If you’re following TechCrunch at all, then you’ll have seen its coverage of the Viber iPhone app: Another VOIP solution, reputedly with extremely good voice quality, using phone numbers as identifiers.
When you start the viber app, it’ll actually transmit all mobile phone numbers in your address book to the service, and match them to other Viber users. You’re then given a menu that shows you those entries in your address books who correspond to Viber users. All very intuitive and nice, and a great user experience. Who wants five different phone books that aren’t in synch?
But, of course, there are a few questions to be asked here: What does Viber do with those data? Am I signing up my colleagues and friends for free telephone harrassment? What if I change my mind and move on? What’s the business model? (apparently, spending VC money and coming up with value added services later)
Cue the viber privacy policy. It’s pleasantly short, doesn’t come in unreadable gray small print, and sounds fairly reasonable as far as the use of the address book data is concerned. That’s all very good.
But then there’s this: “Viber also maintains call and connection logs to the system. These logs contain your internal Viber identification which is a combination of your account identification (i.e., your phone number) and Apple Unique Device Identification (“UDID”) or Android Device ID. All call and connection logs are maintained indefinitely.” Traffic data retention, here we come.
The lessons?
At least two come to mind. The first one is that, as network applications offer useful services based on highly private data (like my address book), they need to be extremely clear about the implications. When I first tried Viber, it didn’t tell me anything about the way in which those data would be used. While Viber’s privacy policy is fairly reasonable as far as the contact data are concerned, I needed to search for it online. I shouldn’t have to, the app should be clear right away about what it promises (or doesn’t promise).
The second one relatest to data retention. NGOs like EDRI are rightly upset at EU plans at long-term and broad telecommuniations data retention. But what does this particular game look like with VOIP companies? Some players, like Google Voice, give users a lot of control, and (beyond that) make sure they anonymize call data that they keep for their own purposes. Some players (like Skype, or Apple with FaceTime) are less than clear on what happens to call histories. Yet others, like Viber, retain your communication behavior indefinitely, without any anonymization, but at least tell their users, if they know where to look.
It’s a shame that, as users of these services, we can’t just assume that call histories will be treated as the highly sensitive data they are. It’s also a shame that we apparently can’t even expect to be told up front (and outside a policy document — even a well-written one) what the VoIP service providers will do with those data. That needs to change.
No Such Weblog 
NO free meals… Dialers can be download for free but calls cost money and cant give for free…
Hi,This is a representative of Viber Media company (Viber application). Regarding the fact we collect users??? information. First, it is important to be accurate ??? we only collect names and phone numbers, nothing else. Naturally, we collect users’ information not because we are curious of its content, but in order for functional reasons, and for us to enable the service we, as a company, promise to provide. Without that information, Viber cannot function. This is not different from any other major social network/communication service provider in our world nowadays.Why do we maintain call logs? in order to better understand and maintain our system. For example, we had a bug causing some calls to drop after 10 seconds. We discovered it by analyzing call logs and seeing that we had a disproportionate number of 10 second calls (we fixed most of it in Viber 1.0.5 and Viber 1.1 will have a complete solution for this). If it weren’t for call logs we wouldn’t have known about this issue. Imagine if we had issues related to certain operators, countries, phone versions, software versions, connectivity type (say, a 3G issue) – without logs, we can’t find out about these issues. Those logs, of course, and completely anonymous, and can be accessed by a few of our technical personnel. That???s it.I would like to clarify again: we DO NOT sell users’ information to anyone, and we keep this information WELL locked in our servers, with extremely limited access to it. The line in our Privacy Policy that refers to giving the information third parties does not mean that we sell it. sometimes it is necessary to pass to one or two companies in order, for example, to send an SMS with activation code (again – functional reasons).In our contracts with those companies, we make sure the information we send it deleted immediately after its functional use.So why is Viber free?For now, Viber’s focus is on adding platforms, adding features (such as text messages) and improving overall system performance. At the same time, we are working on additional future premium services that will generate revenues. The basic Viber service – Viber to Viber phone calls, and soon text messages, will always be free.If you have further questions – please do ask. this is why I’m here.Thank you,Viber.
Thanks for the response — much appreciated; the clarification about the handling of contact data and making sure service providers delete data immediately is particularly valuable. <br/> <br/>There is one point in what you write that I wanted to follow up on, concerning the call logs: "Those logs, of course, [are] completely anonymous, and can be accessed by a few of our technical personnel. That???s it." Here’s what your privacy policy says about the same logs: "Viber also maintains call and connection logs to the system. These logs contain your internal Viber identification which is a combination of your account identification (i.e., your phone number) and Apple Unique Device Identification ("UDID") or Android Device ID. All call and connection logs are maintained indefinitely." <br/> <br/>First, according to that text, your call logs include a combination of the user’s phone number and a unique device ID (that, unfortunately, is probably shared with any number of ad tracking companies — not through your fault!). That’s by no means anonymous. Instead, logs like those can be used to reconstruct communication profiles at quite some detailed level. If you were to anonymize them, you’d make sure that users are in large-ish anonymity sets. For example, you’d throw away enough digits of the phone number that you only keep information about the operator in question, but not about the user. You wouldn’t keep the UUID. That’s not what you do. <br/> <br/>Second, also according to that privacy policy, you’re keeping the logs indefinitely. How likely is it that you’d need identifiable logs from even half a year ago for troubleshooting? Communications history, kept for eternity, is risky data to collect (I wouldn’t want you to have those logs, whether or not you want to sell them), and is risky data to have (I could see any number of parties interested in getting them, through subpoenas or otherwise). <br/> <br/>In short: If you keep call logs, you need to really anonymize them. Even if you anonymize them, it’s safer to throw them away after a while. Right now, your policy about call logs doesn’t cut it.
Hi,Thanks for the reply.About the lack of emphasis in our Privacy Policy regarding the matter – you are absolutely right. In fact, TODAY we uploaded a NEW version of our Privacy Policy, addressing all these problems you wrote about.i STRONGLY encourage you, and all readers, to thoroughly take a look at our new Privacy Policy and see how important users’ privacy concerns are to us.I will answer your questions here, even though they are handled in our new Privacy Policy:- we don’t keep logs indefinitely. we keep them for 30 months, and the reason is that sometimes, in order to fix a technical issue, you need a very large perspective (yes – even 1 or 2 years back, for comparison methods).- it is now clearly emphasized in our Policy that the analysis we do with the information we take is COMPLETELY anonymous. furthermore, as i mentioned, the access to the information is EXTREMELY limited (a few workers can access it and draw information from it).Regarding your claim that we could have taken less information and extract the same problem-solving advantages – that is not correct. sometimes full numbers are necessary in order, for example, to solve canonization issues (correlation between phone numbers between countries, and that’s just 1 of many examples).Look – of course, in theory, we could look at our users’ all day and all night. We are offering a very clear, transparent policy that gives users a decision. this isn’t different from any major service you use today (yes, including Google, Facebook, and even other VERY famous VoIP products).Again i ask – please take a look at our new policy. we would appreciate if you took the time to update your readers with a new article, telling about the updates made.Of course – if you would like to consult with me, as a representative of the company, before writing such article, i would be delighted to help.Thank you.
Thanks, that’s great news. <br/> <br/>It’s good that you’ve clarified your handling of address book data further, and 30 months are certainly better than "indefinite". But they’re still very long. <br/> <br/>Looking at the new privacy policy, the text about retaining call records now says: "All log analysis is done in an anonymous, aggregate, non-personally identifiable manner. We may look into a specific Call Detail Record in response to a customer support request. We maintain CDRs for a period of no more than 30 months." A quick observation: You might perform your own log analysis on aggregate data. But if you can look into individual records in response to customer requests, then that suggests that the records you keep are, indeed, identifiable. It’s a good idea to be explicit about that in the privacy policy. <br/> <br/>(And, of course, it’d be better from a privacy perspective if you’d anonymize the data you keep after a short while, instead of keeping it all for 30 months.)
Well, in the battle between helping our users with legitimate requests (such as: "the service you promsie to provde is not working) and EXTREMELY thin observations within our Privacy Policy, we unfortunately let the first win.It is more important to us that a few of our workers would be able to access user’s details in order to help him/her use it (again – without any correlation between the Phoebook and the actual user’s phone number, thus not identifying the user in reality).The anonymization refers to the fact that for us these logs are just a bunch of "numbers", for that matter. we don’t want (or practically we dpn’t have the ability) to identify them with names, or even know which phonebook belogs to which Viber user, etc.