call events
     d) A method to authenticate law enforcement request entities
     e) A method to deliver data to law enforcement upon valid warrant 
        presentation
     f) A central focus for technical legislative advisory advice ("lobbying")
     g) A central focus for development and implementation funding 
        that is tax-sheltered


This membership-based organization would serve as a trust broker, 
both from the perspective of providing "legitimate" firms a safe 
haven from further regulatory heavy-handedness, as well as providing 
Law Enforcement Agencies (LEA) with an effective method of pursuing 
warrants for criminal investigations.  The members would be able to 
safely transmit call data for LEA use without revealing their 
customer's identities, and the LEA would have a single first point to 
contact if there were calls about which they would like to gather 
more data.

Members would be any firm that re-writes caller ID and inserts that 
into a PSTN or even a VoIP-only network.  This can range from VoIP 
providers who create "on-the-fly" caller ID on PSTN calls for users 
with no E.164 address (Skype) to firms which allow users to specify 
their caller ID on outbound VoIP calls.

"What is in the database?" you might ask.  The database would contain 
only a minimal amount of data, that which would be necessary to 
determine from what member a particular call originated, but NOT the 
identity of the end call originator.  (originating_member, 
destination_number, originating_clid, originating_ani, 
call_start_time, call_end_time to name only the most important 
fields.)  Data would be inserted into the database after call 
completion, so this is a "back-end" tracking system and not an 
authentication system of any kind.  The data associating a call event 
with an end user would be kept by the member organization which 
created or proxied the call, and would be uncovered by the LEA 
contacting that member directly.  However, the central database would 
allow LEA to determine what organization was the correct recipient of 
the next warrant, which I believe is a significant portion of the 
burden during investigation.  The LEA could come to the clearinghouse 
and ask "Were there any calls to 1-XXX-XXX-XXXX starting at 
approximately 2006-10-06 22:02 from CLID 1-YYY-YYY-YYYY?"  The trust 
broker would then look through the database, and respond with 
something like: "Yes, there was a call matching your request, and for 
further information you should talk to FooTelecom, Inc. since all we 
know is that such a call took place but have no data on the end user 
who made the call."  The important thing to note is that this is NO MORE 
DATA than is currently exposed in the PSTN, but it allows 
accountability as to which company made the call.  It would seem odd for 
a firm to object to the data requirements unless they were providing 
illegitimate use cases to their customers, but that might become more 
self-evident as time goes on and membership grows.

To speak for my own company: we are happy to comply with any warrant 
presented to us, but at the moment there is no clear way for a LEA to 
know that they should give the warrant to _us_ as opposed to any 
other telephony firm that is interconnected to the PSTN.  For every 
company in our position it would be inefficient to set up an LEA 
system, since the LEA would then have to ask every company the same 
question, and the rules and expectations would almost certainly be 
different for each relationship.  That clearly would not scale, so 
the concept of a central registry for call events sounds more 
reasonable.

This would obviously not solve the problem completely.  There is 
nothing saying that membership would be universal, nor does it say 
that only members can accept calls from other members - that is their 
decision to make independently.  I am not a proponent of making such 
an organization legally required.  However, it is what I think is a 
good first step that the industry could make towards 
preventing further legislation which may become more technically 
impossible and stifling.  Members that do not join may eventually be 
seen as less-legitimate, and it may be the case that they are not 
allowed to interconnect with CLID/ANI capabilities (though this 
certainly remains to be seen.)  Just like many ISPs will not peer 
with other ASNs if there is no written policy of ingress filtering, 
it may be the case that membership in this organization becomes the 
"policy" precursor for interconnection.

Anyone wanting further information on this concept should contact me 
off-list.  My company is looking to provide basic funding for the 
construction of a non-profit and participation in the database, and 
we will only act if others are willing to minimally invest in the 
experiment.  Please forward this message to technical or executive 
staff of firms that you feel have an interest in keeping their "Phone 
2.0" businesses unregulated in this regard.  Additionally, I am 
interested in the LEA perspective here - I haven't contacted anyone 
on this thread yet, and it would be useful to hear about the current 
state of the art and thoughts from law enforcement on the future.

JT
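As an added illustration (not part of John Todd's post, and not any real clearinghouse's code), the following Python sketches the minimal call-event registry described above: members post the six fields named in the message after call completion, and an LEA query by destination number, CLID and approximate start time returns only the originating member, never an end-user identity. The SQLite schema, the five-minute matching window, the E.164 normalization helper and the sample events (fictional 555 numbers, constructed here) are all assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta

# Registry schema (assumption of this example): exactly the fields named in
# the post, and nothing that identifies the end user who placed the call.
SCHEMA = """
CREATE TABLE call_events (
    originating_member TEXT NOT NULL,
    destination_number TEXT NOT NULL,
    originating_clid   TEXT,
    originating_ani    TEXT,
    call_start_time    TEXT NOT NULL,  -- ISO 8601, UTC
    call_end_time      TEXT
);
CREATE INDEX idx_dest_start ON call_events (destination_number, call_start_time);
"""

# Constructed sample events, as members would post them after call completion.
SAMPLE_EVENTS = [
    ("FooTelecom, Inc.", "+15555550100", "+15555550199", "+15555550042",
     "2006-10-06T22:01:30Z", "2006-10-06T22:05:12Z"),
    ("BarVoIP LLC",      "+15555550100", "+15555550177", None,
     "2006-10-06T19:40:00Z", "2006-10-06T19:41:05Z"),
    ("FooTelecom, Inc.", "+15555550123", "+15555550199", "+15555550042",
     "2006-10-06T22:02:10Z", "2006-10-06T22:02:55Z"),
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalize_e164(number):
    """Reduce '1-XXX-XXX-XXXX' style input to '+' followed by the digits only."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError("no digits in number: %r" % number)
    return "+" + digits


def open_registry():
    """Create an empty in-memory registry with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_call(conn, member, dest, clid, ani, start, end):
    """A member posts one completed call; numbers are normalized on the way in."""
    conn.execute(
        "INSERT INTO call_events VALUES (?, ?, ?, ?, ?, ?)",
        (member, normalize_e164(dest),
         normalize_e164(clid) if clid else None,
         normalize_e164(ani) if ani else None,
         start, end),
    )
    conn.commit()


def build_sample_registry():
    conn = open_registry()
    for event in SAMPLE_EVENTS:
        record_call(conn, *event)
    return conn


def lookup(conn, dest, clid, approx_start, window_minutes=5):
    """Answer an LEA query of the form 'were there any calls to <dest> from
    CLID <clid> starting at approximately <time>?'.  Returns only the
    originating member name(s); the registry holds no end-user identity,
    so the next warrant goes to that member directly."""
    t = datetime.strptime(approx_start, TIME_FMT)
    lo = (t - timedelta(minutes=window_minutes)).strftime(TIME_FMT)
    hi = (t + timedelta(minutes=window_minutes)).strftime(TIME_FMT)
    rows = conn.execute(
        """SELECT DISTINCT originating_member FROM call_events
           WHERE destination_number = ? AND originating_clid = ?
             AND call_start_time BETWEEN ? AND ?
           ORDER BY originating_member""",
        (normalize_e164(dest), normalize_e164(clid), lo, hi),
    ).fetchall()
    return [r[0] for r in rows]


def stored_fields(conn):
    """List the registry's columns, so members can audit what it retains."""
    return [row[1] for row in conn.execute("PRAGMA table_info(call_events)")]


if __name__ == "__main__":
    registry = build_sample_registry()
    print(lookup(registry, "1-555-555-0100", "1-555-555-0199",
                 "2006-10-06T22:02:00Z"))
```

Because the timestamps are stored as fixed-width ISO 8601 strings, the BETWEEN comparison is a plain string comparison and needs no date functions; the index on (destination_number, call_start_time) is what keeps the query cheap as the event volume grows.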



At 11:08 AM -0400 2006/10/5, Geoff Devine wrote:
>
>I see this as a trust federation.  Today, you can be fairly confident
>that a wireline phone connected to the PSTN is not spoofing CallerID.
>Today, you can be fairly confident that an MSO PacketCable phone
>connected to the PSTN is not spoofing CallerID.  Today, you can be
>fairly confident that a cellular telephone connected to a cellular
>provider is not spoofing CallerID.  The problem is that there is this
>new breed of service providers who should not be allowed into the trust
>federation.  You can certainly set up VoIP so it's unlikely that users
>will spoof CallerID.  Issue them something like a GSM SIM chip.  Have a
>contract with them.  Use AAA methods that are at least as hardened as
>what is used today on the cellular network.  If a service provider
>doesn't conform to these requirements, they're not allowed to join the
>trust federation.  If you don't like it, use a SIP URI rather than an
>E.164 number and live in the mayhem created by the IETF.
>
>Geoff
>
>-----Original Message-----
>From: J. Oquendo [mailto:sil at infiltrated.net]
>Sent: Thursday, October 05, 2006 10:51 AM
>To: Geoff Devine
>Cc: voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"
>
>Geoff Devine wrote:
>>  So....
>>
>>  Why would a "truth in Caller ID" law be bad?  If you placed the burden
>>  on telephony service providers to prevent spoofed CallerID and made it
>>  a crime for an individual to spoof CallerID, I'd classify it as sound
>>  public policy.
>It's not that it's a bad idea, it just won't work the way it's pitched.
>First of all, placing the burden of all telephony provider to support
>this may work in the country of origin but it won't work in Nigeria
>
>>  If it doesn't happen, my telephone is going to start
>>  ringing at 3 AM with spoofed calls from Nigeria claiming to be my
>>  employer or a family member.  Unlike Email spam, a telephone call is a
>>  very intrusive thing.  There may be an emergency where I absolutely
>>  need to have my phone ring at 3 AM.
>>
>>  Geoff
>>
>>  
>I've yet to see one response as to why this will work with proof of it
>working. How does the US government intend on having telephony providers
>outside of the US following suit and conforming to this? So let's make
>you a provider with this law passed and create the following scenario:
><scenario> Yourcompany gets a call from a Nigerian hosted spoofed caller
>ID site. Yourcompany passes the call. Yourcompany now gets sued for
>passing that call.</scenario> How much sense does that make to you?
>Makes little to me. There is NOTHING, absolutely NOTHING the United
>States is going to do that will completely stop this from happening
>(spoofing). All that *WILL OCCUR* will be the introduction of frivolous
>lawsuits to Yourcompany since it did not stop this spoofed call from
>coming through your network along with you having to conform to this
>"Truth in Caller ID" policy as well as Yourcompany spending money on
>"compliant" equipment that you *HOPE* will stop this from happening.
>
>So how is it a bad idea, simple, it may be practical in the United
>States, but worldwide it means nothing.
>
>Mpierce1 at aol.com wrote:
>
>  > . It can not be, if used as defined in American National Standard
>  > T1.625 and several equivalent ITU-T Recommendations.
>
>Note the word "Recommendations"
>
>  > , the industry finds ways to stop the abuse, so that the telephone
>  > system continues to be a fairly secure, protected way for people to
>  > communicate. The use of CLI for identification is appropriate for
>  > certain purposes.
>
>Using CLI for identification purposes is moronic from my view hence my
>previous example that I shall re-paste: If I stepped into a bank and
>asked to make a courtesy call, I can engineer information from someone
>since (what you call verifiable and ABSOLUTE) CID will show the
>information from a bank. Takes no technology to pull this off.
>
>  > It seems that part of the
>  > original comment was based on a belief that there are perfectly good,
>  > legitimate reasons for spoofing CLI.
>
>There is no perfectly legitimate reason so this was not a portion of the
>original post I made. The original point I was making was and will
>continue to be that this is a moronic law which will 1) cost more
>carriers money to conform to, 2) not deter someone from spoofing (it may
>in the US but the US is not the world's government).
>
>  > And it results in things like the ridicule of a proposed US
>  > law (which began this string) which tries to deal with this emerging
>  > scourge on our communication system.
>
>It is ridiculous and imposing nothing more nothing less.
>
>So here is your sane response to your comments and something of a
>reverse role.... China, Korea, Russia and the EU have decided that when
>calls come into their countries, their caller ID's should NOT pass
>information. Their governments decided it was intrusive to their people
>to have information being passed over telephony so they've decided to
>make a law that states "Should any telco pass any information through
>telephony, they can be held liable for invasion of privacy. Those not
>conforming to this standard will be fined". US carriers pass information
>off to these countries and lawsuits begin. ChinaTelephonyCo is suing
>USTelcoCom for not following their rules and passing on CID information.
>
>Is that fair? This is what you're purporting here in a reverse fashion.
>
>US GOVERNMENT: If someone from anywhere passes off *SOMETHING WE DON'T
>LIKE* they will be held liable for breaking the law.
>
>Sounds Dictatorish to me and it won't work. It won't work because there
>is nothing under the sun at this point in time I can find to cite,
>quote, ponder on, etc., that proves me wrong other than someone's
>personal view.
>
>--
>====================================================
>J. Oquendo
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>sil . infiltrated @ net http://www.infiltrated.net
>
>The happiness of society is the end of government.
>John Adams
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org




