I use Google Voice along with other apps on Android (like GrooVe IP) and Windows 8 to leverage the VoIP features that Google offers. One of the most valuable features is how easy Google Voice makes it to give out a single number that can be programmed to forward voice calls to multiple different numbers. This can free you from the need to pay porting charges and allows you to configure your Google Voice number to ring incoming calls to other locations. With many contacts and friends in Sacramento, I keep my Google Voice number so that my friends in California will be sure to reach me, regardless of what phone I currently carry and what area code it is assigned.
My first indication of the potential trouble came when I was reviewing phones for TechRepublic. I'm normally paranoid about demo phones, but in order to review a mobile device accurately, you’ve got to use it the way you normally would. This means taking the device with you when you walk out the door. After a very hectic prior day, I woke up and could not find the demo device I was reviewing. I dialed the number in a panic, hoping to hear it ringing. I walked around the rooms listening for it, letting it ring, and was shocked to hear a voice answer. The person on the other end seemed unintelligible and disoriented. Figuring I must have misdialed and woken a complete stranger, I quickly hung up.
Later, I confirmed the number I had dialed was correct. When I realized they matched, it dawned on me that I had called the person who had physical access to the phone.
I called back and the same person answered. This time she was coherent and upset about being called at 4:00 AM. Confused, I explained that I reviewed mobile devices for an online technology blog. I had misplaced a demo device I was trying to track down, and I didn’t understand why dialing that device was ringing her home. Surprised, she said that she was also a technology blogger, but she couldn’t see any other connection. She was still relatively upset about being disturbed.
It was only later that I realized she must be forwarding her devices through a service like Google Voice to ring to her home. I considered calling her back to explain, but I figured after enough 4:00 AM wakeup calls from other bloggers, she would put it together herself.
Months passed, and the story slipped my mind until recently. A friend sent me a series of texts involving an elaborate prank that culminated with an inappropriate picture. The image never arrived in my inbox though. Instead, I received two delayed and cryptic responses. The first, “Ha ha… hook line and sinker… u can use the joke;” and the second, “note taken… number deleted.”
Following up with the sender revealed that after he sent the picture, he received a response telling him never to text that number again or I would call the police. The only problem was, I never sent that response. My friend had deleted my contact information and de-friended me on Facebook by the time I responded, certain that he had offended me.
Unfortunately, I was on the road at the time and had limited resources to figure out what was going on. It took me a while to realize that my friend was sending texts to my Google number, and that was what any response was listed as originating from. My texts were going to him, but his texts were going to me and someone else. In addition, when that other person responded, their texts only went to him. Neither the mysterious third party nor I ever saw the other side of the conversation, leading to a very disjointed exchange.
Here's what happened. Recently, I activated an old Droid X on an inexpensive pre-paid regional carrier. These carriers have smaller pools of phone numbers and a high turnover rate. When I settled in Arizona, I activated a Droid DNA on Verizon and allowed the regional number to lapse. The number was quickly put back into the available pool, and someone in NE Ohio selected it as their new one. Unfortunately, I had enabled Google Voice number forwarding to make my transient number transparent. Worse, I had forgotten to disable the number when I switched. All of my voicemail, texts, and even phone calls were still ringing through to that old number, which was now the number of an underage girl’s phone. Worse yet, her irate father was threatening to call the police on my friend over a very unfortunate misunderstanding.
As soon as I was back at a PC and could fix the issue, I did. I also sent a very apologetic text to the actual number, explaining the situation and assuring the recipient that the issue was fixed.
I'm troubled that the person on the other end had access to all of my texts, voicemail, and incoming calls and never followed up with senders until offended. It speaks to the basic insecurity of text messaging and why it's really unsuitable for sending sensitive data. I know how to manage these features, and it simply slipped my mind. Google’s ubiquitous services make it easy for BYOD employees to enable solutions like these without notifying IT, so these services are a legitimate threat. Although the experience was embarrassing and unfortunate, I thought it worth sharing to help other IT professionals put this on their radar as a potential liability in keeping their confidential company data secure.
Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his professional role is as a Linux support engineer for a fast-growing Linux/FOSS consultancy group. You can follow him @dcolbert on Twitter or his personal blog, located at http://donovancolbert.blogspot.com.