Ignorance is Not Bliss For Multinationals Considering IPT and VoIP
One night last spring I called counsel in Saudi Arabia from home. Skype had Saudi Arabia rates that would allow me to avoid Verizon's undisclosed--and likely exorbitant--charges. (When I asked Verizon for the cost of a call to Saudi Arabia, the rep said he couldn't tell me--I'd be charged based on whatever they were billed). Since I had downloaded Skype in the US, was using Skype in the US, and Skype offered the service, I was fine, right? Actually, no.
It turns out that IP telephony ("IPT") or VoIP is illegal in Saudi Arabia--even when limited to locations on a company's WAN. Since I don't travel to or have an office in Saudi Arabia, it was unlikely the Saudi government could/would come after me for one call. And because the person I was calling was on a cell phone, they would be receiving the call from an authorized carrier under Saudi law, and would be protected. But a multinational company's risk analysis could be quite different depending on the countries involved, the consequences, and its backup plans. And ignorance of those risks won't be bliss if, as is possible, bad things happen. Companies have to know the risks and mitigate them.
Know Your Risks
The risks an organization faces when using IPT range from trivial to huge. Where they fall along that continuum depends on the country, the manner in which IP telephony is being implemented, the underlying provider, the terms of the customer's contract with that provider, and/or the origination and termination points for calls. Risks can also vary based on the entity purchasing the underlying telecom services, equipment and software licenses used in connection with IPT, and whether IPT-related transfer pricing or other fee arrangements are in place between different parts of an organization.
All of this can be daunting. Saudi Arabia is only one of a number of countries in which IPT is simply illegal. Ethiopia recently joined that list--there, users of Internet telephony face significant jail time. In other countries, an organization that carries voice calls over its WAN may be deemed a telecom provider, meaning that it requires a license or comparable authority and is subject to a range of regulatory requirements. In all countries, IPT is legal only when IPT and/or the underlying telecom transport over which the voice call is made is purchased from a provider that holds the proper telecoms license or has appropriate authorization.
Different countries define "provider" differently. In Hong Kong, Skype is considered a provider of VoIP under Hong Kong law; in the US, Skype is not a telecommunications carrier under US law. In India, folks can use Skype over their Internet connection only between computers and only if they bought the Internet connection from a transport provider that holds the ISP license. So there are a lot of different subtleties you need to be aware of.
Many organizations assume IPT within the US and from the US to foreign countries--whether provided over their WAN or via SIP trunks bought from an authorized provider--is allowed. Not quite. While IPT is legal in the US, it cannot be used for international calls from the US if the foreign country objects.
In the EU, folks make a similar assumption about IPT's legality, but again they are only half right. Although IPT is allowed in the EU, that doesn't answer the question of whether an organization using IPT becomes subject to telecoms regulation. In most cases it will not, but there are some unexpected exceptions: In Italy for example, if one member of an organization orders telecoms services for another member with an Italian location, the member placing the order may be treated as a provider of electronic communications services. In Romania, the exchange of funds even tangentially related to IPT between entities within an organization can render one a provider of electronic communications services; without such exchange, you may be able to proceed with your plans without worry.
While off-net calls in the EU are not generally a problem, in both Ireland and Germany there are risks. In Ireland, for example, an organization that uses its WAN to transport voice calls and then terminates them off-net may be treated as a provider of electronic communications services unless all of the off-net calls are related to the organization's business or (arguably) the organization has a clear policy limiting employee use. In Germany, an entity using IPT for off-net calls may need to comply with certain consumer protection, secrecy and law enforcement access requirements.
The analysis for other countries--inside and outside the EU--can be equally nuanced. In APAC and EMEA countries such as the United Arab Emirates (UAE), India, Japan, Singapore and Taiwan, the age-old concept of the closed user group (CUG) comes into play--with the CUG having different meanings in different countries. IPT may be permitted for on-net calls between entities in the CUG and prohibited for other calls. And the permission may be revoked--rendering a company subject to regulation as a provider--if money changes hands. In South Korea, an organization needs a telecoms license if it sends IPT over its WAN, while in Singapore a license is needed only for off-net calls or on-net calls over the WAN between entities that are not majority-owned affiliates.
Most multinational corporations have a significant presence in China these days, and in the PRC you can enjoy large cost savings by using IPT. Unfortunately, IPT in the PRC is fraught with risk unless you buy it from China Telecom, China Unicom or China Mobile. Chinese laws make clear that only majority PRC government-owned entities (i.e., CT, CU and CM) can provide "basic"--meaning voice--services in China, and that using VPNs for "business activities" is prohibited. What the laws don't explain is whether VPNs mean those on the public Internet or include those over an MPLS or other private network.
Is your head spinning yet? Bottom line: It's difficult to generalize about how IPT is treated because treatment can differ--even within a country--based on the factors described above. You want clear, simple answers, and there are none.
Mitigate the Risks
What you can do is mitigate the risks you face. Knowing those risks is a necessary first step. If they are acceptable, you can move forward; if not, you need to consider ways to avoid/mitigate them, or just avoid IPT. Just as there are no clear answers to the questions above, there's no single list of mitigation tactics all organizations using IPT should follow. It all depends on an organization's planned rollout of IPT and its tolerance for risk.
Organizations with little or no risk tolerance may choose not to deploy IPT in any country where its use is illegal or requires authorization to act as a telecom provider. Others may be willing to obtain such authorizations and comply with ongoing regulation--particularly where failing to do so means forgoing the benefits of unified communications platforms. Still others may limit use of IPT to certain types of calls--e.g., between employees at company locations or between company locations in a single country. Some may be willing to forgo transfer pricing arrangements or limit IPT to business-related calls. A few may be willing to turn off encryption in countries that limit the length of encryption keys. Still others may believe it unlikely they will be caught, and simply take their chances.
For all but the last group, waiting for the authorities to knock on your door, or take down your service, or worse, because your use of IPT is violating local law is not a good option. You can (and should) protect yourself and your company by appreciating the risks you face and taking cost-effective steps to reduce or eliminate exposure to them.