VoIP question.

Jim Dillon Jim.Dillon at cusys.edu
Tue Mar 5 22:54:52 GMT 2002

I've been asking some experts and most looked surprised and befuddled by the
question, but I think it will come to haunt us eventually, so I thought I'd
ask an assortment of security-minded folks.  Sorry for duplication if any of
you are on both lists, but this one seems worth a multi-post to me.

Is anyone aware of any legislation or attempts at legislation regarding the
capture and monitoring of IP data that includes VoIP content?  My concern is

1. VoIP is a voice communication, using a different transmission method,
nonetheless a voice communication.
2. Sniffing or monitoring IP streams that include VoIP packets seems to be
tantamount to a wire tap.
3. Storing, taping, backing up, and transmitting captured data streams would
appear to have FERPA, HIPAA, or other privacy regulation side-effects.

Here's my concern:  What are the costs necessary to address potential
privacy problems for admins monitoring IP traffic once VoIP is in use?
Training?  User warnings and disclaimers?  Changes in institution-wide
management techniques and policies concerning the collection of data and its
storage now that this data may represent voice communications?  What should
we recognize as potential "entry costs" into this arena given these

Given the furor over Carnivore and other privacy topics, it is only a matter
of time before this may be an issue.  I'd appreciate any knowledgeable
opinions on the topic, or any indicators that I'm all wet, but it appears to
be a looming risk/issue.  I am decidedly unaware of the actual technology
used, but it seems apparent that a set of IP packets that could be
re-converted into a private conversation could represent trouble if
mis-handled.  My concern is to bring a knowledgeable debate on the topic
into decisions to use VoIP, but I've yet to identify someone who thinks they
have a handle on any problem potential here.  Most have not given it any

Your informed opinions are coveted.

Best regards,


Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

