University of Colorado Policy Lab

Policy Lab Picture


Projects are vaguely conceptual, in process, or substantially complete. We're always open to new project ideas - modest, technically oriented experimentation - that would be helpful; please send us yours!

CALEA and VoIP: Reasonable Expectations?Substantially Complete
The Communications Assistance for Law Enforcement Act requires telecommunications carriers to wiretap when so ordered by a court. The FCC, in response to a joint petition of the Department of Justice, Federal Bureau of Investigation, and Drug Enforcement Agency, opened a Notice of Proposed Rule Making (FCC 04-187) to determine how CALEA should apply to VoIP. Commentators have pointed out that it may be difficult to make CALEA effective for VoIP. We make this concrete: two visiting undergraduate researchers - in the space of a couple of months - demonstrated a number of ways to initiate an end-to-end encrypted VoIP call with no keys known by a carrier. See their summer paper.

CALEA Hacking Tools and Implications Vaguely Conceptual
The ease of circumventing traditional carrier based wiretapping demonstrated in our "CALEA and VoIP: Reasonable Expectations?" project begs the question: is there anything law enforcement agencies can reasonably do? If the medium is the internet, than the techniques of the internet - hacking - become the new tools. The FBI's "Key-Logger-System" and Magic Lantern virus are examples of this trend. How far could this reasonably go? How can we capture the implications in a way that would stimulate an informed debate about what can be done to harness hacking for law enforcement and how it should be constrained and managed?

Certification of E911 for VoIP Substantially Complete
Emergency service calling capability (E911) has been a requirement of circuit switched telephony providers and recently the FCC moved to also require VoIP carriers that interconnect to the traditional circuit switched network to also support E911. However, many VoIP services will not look like traditional carrier provided telephony and there is an open question: if one wants some, likely varying, forms of emergency services to be available, how can this reasonably be accomplished? In this paper, we suggest that industry led certification and labeling may be a better model than traditional command-and-control regulation.

Valuing E911 Variants Vaguely Conceptual
VoIP - and the internet generally - could spawn many variants on traditional emergency calling. Some could be less than we are used to, and may be appropriately so given the tradeoffs involved with that particular application (what kind of emergency services should we insist on for voice enhanced internet gaming, voice instant messaging, or VoIP intercoms?). Some could be better emergency signaling than we are used to. We think it would be valuable to estimate the value consumers place on different emergency service capabilities. This is challenging since consumers have difficulty in valuing unlikely but catastrophic events, but a combination of effective technology demonstration and recent techniques developed in experimental economics could be helpful.

Analog Hole Limits of DRM In Process
The "analog hole" is the process of circumventing any digital rights management system (designed to enforce the copyright of content owners over content such as digital songs or movies) by capturing the content as it is being played out in analog form, re digitizing it, and then making it available to others. The analog hole fundamentally limits what any DRM system can achieve, but at some impact to the quality of the content. Given this loss in quality, how much exactly does the analog hole limit DRM? We are using different analog hole copying variants on audio, video, and text along with econometric techniques to answer the question in terms of consumer value measured in dollars. See this student paper from summer 2005.

Privacy in Wireless Networks Vaguely Conceptual
Wireless networks are increasingly ubiquitous and useful. Information in wireless networks can be used to estimate location (see our "E.911 Location for VoIP over WiFi" project, for example). Just what are the practical limits in terms of intentionally cloaking location while using commonly available wireless networking techniques? This involves a "threat" and "counter-threat" investigation - generate cloaking strategies then try to break them through estimation and probabilistic regression.

E911 Location for VoIP over WiFi In Process
VoIP can work over many different physical networks, including 802.11 WiFi (with appropriate quality of service enhancements). In the absence of a wired or cellular telephony network mandated to provide location information, what is the likelihood that a VoIP over WiFi device could estimate its location precisely enough to meet FCC requirements for E911 location accuracy? This student paper studies accuracy achieved using the Placelab and Wigle databases of WiFi hot spot locations. But these databases are not entirely reliable; a more pragmatic extension will consider the effectiveness of this approach in municipal WiFi networks with well known radio locations.

Broadband Access and Robustness in Disasters Vaguely Conceptual
The FCC and others have a high level of interest in promoting diverse broadband access technologies and service providers (e.g., cable modem, DSL, broadband over powerline, wireless internet service providers, cellular broadband data services, broadband over satellite) primarily for availability and competition reasons. Beyond competition, such diverse networks could also add to communication robustness in the case of natural or man-made disasters such as 9/11 or Hurricane Katrina. But what mix of technologies would be the most robust for any particular hazard, and what framework of regulation or incentives might most effectively encourage good, geographically appropriate mixes?

Beyond the Telephone Relay Service Vaguely Conceptual
National policy has historically taken specific steps to provide reasonable access for people with disabilities to communication services. In much the same way that the meaning of E911 blurs when considered relative to the broadening array of possibilities with VoIP, disability access becomes more complicated, both with instances in which it may no longer be reasonable to retain requirements and others in which it is easy to imagine doing a much better job of serving the disabled at little or no incremental cost. Here we would like to focus on a shift away from traditional Telephone Relay Service (TRS) for the hearing disabled toward more commodity based platforms, such as personal computing devices. Specifically, we would like to develop requirements for such platforms and provide an exemplary prototype.

Incenting Interconnection Vaguely Conceptual
the technical underpinnings of interconnection change dramatically when moving from traditional telecommunications to the internet (which has evolved a set of zero cost peering points and non-zero cost transit arrangements where traffic is exchanged between networks). But the control of interconnection can be one of the most important areas in promoting competition in industries with significant economic network effects. We would like to examine the technical form and feasibility of implementing incentives for terminating access providers when explicit regulation erodes. Specifically, we are interested in the role of bill-and-keep and other arrangements in an environment with limited competition (e.g., robust in cases of an effective local monopoly or duopoly) and consistent with a trend towards reactive rather than prescriptive regulation.

Security Behavior and Dynamic Agents In Process
Security behavior is the way individual users interact with information technology to increase or diminish their security and that of their organizations. We can broaden our concept of technology and organizational design beyond the traditional perspective of enforcing desired behaviors to include new strategies based on persuasion, when the cost of enforcement outweighs its benefit, and alignment, a novel framework for delegating decisions to users motivated and informed sufficiently to make those decisions in the organization’s interest. Implementing these new approaches requires efficient and effective dynamic agents to (1) measure a user’s deviation from prescribed security policies and practices, (2) affect the user’s security behavior, and (3) allow the user to better understand the security policies of an organization and the rationale behind these policies

VoIP Security Vulnerability Tools In Process
Security tools such as protocol analyzers, vulnerability assessment utilities and security monitoring utilities are among the common tools in a security professional’s arsenal. With the expectation that an increasing fraction of telephony will be carried over VoIP, the desirability of comprehensive and effective tools for evaluating vulnerabilities is increasing. We are engaged in analyzing such tools and developing and maintaining a taxonomy.

Bad Actor Identification in Wireless Networks Vaguely Conceptual
With increasing reliance on wireless networking, and in particular flexible and dynamic spectrum sharing as envisioned in recent technical and policy initiatives around software defined and cognitive radio,, questions of reliability and robustness become acute. Bad actors are wireless nodes that fail to operate within the policy constraints expected in a network or that do not correctly interoperate with other wireless nodes. Here we propose to investigate both the detection of bad actors and policy and enforcement frameworks to manage the impact of bad actors.

Certification of Frequency Agile Software Defined Radio In Progress
Radio devices are commonly certified through national regulatory agencies to ensure that the device operates as intended. However, a convergence of technology trends are changing the operational and design characteristics of these devices, and thereby raising interesting questions concerning the certification of such devices. The first of these technology trends is software defined radio (SDR), which allows much of what was done on predefined hardware, such as signal processing, to be programmed in software. Second are devices that can change how and where they operate within the radio spectrum, moving among a set of frequency bands in response to interference or other constraints. Third is cognitive radio technology, where the device can autonomously make decisions about its operation, in response to environmental changes, such as interference. Such capabilities enable SDRs to vary waveforms and frequencies within their hardware constraints, as well as to reconfigure the operation of their network protocols. The questions stem from this ability to reconfigure the operational characteristics of the device. The most fundamental are, how can we ensure that SDRs stay within their assigned spectrum, donít interfere with safety of life aviation, public safety or other allocated areas, and are not capable of being hijacked by hostile parties? See Avionics Weekly article and IEEE DySpan paper.

Models for RegulationSubstantially complete.

About Us | ©2005 University of Colorado at Boulder