A column I wrote here caused a bit of a stir over the past few days.

Here’s a brief recap:

Andy Abramson opined that Fonality, a Southern California-based developer of PBXes built on top of the open-source Asterisk PBX, is “better poised” to move Asterisk into the large enterprise world than Digium, the Alabama-based company that developed and maintains Asterisk.

I wrote that it’s hard to disagree with that assessment because Fonality does “an exceptional job of marketing” and I don’t predict well. But I expressed concerns about security issues inherently related to Fonality’s approach, which puts much of the product’s front-end functionality on Fonality’s servers, requiring a Virtual Private Network (VPN) connection between the customer’s premises and Fonality in order to access much of that functionality.

There’s no question that Fonality’s approach makes Asterisk easier to install and use, but the trade-offs related to security — namely, that, in most office networks (specifically, those that do not put the PBX on a separate subnet) the solution requires a potentially risky VPN connection back to Fonality, and that Fonality has access to call detail records and chat logs that a business may want to keep secret.

In fairness, there are two things I should correct from my initial post:

First, I wrote that “all chats are logged by the central server. Any sensitive IM information within and outside the office through the local box is available to Fonality.” This is not technically correct. Chats are logged on the local premises computer. However, such logs are accessible, therefore available, to Fonality through the VPN.

Second, I regret writing that “. . . Digium doesn’t require an outside computer to be listening in . . . ” Though not written with that intent, I can see how this can be construed as implying that Fonality has access to actual phone conversations, which it does not.

These two slight corrections notwithstanding, I stand by the conclusion that “Fonality may very well be a good solution for some businesses. But those concerned about keeping company secrets are probably better served by Digium’s offering.”

The issues raised in the mini-uproar that followed my column, can be summarized as follows:

1. The Voxilla Store carries “a number of PBXs, none of which are from Fonality.” (Fonality CEO Chris Lyman on VoIPSupply’s Garrett Smith’s blog, also reprinted in entirety in the comments section of my original post.).

2. A Fonality customer can disconnect and reconnect the VPN at will (Lyman on Smith’s blog).

3. “[E]very phone company in the world” keeps call detail records (CDRs) (Lyman on Smith’s blog).

4. Fonality needs the call detail records because the company’s “high-end reporting functionality,” if run on underpowered customer premises computers, “would spike those CPUs into a coma, effecting audio quality. Remember, these premise boxes are designed to pass great audio, not crunch thousands of call records in under a second.” (Lyman on Smith’s blog);

5. The differences between Fonality’s products and a stock Asterisk installation is that Fonality is a partially hosted solution. “All hosted services have to deal with the issues raised by Marcelo . . . ” but “[m]ost premises based services don’t have all the benefits hosted models offer, and may be less cost effective, but deliver greater control of customer data.” (Alec Saunders). Along similar lines, Dameon Welch-Abernathy wrote that “as an IT person, it is your job to do your ‘due diligence’ to find out exactly how any software you deploy might ‘phone home’ or do anything you don’t like.”

There were a few others, but ultimately void of original material: I sell Fonality and disagree with “with most of what Marcelo had to say” because I agree with Lyman. (VoIPSupply’s Garret Smith). And Marcelo’s portrayal is “inaccurate . . . [but] I’m going to stay out of that battle” and point you to Chris Lyman’s point-by-point rebuttal to Marcelo’s assertions.” (Tom Keating, in a fawning review of Fonality’s most recent offering, PBXtra Professional Edition).

As they don’t add much to the discourse, I’ll pass on Smith and Keating. I will take a stab at the others.

1. The Voxilla Store carries an internet communications server (email, IM, contacts, calendar and PBX) developed by Communigate Systems. The Voxilla Store also carries the Linksys SPA9000, a PBX-key system hybrid limited to a maximum of 16 extensions that does not include voice mail capability. Neither of these products is based on Asterisk, and the Voxilla Store does not carry a single item from Digium. The point of my column was that Digium may present a more secure option to business than Fonality. Pointing out that we carry other PBXes on the Voxilla Store is a thinly veiled accusation of self-interested bias, even though Voxilla has nothing to gain when I compare two products we do not carry .

2. Of course, as Lyman writes, a Fonality customer can shut down the VPN, enabling it only when a PBX configuration change is needed. Such steps add a layer of complexity and essentially cripple much of Fonality’s usefulness. And they do not eliminate the security issues raised. A VPN connection is still required to make configuration changes, which then opens up the on-premises computer (call logs, chat logs, etc.) and the network within which it resides. And whenever the VPN connects the local network to Fonality’s, the local network is only as secure as Fonality’s. For some businesses, this may not be an issue, but I suspect that, for many, it’s an important consideration.

3. Yes, phone companies keep call detail records, but Fonality is a PBX company, not a phone company. When I make a cell phone call over the Cingular network, I am aware that Cingular is keeping a record of that call. But phone companies like Cingular (and AT&T, Verizon, etc.) are regulated, both at the federal and state levels. A PBX company is not regulated. The only protection a Fonality customer has is the company’s rather weak Privacy Policy. It states: “records may be viewed if required so by law, or if there is a suspected Terms of Use violation.” Only Fonality, not its customers, determine if there is a “suspected Terms of Use violation.”

4. The argument that Fonality needs to keep CDRs on its servers because on-premise computers are potentially too underpowered to parse them is just false. A record for a single call on an Asterisk PBX is about 200 bytes in length. In its press releases, Fonality claims the company currently services 1,300 customers with a total of 18,000 users. That’s an average of about 14 users per installation. Let’s exaggerate and say that, on average, each of those users makes and takes 1,000 calls (or about 40 a day). For any given month, then, the total size of the call detail logs for an average Fonality customer is about 7 megabytes, which any computer manufactured in the past 5 years can search and output results from in milliseconds.

5. In essence, Saunders and Welch-Abernathy are suggesting the same thing I originally wrote, though Saunders considers himself “an unabashed fan of hosted models.” As I wrote, and Saunders reiterated, the hosted approach has some advantages, including “ease of use.” But it does come with trade-offs.

I pointed out those trade-offs, Fonality CEO Chris Lyman chose to respond by asserting that what I wrote is “inaccurate” (and, on one count — in relation to where chat logs are stored — he is technically correct, though the security concern I raised still exists).

In the end, Lyman’s argument can be boiled down to this: What we do is no different than what the phone company does and “Fonality’s employees pride themselves on their ethics and it is an important part of our corporate culture.”

I have no reason to question Fonality’s ethics and nothing I wrote was meant to besmirch either Lyman or his employees. But Fonality’s offering is, in its very essence, a hosted PBX. In as much, it comes with certain risks that a business deciding between Fonality’s version of Asterisk and Digium’s version of Asterisk should be aware of.

I got a taste of how IOTUM’s Relevance Engine for personal communications works when I called IOTUM CEO Alec Saunders for an interview.

I was told by a nice ladylike voice that IOTUM had decided that Saunders wasn’t available to take my call. I was allowed to leave a voicemail and Saunders called me back from his car. Unfortunately, it was when my three phones were ringing simultaneously. If I had IOTUM that wouldn’t have happened.

The Ottawa-based company is going after the well-documented communications overload that most of us experience today.

We’re not imagining that we have so many interruptions that we can’t get any work done. Research by Gloria Marks of the University of California, Irvine reports that office workers are interrupted an average of every three minutes.

But tools like “do not disturb” aren’t much of an answer. Their operation is black and white — let all the calls through or shut everybody out. They don’t let allow you, for example, to take that call from your mother about your father’s heart attack.

Saunders thinks his company can bring some needed intelligence to that grey landscape between black and white. “We can’t help you with the guy who wants to come into your office to talk about his weekend but we can help with the phone,” he says.

IOTUM’s Relevance Engine manages communications based on your preferences and contextual information like where you are and what you’re doing — what IOTUM calls ‘context.’

The system uses things that an administrative assistant would use to make the same decision — for example, are you in a meeting or out of the office, or is it your children’s school calling. It looks at your calendar, your IM status, and the caller.

Iotum routes calls automatically to your cell phone when you’re out of the office and notes calling trends — like back-and-forth calls to the same person - to let important calls cut through the clutter. It even gives a higher priority to calls from people with whom you’re scheduled for a meeting that day, anticipating that it may indicate a change of agenda or that the meeting has to be rescheduled or postponed.

This sounds great. But too often smart systems demand a lot of configuration effort from users — relegating them to the “good idea, too much work” file. Saunders says that IOTUM has simplicity designed in from the start. “It’s a three step setup.”

First, you tell the system what numbers to reach you. The system automatically reads contacts from Microsoft Outlook. Second, you categorize your contacts — IOTUM will read the contact categories from Outlook. Third, you tell the system when you want and don’t want to be contacted. “IOTUM takes care of the rest,” says Saunders. “It’s very unobtrusive.”

The Relevance Engine resides on the network and integrates with all the places you have information about yourself like your address book, calendar, and instant messaging client.

IOTUM comes with an open XML interface and built in integration with the popular open source PBX, Asterisk. IOTUM can interface with any PBX, softswitch or media gateway, says Saunders. While the Asterisk interface is the company’s most popular, he says, “If there’s a programmatic interface it’s likely we can interface with it.”

IOTUM is also planning to integrate AIM phone and this feature will be available early next year.

The night before starting to write the first ever item for my first ever so-called blog, an incisive Alec Saunders (http://saunderslog.com/), Founder and CEO of Iotum (iotum) and one of the deservedly more prominent members of the so-called VoIP Blogosphere, laid down the gauntlet.

At a whiskey bar in Boston, where we both are attending the Fall VON show, I was yapping away (as I probably too often do, whiskey or no) about the sorry state of media coverage of VoIP and internet communications, which I causally linked to the fact that blogs and VoIP entered the mainstream at about the same time.

Here’s the life of a typical VoIP story, I told Alec (BTW: Any semblance to the actual conversation I had with Alec is intentional).

A new super cool gadget is built in a city somewhere near Guangzhou and a Public Relations Agent in Santa Monica sends out a press release to thousands of media workers (a list which, naturally, includes bloggers these days) in a language that closely approximates English but not enough so that the typical editor at newspaper can actually understand without having to consult Wikipedia every three words or so.

In the mean time, one VoIP blogger wakes up first after a long night of talking to his (sorry, in the world of VoIP blogging, it is almost always a he) new best friend in Hamburg using the latest super-cool, can’t-miss, USB-device for Skype that everyone … EVERYONE … should be using (until next week, of course, when a more super Skype device comes out).

The early canary (let’s call him Tim) reads the press release and understands instinctively that this new super cool gadget will solve all of VoIP’s problems (except, he forgets, all of the ones that actually matter). Through the magic of Ctrl-C and Ctrl-V (readers: replace CTRL with Command if you use an OS that works), Tim puts the press release online in a language that now more closely approximates Flemish. “Remember, you read it here first,” Tim types in at the end, knowing that, at least for one morning, the click-throughs to the PPC ad on the top of his blog are going to double from three to six and he’ll actually net 37 Google cents).

A half-hour later, a second blogger (let’s call him Alfred) wakes up and glances at the RSS reader that has been churning all night long at the Ikea desk in his bedroom. Alfred sees Tim’s entry, and knows instinctively that he has a job to do (afterall, being second is second-best to being first), and he gives “kudos” to Tim for breaking this all important story and then reprints the press release in a language that approximates no known language.

As the other VoIP bloggers come online and see that, to salvage any portion of the daily Google take, they have to comment on the new gadget Tim discovered in his email.

“I’ll be getting one of these babies soon,” writes one.

“Not me,” writes another. “How can they be using the Bluetooth stack 1.1? I have a version 2 dongle on my core duo with 32 gigs of memory and five 500-gig discs of RAID 10 SATA. The throughput on this dinosaur is 4 percent lower than it should be.”

“An interesting toy, but will it pass the “wife test?” asks a particularly boorish wannabe journo. (Note to wives of bloggers who ever use that term: The Nolo Press book on divorce is a lot less expensive than a lawyer and just as good.)

Another blogger who sees the press release, decides to write up the item without having checked to see if his fellow commentators on all things voice have covered it, at which point an indignant and clearly ego-bruised Tim fires back a 15 paragraph tirade against this blogger for not having mentioned that Tim had reprinted the press release first. “This is the problem with the liberal MSM,” writes Tim, in language and intellect shaped by a third-grade teacher at a New England prep school. “And now the problem is making its way into the blogosphere?!?!?!? How very very very … VERY … sad.”

When the king of all VoIP bloggers — you can call him EF Hutton, I’ll call him Omar — weighs in from his MacbookPro sitting at a wi-fi enabled espresso house in a city too blue to be carrying around a Texas Dell in — the VoIP blogosphere comes to a nano-second of silence.

“No real story here,” writes a non-impressed Omar as he sips on a Splenda-laced quad latte.

End of story in the blogosphere, which immediately moves on to the more important continuing question at hand of how the Vonage IPO killed VoIP and whether Voice 2.0 can save it.

By this time, it’s close to noon, and the news story is no longer news and has no place in a newspaper until Markoff or Mosberg mention it in passing a few weeks later, giving Tim more fodder to rant about. And the story hits the blogosphere again for another few hours.

Now Alec is a very nice man (he’s from Canada, where nice is still a good thing), and he allowed me to finish my monologue and then said to me that, given the fact that I toiled in the written word biz (at a couple of those so-called liberal MSM rags) for many years, I should do a blog myself and just STFU (or something like that, but much more tactful).

Challenge taken, Alec. Item #1 done. I’ll write about VON as soon as I find something newsworthy.