Paul Bensley X-on CEO - GDPR legislation will provide power over our own data

Paul Bensley

Are Phone Calls Data? Discuss…

Are Phone Calls Data?

Information Governance has never been such a lively discussion topic nor so athletically regulated. In finance, PCI-DSS attempts to secure our credit card data, penalising those who merrily jotted card details on a Post-it on the journey to the card machine. For those (of us) processing many thousands of transactions, the requirements of Level 1 PCI Accreditation are technically strenuous. With the thieves having their beady eyes on real cash, it's easy to see why it needs to be that way.

In healthcare, the issues are more complex. We don't want our clinical records to be circulated to all and sundry, lest we become uninsurable or unemployable, or merely get sympathetic (or nervous) glances from our colleagues. Yet if AI machines are to supplement our stressed GPs with learned diagnoses, data has to be shared across organisations and permission structures put in place.

With impending GDPR legislation (still to be clarified) we will all get power over our own data, allowing it to be removed on demand. And organisations who lose it through carelessness (or sell it for profit) will have to own up and receive eye watering penalties.

All of the above can be addressed with expertise and sufficient technical and process resource. Consultation is expensive - data security experts are the new insurance salesmen, selling peace of mind. But when it comes to information that passes through the phone network (or remains there, as a recording or audit log), the system breaks down. The experts have to avert their eyes and mutter "out of scope". Advice takes on a duality with some of the information protected by iron bars and guard dogs, and the rest roaming freely around the countryside, virtually naked.

The problem is that parts of the phone network (the PSTN - the 'P' stands for Public) were put in place when Hitler was around, or certainly Mrs Thatcher. If you are devious with a head for heights, a pair of crocodile clips and some headphones, you can still leg up a telegraph pole and listen in on a selection of conversations, some of which will have credit card details and information about your medical symptoms and, hopefully unrelated, illicit affairs. These copper wires cannot be patched or fire-walled. The word 'telegraph' is in itself a giveaway. The calls cannot be encrypted, unless you are lucky enough to own a device called a scrambler (and are talking to a friend with the other one). Even recent voicemail systems, as most celebrities will attest, can be hacked by any Daily Mail journalist - you don't have to be a Russian ex-KGB agent.

Phone calls have been non-explicitly excluded from the data classification, a decision which becomes more patently nonsensical by the day. Run a selection of recorded phone calls though Google Speech Recognition (or Amazon, or Azure) and index and analyse them to save manual effort. The result will contain as much interesting data as any nonencrypted database.

This situation is not completely fixable (in the sense that PCI-DSS would like your data network completely and unambiguously locked down) but there is an opportunity to make the phone network more like the data network and deliver higher levels of security. As an increasing proportion of voice traffic is transmitted as VoIP, it could be subject to the same levels of encryption that you would expect from other data traversing the Internet. Organisations supplying call recording services or equipment can adhere to the same standards of data security that is expected from those handling sensitive data.

Yet, currently a tiny proportion of calls using industry standard SIP protocol are encrypted between carriers and handsets or desktop (technical note: the SIP and the audio are two parts of the call and both require encryption using SIPS and SRTP). The technology is available to do it but few bother to use it - BT don't even offer it at their interconnects. Well, why would they - you just need crocodile clips. Although a private network such as MPLS to the premises may improve data security on the last mile, it is almost certain that at some point each phone call will have traversed the Internet, let alone the PSTN. It could be argued that some carriers are ignoring this point in order to sell more MPLS connections.

So there is an opportunity here for IT and IG professionals to start asking questions of suppliers about how voice is delivered to their organisations and request a higher degree of data security than the norm. Even if the standards are turning a blind eye to the risk of phone data (and video) being hacked, this will enable them to take the moral high ground when the next major breach happens. Soon, some might predict.