If you’re following TechCrunch at all, then you’ll have seen its coverage of the Viber iPhone app: Another VOIP solution, reputedly with extremely good voice quality, using phone numbers as identifiers.
When you start the viber app, it’ll actually transmit all mobile phone numbers in your address book to the service, and match them to other Viber users. You’re then given a menu that shows you those entries in your address books who correspond to Viber users. All very intuitive and nice, and a great user experience. Who wants five different phone books that aren’t in synch?
But, of course, there are a few questions to be asked here: What does Viber do with those data? Am I signing up my colleagues and friends for free telephone harrassment? What if I change my mind and move on? What’s the business model? (apparently, spending VC money and coming up with value added services later)
But then there’s this: “Viber also maintains call and connection logs to the system. These logs contain your internal Viber identification which is a combination of your account identification (i.e., your phone number) and Apple Unique Device Identification (“UDID”) or Android Device ID. All call and connection logs are maintained indefinitely.” Traffic data retention, here we come.
The second one relatest to data retention. NGOs like EDRI are rightly upset at EU plans at long-term and broad telecommuniations data retention. But what does this particular game look like with VOIP companies? Some players, like Google Voice, give users a lot of control, and (beyond that) make sure they anonymize call data that they keep for their own purposes. Some players (like Skype, or Apple with FaceTime) are less than clear on what happens to call histories. Yet others, like Viber, retain your communication behavior indefinitely, without any anonymization, but at least tell their users, if they know where to look.
It’s a shame that, as users of these services, we can’t just assume that call histories will be treated as the highly sensitive data they are. It’s also a shame that we apparently can’t even expect to be told up front (and outside a policy document — even a well-written one) what the VoIP service providers will do with those data. That needs to change.