In the second article of this series, we looked at an innovative applications world opened up by IP telephony: data management and manipulations techniques based on computer analysis of digitized phone-call content. While such VoIP-based technologies can unquestionably be a boon to certain kinds of businesses—call centers, airline reservations systems, and the like—they can also constitute a serious threat to something we all hold dear: privacy.
This is by no means a narrowly held view.
“The consequences of failing to establish privacy protections for users of VOIP-based services will be staggering,” wrote Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC), a Washington, DC watchdog group.
VoIP privacy is “huge,” according to Will Stofega, analyst at the research firm IDC. “It’s such a big concern,” says Stofega.
Although VoIP applications are not the sole focus of IP telephony privacy concerns, they do magnify the possibility of a VoIP version of identity theft or call hijacking “once attackers become more savvy,” warns David Endler, chairman of the VoIP Security Alliance.
This call may be recorded . . .
Atlanta-based Witness Systems is credited with the ubiquitous phrase “this call may be recorded for quality assurance.” With the number of IP phones lines expected to surpass traditional analog PBX connections next year (according to Forrester Research), VoIP-based recording will jump 39 percent from 2003 to 2008, said researchers at Term Systems.
While Witness Systems’ eQuality application suite can comfortably record all corporate VoIP conversations today, other vendors are bringing similar capabilities to the consumer arena. United Virtualities‘ HotRecorder allows VoIP users to record PC-based IP conversations from such popular VoIP services as Skype or Net2Phone. The application developer says HotRecorder also works alongside instant messaging apps, such as AIM and Yahoo Messenger.
“The creation of HotRecorder responds to the growing demand of users throughout the world, for a tool that will allow them to record, play, save, send, and search their voice communications,” according to the United Virtualities Website.
VoiceLog, which bills itself as a “provider of on-demand call recording and monitoring,” recently announced VirtualLogger, which records a call center conversation and links the recordings to other services.
While recording analog calls entails physically tapping into a conversation, with VoIP, conversations are converted to digital files, as accessible as any other computer file, says IDC’s Stofega.
In a January report that triggered moves to increase VoIP security, the U.S. National Institute of Standards and Technology urged federal agencies to avoid “softphones,” which allow users to place calls from their laptops. Rick Kuhn, co-author of the report, has suggested malicious software could easily be made to keep a log of calls sent from your computer. Exploits have likely been written doing such, believes Stofega.
For some time, companies have archived e-mail and instant messages due to regulatory requirements. Storing VoIP conversations might well be the next step.
“The SEC and NASD require broker-dealers to archive their email and IM conversations—if voice becomes just another IP stream, there is no logical reason to believe that the SEC and NASD would not also require VoIP traffic to be archived, as well,” says Michael Osterman of Osterman Research.
Searching for the needle
But even with the ability to record VoIP conversations, little has been done with the mass of material already collected. A new off-shoot of VoIP recording called audio analytics adds the power of data-mining to the mix. This new field has attracted the attention of the CIA among other agencies.
Designed to provide call center managers with a more complete picture of customer response and employee output, call analytics can turn any mountain of audio recordings into a searchable database, regardless of content—or intent. In a ‘legitimate’ application, it would be helpful if every time a customer said they were dissatisfied with service, the conversation would be flagged for review.
But it’s not difficult to think of more questionable uses of such technology—uses that directly counter our normal concepts of appropriate privacy.
Striking a balance
Caller analytics startup CallMiner produces VoIP applications able to tease data from Internet-based telephone conversations. Along with such mundane uses, CallMiner technology has also been used by the U.S. prison system to eavesdrop on prisoner conversations, looking for patterns. In one example, the application discovered the codeword prisoners were substituting when speaking about drugs. Depending on your convictions, this might be viewed favorably or unfavorably. In any case, without call mining, by the time prison officials had unearthed the connection through normal channels, the codeword would likely have changed.
“We have tapped CallMiner’s expertise in the development of speech analytics applications to serve in the United States national security interest,” said Gilman Louie, President and CEO of In-Q-Tel earlier this year. In-Q-Tel is a venture fund financed by the CIA. In the past, the ‘spooky’ VC has invested in other high-tech companies of interest to U.S. national security.
One of the most promising VoIP applications is ‘presence-awareness,’ the ability to track a person’s availability so as to be able to communicate using the most appropriate means at a given moment. While the advantages to enterprises seeking to maximize contact with customers is obvious, presence has also given rise to privacy worries and a new concept: Geo privacy. Concern has reached such proportions that the Internet Engineering Task Force (IETF) is working on a way applications can provide presence-aware data without invading personal privacy. “The challenge is to balance the need to share this information with users’ personal privacy,” said Jon Peterson, author of last year’s IETF GEOPRIV proposal.