From Guardian Project Wiki

(Difference between revisions)
Jump to: navigation, search
m (Client Software: PrivateGSM in progress)
m (Legal/Regulatory Concerns)
Line 187: Line 187:
Some examples illustrating how different the regulation of VoIP can be from country to country and region to region:  
Some examples illustrating how different the regulation of VoIP can be from country to country and region to region:  

Revision as of 18:45, 13 June 2012


Open {Secure,Source,Standards} Telephony Network (OSTN)

We are working to define a defacto standard by which a voice over internet protocol service can be considered end-to-end secured, with verifiable encryption, minimal logging, and a decentralised model of deployment and use. From this standard, we will work to deploy a network of compliant server/service instances and client software, mobile and desktop, that are federated, audited and interoperable.


All of the necessary technologies and communications standards exist today for voice communications that is as secure as OpenPGP email. Many proprietary and open source solutions exist for desktop and mobile devices that already implement the necessary bits to provide a solution many times more secure than Skype, without dependence upon one global service provider. Yet people who are security conscious enough to use Skype to secure their computer based conversations will still hold sensitive discussion on mobile phones. The problem is simplicity, usability and reliability.

This project will provide an application for Android phones that will be only marginally more complex to use than dialing an existing phone number, while still being based entirely on open standards. The app itself is based on existing open source client code provided by the CSipSimple, pjsip and ZORG projects. We will coordinate with a network of audited, open service providers around the world who already provide free and commercial service to users, to ensure our users have an automated provisioning process to get connected.

OSTN will interface with a variety of projects to ensure compatible with new standards around peer-to-peer VOIP communication. We will seek interoperability from other competitive, proprietary solutions from private companies and propose our implementation become the reference design for privacy and security standards.

This project would not exist without the support of our good friends at Tanstagi http://tanstagi.net and Freeborn.Devio.us http://freeborn.devio.us/doku.php?id=freeswitchfreebsd


Project Output

Client Software

Name OSTN Tutorial License Security Platform Link
Ostel Available GPL TLS, ZRTP, SRTP Android https://ostel.me/
CSipSimple Available GPL TLS, ZRTP, SRTP Android http://nightlies.csipsimple.com/
Twinkle In Progress GPL TLS, ZRTP, SRTP Linux
Telephone    ? in progress MacOS
Groundwire Available closed TLS, ZRTP, SRTP iOS http://itunes.apple.com/us/app/groundwire-business-caliber/id378503081?mt=8
Jitsi In Progress open-source TLS, ZRTP, SRTP Linux, Win, Mac http://jitsi.org/
SFLPhone   open-source TLS, ZRTP, SRTP Linux http://sflphone.org/
PrivateGSM In Progress   TLS, ZRTP, SRTP Blackberry, Nokia, iPhone, Android http://www.privatewave.com/
PhonerLite   closed TLS, ZRTP, SRTP Windows

Server Software

Hosted VoIP Services

Service TLS/SSL SRTP ZRTP Personal Info Reqd Data Retention
Ostel.me Yes; RapidSSL RootCA No Yes Email
Tanstagi Yes; Self-signed Yes Yes No
PillowTalk Yes; Self-signed Yes Yes No



Legal/Regulatory Concerns

The legal regimes surrounding voice-over IP services varies by country; by being aware of the particular details and context for each national legal and regulatory regime, we aim to make sure OSTN functions across borders around the world. According to a recent (April 2012) Ipsos survey, only 14% of internet users in the 24 countries surveyed had used VoIP technology in the past three months. As these services become more popular, legal and regulatory regimes will continue to change.

Use Cases

Some examples illustrating how different the regulation of VoIP can be from country to country and region to region:

[Brazil] Brazil

Peer-to-peer end-use of VoIP services are not regulated in Brazil, as VoIP is not considered a telecommunications service as such by the Brazilian National Telecommunications Agengcy (ANATEL). Instead, VoIP is defined as a Value-Added Service, an activity that takes place via telecom media - VoIP service providers are considered "users," and must possess the relevant Brazilian telecom licenses for telephony. As such, VoIP cannot be provided by service providers (such as Pay TV companies) who do not already hold a license (either a PSTS/STFC or SCM license) for public telephony.

The Brazilian VoIP market is competitive, with a number of traditional telecom companies providing VoIP service via cable Internet. Though according to Ipsos only 4% of Brazilian Internet users use VoIP regularly, this figure may understate the number of users who use VoIP as part of a bundle of telecom services.

In Latin America more broadly, VoIP was apparently illegal as of 2007 in Bolivia, Guyana, Paraguay and Costa Rica (for international calls). However, the practical efficacy of government restrictions on VoIP seems generally low; VoIP services are widely available in Bolivian Internet cafes, for instance.


In Armenia, VoIP services are legal, but their providers must be authorized by the Public Services Regulatory Commission; many operators use the infrastructure of the formerly state-run and now-privatized telecommunications company ArmenTel without charge for VoIP, leading to fricton. Internet penetration was at 47.1% of the population at the end of 2011, up from just under 6% in 2008. 3G service is available in most major centers via ArmenTel; mobile provider VivaCell-MTS conducted a pilot project in 2011 providing 4G mobile access.


As of 2010, Azeri VoIP services are legal, but required to be licensed. The main telecommunications regulator in Azerbaijan is the Ministry of Communications and Information Technologies (MCIT). A variety of providers (the main land line provider and government-owned AzTelecom, the main mobile provider Azercell, Azeronline, Azerfone, Adanet, and the chief ISP AzEuroTel) offer telecom and internet service. Azerfone's 3G network was deployed in Baku and other urban centers in late 2009; Azercell and Bakcell were granted 3G licenses in late 2011. In March of 2012, Azercell received a license for 4G service to begin in May of 2012; however, uptake of 3G service from these providers is low (under 25% of users). At the end of 2011, overall Internet penetration was 44.1% of the population.


VoIP access in Australia is widespread, [www.acma.gov.au/.../main/.../changes_in_australian_voip_market.pdf with over 250 providers as of 2009] according to the Australian Communications and Media Authority (ACMA); in the recent Ipsos survey, 10% of users surveyed had used VoIP services within the last three months. According to the ACMA, VoIP providers are considered Carriage Service Providers (CSPs) under Australian law, and are regulated by the Telecommunications Act of 1997 and the Telecommunications (Consumer Protection and Service Standards) Act of 1999.

While the Australian Internet content filtering regime is quite restrictive vis a vis comparable countries, the widespread provision of VoIP services has not been deterred - for instance, the number of Australian Skype users increased from 876,000 unique users to 1.01 million unique users between June 2008 and June 2009, according to the ACMA. Among the requirements VoIP providers are subject to by law are provisions relating to "public interest obligations," including "Law Enforcement (interception and national interests)." It is unclear how VoIP services might directly be affected by these provisions, though at minimum they allow warrants for the collection of IP addresses and other UDIDs.

Burma (Myanmar)

The legal status and practical reality of VoIP services in Burma are currently in a state of flux mirroring that of the country's politics. Only two to three million people have mobile service; internet penetration, and particularly broadband penetration, is extremely low (only between 100,000 and 300,000 users by recent estimates. Under the Computer Science Development Law of 1996 and the Electronic Transactions Law of 2004, computers must be registered with the state telecom Myanmar Teleport (MMT); Service is provided by MMT and Myanmar Post and Telecommunication (MPT). Internet use is heavily concentrated in Rangoon and in the capital Napidaw; many access Internet through Public Access Centers (PACs) and internet cafes, both licensed and unlicensed. While data reporting requirements and surveillance on these access points is heavy and crackdown-prone, many cafes skirt these regulations.

Internet surveillance and censorship has been endemic in Myanmar in the past decade, and as recently as last year, VoIP services faced significant resistance from the Burmese government. The web portals for services like Google, GMail and Skype have been intermittently blocked by the main Burmese ISPs since 20006; in March of 2011, the ruling junta declared VoIP services illegal under existing telecom law, and initiated a crackdown of internet cafes that provided such services for a fee.

Recent (2012) trends towards some political and economic liberalization may change the legal and regulatory status of VoIP in Burma. As of April 2012, the government is considering a new telecommunications law that would open the Myanmar telecom market (including mobile and internet) to foreign competition. However, it is unclear whether these developments will affect the legality of VoIP services, and whether the government will continue to work to suppress them.


VoIP services were legalized in Kenya in 2004 in tandem with the end of the former main telecom operator Telkom Kenya's monopoly; prior to legalization, there was a large "grey market" of illegal providers that came into conflict with Telkom Kenya, which attempted to block VoIP traffic over its network. Kenya has a 25% Internet penetration rate.

VoIP usage has grown rapidly in Kenya since legalization and the issuing of regulations for VoIP - for instance, incoming calls to mobile phones using VoIP increased 2300% between the first and second quarters of 2008. In September of 2011, the Kenyan government announced it was seeking partners to develop a [af.reuters.com/article/investingNews/idAFJOE78407620110905 4G network]; Safaricom currently operates a 3G network on the country.

User Survey

Ostel User Survey

Useful Resources

Proposed Work Plan

Research Questions

  1. Real-time voice (VoIP) versus Async Voice (Push-to-talk)
    1. Is encrypted real-time voice calls the best solution to aim for, or does a push-to-talk model better address issues such as network latency and bandwidth limitations?
  2. Is pure standards based mobile SIP/VoIP viable as a solution? Do proprietary extensions need to be made to handle low-power modes and background notifications?
  3. Do encrypted VoIP protocols do anything to obfuscated the type of traffic, such to avoid network fingerprint and filtering of all SIP and VoIP communications?
  4. How well do public free SIP providers support secure configurations and best practices for protecting user privacy?
  5. Can VoIP communications be sent over single or multi-hop proxy services?


This work will consist of design a set of criteria for rating the security and privacy capability of various free services and software in order to develop an accurate model of the state of the market and available solutions.

  1. Audit security state of main free VoIP service providers
    1. TLS, SRTP, ZRTP capable, VPN capable
    2. Compatibility with CSipSimple Android open-source client
  2. Audit, Compare to RedPhone from WhisperSystems
  3. Interoperability between mobile and desktop clients (Jitsi, Twinkle)
  4. Audit security state of Freeswitch and Asterisk

Development & Deployment

This work will involve the development of customizations to existing software in order to ensure it is as secured as it can be within its known limits. This includes work on server software, such as Freeswitch, and on client software, such as CSipSimple for Android. All changes will be documented, tested and audited within an initial private testbed of servers. Once a level of stability has been reached, access to this network will be broadened to other qualified users and organizations, all still within the goal of verifying the proposed solutions. In this phase, we will also reach out to other partner testbed and audit projects, including the UC Berkeley DETER testbed, to help better understand how our solution performs in a simulated high-surveillance and filtering environment.

  1. Deploy small network of server instances
  2. Create customized turnkey Android client that connect to these servers
  3. Work with test group of users and organizations to verify from around the globe


The outcome of the auditing and deployment process will be the creation of two sets of documentation, one focused on server providers and organizations that wish to setup their own VoIP infrastructure in a secure best-practices manner. The other for end-user and application developers who want to understand how to properly configure an Android VoIP solution to be secure.

  1. Create Secure Setup Guides, Recipes, Scripts
  2. Freeswitch setup with all relevant security default
  3. CSipSimple Android Setup with all relevant security default


The process of making the tool public will be documented in a checklist to ensure that all the pieces are finished and ready to be launched.


Duration: 6 months - from: November 2011 to May 2012

Task Detail

  1. Auditing
    1. Existing software and services will be inspected, tested and vetted
  2. Development Sprint
    1. Each sprint will last 6 weeks
    2. All code will be managed and logged in a public version control system
  3. User Testing and Design Review
    1. Promote the current stable release of prototype to a select group of users
    2. Hold design review meetings with all team, partners and others relevant
  4. Publishing Papers / Specifications
    1. Publicly share proposal for any new specifications or services
    2. Post documentation of best practices determined

Timeframe Milestone
October 1 - December 31, 2011

Auditing of current solutions, components

Design implementation spec based on audit

Review of spec and planning

January 1 - March 1, 2012

Initial Testbed Setup

Android app customization

Server setup scripting

Initial End-User Testing / Feedback

March 1 - March 31, 2012

Broader End-User Testing

Create documentation, scripts, recipes and publish, share

Personal tools