Fwd: FC: IETF considers building wiretapping into the Internet

Rohit Khare (rohit@uci.edu)
Tue, 12 Oct 1999 15:07:17 -0700

>From: Declan McCullagh <declan@well.com>
>Subject: FC: IETF considers building wiretapping into the Internet
> Wiretapping the Net: Oh, Brother
> by Declan McCullagh (declan@wired.com)
> 2:00 p.m. 12.Oct.99.PDT
> Since its humble beginnings as a
> 15-person committee in 1986, the
> Internet Engineering Task Force has had
> one guiding principle: To solve the
> problems of moving digital information
> around the world.
> As attendance at meetings swelled and
> the Internet became a vital portion of
> national economies, the
> standards-setting body has become
> increasingly important, but the engineers
> and programmers who are members
> remained focused on that common goal.
> No longer.
> The IETF is now debating whether to wire
> government surveillance into the next
> generation of Internet protocols. The
> issue promises to cause the most
> acrimonious debate the venerable group
> has ever experienced and could have a
> lasting effect on privacy online.
> To reach even a preliminary decision in a
> special plenary session of the IETF
> meeting in Washington next month,
> attendees must weigh whether law
> enforcement demands are more important
> than communications security and
> personal privacy -- a process that places
> technology professionals in the unusual
> position of taking a prominent political
> stand.
> "As Internet voice becomes a wider
> deployed reality, it is only logical that the
> subject has to come up," IETF chairman
> Fred Baker said. "We are deciding to bring
> it up proactively rather than reacting to
> something later in the game."
> [...]

>The IETF's position on technology to support legal intercept
>* To: IETF-Announce: ;
>* Subject: The IETF's position on technology to support legal intercept
>* From: The IESG <iesg-secretary@ietf.org>
>* Date: Mon, 11 Oct 1999 15:47:10 -0400
>* cc: raven@ietf.org
>* Reply-to: raven@ietf.org
>* Sender: scoya@cnri.reston.va.us
>The use of the Internet for services that replace or supplement
>traditional telephony is, predictably, causing discussions in many
>countries about the point at which special rules about telephony
>services begin to apply to Internet service providers. In many
>countries, these rules could impose new legal obligations on ISPs,
>particularly requirements to comply with requests from law enforcement
>agencies or regulators to intercept, or gather and report other
>information about, communications. For example many traditional
>telephony devices, especially central-office switches, sold in those
>countries are required to have built-in wiretapping capabilities to
>allow telephone carriers to fulfill these obligations.
>A number of IETF working groups are currently working on protocols to
>support telephony over IP networks. The wiretap question has come up
>in one of these working groups, but the IESG has concluded that the
>general questions should be discussed, and conclusions reached, by the
>entire IETF, not just one WG. The key questions are:
> "should the IETF develop new protocols or modify existing protocols
> to support mechanisms whose primary purpose is to support wiretapping
> or other law enforcement activities"
> and
> "what should the IETF's position be on informational documents that
> explain how to perform message or data-stream interception without
> protocol modifications".
>We would like to encourage discussion of these questions on the new
>raven@ietf.org mailing list. Subscription requests should be mailed to
>raven-request@ietf.org OR subscribe via the web at
>Time will be allocated at the Plenary session at the November IETF to
>discuss this orally and try to draw a consensus together. (PLEASE
>In addition to the general questions identified above, we believe it would
>be helpful for mailing list comments to address the following more specific
> Adding wiretap capability is by definition adding a security hole.
> Considering the IETF's commitment to secure protocols, is it a reasonable
> thing to open such a hole to meet these requirements?
> Should the IETF as an international standards organization shape its
> protocols to support country-specific legal requirements?
> If the companies who employ the IETF participants and deploy the
> IETF's technology feel that having wiretap capability is a business
> necessity due to the regulatory requirements in the countries where
> they want to sell their products, would that make a difference to the
> IETF position on this subject?
> What is the appropriateness or feasibility of standardizing mechanisms
> to conform to requirements that may change several times over the life
> cycle of equipment built to conform to those standards?
> When IPv6 was under development, the IETF decided to mandate an
> encryption capability for all devices that claim to adhere to those
> standards. This was done in spite of the fact that, at the time the
> decision was made, devices meeting the IPv6 standard could not then
> be exported from the U.S. nor could they be used in some countries.
> Is that a precedent for what to do in this case?
> Could the IETF just avoid specifying the part of the technology that
> supports wiretapping, presumably assuming that some industry consortium
> or other standards organization would do so? Would letting that
> responsibility fall to others weaken the IETF's control over its own
> standards and traditional areas?
> If these functions must be done, is it better for the IETF to do them
> so that we can ensure they are done in the most secure way and, where
> permitted by the regulations, to ensure a reliable audit capability?
> What would the image of the IETF be if we were to refuse to standardize
> any technology that supported wiretapping? In the Internet community?
> In the business community? To the national regulatory authorities?
>The goal of the mailing list and then plenary session is to address the
>broad policy and direction issue and not specific technical issues such
>as where exactly in an architecture it would be best to implement
>wiretapping if one needed to do so. Nor are they to address what
>specific functions might be needed to implement wiretapping under which
>countries' laws. The intent is basically to discuss the question of
>what stance the IETF should take on the general issue.