Solicitor and commercial specialist Ross Woodham takes a technical
and commercial look at Voice over Internet Protocol (VoIP), as it grows
in popularity.
VoIP has existed since the early 1980s, but was only given serious
commercial attention in the late 1990s, since when the use of
VoIP-based technology has grown steadily.
With promises of low-cost communication solutions and
increased functionality and flexibility, many businesses are now
looking to VoIP-based services to form part of, or replace, their
existing communications network.
However, as with any new technology, they must carefully consider
the advantages and pitfalls of integrating VoIP into their day-to-day
operations, both from a technical and legal perspective.
What is VoIP?
VoIP describes transferring sound or speech as ‘data packets’ across the internet or other Internet Protocol (IP) network.
It does this by compressing voice data and dividing it up into small
‘packets’ of data, before sending it over a privately managed network
or the internet, where it is received by a second device (usually a
computer) designated by a unique IP address. This device then
reassembles the data packets into the original sound.
Where a traditional phone network requires the data signal to be
transmitted directly and through a single route, VoIP data packets can
be sent via multiple routes (allowing greater network efficiency), to
be collected at the other end and reassembled.
VoIP services are not a uniform technology, and use different methods to transfer sound over an IP network, including:
- standard network VoIP, which utilises a central network server and directs data packets to a client PC
- Peer to Peer (P2P) services, such as Skype, which decentralise the
IP Network, directing ‘traffic’ via a web of users rather than through
a main server
- secondary-line services, enabling users to connect from an IP network to a traditional phone network
- wireless technology, which allows users to connect over a Wi-Fi
network or on HSDPA networks on a mobile device, subsequently creating
unique problems and considerations
- a combination of the above, for example, a user of a P2P service
may connect to a receiving device on a standard network routed via the
network’s server
Advantages
VoIP can undoubtedly reduce businesses’ costs. It runs on virtually
any IP network, which nearly all businesses have, and any organisation
with a single computer can utilise VoIP through one of several online
providers.
This removes the need to establish or pay for expensive dedicated
networks and centralised switching equipment, as required for
traditional fixed-line networks. Further, because the data packets are
streamed via data networks to a virtual IP address (rather than a
physical receiver), it avoids costs associated with long-distance and
international calls over a traditional phone network, allowing for
complete geographical flexibility – much like receiving email via
logging onto a user account.
And because of its flexibility, services such as video conferencing are available at a fraction of the cost.
What’s the catch? Inherent problems with the technology
Because VoIP technology utilises existing IP Networks, it will be
directly affected where a power cut or other interruption causes a
network failure, so business communications could be vulnerable to the
likes of a Denial of Service (DoS) attack, disabling systems critical
to day-to-day operations.
Also, in the event of an IP network failure, users would be unable to
contact the emergency services, which could be seen as a breach of the
Health and Safety at Work Act 1974 if it is employees’ only means of
contacting the emergency services.
It should be noted that not all VoIP services offer the
functionality to contact emergency services, something that has been of
particular concern to the Office of Communications (Ofcom).
Security
Just as traditional phone calls can be tapped, so can VoIP calls.
Using VoIP may result in data passing through a number of networks that
are unknown and/or untrusted, creating numerous opportunities
for calls to be tapped, analysed or hacked, something that should be of
particular concern to businesses handling sensitive information.
Notable examples of VoIP security concerns include reports that
German authorities have tapped conversations, while the Chinese
authorities openly monitor and record messages and personal information.
Some VoIP providers and users encrypt data, but some phrases in
conversations can still be identified without the need to decrypt. This
might be particularly concerning where the passive observer has details
of the sender and recipient of the data, for example if they know that
the sender of the data is a customer talking to their bank.
Regulation
Regulation of VoIP services is primarily through EU regulations,
implemented in the UK by the Communications Act 2003, which established
Ofcom as the UK regulatory authority. The regulations are technology-neutral and apply generally to
providers of electronic communications networks. Although most
businesses using VoIP technology will not be directly affected by
regulation of VoIP services, they should be aware that until recently
Ofcom had taken a light-handed approach to VoIP technology to avoid
slowing its development.
The result is VoIP services with varying features and capabilities,
including whether or not emergency services are contactable, so
businesses should consider carefully the suitability of a specific
service, taking into account their legal obligations, both internally
and externally.
In the past year, the European Commission and Ofcom have increased
VoIP regulation, targeting greater access to emergency services and
requiring service providers to make certain information available to
customers. Increased regulation will continue as VoIP becomes a mainstream
technology, but companies must still be diligent when implementing it.
Our advice
Any business considering VoIP as part of their communications
network and/or business model should consider carefully its
appropriateness for each specific business use.
Not only do they need to comply with regulatory and statutory
requirements, such as those under the Data Protection Act 1998, they
must also consider their obligations relating to data protection and/or
confidentiality standards in contractual arrangements.
A good example of this is that payment providers, such as Mastercard
and Visa, require all members using their payment processes to meet
their security rules and procedures, including the Payment Card
Industry Data Security Standards. Any company receiving payment through
such providers must ensure that use of a VoIP service during the
payment process meets these requirements.
In implementing VoIP, businesses should ensure - as a minimum - that they review and consider:
- their statutory and regulatory obligations generally
- their current contractual obligations
- whether their Privacy Policy is aligned to the implementation of the VoIP technology
- whether their internal access and usage policies are sufficiently
rigorous to ensure compliance with relevant contractual and regulatory
standards