Cringely on VOIP Privacy

Robert X. Cringely:


The Communications Assistance for Law Enforcement Act (CALEA — I’ve written about this one before) requires “managed” VoIP operators to provide law enforcement agencies a point of interception so they can tap your VoIP calls. What’s a “managed” VoIP service? Packet8, Vonage, Comcast, and AT&T all certainly qualify, but does Skype? Yes, if you think of billing as management, now that there is SkypeOut and SkypeIn. And given the current management at the U.S. Department of Justice, “managed” could mean pretty much anything.

VoIP interception is usually done at the SBC/proxy. The network operator’s SBCs perform decryption/encryption on the “secure” packets as they go through the node. It is a matter of “trust,” as they say in the industry. If you want to encrypt you must also be willing to trust an SBC/proxy in China, Russia, wherever. That’s the attack point.