[unisog] VoIP question.

Jim Dillon Jim.Dillon at cusys.edu
Thu Mar 14 19:23:15 GMT 2002


Mark,

Technically I can't argue with you, the stuff (voice/digital voice and
traditional IP) is converging, but reality speaks differently based on the
"perception" and "type" of the communication being undertaken. 

It is common practice to declare our data streams as company property, and
to be able to manage them under that umbrella declaration.  VoIP is a data
stream.  I can't argue that technically there is little difference.
However:

I do not believe many of us declare our phone lines and the conversations
that occur on them as "company property" and use this umbrella to protect
our right to that form of communication/data.  Seems to me we have to
disclaim when we are monitoring help desk calls up front in the call, and
set the expectation that this is not a private communication.  

The difficulty is establishing the case law about the aspects of privacy
that may be infringed by gathering/storing/or monitoring.  It will have to
do a lot with the "reasonable expectation for privacy" inherent in the type
of communication, VOICE.  We (as private citizens) are used to "expecting" a
wire tap to require a court order and evidence for just cause.  I contend we
will have that same expectation with VoIP, or people will declare it
unlawful search and seizure or some other such thing when it is in their
benefit to do so.  It is only a matter of time until someone figures out
that sniffing and tapping are essentially the same anymore and this stuff
will begin to come to a head.

For all I know, some of the case law relating to this may have already been
established, but my queries have not identified any clear authoritative
source yet.  If you know of any let me know, else, please consider the
implications and perhaps someone more in touch with the proper "authorities"
will be able to guide us with an educated guess about how this will play in
court some day.  If I can garner a realistic authoritative source, I will
share the results with the lists.

So far all private communications say, yep, there's an issue, but they
generally don't see a difference.  I contend the difference is in the
consumer/user expectation of privacy, and that we will be forced to manage
that expectation or we will be found liable for the consequences.  That
opinion and 50 cents will get you a local phone call at this point.

Best regards,

Jim


======================================
Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737
======================================

-----Original Message-----
From: Mark Poepping [mailto:poepping at cmu.edu]
Sent: Wednesday, March 06, 2002 9:52 AM
To: Jim Dillon
Cc: 'SANS (E-mail)'; 'ISACA (E-mail)'
Subject: RE: [unisog] VoIP question.


I think there are two issues, and I'm not sure which you're asking:
 - What *can* you capture/store in ordinary network/security mgmt ops?
Are there laws or customs governing management of the data (for
instance, there certainly are laws about handling telephone call records
and recording voice conversations).
 - How much *must* you be able to capture/store/translate under
subpoena..

Other data points..
. There are tools that allow you to 'listen in' to a VoIP packet stream.
. There are HIPAA/FERPA issues in *any* packet stream, so I don't think
VoIP presents a new issue in that sense - if you capture/store this data
now, you already have the 'problem'.

Mark.



More information about the unisog mailing list