It’s a well-known fact that conversations using Voice-over-IP (VoIP) technologies need to be encrypted to ensure privacy; after all, tools like Wireshark offer special modes for reconstructing a phone conversation from a packet capture. But according to this paper (warning: PDF file), encryption might not be enough.
From the paper abstract:
Despite the rapid adoption of Voice over IP (VoIP), its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that when the audio is encoded using variable bit rate codecs, the lengths of encrypted VoIP packets can be used to identify the phrases spoken within a call. Our results indicate that a passive observer can identify phrases from a standard speech corpus within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.
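To make the length leak concrete from the defender's side, here is an added example (not code from the paper or this post) that measures how much packet-length signal survives different padding choices and what each costs in bandwidth. The frame sizes, the 16-byte overhead and all function names are constructed for illustration; padding is a general mitigation for length leakage, and the post does not say which mitigations the paper evaluates.

```python
import math
from collections import Counter

# Constructed per-frame payload sizes in bytes for two different utterances
# under a hypothetical variable-bit-rate codec (not real codec output).
CALL_A = [20, 20, 38, 46, 46, 62, 38, 20, 10, 10, 28, 46]
CALL_B = [10, 28, 28, 62, 62, 46, 20, 20, 38, 38, 10, 10]
OVERHEAD = 16  # assumed constant per-packet cost added by encryption


def wire_lengths(frames, pad_to=None):
    """Packet lengths visible to a passive observer.

    Encryption adds only a constant, so an unpadded VBR frame size passes
    straight through. pad_to rounds each payload up to a multiple of it.
    """
    out = []
    for n in frames:
        if pad_to:
            n = -(-n // pad_to) * pad_to  # integer ceiling to the block size
        out.append(n + OVERHEAD)
    return out


def length_entropy(lengths):
    """Shannon entropy, in bits per packet, of the observed lengths."""
    total = len(lengths)
    return sum(c / total * math.log2(total / c)
               for c in Counter(lengths).values())


def padding_report(frames, pad_to=None):
    """Residual length signal and bandwidth cost for one padding choice."""
    raw, padded = wire_lengths(frames), wire_lengths(frames, pad_to)
    return {
        "distinct_lengths": len(set(padded)),
        "entropy_bits": round(length_entropy(padded), 3),
        "overhead_pct": round(100 * (sum(padded) - sum(raw)) / sum(raw), 1),
    }


if __name__ == "__main__":
    for block in (None, 16, 32, 64):
        same = wire_lengths(CALL_A, block) == wire_lengths(CALL_B, block)
        print(block, padding_report(CALL_A, block), "A == B on the wire:", same)
```

On this sample, padding to 32 bytes still leaves the two calls distinguishable; only padding every frame to the largest size (64 bytes here) makes their length sequences identical, at a 66.7% bandwidth cost.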