My Web Stats

Legal Info

Privacy Issues with VoIP Telephony

by Jeremy Malcolm 1

Voice over Internet Protocol telephony (otherwise known as VoIP or Internet telephony) is either a new carriage medium to be incorporated into the existing telecommunications regulatory regime, or it is the latest new "killer application" for the Internet, much as the World Wide Web was a decade ago and email a decade before that. Which of these characterisations of the technology one adopts has a considerable bearing on one's attitude to how it should be treated by regulators.

For privacy advocates and regulators, the distinction between VoIP as carriage medium and VoIP as Internet application is relevant in two respects. First, the application of the Telecommunications Act 1997 and its associated codes and regulations to VoIP products and services involves laws designed for circuit-switched telephone networks (the PSTN) being applied to the Internet space, perhaps in unexpected ways. For example, the requirement for carriers to provide law enforcement agencies with the ability to intercept voice communications may be more difficult to accomplish over certain VoIP networks, and may raise fresh privacy issues.

Second, IP networks are not defined in geographical terms to the same extent as PSTN networks. It is an intrinsic feature of Internet routing that packets of data can be exchanged back and forth across national boundaries as the applications generating that data may require, and much less expensively than in the case of a circuit switched network. A result of this is that Australians may now access voice services from providers that are not present in or subject to Australian jurisdiction at all. This makes it much more difficult to be sure that consistent standards of privacy protection are being applied to the personal information and communications of the VoIP call originator and recipient.

VoIP services under the Telecommunications Act

Part of the difficulty in characterising VoIP in such binary terms as described above, that is to say as either a carriage medium for telecommunications, or an Internet service akin to email or the Web, is that within the diverse range of VoIP products and services, some fall clearly into one category or the other, and others straddle the boundary.

Those VoIP products and services that are most clearly subject to much of the same regulation as traditional PSTN telephony are, perhaps obviously enough, those which are interconnected with the Australian PSTN. To take an extreme example, many voice carriage service providers - usually unbeknownst to their customers - utilise IP networks to carry voice traffic over long distances, whilst initiating and terminating calls using traditional voice telephony hardware (ie. telephone handsets) and utilising the PSTN between that hardware and the telephone exchange if not further.

A less obvious example of a VoIP service that utilises the PSTN is one in which the VoIP provider's services require the use of "IP phones" that connect directly to a user's broadband Internet connection and which look and feel much like ordinary telephone handsets, or "telephone adapters" which convert an ordinary telephone handset into an IP telephony device. In neither case is the PSTN utilised for connection to the carrier, and the device may or may not be accessible by means of an ordinary telephone number. However, if the device allows telephone calls to be placed to Australian telephone numbers, it will for all relevant purposes be interconnected with the Australian PSTN.

The interconnection of these types of VoIP product and service to the PSTN will result in the VoIP provider assuming various obligations of a traditional telephone carrier under Schedule 2 of the Telecommunications Act 1997, including the provision of operator services, directory assistance, itemised billing, and co-operation with the integrated public number database (IPND). Further obligations arising pursuant to the Telecommunications (Consumers Protection and Service Standards) Act 1999 include the obligation to offer untimed local calls, to participate in the Telecommunications Industry Ombudsman scheme, and to offer emergency call services.

More specifically relating to privacy, VoIP service providers that fall subject to the Telecommunications Act are covered by part 13 of that Act. In terms of the simplified outline of that part in section 270, it relevantly provides that except as authorised in limited circumstances:

Carriers, carriage service providers, number-database operators, emergency call persons and their respective associates must protect the confidentiality of information that relates to:

  1. the contents of communications that have been, or are being, carried by carriers or carriage service providers; and
  2. carriage services supplied by carriers and carriage service providers; and
  3. the affairs or personal particulars of other persons.

There are further obligations imposed on such providers under an industry code of the Australian Communications Industry Forum, titled Protection of Personal Information of Customers of Telecommunications Providers.2 This code, based on the National Privacy Principles, expands on the obligations imposed on providers by section 13 of the Telecommunications Act.

Finally, VoIP providers subject to the Telecommunications Act will be provided to provide interception capabilities pursuant to the Telecommunications (Interception) Act 1979. This obligation limits to some degree the ability for VoIP service providers wishing to interconnect with the Australian PSTN to adopt technologies that are not susceptible to interception of communications.

VoIP services not subject to the Telecommunications Act

There are also a variety of VoIP products and services that are closer to pure Internet applications in that they tend only to operate over IP networks, and not to traverse over the Australian PSTN at all. For example, most of the popular text-based instant messaging products such as Yahoo Messenger and MSN Messenger also allow voice communications from computer to computer over the Internet, as does the popular VoIP-specific application Skype.

The Telecommunications Act does not govern the use of these products and services, and it can be persuasively argued that it does not need to. Those who utilise VoIP products and services of this class have no expectations of a telephony-grade service - they would not, for example, be likely attempt to make an emergency call using such a service.

Indeed, those who contend that VoIP is simply another application available to deploy on the Internet and other IP networks are quick to resist the application of the stringent regulatory models of traditional telecommunications to this new technology, in favour of the notion that the use of the Internet should continue to be predominantly unencumbered by national regulation.

On the other hand, the privacy issues raised by the use of this class of VoIP products and services are no less real simply because they are not appropriate to be regulated by the Telecommunications Act. How are users to know how their personal information is being kept? How are they to know whether and in what circumstances their communications are liable to be intercepted?

Jurisdictional problems

The key problem in addressing these issues is that as noted in the introduction to this article, VoIP services not interconnected with the Australian PSTN may be provided from any location in the world. This is not simply a theoretical possibility.

For example, SkypeOut is a commercial service of Luxemburg-based Skype Technologies SA that terminates calls initiated from the Internet (normally using a microphone attached to a computer, or a specialised handset) on the PSTN where they are answered on an ordinary telephone handset. But because there is no gateway interconnecting the Skype network directly with the Australian PSTN, and because Skype Technologies SA has no physical presence in Australia, users of the Skype network have no recourse to Australian privacy protections.

Recognising this, in its Review of the Private Sector Provisions of the Privacy Act 1988, the Privacy Commissioner stated, "The consequences of not having a globally consistent approach is that information may end up in the country with the lowest privacy protection standards".3 It recommended the Australian Government initiate discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from global reach of new technologies such as VoIP.

The Australian Communication Authority has reached a similar conclusion, noting that the availability of VoIP services provided from overseas "may require increased cooperation with overseas regulators".4

Conclusion

What is called for, and does not yet exist in any real sense, is an international standard of privacy with which all VoIP service providers will comply or at least disclose their level of compliance. This might not be an international legal instrument as such. For example, TRUSTe5 is a private non-profit organisation that certifies online businesses for their adherence to privacy standards. In the absence of strong international legal regulation of the privacy practices of VoIP providers, such private sector certification could at least provide users with a yardstick against which to compare alternatives.

For now, however, users of VoIP products and services that do not fall under the Telecommunications Act will be required to make their own enquiries as to the privacy standards and practices of their VoIP service providers if they wish to be assured of the protection of their personal information and the confidentiality of their communications. As the scale of the recent spyware infestations that have swept the Net attests however, this is not necessarily a task at which Internet users are particularly adept.

  1. Jeremy Malcolm <jeremy@ilaw.com.au> is a sole practitioner specialising in IT law and currently conducting postgraduate research into Internet governance.
  2. ACIF C523:2003
  3. Office of the Privacy Commissioner. Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. Canberra, March 2005, 266.
  4. Australian Communications Authority. Regulatory Issues Associated with Provision of Voice Services Using Internet Protocol in Australia. Canberra, October 2004.
  5. http://www.truste.org
Please Note: The information contained in this article is general in nature and cannot be regarded as anything more than general comment. Readers of this article should not act on the basis of this comment without consulting one of iLaw’s legal practitioners who will consider their particular circumstances