The recent headlines about the NSA capturing data related to phone calls bring up a familiar topic – security. I’ve been managing a session border controller product for the past year and I’ve often been asked if the product supports security. This can be a frustrating question for a product manager, since security is a blanket term that can cover so many areas and this kind of naive question means that the discussion needs to start at a pretty basic level. However, the question can be turned around. One logical response is to ask what kind of security the person wants to know about. An even better response is to get back to basics and ask what they — typically a customer — are trying to protect. In other words, what are the threats?
In the world of international telecom standards, the definition of security starts with the analysis of threats. The National Standards Institute (NIST) wrote a fine paper on security for Voice over IP networks, which can be found here. The authors analyzed potential threats to such networks and then proposed solutions. This is preferable to the common approach of prescribing a security solution before understanding what that solution is meant to achieve.
Returning to the topic of the NSA, the President offered a response to critics saying that the NSA was not recording phone calls, as if that was the only issue in play here. But if we look at this from a threats perspective, if you are an individual subscriber of phone services, you might want assurances of privacy from the service provider, protecting both the content of your communications and the records of who you are talking to. We’ve all seen television shows where the police get a warrant to dump the cell phone records of a potential suspect and, just by analyzing the call patterns, are able to figure out who they were calling, when and for how long. This kind of information is often called “traffic analysis” and it can be very revealing. If your company is discussing a merger deal with another company, getting access to these kinds of phone records might reveal the potential merger participants in advance of any public announcement. So is there an incentive for businesses and individuals to protect against people who want to do traffic analysis on their voice (or other) communications? You bet.
I’ve been hearing the argument that if people participate on Facebook and Twitter, their public activities are an open book for anybody with Internet access. Sure, that’s true to an extent, though there are battles going on between Facebook and their members about where the privacy lines get drawn. However, I think most phone subscribers, be they individuals or businesses, expect that their private communications will remain so.
On the technical side, this story boils down to a question of where to draw the lines between security and privacy. If this story and the resulting publicity cause individuals and businesses to consider what information they’d like to remain private and which data is considered “fair use” by the government and under what guidelines, then maybe we can have a useful public debate on these matters and not “leave it to the experts.”