Certificates, compliances and Security in VoIP

This article describes various certificates and compliances, bills and acts on data privacy, security and prevention of robocalls, as adopted by countries around the world, pertaining to interconnected VoIP providers, telecommunications services, wireless telephone companies, etc.

Compliance certificates by Industry types

Deals with privacy and security of personal medical records and electronic health care transactions.

Applicability: if the VoIP company handles medical information.

Includes:

  • Voicemail transcription is not allowed
  • Should have end-to-end encryption
  • Restrict the use of unsecured Wi-Fi networks to prevent snooping
  • User security, strong password rules and mandatory monthly change
  • Secure firmware on VoIP phones
  • Maintaining call and access logs

Also known as SOX, SarbOX or the Public Company Accounting Reform and Investor Protection Act.

Applicability: if managing the communications operations of a regulated, publicly-traded company.

Includes:

  • Retaining records which include financial and other sensitive data
  • Ways employees are provided or denied access to records or data based on their roles and responsibilities
  • An information audit by a trusted third party
  • Retention and deletion of files such as audio files like voicemails, text messages, video clips, declared paper records, storage, and logs of communications activities
  • Physical and digital security controls around cloud-based VoIP applications and the networks

Privacy Related Compliance certificates

Prohibits deceptive marketing to children under the age of 13, or collecting personal information without disclosure to their parents.

Any information that is to be passed on to a third party must be easy for the child’s guardian to review and/or protect.

A 2011 amendment requires that the data collected be erased after a period of time.

In 2014, the FTC issued guidelines that apps and app stores require “verifiable parental consent.”

CPNI (Customer Proprietary Network Information) in the United States is the information that communication providers acquire about their subscribers. This is individually identifiable information that is created by a customer’s relationship with a provider, such as data about the frequency, duration, and timing of calls, the information on a customer’s bill, and call identifying information. The processing of this information is governed strictly by the FCC, and certification should be renewed on an annual basis.

The provider can pass along that information to marketers to sell other services, as long as the customer is notified.

In 2007, the FCC explicitly extended the application of the Commission’s CPNI rules of the Telecommunications Act of 1996 to providers of interconnected VoIP service.


The Communications Assistance for Law Enforcement Act (CALEA) supports electronic surveillance by imposing specific obligations on “telecommunications carriers” for assisting law enforcement, including delivering call interception and call identification functionality to the government with a minimum of interference to customer service and privacy.

Read more about CALEA and its role in VoIP in the article “Regulatory and Legal Considerations with WebRTC development”.

Supersedes the 1995 Data Protection Directive.

Establishes requirements of organizations that process data, defines the rights of individuals to manage their data, and outlines penalties for those who violate these rights.

No personal data may be processed unless this processing is done under one of six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time.

Controllers must notify Supervising Authorities (SAs) of a personal data breach within 72 hours of learning of the breach.

Consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.

Allows consumers to know whether their personal data is sold or disclosed, and to whom.

Allows an opt-out right for sales of personal information.

Right to deletion — to request a business to delete any personal information about a consumer collected from that consumer

This bill introduces various frameworks for the protection of private and sensitive data, such as restriction on retention of personal data, the right to correction and erasure (such as the right to be forgotten), and prohibition and transparency of the processing of personal data. It also classifies data fiduciaries, including certain social media intermediaries.

The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.

Other data privacy acts similar to GDPR

  • South Korea’s Personal Information Protection Act 2011
  • Brazil’s Lei Geral de Proteção de Dados (LGPD) 2020
  • Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act 2018
  • Japan’s Act on Protection of Personal Information 2017
  • Thailand Personal Data Protection Act (PDPA) 2020

Features offered by VoIP companies for data privacy

  • Access control and logging
  • Auto data redaction / account deletion policy
  • SIEM (security information and event management) alerts
  • Information security, encrypted storage for recordings and transcripts
  • Disclosing all third-party services that are involved in data processing
  • Role-based access control and two-factor authentication
  • Data security audits and appointing a data protection officer to oversee GDPR compliance

Against Robocalls and SPIT (SPAM over Internet Telephony)

Implementation of a Do Not Call registry against the use of robocalls, automatic dialers, and other methods of communication.

Do-Not-Call Implementation Act of 2003

If a business has an established relationship with a customer, it can continue to call them for up to 18 months. If a consumer calls the company, say, to ask for information about the product or service, the company has three months to get back to them.

If the customer asks to not receive calls, the company must stop calling, or be subject to fines.

Exemptions: calls from a not-for-profit B organisation, informational messages such as flight cancellations, calls from sales and debt collectors, etc.

Implemented to curb identity theft and computer hacking. Sensitive personally identifiable information includes the victim’s name, social security number, home address, fingerprint/biometrics data, date of birth, and bank account numbers.

Any company that is breached must notify the affected individuals by mail, telephone, or email, and the message must include information on the company and how to get in touch with credit reporting agencies.

If the breach involves government or national security, the company must also contact the Secret Service within fourteen days.

A solution mechanism called STIR/SHAKEN (Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) has already been standardised and is in active adoption; it is described in another article.

Emergency services

Unlike traditional telephone connections, which are tied to a physical location, VoIP’s packet-switched technology allows a particular number to be anywhere, making it more difficult for it to reach localised services like emergency numbers of Public Safety Answering Points (PSAPs). Thus, under FCC regulations as well as the New and Emerging Technologies 911 Improvement Act of 2008 (NET 911 Act), interconnected VoIP providers are required to provide 911 and E911 service.

Originally published at http://telecom.altanai.com on January 20, 2020.
