How could this work?

Tapping VoIP calls will not be impossible, and not overly complicated.

All VoIP systems require signalling and therefore have a mechanism for control. It is simple a question of understanding how this control / signalling can be used with the transmission network to ensure the voice media can be directed to it's intended destination plus the location of the tapper.

I can imagine with sip based calls it would be a question of ensuring a 3 party call is made via the sip register when needed - suitable when a line is being watched and you can participate in call setup.

However if you want to tap a call in progress it will be more challenging, but not impossible. For example the VoIP operator will have a method for tracking call & states - needed for network management & billing. This info could be used to join the call.

While the actual implementation is a bit beyond me I am sure it is all possible, and WILL happen - it's a legal (in UK) & desirable (for the authorities) neccessacity.

What would stop the "bad guys" from setting up an IPSEC tunnel elsewhere, circumventing everything? There are just too many ways around this it seems. As far as DSL deregulation, in the U.S., the phone lines installations were funded by taxpayers. Therefore, the phone companies were highly regulated and forced into sharing those lines with competitors. I don't see the harm in that since it creates more competition, and allows you to buy DSL from really small ISP's that probably have a heck of a lot better customer service.

With DSL deregulation, much of this governmental oversight is being lifted, which will probably kill hundreds of small ISP's across the U.S. The reason I don't like it is that the government is essentially giving the phone companies the lines for free, while the cable companies paid to run their own lines. Kind of messed up, huh?

I think any attempt at monitoring network traffic on a large scale will have to rely on the fact that the mechanisms used for transit and encryption are standard and known. Thus, if on a small scale you develop something bespoke as a layer over the top then 'they' will have to expend bespoke effort to monitor it. Multiply that by hundreds of paranoids all doing something different and it quickly becomes impossible, even (especially?) for governments. I'm fairly convinced that monitoring is only done where groups/individuals are already known and suspected, yet at the same time there is an urban myth, which the government encourages by silence, that all our conversations are monitored in real-time by massive computer systems in underground bunkers and if you say the word "bomb" then a recording starts automatically. Nah, I don't thinks so...

Well as far as monitoring of digital transactions go.. it is a reality..
The FBI had 'Carnivore' -- which they openly acknowledge:
www.fbi.gov/congress/congress00/kerr090600.htm
(note that that is from the fbi.gov site). It's fairly well known what carnivore's capabilities were, and it has recently been renamed to take it out of the limelight.

There are other projects, notably Echelon and Altivore which do similar things.

The basic idea is that a mechanism is in place to tackle the technical difficulties of interception of data at the backbone level (we're talking major ISP sized pipes here....) Many governments are interested in this capability..

The Indian government was rather interested in having the geniuses at IIT (the Indian Institute of Technology) build what was essentially a packet sniffer that could monitor at the ISP level.

Many other similar projects have been undertaken by other governments. I was once fortunate enough (?) to consult on the technical difficulties that would be encountered with such a system. The end result of our discussion is... there are none -- assuming you have adequate resources.

The idea that you can have real-time conversation monitoring may seem strange, but I would not put it beyond the capabilities of say, the NSA. However, one must understand that a system like this would be highly targetted -- it couldn't trigger on keywords since that would generate too many false positives to be useful.

Think of it as Snort on a world scale

Oh yeah, as far as VoIP tapping goes, it's perfectly possible, if you want to do it -- check this out:
www.oxid.it/cain.html

Nice discussion -- if it goes on, I'll move it to 'Security & Firewalls' where it will get more readership.

Cheers,

I think it is an easy thing for people to get intimidated by the thought that the FBI can monitor the internet for really anything. Still, as The Bishop pointed out, the sheer amount of information going over a network, let alone the internet would probably overwhelm those who are monitoring it. They are still going to have to filter the majority of the internet traffic which is not explicitely illegal, and I think that is going to miss a lot. I think at a certain point, the bad guys will catch onto the fact that you just can't send an email with their evil plans over the internet. The Carnivore system and others then would be useless if they develop a code system like militaries do over radios.

As was seen on the news lately with Hurricane Katrina, there are lots of illegitimate charity sites that the FBI was seemingly overwhelmed to track and shut down. I think one place on the internet that has a lot more private information than the FBI will ever have is good old Google. I know I'm going off the topic of VOIP monitoring, but perhaps this discussion should be expanded to not only to the technical side of monitoring, but also the other aspects.

I think one place on the internet that has a lot more private information than the FBI will ever have is good old Google.

hmm what sort of private information? Everything google files is already public -whether intentionaly or not