[unisog] VoIP question.

Mark Poepping poepping at cmu.edu
Wed Mar 6 18:07:10 GMT 2002


Well, I should have thought of this before, but I sent a note to the
co-chairs of the Net at edu VoIP efforts
	http://www.educause.edu/netatedu/groups/ics/
to see if they have these policy/privacy issues on the agenda.  I think
they've mostly talked about enabling to this point, but they are not at
all unaware of security and privacy, so we'll see what they think.  From
what I could tell, "security" so far is a one-liner on a "next workshop"
agenda.

mark.


> -----Original Message-----
> From: Jim Dillon [mailto:Jim.Dillon at cusys.edu]
> Sent: Wednesday, March 06, 2002 12:18 PM
> To: 'Mark Poepping'
> Cc: SANS (E-mail)
> Subject: RE: [unisog] VoIP question.
> 
> Mark,
> 
> Actually, it is the implications for our current practices that I'm most
> interested in.  Do we have to treat each scan/monitoring session in light of
> the existing voice "laws and customs" once VoIP is in place?  This seems to
> have quite a chilling effect on network monitoring.  Here's an example.
> 
> 1. We declare email, data, an asset of the institution.
> 2. We declare the right to monitor email, data, since it is the
> institution's declared property.
> 3. We introduce VoIP without further declaration.
> 4. We monitor VoIP either purposefully or incidentally through our existing
> data/network management techniques.
> 5. We have now potentially violated the "laws and customs" you mentioned, as
> we have not explicitly addressed whether VoIP is "data" or "private
> conversation."  Even if we do make a statement declaring it our data, can we
> do so legally given any existing voice/telecom statutes?
> 
> It seems the common solution would be to disclaim usage, and then roll out
> training to all points authorized to scan/monitor network traffic.  (Not
> likely very successful in a big university.)  Perhaps we drop (by filter
> rules) VoIP packets.   What I'm not sure about is whether this can even be
> done if the communication is lumped in with traditional voice
> communications.  It seems that we may have to re-think policies regarding
> network monitoring to adapt to this technology.
> 
> You must disclaim that you are monitoring calls (customer service,
> telemarketing) by law (I believe), so should we be doing so with each and
> every VoIP session?  Law enforcement agencies are restricted from wire taps
> in all but recognized situations, and certainly the FBI has taken heat over
> data monitoring - what if that data included VoIP?
> 
> I received a good offline point, suggesting that VoIP is essentially a party
> line type implementation.  I countered that in a switched environment it
> might appear to be more of a point to point communication.  Some thought to
> be given here...
> 
> I recognize and agree with your other data points.  The issues I'm most
> concerned with are these "other laws and customs" and how they impact our
> day to day activities.  I wanted to start this conversation because the
> technology appears on the brink of being viable enough for greater use, and
> I will want to advise intelligently on the topic.  Thanks for the feedback.
> I'm sure we'll have to seek legal opinion in the area eventually, but I'm
> looking to be prepared for those discussions, and think many of us will be
> in the same position soon if we aren't already.
> 
> Best regards,
> 
> Jim
> 
> ======================================
> Jim Dillon, CISA
> IT Audit Manager
> jim.dillon at cusys.edu
> Phone: 303-492-9734
> Dept. Phone: 303-492-9730
> Fax: 303-492-9737
> ======================================



