VoIP: What’s The Catch?
Solicitor and commercial specialist Ross Woodham takes a technical and commercial look at Voice over Internet Protocol (VoIP), as it grows in popularity.
VoIP has existed since the early 1980’s, but was only given serious commercial attention in the late 1990’s, since when the use of VoIP-based technology has grown steadily.
With promises of low-cost communication solutions and increased functionality and flexibility, many businesses are now looking to VoIP-based services to form part of, or replace, their existing communications network.
However, as with any new technology, they must carefully consider the advantages and pitfalls of integrating VoIP into their day-to-day operations, both from a technical and legal perspective.
What is VoIP?
VoIP describes transferring sound or speech as ‘data packets’ across the internet or other Internet Protocol (IP) network.
It does this by compressing voice data and dividing it up into small ‘packets’ of data, before sending it over a privately managed network or the internet, where it is received by a second device designated by a unique IP address (usually a computer). This then reassembles the data packets into the original sound.
Where a traditional phone network requires the data signal to be transmitted directly and through a single route, VoIP data packets can be sent via multiple routes (allowing greater network efficiency), to be collected at the other end and reassembled.
VoIP services are not a uniform technology, and use different methods to transfer sound over an IP network, including:
- standard network VoIP, which utilises a central network server and directs data packets to a client PC
- Peer to Peer (P2P) services, such as Skype, which decentralises the IP Network, directing ‘traffic’ via a web of users rather than through a main server
- secondary-line services, enabling users to connect from an IP network to a traditional phone network
- wireless technology, which allows users to connect over a Wi-Fi network or on HSDPA networks on a mobile device, subsequently creating unique problems and considerations
- a combination of the above, for example, a user of a P2P service may connect to a receiving device on a standard network routed via the network’s server
VoIP can undoubtedly reduce businesses’ costs. It runs on virtually any IP network, which nearly all businesses have, and any organisation with a single computer can utilise VoIP through one of several online providers.
This removes the need to establish or pay for expensive dedicated networks and centralised switching equipment, as required for traditional fixed-line networks. Further, because the data packets are streamed via data networks to a virtual IP address (rather than a physical receiver), it avoids costs associated with long-distance and international calls over a traditional phone network, allowing for complete geographical flexibility – much like receiving email via logging onto a user account.
And because of its flexibility, services such a video conferencing are available at a fraction of the cost.
What’s the catch? Inherent problems with the technology
Because VoIP technology utilises existing IP Networks, it will be directly affected where a powercut or other interruption causes a network failure, so business communications could be vulnerable to the likes of a Denial of Service (DoS) attack, disabling systems critical to day-to-day operations.
Also in the event of an IP network failure, users would be unable to contact the emergency services, which could be seen as a breach of the Health and Safety at Work Act 1974 if it is employees’ only means of contacting the emergency services.
It should be noted that not all VoIP services offer the functionality to contact emergency services, something that has been of particular concern to the Office of Communications (Ofcom).
Just as traditional phone calls can be tapped, so can VoIP calls. Using VoIP may result in data passing through a number of networks that are both unknown and/or not trusted, creating numerous opportunities for calls to be tapped, analysed or hacked, something that should be of particular concern to businesses handling sensitive information.
Notable examples of VoIP security concerns include reports that German authorities have tapped conversations, while the Chinese authorities openly monitor and record messages and personal information.
Some VoIP providers and users encrypt data, but some phrases in conversations can still be identified without the need to decrypt. This might be particularly concerning where the passive observer has details of the sender and recipient of the data, for example if they know that the sender of the data is a customer talking to their bank.
Regulation of VoIP services is primarily through EU regulations, implemented in the UK by the Communications Act 2003, which established Ofcom as the UK regulatory authority. The regulations are technology-neutral and apply generally to providers of electronic communications networks. Although most businesses using VoIP technology will not be directly affected by regulation of VoIP services, they should be aware that until recently Ofcom had taken a light-handed approach to VoIP technology to avoid slowing its development.
The result is VoIP services with varying features and capabilities, including whether or not emergency services are contactable, so businesses should consider carefully the suitability of a specific service, taking into account their legal obligations, both internally and externally.
In the past year, the European Commission and Ofcom have increased VoIP regulation, targeting greater access to emergency services and requiring service providers to make certain information available to customers. Increased regulation will continue as VoIP becomes a mainstream technology, but companies must still be diligent when implementing it.
Any business considering VoIP as part of their communications network and/or business model should consider carefully its appropriateness for each specific business use.
Not only do they need to comply with regulatory and statutory requirements, such as those under the Data Protection Act 1998, they must also consider their obligations relating to data protection and/or confidentiality standards in contractual arrangements.
A good example of this is that payment providers, such as Mastercard and Visa, require all members using their payment processes to meet their security rules and procedures, including the Payment Card Industry Data Security Standards. Any company receiving payment through such providers must ensure that use of a VoIP service during the payment process meets these requirements.
In implementing VoIP, businesses should ensure - as a minimum - that they review and consider:
- their statutory and regulatory obligations generally
- their current contractual obligations
- whether their internal access and usage policies are sufficiently rigorous to ensure compliance with relevant contractual and regulatory standards