[unisog] VoIP question.

Mark Poepping poepping at cmu.edu
Wed Mar 6 16:51:33 GMT 2002


I think there are two issues, and I'm not sure which you're asking:
 - What *can* you capture/store in ordinary network/security mgmt ops?
Are there laws or customs governing management of the data (for
instance, there certainly are laws about handling telephone call records
and recording voice conversations).
 - How much *must* you be able to capture/store/translate under
subpoena.

Other data points..
. There are tools that allow you to 'listen in' to a VoIP packet stream.
. There are HIPAA/FERPA issues in *any* packet stream, so I don't think
VoIP presents a new issue in that sense - if you capture/store this data
now, you already have the 'problem'.

Mark.


> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon at cusys.edu]
> Sent: Tuesday, March 05, 2002 5:55 PM
> To: SANS (E-mail); ISACA (E-mail)
> Subject: [unisog] VoIP question.
> 
> I've been asking some experts and most looked surprised and befuddled by the
> question, but I think it will come to haunt us eventually, so I thought I'd
> ask an assortment of security minded folks.  Sorry for duplication if any of
> you are on both lists, but this one seems worth a multi-post to me.
> 
> Is anyone aware of any legislation or attempts at legislation regarding the
> capture and monitoring of IP data that includes VoIP content?  My concern is
> this:
> 
> 1. VoIP is a voice communication, using a different transmission method,
> nonetheless a voice communication.
> 2. Sniffing or monitoring IP streams that include VoIP packets seems to be
> paramount to a wire tap.
> 3. Storing, taping, backing up, and transmitting captured data streams would
> appear to have FERPA, HIPAA, or other privacy regulation side-effects.
> 
> Here's my concern:  What are the costs necessary to address potential
> privacy problems for admins monitoring IP traffic once VoIP is in use?
> Training?  User warnings and disclaimers?  Changes in institution-wide
> management techniques and policies concerning the collection of data and its
> storage now that this data may represent voice communications?  What should
> we recognize as potential "entry costs" into this arena given these
> concerns?
> 
> Given the furor over Carnivore and other privacy topics, it is only a matter
> of time before this may be an issue.  I'd appreciate any knowledgeable
> opinions on the topic, or any indicators that I'm all wet, but it appears to
> be a looming risk/issue.  I am decidedly unaware of the actual technology
> used, but it seems apparent that a set of IP packets that could be
> re-converted into a private conversation could represent trouble if
> mis-handled.  My concern is to bring a knowledgeable debate on the topic
> into decisions to use VoIP, but I've yet to identify someone who thinks they
> have a handle on any problem potential here.  Most have not given it any
> thought.
> 
> Your informed opinions are coveted.
> 
> Best regards,
> 
> Jim
> 
> ======================================
> Jim Dillon, CISA
> IT Audit Manager
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> ======================================
