A column I wrote here caused a bit of a stir over the past few days.

Here’s a brief recap:

Andy Abramson opined that Fonality, a Southern California-based developer of PBXes built on top of the open-source Asterisk PBX, is “better poised” to move Asterisk into the large enterprise world than Digium, the Alabama-based company that developed and maintains Asterisk.

I wrote that it’s hard to disagree with that assessment because Fonality does “an exceptional job of marketing” and I don’t predict well. But I expressed concerns about security issues inherently related to Fonality’s approach, which puts much of the product’s front-end functionality on Fonality’s servers, requiring a Virtual Private Network (VPN) connection between the customer’s premises and Fonality in order to access much of that functionality.

There’s no question that Fonality’s approach makes Asterisk easier to install and use, but the trade-offs related to security — namely, that, in most office networks (specifically, those that do not put the PBX on a separate subnet) the solution requires a potentially risky VPN connection back to Fonality, and that Fonality has access to call detail records and chat logs that a business may want to keep secret.

In fairness, there are two things I should correct from my initial post:

First, I wrote that “all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.” This is not technically correct. Chats are logged on the local premises computer. However, such logs are accessible, therefore available, to Fonality through the VPN.

Second, I regret writing that “. . . Digium doesn’t require an outside computer to be listening in . . . ” Though not written with that intent, I can see how this can be construed as implying that Fonality has access to actual phone conversations, which it does not.

These two slight corrections notwithstanding, I stand by the conclusion that “Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering.”

The issues raised in the mini-uproar that followed my column, can be summarized as follows:

1. The Voxilla Store carries “a number of PBXs, none of which are from Fonality.” (Fonality CEO Chris Lyman on VoIPSupply’s Garrett Smith’s blog, also reprinted in entirety in the comments section of my original post.).

2. A Fonality customer can disconnect and reconnect the VPN at will (Lyman on Smith’s blog).

3. “[E]very phone company in the world” keeps call detail records (CDRs) (Lyman on Smith’s blog).

4. Fonality needs the call detail records because the company’s “high-end reporting functionality,” if run on underpowered customer premises computers, “would spike those CPUs into a coma, effecting audio quality. Remember, these premise boxes are designed to pass great audio, not crunch thousands of call records in under a second.” (Lyman on Smith’s blog);

5. The differences between Fonality’s products and a stock Asterisk installation is that Fonality is a partially hosted solution. “All hosted services have to deal with the issues raised by Marcelo . . . ” but “[m]ost premises based services don’t have all the benefits hosted models offer, and may be less cost effective, but deliver greater control of customer data.” (Alec Saunders). Along similar lines, Dameon Welch-Abernathy wrote that “as an IT person, it is your job to do your ‘due diligence’ to find out exactly how any software you deploy might ‘phone home’ or do anything you don’t like.”

There were a few others, but ultimately void of original material: I sell Fonality and disagree with “with most of what Marcelo had to say” because I agree with Lyman. (VoIPSupply’s Garret Smith). And Marcelo’s portrayal is “inaccurate . . . [but] I’m going to stay out of that battle” and point you to Chris Lyman’s point-by-point rebuttal to Marcelo’s assertions.” (Tom Keating, in a fawning review of Fonality’s most recent offering, PBXtra Professional Edition).

As they don’t add much to the discourse, I’ll pass on Smith and Keating. I will take a stab at the others.

1. The Voxilla Store carries an internet communications server (email, IM, contacts, calendar and PBX) developed by Communigate Systems. The Voxilla Store also carries the Linksys SPA9000, a PBX-key system hybrid limited to a maximum of 16 extensions that does not include voice mail capability. Neither of these products is based on Asterisk, and the Voxilla Store does not carry a single item from Digium. The point of my column was that Digium may present a more secure option to business than Fonality. Pointing out that we carry other PBXes on the Voxilla Store is a thinly veiled accusation of self-interested bias, even though Voxilla has nothing to gain when I compare two products we do not carry .

2. Of course, as Lyman writes, a Fonality customer can shut down the VPN, enabling it only when a PBX configuration change is needed. Such steps add a layer of complexity and essentially cripple much of Fonality’s usefulness. And they do not eliminate the security issues raised. A VPN connection is still required to make configuration changes, which then opens up the on-premises computer (call logs, chat logs, etc.) and the network within which it resides. And whenever the VPN connects the local network to Fonality’s, the local network is only as secure as Fonality’s. For some businesses, this may not be an issue, but I suspect that, for many, it’s an important consideration.

3. Yes, phone companies keep call detail records, but Fonality is a PBX company, not a phone company. When I make a cell phone call over the Cingular network, I am aware that Cingular is keeping a record of that call. But phone companies like Cingular (and AT&T, Verizon, etc.) are regulated, both at the federal and state levels. A PBX company is not regulated. The only protection a Fonality customer has is the company’s rather weak Privacy Policy. It states: “records may be viewed if required so by law, or if there is a suspected Terms of Use violation.” Only Fonality, not its customers, determine if there is a “suspected Terms of Use violation.”

4. The argument that Fonality needs to keep CDRs on its servers because on-premise computers are potentially too underpowered to parse them is just false. A record for a single call on an Asterisk PBX is about 200 bytes in length. In its press releases, Fonality claims the company currently services 1,300 customers with a total of 18,000 users. That’s an average of about 14 users per installation. Let’s exaggerate and say that, on average, each of those users makes and takes 1,000 calls (or about 40 a day). For any given month, then, the total size of the call detail logs for an average Fonality customer is about 7 megabytes, which any computer manufactured in the past 5 years can search and output results from in milliseconds.

5. In essence, Saunders and Welch-Abernathy are suggesting the same thing I originally wrote, though Saunders considers himself “an unabashed fan of hosted models.” As I wrote, and Saunders reiterated, the hosted approach has some advantages, including “ease of use.” But it does come with trade-offs.

I pointed out those trade-offs, Fonality CEO Chris Lyman chose to respond by asserting that what I wrote is “inaccurate” (and, on one count — in relation to where chat logs are stored — he is technically correct, though the security concern I raised still exists).

In the end, Lyman’s argument can be boiled down to this: What we do is no different than what the phone company does and “Fonality’s employees pride themselves on their ethics and it is an important part of our corporate culture.”

I have no reason to question Fonality’s ethics and nothing I wrote was meant to besmirch either Lyman or his employees. But Fonality’s offering is, in its very essence, a hosted PBX. In as much, it comes with certain risks that a business deciding between Fonality’s version of Asterisk and Digium’s version of Asterisk should be aware of.

I won’t dispute my friend Andy Abramson’s assertion, later echoed by the knowledgeable Ted Wallingford, that Southern California Asterisk front-end reseller Fonality is better poised to bring the open-source PBX into the large enterprise space than even Digium, the company behind Asterisk.

I won’t because I long ago gave up playing Swami in the unpredictable world of IP communications and because I can see that Fonality has done an exceptional job of marketing its product, its company and its CEO, Chris Lyman.

Still, I wonder whether Fonality is indeed the right solution for businesses — particularly those businesses concerned about security.

The company’s products include a $1,000 “Standard” Asterisk PBX and a $3,000 “Call Center” edition that features unlimited call queues, recording and other bells and whistles.

Each of the offerings packs a well-designed front end that makes the notoriously prickly Asterisk easier to use. But, unlike a stock Asterisk installation, Fonality’s offerings require a constant — and potentially worrisome — connection to the company’s own servers.

Though one can use Fonality’s products with any SIP- or IAX-based termination services provider, the company builds a Virtual Private Network (VPN) back to Fonality from all its installed PBXes.

Ostensibly, there are good reasons for this, particularly that all upgrades to the product occur seamlessly and with no need for operator interaction. Also, because all configuration changes to an installed PBX are made by logging into an account with Fonality’s servers, and those changes are then pushed back to the local PBX, the risks of operator error are somewhat mitigated.

But there is reason for concern. Ease-of-use comes with trade-offs.

First, because the link is over VPN, it is possible for someone at Fonality to enter the local PBX in a virtually undetectable manner. An unscrupulous employee can then run a network sniffer on the PBX and, if the local PBX computer is part of the office network (as is likely to be the case in most offices), the employee potentially has access to all the computers on the network.

Second, the level of information logged by and maintained on the Fonality server is staggering. The PBX comes with a built-in IM chat client and all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.

The central server also maintains a log of all call detail records (CDR). Fonality uses the CDRs when its customers want to see a calling history (i.e.: all outgoing sales calls made by an employee, all incoming customer support calls, etc.).

It can be argued, of course, that the phone company has a list of those calls (but not inter-office calls) as well. But Fonality is a hardware and software vendor, not the phone company.

Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering. It may be a bit harder to configure (though Digium is working feverishly to make Asterisk more user-friendly), but Digium doesn’t require an outside computer to be listening in and keeping track.