Privacy Issues in UCaaS and Voice Services

Alexey Aylarov
Published in Voximplant
May 27, 2019

Nowadays, businesses of almost any size tend to move their communications onto platforms developed by a third party. The last couple of years have seen UCaaS (Unified Communications as a Service) become a very popular solution, but several issues have been raised around personal data security.

Let’s find out what personal data exists on the Voximplant platform and how the company deals with privacy and security.

First, we’ll begin with the personal information from our corporate customers that want to purchase phone numbers for outbound business calls. This procedure differs from country to country. For example, the United States has the most lenient requirements, asking for nothing more than a desire to purchase, whereas in Germany, regulators require some proof of residence. In this case, there is a loss of privacy when access is requested by state authorities.

Second, there is the private data that is imported to our platform (for example, call lists) and calls that are made from and through our platform. Voice calls contain data that is meaningless unless it is analyzed.

As for speech recognition, most of this is outsourced to Google. After this data is transcribed, it is returned as text blocks that we then send back to our customers. In fact, Voximplant just moves volumes of data back and forth without analyzing the contents of the data.

Information that could be attributed to personal data is that which is loaded into services such as Smartcalls. For example, a “full name-contact number” pair contains private information; however, it is contained in Voximplant infrastructure and only a restricted group of employees has access to it. Most commonly this is support, customer service, or customer representatives that are dealing with a settlement or conflict resolution.

The public always asks: “If personal information is protected, then how do spammers get my phone number?” It’s quite easy to answer — nobody can dismiss the human factor! And this cannot be solved with regulatory tools. Only recently have people begun taking steps to protect their private data, but there are still ways for spammers to access this information. Actually, phone spamming is not the top problem. In general, all legislative actions are a result of identity theft cases. Getting back to the phone spamming issue — an individual can always address the watchdog that looks down the whole communication chain to find out if any security breach caused data to be used illegally.

UCaaS: Is there safety in the cloud?

If a company’s infrastructure is built in one or several clouds, the number of points where data flows tends to increase: provider, data centers, suppliers of cloud solutions, etc. At first glance, it may seem that this increases the risk of security breaches, but that is not entirely true.

First, no one knows of any exact data location except for the people who load it. For data center employees, it is just a piece of hardware containing some information. Everything remains discreet in that piece of hardware until a client needs an employee to access this data to solve an issue. In that case, the employee gains access with the consent of the client who is the owner and operator of the data.

The situation is similar in places like banks where there is a lot of sensitive private information but employees are only given access to this information in an emergency or if a customer specifically requests the employee to use this information to solve a problem.

Hacks, on the other hand, are an entirely different story. Most intruders won’t hire an expert hacker and pay them thousands of dollars to steal information and then spam the customers whose information has been stolen, as this just isn’t cost-effective. What usually happens is that hackers exploit data center employees and arrange a deal to access sensitive information.

Machine learning, voice recognition, and identification

Everyone seems to be talking about machine learning these days. It is based on how a machine is taught to analyze voice clips and learns how to respond correctly. The learning is provided at any data center with personal identifiers removed. The voice itself is de-identified and non-personal as well. The important question to ask here is who determines what data can be used for these purposes. What non-disclosure contracts and agreements are signed with the companies that engage in machine learning?

Voice identification, for example at banks, has very little relation to personal data. At a bank, a digital voice footprint — encrypted into a hash — is kept; it requires a secure algorithm to be decrypted, and it cannot be associated with a real name because the identification process is based only on a short recording of the caller’s voice. This recording is also encrypted with the algorithm into a hash and both hashes are compared in real time.

How has GDPR affected UCaaS?

We need to understand that any large-scale regulatory actions have more behind them than meets the eye. If we dig a little deeper, it becomes clear that the Europeans have tightened regulations because they can see how American corporations control all digital life and activity. It bothers the Europeans and their citizens that there aren’t enough regulations in place in America on what these companies can or cannot do, or what’s not allowed at all.

Second, Europe seems to be worried about where this information is flowing and what it is being used for. That’s why it is important to them to be able to exercise some control over this matter, but the answer remains ambiguous — what they want to obtain, who they want to obtain it from, and what they want to protect. Concerns about private users seem to be an excuse.

How has GDPR changed how Voximplant conducts business? It’s very clear that European companies need to allocate several of their staff to compliance, but for us, nothing new or groundbreaking has happened. We have always been protecting our customers’ private data. In the United States, we use local American privacy firms and in Europe, we use European ones.

Our priorities

The first questions that our customers ask are about platform or solution functionality, toolbox, and price. This doesn’t mean that keeping private data safe is not our top priority. The point is that private data safety itself is not separate from general safety so it is usually not examined separately.
