The Calling Number Identification Privacy Battle Silent numbers, CLI, carriers and ISPs

1. The Calling Number Identification Privacy BattleSilent numbers, CLI, carriers and ISPs Irene Graham Electronic Frontiers Australia Inc. www.efa.org.au 8 September 2003

2. Session Outline • Brief overview of EFA • Covert privacy invasive practices • Carriers over-riding calling number blocking • ISPs collecting unnecessary info regardless of customer expressed privacy choice • Complaints to regulators - ACA & OFPC • Jointly lodged by three individuals, 28 July 2003 • Breach of privacy protection laws • Serious risks and consequences

3. About EFA • Non-profit nation-wide association • Representing Internet users concerned with online rights and freedoms • Established in 1994 • Funded by membership subs & donations • Independent of government & commerce • Not a branch or affiliate of USA EFF • similar goals, policy may sometimes differ

4. The Battle Begins “CND (Calling Number Display) could be turned on by Telstra for all calls to Internet points of presence. We want it turned on.” – Justin Milne, Chair of IIA’s Cybercrime Virtual Task Force and Chair of IIA 2002 in Big Brother is looking to read your e-mail, Sydney Morning Herald, 7 May 2002

5. Telstra Cites Obstacles “[Telstra] is citing technical, commercial and privacy concerns as obstacles to clear before it can allow ISPs to override blocks on caller line identification. ... Mr Court said ISPs were unlikely to be given caller line identification en masse. Telstra might charge a fee for the service and this would be determined by negotiation with ISPs on an individual basis.” ISPs want caller ID, The Australian IT, 25 June 2002

6. Privacy Rights Ignored • Carriers began covertly over-riding caller choice blocking in 2002 • On dial-up calls to some, not all, ISPs • Very few telephone users made aware • Telstra notification 2003 unclear • Line Blocking Service “Not available for calls to 000 or MegaPoP National access service” (Tiny footnote in Telstra News Issue 8, Dec-Feb 2003) • No notice by other carriers, e.g. Optus, Comindico, to telephone subscribers

7. How Blocking is Over-ridden

8. Privacy Issues & Risks • ISPs have a massive amount of personal info and ability to datamine and match... “And here's the somewhat scary bit. ...there's not much we [ISP OzEmail] couldn’t find out about the online life of our customers. ... This is becoming irresistible to both marketers and governments, who often share the view that they have a God given right to access private information about the general public.” – Justin Milne, General Manager of OzEmail ISP, May 2000 http://www.austlii.edu.au/au/journals/PLPR/2000/26.html

9. Privacy Issues & Risks • ISP staff access to CN info operates much like a reverse phone-book • Look up who lives with who, who visits who • Track individual’s travel, geographic location • Disclosure, even to customer, could result in bodily harm or death • Risk of blackmail of ‘anonymous’ participants in online chat forums, etc. • Security of CN info often inadequate • No audit trail, risk of hacking/cracking, etc.

10. Privacy Protection Laws • Telecommunications Act 1997 (C'th) • Part 13 - Protection of Communications • Penalty - imprisonment for max. 2 years • Silent number use/disclosure restricted • Industry to develop calling line ID Code • Privacy Act 1988 (C'th) • Applies to private sector organisations (incl. telec. industry) from Dec 2001 • However, most businesses with turnover under $3m p.a. exempt • Estimated 70% of ISPs exempt (400 of 560)

11. Calling Number Protection • AUSTEL guidelines/rules 1997 • “Line and per call blocking must be able to be implemented and be effective on all calls, including calls to Intelligent Network services (IN services) such as 1800 and 13 services” except on calls to specified emergency services • ACIF CND Industry Code 2000 • Registered, enforceable by ACA • 2003 revision: “Suppliers (including ISPs) must not take steps to override a Caller’s Permanent Line Block without the Caller’s consent.”

12. Claimed Needs of ISPs • Spam prevention • Spammers using pre-paid anon accounts • Far more effective and non-privacy intrusive technical methods available to ISPs • Fraud prevention, bill, call management or credit control • Telstra “Detrimental Effect Advertisement” 2002 • From CND Code re use by carriers, not ISPs • Assist LEAs as “reasonably necessary” • No legal obligation to routinely collect or retain

13. Summary • Calling number info is not necessary for provision of dial up Internet access • Can facilitate value added services • Rarely if ever even useful to ISPs without customer prior knowledge and consent • Customer privacy choice should prevail • To be seen whether regulators have/ acquire sufficient technical knowledge to see through ambit claims of industry

14. The Tip of the Iceberg? • Covert disclosure may be widespread • Allegedly blocked calling numbers also being disclosed to: • Recipients of calls to 13 and 1800 numbers where recipient pays part or all cost of call • All offices/tenants in buildings where building owner has a particular type of arrangement with a carrier for telephone services to building

15. More Information • Copies of complaints to ACA and OFPC http://www.efa.org.au/Issues/Privacy/cni-complaints/index.html • How CLI and CND Services Work http://www.efa.org.au/Issues/Privacy/cni-complaints/cni-technical.html • The Claimed Needs of ISPs http://www.efa.org.au/Issues/Privacy/cni-complaints/cni-isps-noneed.html • Privacy Risks http://www.efa.org.au/Issues/Privacy/cni-complaints/cni-isps-risks.html