Privacy Law and Policy Reporter
The calling number identification privacy battle
Irene Graham ELECTRONIC FRONTIERS AUSTRALIA
Many people assume their wishes and directions about protecting their communications privacy, by way of silent/unlisted numbers and blocking transmission of calling number information, would be respected by telephone and internet service providers. Unfortunately, however, this is not always the case.
In an attempt to remedy this problem, three individuals (including the writer) jointly sent representative complaints to the Office of the Federal Privacy Commissioner (OFPC) and the Australian Communications Authority (ACA) in July last year. The complaints concern collection, disclosure and use of calling line identification (CLI) information, in particular silent and other blocked calling numbers, by telephone call carriers and internet access providers/internet service providers (ISPs). As stated in the complaints:
... some telephone call carriers are disclosing silent and other blocked calling number information to some ISPs. Some commenced doing so only in the past two months, and we understand others commenced doing so last year. We believe the vast majority of individuals who have silent and other blocked numbers are not aware that blocking is being over-ridden.
The disclosure of blocked calling number information to ISPs poses serious real world risks and consequences to individuals. We make this complaint first because we believe the respondents’ practices are in breach of law. Those breaches are all the more significant, however, because of the serious risks and consequences.
The complaints were lodged under the relevant provisions of the Privacy Act 1988 (Cth) and Telecommunications Act 1997 (Cth). Section 36 of the Privacy Act provides that ‘an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual’. Section 509 of the Telecommunications Act provides that ‘[a] person may complain to the ACA’ about a contravention of the Act (including Pt 13 — Protection of Communications) and/or about a contravention of a Code registered under the Act. The individual complainants appreciated the assistance of Electronic Frontiers Australia, the Australian Privacy Foundation and the Baker & McKenzie Cyberspace Law and Policy Centre in the preparation of the complaints.
The practices alleged to be in breach of the law involve telephone call carriers who are overriding calling number information blocking for the purpose of intentionally disclosing silent and other blocked calling number information that they have received in the course of carriage of a telephone call over their telecommunications network, beyond the terminating telephone exchange and into the local loop, so that the called party receives the blocked calling number. Specifically, this involves the following practices.
• The carriers are overriding blocking on calls terminating at 01983 numbers (and possibly other numbers). 01983 numbers are dial in internet access numbers provided by carriers to their ISP customers and in some cases to the carriers’ own subsidiary ISP. Customers of the ISPs use the 01983 numbers to dial in to an internet access service. The carriers have, evidently, relatively recently decided to place their ISP customers’ dial in numbers in an override category the same as, or similar to, that used to meet the requirement to disclose blocked calling numbers on calls made to ACA specified emergency services numbers. While overriding blocking on calls made to emergency services is specifically authorised by the Telecommunications Act, overriding on calls made to ISPs is not.
• Having overridden blocking, the carriers are disclosing silent and other blocked calling numbers to ISPs by way of:
— providing ISPs with a CLI based/caller name display (CND) service that includes silent and other blocked calling numbers (which would not be included if the carriers had not overridden blocking); and/or
— collecting silent and other blocked calling numbers from the CLI information of incoming telephone calls that terminate on (are answered by) the carrier’s own telephone call answering equipment (for example, Telstra MegaPoP equipment), and subsequently forwarding or disclosing the blocked calling number information to ISPs in a message that has nothing whatsoever to do with telephone signalling system messages.
Attachment 3 to the complaints titled ‘How CLI and CND Services Work’ provides detailed information about the technical process by which Telstra and other carriers are taking unfair advantage of their privileged access to silent and other blocked calling numbers for the purpose of intentionally and unnecessarily disclosing these to ISPs. It shows that the capacity in which the ISPs are receiving the calling number information is the same as any other organisational customer of CND services and that calling number information is not necessary for the provision of dial-up internet access. The fact that the information is not necessary is also apparent from a media release from the Internet Industry Association (IIA) dated 21 July 2003 which states that IIA’s draft Cybercrime Code ‘does not require ISPs to capture caller line identification (CLI) or caller name display (CND) data’ and the draft Code states ‘CLI information is generally not made available to ISPs at this stage’.
The ACA advised the complainants in early August 2003 that the matters:
... are of considerable complexity, both legally and technically. The ACA’s intention is to bring forward the work program it had already scheduled in relation to this matter, but it is not possible to say at this stage when it will be in a position to make a substantive response.
A month later, the ACA advised that their investigation had commenced and they were ‘satisfied that most of the issues raised ... should be regarded as systematic issues and that it is appropriate for the ACA to investigate them’.
The Federal Privacy Commissioner verbally advised in early September that the OFPC and the ACA had discussed the matter and decided that, instead of both agencies conducting simultaneous investigations, the OFPC would await the ACA’s findings and decision. Depending on that outcome, the OFPC would then decide whether or not to commence its own investigation into some or all of the matters raised.
In November 2003, the complainants became aware that the ACA had sent letters to some, perhaps all, ISPs requesting information about their receipt and use of CLI by 1 December 2003. A copy provided by one of the recipients shows that the letter would have made some ISPs aware that they were, at the least, in breach of the ACA registered Industry Calling Number Display Code (CND Code) if they were receiving blocked calling number information without consent and had not notified their customers of that collection.
Subsequently a number of ISPs sent notices to their customers stating they are collecting blocked calling number information whether or not the customer consents to the overriding of blocking. Some of these notices would have given the ISPs’ customers the impression that the collection was perfectly legal because the collection is claimed to be in accord with the provisions of the CND Code.
Prior to lodging the complaints, the complainants were aware that some carriers and ISPs contend that all carriage service providers (including ISPs) are permitted to collect, disclose and use CLI information, including blocked calling numbers, for four purposes referred to in the CND Code. These are fraud prevention, billing, call management and credit control. As stated in the complaints, the complainants:
... believe that such carriers and ISPs have misinterpreted the CND Code, and even if they have not, an industry code does not permit or entitle a carriage service provider to collect, use or disclose information in circumstances that breach the law. The CND Code cannot replace or diminish the consumer and privacy protection obligations of carriers and carriage service providers imposed by the Telecommunications Act 1997 and the Privacy Act 1988.
Attachment 4 to the complaints, titled ‘The claimed needs of dial-up ISPs: fraud prevention, billing, call management or credit control’, addresses those claims in detail and shows that calling number information is not necessary for the operation of dial-up internet access services and is rarely, if ever, even useful for the claimed purposes in the absence of the relevant customer’s prior knowledge and consent. For example, ISPs cannot use calling number information to prevent fraudulent use of a dial-up internet access account unless the particular customer has previously notified the ISP of the number/s they will be calling from. Customers who wish to receive this type of value added security protection (and do not travel or otherwise call from numbers not known in advance) can be advised by the ISP that if they have line blocking implemented, they will need to dial the unblocking code in order to use their internet access account. There is no need to collect the information covertly, nor without prior consent. Similarly, dial-up ISPs cannot use calling number information for credit control unless they know in advance the number/s from which a customer will be logging in. Further, they do not use calling number information to identify the customer account for billing purposes; the relevant account is identified from the customer’s internet access login name and password.
Seven months after lodging the complaints (as at 3 March 2004), the complainants are still awaiting the outcome of the regulators’ investigations. Meanwhile, carriers and ISPs continue to ignore the privacy preferences of customers and, in the complainants’ analysis, the law.
Copies of the complaints, which include an analysis of the relevant laws, and related attachments are available on the EFA web site at <www.efa.org.au/Issues/Privacy/cni-complaints/>.
Irene Graham, Executive Director of Electronic Frontiers Australia, <www.efa.org.au/Issues/Privacy/cni-complaints/>.