News:

On Tuesday September 6th the forum will be down for maintenance from 9:30 PM to 11:59 PM PDT

Main Menu

Privacy?

Started by htims, August 27, 2017, 04:45:11 PM

Previous topic - Next topic

htims

Hi,
What info does Obihai have access to when using the OBI200 solely for google voice calling (2 lines)?

Also I read that Obihai could/can have access to my device, is there a way to prevent that while keeping the unit operational (assuming this is true)?

Thanks

SteveInWA

OBi devices, and Obihai, Inc, do not have, nor store, your Google password.

During Google Voice setup on an OBi, the OBiTALK web portal has you log into your desired Google account (the one that holds your Google Voice number).  It then shows you a pop-up window, confirming you are logged into the right Google account, and asks your permission for the OBi to access only the Google Chat/XMPP service on your Google account, and nothing else.  Then, it uses Google's OAUTH authentication method to exchange secure tokens with your device.  Only that encrypted token is stored, not your password.

Don't worry about it.

htims

Ok thanks. I noticed the OAth authentication so that was good.

Is it true obihai can/does have access to the device?

SteveInWA

Yes, but only for limited purposes (e.g. for setup of Google Voice, for remote firmware updates, and to help customers diagnose problems), and there has never been a report of a security incident or breach as a result.  Obihai is a small company of engineers, with no interest in selling or otherwise using your personal information.

GPz1100

#4
This is what I see when I log into my google account/connected apps and devices.

Google hangouts access I can understand, but the email address and basic profile info.

From further research it appears basic profile info potentially includes the following: user's ID, name, photo, URL, country, language, timezone, and birthdate.

If you're curious what your profile shows, try this link https://developers.google.com/+/web/people/ .  Scroll down to the 'try it' button and click.  Sign in to the google account, then it'll show you what your profile looks like.

From the link above it looks like the following info: Nickname, gender, email addr, display name, family name (last name?), photo (if set).  That's a lot of information.



Now, in comparison, refresh token access for google voice access in a pbx reveals only the hangouts permission.  



http://www.obihai.com/legal statement reads like most others.  These days we get so much spam and junk in email that it's truly hard to determine where it originated from.  For what it's worth, the obi box was set up with a brand new gmail address.  We haven't received any spam (or any email for that matter) in that account since its creation.  Perhaps what is bothersome is the request for this info.  Why need it for internal purposes if it's not going anywhere beyond the company....

SteveInWA

That is a perfect example of reading comprehension being distorted by a pre-conceived belief, or expectation of sinister intent.  The Google developer page is discussing information that the user voluntarily authors and posts in their public Google+ profile.  Google+ is a social media platform.

You can see whatever you may have entered in the past, and then add/delete/edit it as you wish, here:  https://aboutme.google.com/  You are in complete control, and no, this is not allowing some stranger to discover anything about you other than what you enter for the public to read, much like a resume/CV or business card.

OBiTALK is accessing that scope so that it can read your email address and Google Voice phone number, again, with your permission, to use the service.

GPz1100

Steve, my point is that google's basic profile info is *not* needed for the obi device to function. 

The only permission needed is hangouts.  I much prefer to keep my information or as much of it as possible private.  If you recall, I asked in one of the other threads if manually generated oauth 2 refresh tokens can could used.  Obihai already has all the information they need from the obitalk account registration. I suppose one could argue there is sinister intent since Obihai provides no mechanism for obtaining these credentials without the use of obitalk and requiring access to your information.

If I'm in error above, please indicate how my google basic profile is necessary in obi device operation.  From what I can see only 3 pieces of info are needed; google email address, google voice number, and refresh token (password).

We see this with many smartphone apps too.  Apps asking for unneeded permissions. A calculator app should not need access to my contact list.

SteveInWA

You are making a point purely for pedantic reasons.  There's no real-world issue here.  I'm not going to debate with you how the security and authenticity of Google accounts is protected by this procedure.  If you don't like how Obihai and Google have worked out their authentication procedure, then use a SIP ITSP instead

GPz1100

Amen brother!

Rather than belittling my comments, why don't you support your position.  Why does obi need access to my basic google profile when they already have my information from the obitalk registration??

I have several apps linked to the google account that need access to google drive.  Looking at permission details under connected apps & sites (https://myaccount.google.com/permissions) only google drive is listed next to "Has access to".