Is VOIP secure?

USANomad asked the Answer Line forum if people can eavesdrop on Voice Over Internet Protocol (VOID) phone calls.

Yes, they can.

But that's true with cell phones and old-fashioned landlines, as well. From a technical point of view, phone companies and governments can pretty much listen to any wired or wireless conversation they want to. That's why we need privacy laws requiring search warrants to protect us.

Of course, phone companies and governments don't always follow the law. And even criminals without government or corporate connections can find a way to spy on your calls if they want to badly enough.

But these existing privacy issues get worse with VOIP calls, which have all of the security issues of the Internet and personal computing. If the person you're calling has a conventional phone line, you've got both kinds of security threats.

The digital data of a VOIP call can be intercepted anywhere along the complicated path from your router through the multiple servers until it goes out to the analog phone network. Assuming your VOIP service doesn't encrypt calls, whoever intercepts it can listen to it, as well.

Which raises the question: Does your VOIP service encrypt calls?

Skype does, with very strong, 256-bit AES encryption. You can read the details here.

But others are not as cautious. I know that Google Voice doesn't encrypt their calls because a Google spokesperson told me so. Yahoo didn't respond to my query, so I think it best to assume the Yahoo Voice (the service that USANomad uses) also lets their calls go out unprotected.

While encryption increases your safety, it doesn't guarantee it. Your own computer may be the weak point in your VOIP security chain. If your PC is infected, whoever is controlling the malware may be able to monitor your phone calls and get useful information off of them. I have yet to hear of a malicious program that monitors transmitted audio data for key words like "credit card number," but it's certainly possible.

The best solution is to do what you're probably already doing: Keep your security software up-to-date, scan weekly with another security program, avoid suspicious websites, and generally practice safe computing.

And, of course, your end is only half the problem. If the person you're speaking to is also on a VOIP phone, they have the same security issues. If they're using a cell or landline phone, their phones can still be tapped.

In the final analysis, there's no such thing as a totally secure phone call, but unless you have reason to believe that someone powerful has it out for you, you can achieve a reasonable degree of privacy. For more on the issue, I suggest this excellent blog post by Bruce Schneier.

Read the original forum discussion.

Contributing Editor Lincoln Spector writes about technology and cinema. Email your tech questions to him at answer@pcworld.com, or post them to a community of helpful folks on the PCW Answer Line forum.