In its report, Security Implications of Applying the Communications Assistance to Law Enforcement Act [CALEA] to Voice over IP, the group points out that tapping a VoIP call requires accessing the public routers closest to the two machines between which a call is made. Such a tap opens up a vulnerability that those with malicious intent could then exploit.

The panel notes that such routers are not kept uniformly secure and in the hands of malicious parties, tapping technology could easily grab any type of traffic passing through the router. It could even be an access point for man-in-the-middle attacks in which data in a stream is altered. "By opening up the communications to an unacknowledged third party, wiretapping is an architected security breach; the combination of wiretapping with remote delivery elevates the risk that communications security can be violated with minimal risk of discovery," the report says.

The report says that the technology, if misused, could also yield identity information about individuals as well as passwords.

The report was written by a group that includes Internet pioneer Vinton Cerf, public-key cryptography developer Whitfield Diffie and Internet Engineering Task Force security leader Steven Bellovin.

In addition to security risks, the report says, the CALEA-enabling technology is also likely to be expensive, which may prove crippling for smaller ISPs that may lack the expertise to install it and be forced to hire consultants. "Would these ISPs have the resources to properly configure and maintain the complex support that real-time wiretapping of VoIP communications would entail? Or might the wiretapping requirements drive the small ISPs out of business?" the report asks.

The report points out that security concerns may also force legitimate businesses to get around these weaknesses by encrypting end-to-end and tunnelling through service providers outside the U.S. "This would not only be bad for American business, it would destroy certain advantages currently enjoyed by U.S. intelligence," the study says.

With respect to its implementation, the report says that the complexities of VoIP - its decentralization, the ease with which users can change IP address, the ability to easily open new VoIP accounts - make the enforcement of VoIP CALEA very difficult. This is a problem ISPs, other service providers and law enforcement officials will have to mull over seriously.

The report says that businesses should assume that all traffic can be intercepted and made vulnerable to devastating attacks.

Accordingly, it advises that businesses should take appropriate measures to protect VoIP now. It also says that businesses should consider that the CALEA restrictions might be expanded to any type of Internet communication, such as instant messaging and e-mail, and so they must take similar precautions to safeguard them as well.