Net phone customers brace for 'VoIP spam'

Some computer security and privacy experts are warning that such a day may not be far off for customers of new Internet phone services, which marry the immediacy of a voice call with the conveniences--and inconveniences--of e-mail.

That could be unwelcome news for those who believe telemarketing is already so bad it can't possibly get any worse.

"The fear with VoIP spam is you will have an Internet address for your phone number, which means you can use the same tools you use for e-mail to generate traffic, said Tom Kershaw, a vice president at security specialist VeriSign. "That raises automation to scary degrees."

So-called voice over Internet Protocol (VoIP) services have begun winning converts thanks to cheap rates and a slew of features that traditional phone companies can't match. But consumers who adopt the technology could pay a steep price if "VoIP spam" takes hold.

There are now only about 600,000 commercial Net phone subscribers, a market too small for the attention of big telemarketers. But the VoIP market is growing fast. Technology research firm IDC predicts VoIP revenue will grow from $3.3 billion in 2003 to $15.1 billion by 2007.

Once the numbers begin to add up, it's all but inevitable that new marketing techniques will spring up to take advantage of VoIP's strengths.

Like e-mail, VoIP calls find their way by locating an IP (Internet Protocol) address, a unique set of numbers assigned to each device connected to the Web. By contrast, calls made over the traditional phone network are routed by instructions taken from a 10-digit telephone number. Using VoIP, telemarketers can send messages to thousands of addresses at a time, rather than tying up a single phone line to make one call.

The biggest likely impact of VoIP spam will be on voice mail boxes. They'll dutifully record every message they receive, while a human answering the phone will likely hang up within a few seconds. That could have a tremendous effect on VoIP providers that offer free voice mail; they would have to expand their storage capabilities to handle the additional spam messages.

Consider software from Frederick, Mass.-based Qovia, which seeks out the IP addresses assigned to phones, then sends each a 30-second recording. Its pace--1,000 synthetic calls every five seconds--is a quantum leap from the automated "Demon Box" dialers that telemarketers use now.

Qovia Chief Technology Officer Choon Shim said the company didn't create its VoIP spam generator to send "30-second calls about Viagra to millions of phones." Rather, it was to serve as a wake-up call of what could be a devastating problem for the growing Net phone industry, Shim said.

Aside from the pride of proving a concept, there are some benefits to generating so many messages. There has been interest from government agencies, Shim said, which have begun exploring how to use the VoIP spam generator to replace emergency broadcasts over television and radio. Information technology managers at companies wrestling with a large number of mobile workers could use VoIP spam to better manage the devices.

"We are not about selling tools to telemarketers," Shim said. "But these things are very easy to write, as we've shown in our labs. We can't stop other people from creating their own tools."

A trickle for now
So far, there have only been isolated cases of spam to homes, and only one known example of a corporate VoIP network spammed so heavily it was paralyzed, according to a handful of carriers surveyed this week.

"There are just so few customers in relation to what's available over landlines, that there's really no reason for telemarketers to even begin to think about it," said Gary Morgenstern, a spokesman for VoIP dealer AT&T.

Still, the issue appears to be gaining attention in some influential circles. The nation's two largest long-distance companies, AT&T and MCI, say the VoIP spam issue is on their agenda. And about six weeks ago, the United States Telephone Association (USTA) identified VoIP spam as one of the next major headaches, from a regulatory and day-to-day operations perspective.

"This threatens to be a big problem in the future," a USTA representative said.

Notably, telemarketers that use VoIP to target Net phone customers may not be required to comply with the Federal Trade Commission's recently created Do-Not-Call list, computer security and privacy experts said, citing uncertainty over its status.

"VoIP spam fits very nicely into yet another void in existing regulation," said Ray Everett-Church, a principal with privacy consultants ePrivacy Group in Philadelphia.

Commercial VoIP carriers say they are working to protect their customers. For example, Vonage, the largest residential VoIP services provider with some 200,000 subscribers, said it assigns phone numbers along with IP addresses, making it more difficult for spammers to generate hundreds of calls per minute, according to a company representative.

An MCI spokeswoman said VoIP spam is "not an issue on the network because we are engineering a solution to prevent it." She said the company knows of no incidents to date of VoIP spam on the MCI network.

The problem is still so new that it has largely gone unnoticed, Everett-Church said.

One of the first Net phone spams didn't cause much of a stir, he recalled. The recipients thought the pre-recorded telemarketing call they received was a harmless error on the part of the phone company.

But when people with two Net phone lines, assigned sequential telephone numbers, got the same pre-recorded call within seconds of each other, "it was very clear to them that their phone was being spammed," he concluded.