[unisog] VoIP question.
poepping at cmu.edu
Wed Mar 6 18:07:10 GMT 2002
Well, I should have thought of this before, but I sent a note to the
co-chairs of the Net at edu VoIP efforts
to see if they have these policy/privacy issues on the agenda. I think
they've mostly talked about enabling to this point, but they are not at
all unaware of security and privacy, so we'll see what they think. From
what I could tell, "security" so far is a one-liner on a "next workshop"
> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon at cusys.edu]
> Sent: Wednesday, March 06, 2002 12:18 PM
> To: 'Mark Poepping'
> Cc: SANS (E-mail)
> Subject: RE: [unisog] VoIP question.
> Actually, it is the implications for our current practices that I'm
> interested in. Do we have to treat each scan/monitoring session in
> the existing voice "laws and customs" once VoIP is in place? This
> have quite a chilling effect on network monitoring. Here's an
> 1. We declare email, data, an asset of the institution.
> 2. We declare the right to monitor email, data, since it is the
> institution's declared property.
> 3. We introduce VoIP without further declaration.
> 4. We monitor VoIP either purposefully or incidentally through our
> data/network management techniques.
> 5. We have now potentially violated the "laws and customs" you
> we have not explicitly addressed whether VoIP is "data" or "private
> conversation." Even if we do make a statement declaring it our data,
> do so legally given any existing voice/telecom statutes?
> It seems the common solution would be to disclaim usage, and then roll
> training to all points authorized to scan/monitor network traffic.
> likely very successful in a big university.) Perhaps we drop (by
> rules) VoIP packets. What I'm not sure about is whether this can
> done if the communication is lumped in with traditional voice
> communications. It seems that we may have to re-think policies
> network monitoring to adapt to this technology.
> You must disclaim that you are monitoring calls (customer service,
> telemarketing) by law (I believe), so should we be doing so with each
> every VoIP session? Law enforcement agencies are restricted from wire
> in all but recognized situations, and certainly the FBI has taken heat
> data monitoring - what if that data included VoIP?
> I received a good offline point, suggesting that VoIP is essentially a
> line type implementation. I countered that in a switched environment
> might appear to be more of a point to point communication. Some
> be given here...
> I recognize and agree with your other data points. The issues I'm most
> concerned with are these "other laws and customs" and how they impact
> day to day activities. I wanted to start this conversation because
> technology appears on the brink of being viable enough for greater
> I will want to advise intelligently on the topic. Thanks for the
> I'm sure we'll have to seek legal opinion in the area eventually, but
> looking to be prepared for those discussions, and think many of us
> in the same position soon if we aren't already.
> Best regards,
> Jim Dillon, CISA
> IT Audit Manager
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737