Clarke, Roger --- "ENUM - a case study in social irresponsibility" [2003] PrivLawPRpr 10; (2003) 9(10) Privacy Law and Policy Reporter 181

ENUM - a case study in social irresponsibility

Roger Clarke

ENUM is a proposal to tie together the longstanding voice telephony system and the newfangled Internet. Specifically, it is meant to provide a means of mapping from telephone numbers to IP addresses. As its proponents express it: ‘Today, many addresses; with ENUM, only one.’

Any such capability would be extremely dangerous, providing governments, corporations and even individuals with the ability to locate and to track other people, both in network space and in physical space. The beneficiaries would be the powerful who seek to manipulate the behaviour of others. It would do immense social, sociological and democratic harm.

The astounding thing is that the engineers responsible for it are still adopting the naïve position that its impact and implications are someone else's problem. With converged computing and communications technologies becoming ever more powerful and pervasive, engineers must be shaken out of their cosy cocoon, and forced to confront the implications, along with the technology and its applications.

ENUM's beginnings

Around 1980, an attempt was made to create a 'superdirectory' of people. It was undertaken through the International Standards Organisation (ISO) and took the form of the X.500 series of standards. For a variety of reasons, including its scale, technical weaknesses and the explosion of the Internet, X.500 failed to catch on. One element has survived, however, in the form of the (Lightweight) Directory Applications Protocol (LDAP).

A new attempt is being made to create an extensive directory of people. An alliance between the Internet Engineering Task Force (IETF) and the International Telecommunication Union (ITU) is seeking to create a standard called ENUM. The initiative appears to have originated in 1993 and was developed within an IETF Working Group (WG) from 1998 to 2000, but came to notice within the broader Internet community only in September 2000.

The initial specifications are in the process of being articulated, in part by the relevant IETF WG, and in part by an ad hoc industry association called the ENUM Forum.

Outline of ENUM

The specification is declared in an IETF Request For Comments (RFC) document, RFC 2916.[1] This in turn refers to a number of other IETF RFCs, in particular 2131, 2543, 2782, 2806 and 2915.[2] Reference material is consolidated at NGI (2001-).[3]

In RFC 2916, ENUM is described as 'the use of the domain name system (DNS) for storage of E.164 numbers'.[4] E.164 is the ITU standard that defines the format for telephone numbers, specifically for international and domestic long distance dialling. For example +61 2 6288 1472 is interpreted as an international dial code 61 (Australia), followed by the subscriber trunk dialling code 2 (which covers most of NSW and the ACT), followed by a local telephone number within that domain.

Put another way, E.164 enables series of digits ('telephone numbers') to be assigned to devices in countries throughout the world, so as to achieve uniqueness, and enable reliable selection of a desired device to connect with by means of the Public Switched Telephone Network (PSTN). The ENUM proposal is intended to establish a mechanism whereby E.164 numbers can be mapped to the IP addresses of devices that are not on telephone networks, but are Internet connected. The primary focus has been on voice, because Voice over IP (VoIP) is developing quickly; but the proposal would have application to all forms of data connection as well.

The scope is actually much broader than simplified descriptions like the one above suggest. More fully,

ENUM enables the use of phone numbers as identifiers of services defined as URIs on the Internet as well as facilitate the interconnection of systems that rely on telephone numbers with those that use URIs to route transactions.[5]

URI (short for Universal Resource Identifier) is a generic term for all kinds of object-identifiers used on the Internet, including web page addresses (correctly called URLs) and email addresses.
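The mapping described above, carried through as an added example (not code from the article or from the RFCs): it converts the article's sample number to its DNS name under `e164.arpa` as RFC 2916 specifies, then lists the contact URIs that a set of NAPTR records would disclose to anyone able to query that name. The NAPTR records and `example.net` addresses are constructed sample data, and Python's `re` module stands in for POSIX extended regular expressions.

```python
import re

ENUM_APEX = "e164.arpa"  # DNS zone that RFC 2916 uses for E.164 numbers

# One NAPTR RDATA line: order preference "flags" "service" "regexp" replacement
_NAPTR = re.compile(
    r'^\s*(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)\s*$'
)


def e164_to_enum_domain(number):
    """Strip non-digits, reverse the digits, dot-separate, append the apex."""
    digits = re.sub(r"\D", "", number)
    if not 1 <= len(digits) <= 15:  # E.164 numbers have at most 15 digits
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(digits)) + "." + ENUM_APEX


def parse_naptr(rdata):
    """Split a textual NAPTR RDATA line into its six fields."""
    m = _NAPTR.match(rdata)
    if m is None:
        raise ValueError("malformed NAPTR RDATA: %r" % rdata)
    order, pref, flags, service, regexp, replacement = m.groups()
    return {"order": int(order), "preference": int(pref), "flags": flags.lower(),
            "service": service, "regexp": regexp, "replacement": replacement}


def apply_regexp(regexp, number):
    """Apply a NAPTR 'delim ERE delim replacement delim flags' substitution.

    Returns the rewritten string, or None if the record does not apply.
    """
    if not regexp:
        return None
    parts = regexp.split(regexp[0])  # ['', ere, replacement, flags]
    if len(parts) != 4:
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    _, ere, repl, flags = parts
    subject = "+" + re.sub(r"\D", "", number)  # number with its leading '+'
    result, hits = re.subn(ere, repl, subject, count=1,
                           flags=re.IGNORECASE if "i" in flags else 0)
    return result if hits else None


def exposed_contacts(number, rdata_lines):
    """Return (service, URI) pairs a public lookup would reveal, in NAPTR order."""
    records = sorted((parse_naptr(line) for line in rdata_lines),
                     key=lambda r: (r["order"], r["preference"]))
    exposed = []
    for rec in records:
        if rec["flags"] != "u":  # only terminal 'u' records yield a URI directly
            continue
        uri = apply_regexp(rec["regexp"], number)
        if uri is not None:
            exposed.append((rec["service"], uri))
    return exposed


# Constructed sample records for the article's example number (not real data).
SAMPLE_NUMBER = "+61 2 6288 1472"
SAMPLE_RDATA = [
    r'102 10 "u" "mailto+E2U" "!^.*$!mailto:subscriber@example.net!" .',
    r'100 10 "u" "sip+E2U" "!^.*$!sip:subscriber@example.net!" .',
    r'100 20 "u" "tel+E2U" "!^\+61(.*)$!tel:+61\1!" .',
]

if __name__ == "__main__":
    print(e164_to_enum_domain(SAMPLE_NUMBER))
    for service, uri in exposed_contacts(SAMPLE_NUMBER, SAMPLE_RDATA):
        print(service, uri)
```

Every pair returned by `exposed_contacts` is an identifier that becomes linkable to the telephone number by a single unauthenticated DNS query, which is the exposure the article goes on to discuss.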

The Australian Communications Authority explains it this way:

The ENUM protocol is aimed at translating numbers stemming from the International Telecommunications Union (ITU-T) E.164 Recommendation into Internet Domain Names. ENUM will allow the linking of telephone numbers with other communications media such as email, fax and mobile numbers. For example, ENUM could enable one number to be used for home, work, mobile and email contact, allowing users to organise when and how they wish to be contacted eg 9 am - 5 pm at work (except between 1 pm and 2 pm when email is preferred), after 5 pm on a mobile and after 9 pm via email. It provides the link between telephone numbering and computer naming and addressing.[6]

The redirection of calls to an appropriate number was provided by the Telstra One Number service, using 0-500 prefixes. That service was withdrawn on 1 September 2002, because it failed to attract enough business. Services of the kind ENUM is designed to enable do not appear to have attracted much interest from consumers to date.

The primary driver appears to be the cost saving that large corporations could achieve by routing voice traffic over the Internet rather than via telcos. They are supported in this by relevant technology providers. The concern is that the design of the scheme may be to the serious detriment of consumers and citizens, because of the additional power that it is capable of providing to corporations and governments.

The proposals as expressed in RFCs 2916 and 2915 are fairly vague, defining data structures but not populating them, and creating potentials but not explaining what they are. The vagueness might just be a byproduct of applying the design technique sometimes referred to as 'top-down with step-wise refinement', leaving many details for subsequent articulation. But a sceptic would interpret the purpose as being to obscure some of the real intentions and capabilities of the scheme, and thereby to get the specifications accepted before their implications become apparent.

Considerable activity is currently being undertaken by an ad hoc industry association, the ENUM Forum, whose purpose is to complete the objective of defining a deployment of RFC 2916 in the US, and potentially other countries within the North American Numbering Plan (NANP), which includes the USA, Canada and some of the Caribbean.[7]

The current proposal is fraught with technical problems, and has attracted a great deal of criticism on those grounds alone. The primary concerns of this document, however, are with:


In order to identify the ENUM proposal's implications, it is first necessary to recognise the inroads that have already been made into the freedoms of citizens and consumers by the expansion of data surveillance methods, including identification and identity authentication, and location and tracking technologies.

A telephone number for many decades identified a socket in a wall to which a telephone was attached; the number was associated with a location. It could be inferred to be associated with a household, or a small group within an organisation, and hence with specific individuals; but such associations varied in their reliability, and needed to be considered in context. Hence, for decades, anonymous and pseudonymous calls were feasible.

For some time now, telephone numbers have been migrating away from being socket identifiers. For mobile or cell phones, they identify a handset, or a chip card within a handset. The handset or chip card is in most cases much more directly associable with an individual than was the case with wall sockets and fixed telephones.

A further feature of the telephone system through much of the 20th century was that the caller's location was not disclosed to the called party (although, of technical necessity, it was known to the service providers involved in the call). The default was inverted during the 1990s, with Calling Line Identification (CLI) imposed in order to benefit corporations. The vast majority of consumers are forced to accept the imposition, unaware that their number is disclosed or that they can block it on a per-line or per-call basis. (In Australia, it is almost impossible to find information about blocking on the telcos' websites, and the proportion of consumers who are aware of the per-call blocking pre-dial code (1832) appears to be minuscule.)

Moreover, locating handsets in physical space is intrinsic within the design of cellular technology. The system has to know which small (several kilometre radius), geographical cell the handset is currently within, in order to enable communications between the handset and the nearest base station. The policy implications of such person location and tracking technologies are analysed by the author elsewhere.[8]

A movement is in train intended to make handsets locatable to within a few metres, in the near future. This is being driven by an alliance of national security, law enforcement and corporate marketing interests, using as a justification the location of callers to emergency numbers such as US 911 and Australian 000. For people outside the 'club', these proposals are very difficult to track down. On an international level, they appear to be driven by a US initiative called Automatic Location Identification (ALI) and embodied in an ITU specification, set out in IMT-2000 and described in Recommendation ITU-R M.816. In Australia, they are being developed by an industry association, the Australian Communications Industry Forum (ACIF), under the codename Mobile Origin Location Indication (MOLI). The process has successfully avoided any significant public participation or even public exposure. As has been the case for most of the time since the project's inception, there were 'no documents for viewing' at 26 November 2002. At 7 March 2003, a few documents were locatable, each of them two to three years old, and none of them comprehensible.

Meanwhile, governments have been busily taking advantage of the increased public concerns about terrorism by increasing the ease with which national security and law enforcement agencies can gain access to call records, the content of conversations and message transmissions, and the location data contained within telecommunications systems.

Implications of ENUM

Rather than being seen as just an engineering challenge, the ENUM initiative has to be considered in the context of these rampant increases in the collection and storage of data that reveals people's communications and movements, and in the accessibility of that data. Note that the concerns are about privacy as it is understood by the population generally, not in the very narrow sense used by some computer scientists (that is, as data transmission security, or even just data transmission secrecy).[9]

Despite the fog that surrounds what the ENUM proposals actually are, the following aspects are apparent.

Firstly, the data that associates (or routes) an E.164 telephone number to a socket or device is currently managed by a system called SS7.[10] This is a secure system, and the data is accessible only by telcos and (under various circumstances) national security and law enforcement agencies. At least some of that data would now be stored in the domain name system (DNS), and hence accessible by everyone.

Secondly, the data that associates an E.164 telephone number to a person is currently maintained by the telco with whom the person is subscribed, and hence the databases in which that data is stored are highly dispersed. The person's identity is, in many cases, subject to relatively limited authentication. The records are subject to considerable restrictions on access, and to considerable data security. It is unclear what the ENUM proposal is or will be, but it quite possibly involves data about subscribers becoming part of the domain registry data schema (stored in what is commonly referred to as the RIPE database, or more popularly as the 'whois' database).[11] The contents of the domain registry databases are unprotected, and open to all comers. Some interpretations of the intention of the ENUM design expressly mention that personal information might be included within the scheme.[12]

Thirdly, everyone has very good reason to be concerned about the open availability of personal data associated with their telephone subscriptions, not least because of the way in which it would be abused by direct marketers. Large and still increasing numbers of people attempt to limit exposure of the data by paying in order to be 'ex-directory' or have 'silent' numbers. Some of those people seek obscurity because of their criminal activities or their attempts to avoid paying debts; but most do so for entirely legitimate reasons. Some just want a peaceful life, while 'different thinkers' who are 'swimming against the stream' want to be able to avoid pressure from the powerful interests they are speaking out against, generally large corporations or government ministries. The most direct problem is the many categories of 'persons at risk'[13] who desperately need the data to be hidden and/or pseudonymised in order to avoid threats to their safety.

Fourthly, the ENUM proposal expressly leaves open to each country whether it provides any choice to its citizen/consumers about the use of the service. Given the lack of freedoms in many countries, and the assault on freedoms currently being conducted by terrorists and governments alike, it is extremely unlikely that ENUM would be implemented other than in a highly privacy invasive form. IETF's association with the ITU in relation to ENUM appears to have resulted in abject caving in by the IETF WG to the desires of national governments, in a way that previous IETF WGs have never done.

ENUM would therefore carry much further the trend towards the strangulation of rights to anonymous and pseudonymous speech, and to concealment of one's location. If the scheme were successful, it would establish a unique contact number for each person. That number would be used as a personal identifier, and would facilitate surveillance of communications, and location and tracking of any and every person. That would, in turn, result in all of the chilling of non-conformism and the dire threats to privacy, freedoms and democracy that such social control mechanisms entail.[14]

The Australian Privacy Foundation recently submitted to a government agency study[15] that:

Electronic Frontiers Australia (EFA) identified the following issues for consumers:[16]

EFA found the following privacy issues:

For the EFA, the ENUM design also gives rise to a number of serious concerns in the areas of:

Responses by the ENUM WG

In an enlightened era, it might be expected that the ENUM initiative would be the subject of careful consideration from a public policy perspective. Nothing could be further from the truth. The intended standard is being devised by engineers who resent intrusions by people who don't belong to the fraternity, and who fail their responsibility to ensure that the idea is subjected to open, public debate.

The original documents demonstrate no appreciation of, or concern about, the implications of the initiative. The document contains neither the word 'privacy', nor any other reference to the proposal's social implications. When the question was raised with the Co-Chair of the WG, Richard Shockey, immediately after publication of RFC 2916 in late 2000, he merely attempted to rationalise the appropriateness of the Working Group, ignoring the concerns expressed to him.

Additional evidence of the moral poverty of the initiative is as follows.

None of the many privacy advocates that I have been in contact with is aware of any advocacy bodies having had any significant interaction with the IETF WG. This includes the primary organisations in the area, Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology, and Privacy International.

A US Government document shows that this blasé attitude to social impact is rife. In three short paragraphs in a 39 page document, an Advisory Committee to the Department of State declares that 'consumers should be cognisant of privacy implications'.[18] But it abjectly fails its duty to the American public to force the responsible engineers, and relevant policy makers and government officers, to even be cognisant of the massive privacy problems, let alone do something about them.

The attempt to sustain an amoral stance appeared at first to be carried over into discussions in Australia. For example, a slide set used in a joint presentation by the Australian Communications Authority (ACA), CSIRO and AARNet in May 2002 made a throwaway mention of privacy in its final slide, buried among implementation and business issues. Fortunately, the Discussion Paper issued by the ACA in September 2002 was a little more circumspect. The document expressly recognised that threats to privacy were embodied in the proposal,[19] and the questions it posed included several that related to policy issues, risks to the public, opt-in, and alternative approaches to security and privacy. It is unclear whether the ACA have taken on board the criticisms and recommendations in this paper, and the submissions of the Australian Privacy Foundation (APF) and Electronic Frontiers Australia (EFA).

In a belated acknowledgement that serious privacy issues arise from the ENUM proposal, Shockey wrote an Internet Draft, which was published in October 2002. This repeats the excuse that 'administration, management and control of the zones and administrative portions of the E.164 plan are nation-state issues'.[20] The Draft canvasses ways in which identification data could be obscured, but fails to reach any conclusion, and it fails to propose any changes to the draft standards: 'The concept of a Service Resolution Service has not been defined in the IETF, however it is within the realm of technical possibility'.[21]

Worse, Shockey specifically rejects the notion that the design should embody consumer and privacy protections:

A variety of businesses and enterprises may wish to expose and individually describe the maximum number of contact points in the global DNS in order to facilitate communications by calling parties by the most convenient means available. Consumers may prefer information about them to be masked or aliases in the DNS, in order to benefit from advanced IP communications, such as SIP, while preserving personal preferences and privacy. What is important is ENUM and the global ENUM system is flexible enough to permit either concept.[22]

Shockey, Fältström, their fellow WG members and the corporations that stand behind them, are trying to hide behind the lame old excuse that technology is neutral. They know that in some countries the technology that they propose will be used by powerful marketers to abuse consumers' interests; and that in some countries it will be used by agencies of government to abuse citizens' rights. But they seek to avoid culpability for the harm that will arise should their design be implemented.


Fifteen years ago, it was already abundantly clear that information technologists had to:

Contemporary information technologies are enormously powerful, and pervasive. The failure of the designers of ENUM to reflect the public interest, and to ensure informed public debate, is either inexcusably naïve or inexcusably amoral. The movement needs to be exposed, and the ITU and IETF forced to either abandon their tool for despots, or recognise the enormous implications of such a standard, abandon the pretence that their work is value neutral, and open the activity up to public scrutiny and participation.

ENUM, as presently conceived, must be comprehensively rejected. The IETF Working Group must be told to start again, with an expanded set of objectives and constraints, an expanded membership (with public interest advocates directly involved in the process), and an express responsibility to inform and involve public interest advocates and the public more broadly.

Next steps

The purpose of this paper has been to identify and explain the serious negative implications that ENUM has for citizens and consumers, and to decry the abject failure of the engineers responsible for the proposal to act appropriately.

To switch into problem solving mode is fraught with difficulties, because of the lack of digestible information available, and the lack of a privacy advocate and consumer voice in the relevant fora. The following suggestions are therefore necessarily tentative indications of the kinds of measures needed to address the problem.

For technologies as powerful and threatening as this, it is not sufficient to rely on legislation, codes of practice, Memorandums of Understanding and undertakings, nor on secondary privacy enhancing technologies that mitigate the harm in the primary privacy invasive technology, nor even on privacy protective features within the primary technology. Privacy has to be 'designed in' to make it inherent within the technology and to create difficulties for corporations and governments that want to implement it in a manner aggressive to the interests of consumers and citizens. This is what Lessig had in mind when he wrote about 'west coast code' (computer and network architecture) as compared to 'east coast code' (laws).[24] To defer consideration of privacy until the technology is in place is just as morally repugnant as the designers of nuclear weapons assuaging their consciences by urging funding for research into nuclear bomb proof shields and radioactive decontamination methods.

Opt-in must be intrinsic, and not left to the choices of nation-states. Most countries are undemocratic, abusive of citizens' rights as espoused in international instruments, and unprotective of consumers' rights. The concept of 'calling party control' would appear to be at the heart of the problem. Making the alternative of 'called party control' the sole mode of operation might make a very substantial contribution to relieving the scheme of its sting.

It is especially critical that nymity protections be intrinsic, not afterthoughts, not deferred for future consideration, and not optional extras. This can only be achieved if nymous proxies are designed-in, such that the scheme will not function without them. (A future article in PLPR will further develop that notion. In the meantime, see Clarke (1999a)).[25] Yet the critical feature referred to as the 'Service Resolution Service' has been left undefined. IETF cannot shelter behind a simple hierarchical view of technologies, and permit its Working Groups to define the hard-but-important questions to be out of scope, and someone else's problem.

The sights of the designers must be raised far beyond the narrow confines of the US. These standards will apply to the world, and must belong to the world. They cannot simply be considered within the context of US telecommunications infrastructure, political economy, and law. The international and non-US nature of the IETF and ITU makes that clear enough. Another reason is that ENUM products will be made for the world market, and US companies routinely trial their more privacy-invasive technologies in less free countries (like Thailand, the Philippines, Vietnam, the PRC). The technologies that are deployed in the US will therefore contain the same privacy intrusive features that made them attractive to governments of unfree countries.

Roger Clarke, Principal,

XamaX Consultancy.


Roger Clarke acknowledges the efforts of others who have conducted analyses of the ENUM proposal, including: EPIC in Washington DC; Julie Cameron of the APF; and Richard Chirgwin and Irene Graham of EFA. Thanks also to John Morris, who is responsible for CDT's Standards Project.

Roger Clarke is a Director of both the APF and EFA. The judgements and remarks in this paper are his, not those of his colleagues, nor of any of the organisations he is associated with.

An earlier version of this paper was presented at the ISOC-AU Forum on New Protocols and Standards-Setting in Australia, 3 December 2002. The PowerPoint slides to support the presentation are at <>. A version of this paper containing hot-links is at <>.

Further references

ACA 'ENum' Australian Communications Authority 2002 at <>.

Borland J 'Technology uses one number to find you on any device' Nowhere to hide column CNet News 17 May 2001 at <>.

Cybertelecom 'DNS: ENum' 2002 at <>.

EPIC 'ENUM' 2001 at <>.

Huston G 'The Lord of the numbers' ISP Column May 2002 at <>.

IETF WG 1998 at <>.

ITU (2001) 'ITU ENUM Activities' International Telecommunication Union at <>.

Rosencrance L 'Phone number-to-email service raises privacy concerns' Computerworld 5 October 2001 at <,4814,64475,00.html>.

Rutkowski A 'The ENUM golden tree: the quest for a universal communications identifier' inform 3 2 April 2001 (97-100) at <>.

The Times 'One number and no escape anywhere' 3 September 2001 at <,3-2001303964,00.html>.

[1] IETF (2000d) 'E.164 number and DNS' RFC 2916 Information Engineering Task Force September 2000 at <>.

[2] IETF (1997) 'Dynamic host configuration protocol' RFC 2131 March 1997 at <>.

IETF (1999) 'SIP: session initiation protocol' RFC 2543 March 1999 at <>.

IETF (2000a) 'A DNS RR for specifying the location of services (DNS SRV)' RFC 2782 February 2000 at <>.

IETF (2000b) 'URLs for telephone calls' RFC 2806 April 2000 at <>.

IETF (2000c) 'The naming authority pointer (NAPTR) DNS resource record' RFC 2915 September 2000 at <>.

[3] NGI (2001-) 'ENum Reference Materials' Center for Next Generation Internet at <>.

[4] Above note 1 p 1.

[5] Shockey R 'Privacy and security considerations in ENUM' Internet Draft October 2002 at <> p 3.

[6] ACA 'Introduction of ENUM in Australia - discussion paper' Australian Communications Authority September 2002 at <>.

[7] See <>.

[8] Clarke R 'Person-location and person-tracking technologies: risks and policy implications' Proc 21st Int'l Conf Privacy and Personal Data Protection 13-15 September 1999 pp 131-150. Revised version in Information Technology & People 14, 2 (Summer 2001) 206-231 at <>.

[9] Clarke R 'Introduction to dataveillance and information privacy, and definitions of terms' August 1997 at <>.

[10] Such as PT 'SS7 Tutorial' Performance Technologies Inc at <>.

[11] RFC 2650 (1999) 'Using RPSL in practice' August 1999 at <>. RIPE (2002) 'RIPE database reference manual' 15 August 2002 at <>.

[12] Such as Darling P 'NGN issues - numbering and addressing' Australian Communications Industry Forum (2002) at <> slide 15.

[13] Clarke R 'Persons at risk' in 'Research challenges in emergent e-health technologies' July 2001 at <>.

[14] Clarke R 'Just another piece of plastic for your wallet: the "Australia card" scheme' Prometheus 5,1 (June 1987) at <>.

Clarke R (1988a) 'Information technology and dataveillance' Commun ACM 31,5 (May 1988) 498-512 at <>.

Clarke R (1988b) 'Economic, legal and social implications of information technology' MIS Qtly 12,4 (December 1988) 517-9 at <>.

Clarke R 'Human identification in information systems: management challenges and public policy issues' Information Technology & People 7,4 (December 1994) 6-37 at <>.

Clarke R 'Chip-based ID: promise and peril' Proc Wksp on 'Identity cards, with or without microprocessors: efficiency versus confidentiality' at the Int'l Conf on Privacy Montreal 23-26 September 1997 at <>.

[15] APF 'Submission to the Australian Communications Authority' Australian Privacy Foundation 2 November 2002 at <>.

[16] EFA 'Submission to the Australian Communications Authority' Electronic Frontiers Australia 18 November 2002 at <>.

[17] Such as at <>.

[18] ITAC-T 'Report of the Department of State ITAC-T Advisory Committee Study Group A Ad Hoc on ENUM' 6 July 2001 p 24 at <> (viewed and printed in late 2001, directory no longer accessible on 18 November 2002).

[19] Above note 6 pp 8-9.

[20] Above note 5 p 2.

[21] Above note 5 p 6.

[22] Above note 5 p 7.

[23] Above note 15 (1988b); Clarke R 'Asimov's laws of robotics: implications for information technology' IEEE Computer 26,12 (December 1993) 53-61 and 27,1 (January 1994) 57-66 at <>.

[24] Lessig L Code and Other Laws of Cyberspace Basic Books 1999; Lessig L The Future of Ideas Random House 2001.

[25] Clarke R 'Identified, anonymous and pseudonymous transactions: the spectrum of choice' Proc User Identification and Privacy Protection Conf Stockholm 14-15 June 1999 at <>.
