FRAMINGHAM (03/21/2000) - As expected, the Internet Engineering Task Force (IETF) has rejected a proposal to develop protocols that would make it easier for law enforcement agencies to intercept communications over the Net.
The IETF yesterday announced that its leadership has approved a policy against building a wiretapping capability into its protocols. The new policy states that the international standards development group is the wrong forum for designing protocols to meet the wiretapping or privacy laws of specific countries. The group also voiced concern that a built-in wiretapping capability would lessen the security and increase the complexity of its protocols.
The organization's decision is a boon to corporate network managers, many of whom feared that any hole built into the Internet for legitimate law enforcement purposes would be abused by hackers.
"IETF's policy against adding wiretapping support in protocols means that the security of IETF protocols will not be compromised in the name of adding wiretapping support," says Keith Moore, a co-director of the IETF's applications area.
IETF leaders say that corporate network managers who need to monitor or capture employee communications can do so using existing tools such as protocol analyzers. However, these tools will not work if end-to-end encryption is employed for such applications as secure browsing.
"I think this policy will have a long-term impact on the architecture of the Net," says Scott Bradner, a co-director of the IETF's transport area. "More protection will be moving to the edges of the network. Companies will be relying more on secure browsers and secure servers rather than firewalls, because firewalls are minimally effective."
The debate over whether to build wiretapping into the Internet emerged from the IETF's work on protocols that will support telephone calls over the Net.
A wiretapping capability is already built into central office telephone switches, and various countries, including the U.S., require carriers to intercept or report on communications at the request of government agencies.
IETF participants who work for companies that sell telephone switches worry that there will be no market for their combined voice/data switches unless they can support wiretapping, which they expect will be required by government agencies.
IETF leaders say it will be possible for switch manufacturers to add wiretapping capabilities to their products without building them into the Net's underlying communications protocols. In fact, the IETF's wiretapping policy allows its participants to post information about wiretapping strategies on the group's Web site.
"People who are building switches are going to have to do something in this area," Bradner says, adding that it is just not the role of the IETF to conduct this type of work.
The IETF's position on wiretapping - a document entitled draft-iab-raven-01.txt - can be found on the group's Web site at http://www.ietf.org/.