[unisog] VoIP question.

Jim Dillon Jim.Dillon at cusys.edu
Wed Mar 6 17:17:51 GMT 2002


Actually, it is the implications for our current practices that I'm most
interested in.  Do we have to treat each scan/monitoring session in light of
the existing voice "laws and customs" once VoIP is in place?  This seems to
have quite a chilling effect on network monitoring.  Here's an example.

1. We declare email, data, an asset of the institution.
2. We declare the right to monitor email, data, since it is the
institution's declared property.
3. We introduce VoIP without further declaration.
4. We monitor VoIP either purposefully or incidentally through our existing
data/network management techniques.
5. We have now potentially violated the "laws and customs" you mentioned, as
we have not explicitly addressed whether VoIP is "data" or "private
conversation."  Even if we do make a statement declaring it our data, can we
do so legally given any existing voice/telecom statutes?  

It seems the common solution would be to disclaim usage, and then roll out
training to all points authorized to scan/monitor network traffic. (Not
likely very successful in a big university.)  Perhaps we drop (by filter
rules) VoIP packets.   What I'm not sure about is whether this can even be
done if the communication is lumped in with traditional voice
communications.  It seems that we may have to re-think policies regarding
network monitoring to adapt to this technology.

You must disclaim that you are monitoring calls (customer service,
telemarketing) by law (I believe), so should we be doing so with each and
every VoIP session?  Law enforcement agencies are restricted from wire taps
in all but recognized situations, and certainly the FBI has taken heat over
data monitoring - what if that data included VoIP?

I received a good offline point, suggesting that VoIP is essentially a party
line type implementation.  I countered that in a switched environment it
might appear to be more of a point to point communication.  Some thought to
be given here...

I recognize and agree with your other data points.  The issue I'm most
concerned with are these "other laws and customs" and how they impact our
day to day activities.  I wanted to start this conversation because the
technology appears on the brink of being viable enough for greater use, and
I will want to advise intelligently on the topic.  Thanks for the feedback.
I'm sure we'll have to seek legal opinion in the area eventually, but I'm
looking to be prepared for those discussions, and think many of us will be
in the same position soon if we aren't already.

Best regards,


Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: Mark Poepping [mailto:poepping at cmu.edu]
Sent: Wednesday, March 06, 2002 9:52 AM
To: Jim Dillon
Cc: 'SANS (E-mail)'; 'ISACA (E-mail)'
Subject: RE: [unisog] VoIP question.

I think there are two issues, and I'm not sure which you're asking:
 - What *can* you capture/store in ordinary network/security mgmt ops?
Are there laws or customs governing management of the data (for
instance, there certainly are laws about handling telephone call records
and recording voice conversations).
 - How much *must* you be able to capture/store/translate under

Other data points..
. There are tools that allow you to 'listen in' to a VoIP packet stream.
. There are HIPAA/FERPA issues in *any* packet stream, so I don't think
VoIP presents a new issue in that sense - if you capture/store this data
now, you already have the 'problem'.


> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon at cusys.edu]
> Sent: Tuesday, March 05, 2002 5:55 PM
> To: SANS (E-mail); ISACA (E-mail)
> Subject: [unisog] VoIP question.
> I've been asking some experts and most looked surprised and befuddled
by the
> question, but I think it will come to haunt us eventually, so I
thought I'd
> ask an assortment of security minded folks.  Sorry for duplication if
any of
> you are on both lists, but this one seems worth a multi-post to me.
> Is anyone aware of any legislation or attempts at legislation
regarding the
> capture and monitoring of IP data that includes VoIP content?  My
concern is
> this:
> 1. VoIP is a voice communication, using a different transmission
> nonetheless a voice communication.
> 2. Sniffing or monitoring IP streams that including VoIP packets seems
to be
> paramount to a wire tap.
> 3. Storing, taping, backing up, and transmitting captured data streams
> appear to have FERPA, HIPAA, or other privacy regulation side-effects.
> Here's my concern:  What are the costs necessary to address potential
> privacy problems for admins monitoring IP traffic once VoIP is in use?
> Training?  User warnings and disclaimers?  Changes in institution-wide
> management techniques and policies concerning the collection of data
and its
> storage now that this data may represent voice communications?  What
> we recognize as potential "entry costs" into this arena given these
> concerns?
> Given the furor over Carnivore and other privacy topics, it is only a
> of time before this may be an issue.  I'd appreciate any knowledgeable
> opinions on the topic, or any indicators that I'm all wet, but it
appears to
> be a looming risk/issue.  I am decidedly unaware of the actual
> used, but it seems apparent that a set of IP packets that could be
> re-converted into a private conversation could represent trouble if
> mis-handled.  My concern is to bring a knowledgeable debate on the
> into decisions to use VoIP, but I've yet to identify someone who
thinks they
> have a handle on any problem potential here.  Most have not given it
> thought.
> Your informed opinions are coveted.
> Best regards,
> Jim
> ======================================
> Jim Dillon, CISA
> IT Audit Manager
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> ======================================

More information about the unisog mailing list