---

ACA Letter and Decision in response to complaint

Below is a copy of the Australian Communications Authority's letter and decision dated 19 August 2004 in response to a complaint sent on 28 July 2003 regarding disclosure of silent and other blocked calling number information to ISPs. (The below document has been converted to HTML from a Word format file).

(See separate page for Complainants' Commentary & Explanatory Notes on the ACA Decision, 9 Sep 2004)

---

[Australian Communications Authority letterhead]

File Reference:        ACA2004/469

M[s]Irene Graham
...

Dear M[s] Graham

The ACA has completed its investigation of the matters raised by you, Mr Roger Clark and Mr David Fitch in your correspondence of 28 July 2003. As indicated in my letter to you dated 23 March 2004 the complexity of the matters raised by you and the responsiveness of some parties has meant that the investigation has taken longer than initially anticipated.

In acknowledgement of the comprehensive manner in which your complaint was presented I present the ACA's analysis and findings report in some detail at Attachment 1. The report commences with some background comments, outlines how the investigation was conducted, discusses is some detail the various matters raised in your complaint and concludes with a series of decisions made by the ACA.

The ACA believes that the matters raised by you, Mr Roger Clark and Mr David Fitch have been comprehensively investigated and I thank you for your input to the investigation and for your patience.

The ACA does not at this time propose pursuing prosecution of any carrier or ISP regarding apparent breaches of the Act and the code. While I am aware this is not the redress sought by you, the ACA believes that given the absence of malicious intent the measures proposed by the ACA will correct inappropriate behaviours. In particular they will provide customers of ISPs with information regarding disclosure and use of CLI upon which they can make informed choice regarding their relationship with their ISP, and will allow the customers of phone services to understand the circumstances in which unlisted numbers and CND blocking may not effective prevent the disclosure and use of their CLI.

The ACA has an appreciation of the time and effort you, Mr Clark and Mr Fitch expended in developing and writing your submission of July 2003 and also appreciates that the matters you raised are legitimate and display you commitment to protecting the privacy of Australian telecommunication users. However as regulator of the telecommunications industry the ACA seeks to achieve a balance between individual rights and support for a telecommunications industry which is efficient, competitive and responsive to the needs of the Australian community and which promotes the long-term interests of end-users.

Given your interest in the privacy of Australian telecommunications users and strong advocacy skills might I suggest that you, Mr Clark and Mr Fitch consider contributing to a review of the code which is scheduled to take place in mid 2005. Notice of this review will be advertised in major newspapers and will also be advised on the ACIF Internet site.

As stated in decision 15 of the attached report the outcomes of this investigation will be conveyed to the Office of the Federal Privacy Commissioner.

If you would like to discuss any of the details contained in this letter I invite you to contact [... on telephone .... ...] has had carriage of this investigation and is best placed to discuss details with you.

Yours sincerely

John Haydon
Executive Manager
Community and Universal Service Obligation Group

19 August 2004

Enclosure

Attachment 1 Report of investigation, analysis and findings.

---

ATTACHMENT 1

Report of investigation of alleged breaches of the Telecommunications Act 1997 and the ACIF C522:2003 Calling Number Display Industry Code

Background

1.        On 29 July 2003 the ACA received a written complaint alleging breaches of the Telecommunications Act 1997 (the Act), the ACIF C522:2003 Calling Number Display Industry Code (the code) and the Privacy Act 1988.

2.        The written representation to the ACA was lengthy and complex, however claims discernable in the complaint are characterised as follows:

1. Telstra Corporation Limited (Telstra), Comindico Australia Pty Ltd (Comindico) and Optus Networks Pty Ltd (Optus) are providing calling line identification (CLI) to some of their Internet Service Provider (ISP) customers. CLI provides these ISPs with caller identification information regardless of whether permanent or per call blocking has been enabled on these lines. That is, the default blocking of calling number display (CND) for unlisted numbers and Optus customers, and caller initiated blocking of CND are not operative by virtue of the provisioning arrangement of these carriers. The complainants allege that this practice is in breach of the Act and the code;
2. in some circumstances the CLI of customers is being disclosed by carriers or used by ISPs where these customers have no relationship with either the carrier so disclosing or the ISP so using the CLI. A diagrammatic representation of this scenario at Attachment A to this report;
3. the provision by carriers of CLI to ISPs is in breach of the Act and as the Act takes precedence over the code, any use ISPs make of CLI, notwithstanding that it may comply with the code, is also in breach of the Act;
4. the majority of customers of ISPs are not aware that the ISPs are receiving CLI and more specifically are not aware that the identification of lines on which CND has been blocked is being provided to the ISPs (by virtue of the CLI being delivered);
5. contrary to section 5.8.1 of the code some ISPs are refusing to provide services to callers who choose to block CND;
6. carriers and ISPs cannot claim compliance with the Act and the code on the grounds that the provision of CLI is necessary for the provision of a carriage service. The complainants argue that provision of CLI is not necessary for the delivery of an Internet access service, has not been required in the past to achieve such a service and further that usernames and passwords, not CLI, are use to identify/authenticate the ISP's customer for the purpose of billing; and
7. CLI is provided to ISPs in a form which is divorced from the activity of achieving a connection between the client and the ISP, therefore when ISPs receive CLI they are in fact receiving the output of a CND service.

3.        One separate matter raised in the complaint; an unconfirmed allegation that forty businesses (not being ISPs) in a particular building in Perth were receiving blocked CND; was deemed not to be a regulator issue and was referred back to the complainants.

Relief sought

4.        The complainants requested that the ACA investigate the matters contained in their complaint and sought very specific redress as follows:

1. prosecution of carriers and ISPs which are in breach of the law;
2. the ACA to issue official directions to carriers and ISPs found to be acting contrary to the code;
3. the ACA to issue official warnings to all carries and CSPs (including ISPs) concerning compliance with the code and the Act; and
4. the ACA to instigate review of the code and if found deficient require the development and registration of an amended code or introduction of an industry standard.

Conduct of the investigation

5.        Based on information provided by Telstra, Optus and Comindico the ACA contacted 130 ISPs and questioned them regarding how they obtained, used and stored CLI; responses were achieved from 109 of these ISPs. The information provided by the carriers and the ISPs was evaluated against each of the different issues and allegations identified in the complaint and evaluated against the relevant sections of the Act and the code. Where available, supporting information was sourced from industry publications.

6.        In addition the ACA took legal advice regarding a number of matters and this advice informed the investigation and the findings.

Discussion of alleged breaches of the Act and the code

Breach of section 276 of the Act

7.        The investigation has established that carriers and ISPs are disclosing and/or using the CLI of customers; including the CLI of customers who have blocked CND either by way of default as an unlisted number or as an Optus customer, or by way of permanent or per call blocking initiation.

8.        Prima facie this activity appears to be in breach of section 276 of the Act; however a number of exemptions from section 276 are made available by sections 279 to 294 of the Act. The exemption provided by section 291 (Business needs of other carriers or service providers); in particular subsection 291(1), is cited by industry as enabling the exchange of CLI between carriers and ISPs.

9.        Subsection 291(1) is comprised of four elements and to claim an exemption to section 276 by virtue of subsection 291(1) all four elements must be satisfied. The investigation has identified that in most episodes of CLI disclosure/use carriers and ISPs can claim an exemption by virtue of subsection 291(1) as all four elements of subsection 291(1) are satisfied. However in the scenario discussed in the complaint; that is in circumstances where a customer accesses their ISP from a phone line controlled by another party and this phone line is either an unlisted number or has CND blocked, (refer Attachment A to this report) if, as specified by subsection 291(1)(c), the other party who controls the phone line is not a current or former customer of either the carrier or the ISP all four elements of subsection 291(1) are not satisfied and exemption from section 276 cannot be claimed.

10.        While legal advice notes that measuring detriment is not an element of section 276 the investigation has attempted to establish, in relative terms, some measure of the magnitude of breach of section 276 in circumstances where a customer accesses their ISP from a phone line controlled by another party and this phone line is either an unlisted number or has CND blocked. The following is what could be described as a set of filters which, when applied, endeavours to define the customer group which in the circumstances may suffer detriment from breaches of section 276, and the size of this customer group relative to all Australian Internet users.

11.        For an episode of breach of section 276 to occur in circumstances where a customer accesses their ISP from a phone line controlled by another party and this phone line is either an unlisted number or has CND blocked (refer Attachment A to this report):

1. the subject customer's CLI must be CLI which is traffic between a carrier and an ISP. As reported in the 2002-03 Telecommunications Performance Report at the end of March 2003 there were 5.1 million Internet subscribers in Australia; and
2. the subject customers' CLI must be CLI which is disclosed to an ISP. The number of CLI episodes being disclosed to ISPs is not known. The 2002-03 Telecommunication Performance Report notes that the seven largest ISPs (which included Telstra Bigpond and OptusNet) accounted for 70 per cent of total Internet subscribers, however Telstra and Optus provide CLI to some, not all, of their customer ISPs. Comindico on the other hand provides CLI to all its customer ISPs bundled in the connection service, however Comindico is understood to have a relatively small customer base, a subset of the 30 per cent not sourced from Telstra and Optus; and
3. the subject customer's CLI must be CLI which is CND blocked, either by way of default as an unlisted number or as an Optus customer, or by way of permanent or per call blocking initiation. Figures available to the ACA indicate that of the 40 million numbers recorded on the Integrated Public Number Database, 11 million are classed as unlisted; however this 11 million includes all mobile services which are, by default, unlisted but are not relevant to this issue. Figures regarding CND blocking which arises as a result of default (for example Optus customers) or which arise by way of customer initiated permanent blocking or per call blocking are not available, however it is believed that the number of CND block initiations is relatively low. This is especially thought to be the case for Telstra customers as Telstra is an 'opt-out' CND service provider; and
4. the CLI which is being disclosed/used must be the CLI of a customer who is not a current or former customer of the disclosing carrier or the ISP using the CLI. Given the dominance of Telstra, and to a lesser extent Optus, as providers of telephone lines it is reasoned that a large percentage of customers whose CLI remains after being filtered through the first three levels above will be excluded by virtue of these customers being current or former customers of the carriers disclosing or the ISP using the CLI.

12.        In addition, for a breach of section 276 to be sustained it would have to be established that an ISP was actually using the CLI. While it appears that in certain circumstances carriers are in breach for disclosing CLI to ISPs, an ISP in the same circumstances may only be in breach for episodes when they actually use the CLI.

13.        The number of customers whose CLI remains after being filtered through all four levels as described in paragraph 11 above is, relative to all Internet users, considered to be very small. The investigation has revealed that ten ISPs did not use the CLI they receive from Comindico and many others stated they used the CLI infrequently, mainly to settle billing disputes. Therefore it is possible that episodes of ISPs using the CLI which remains after being filtered thorough all four levels, relative to the episodes of transmission of all CLI between carriers and ISPs, could approach the infinitesimal.

Breach of sub-sections 5.1.2, 5.1.3, 5.1.5 and 5.2.1 of the code

14.        Investigation of the activities complained of indicates that prima facie carriers may be in breach of some sub-sections of Section 5 (Blocking and Enabling CND) of the code. However sub-section 1.1.4 of the code states:

'If there is a conflict between the requirements of this Code and any requirements imposed on a Supplier by legislation, the Supplier will not be in breach of this Code by complying with the requirements of legislation.'

15.        As discussed in paragraph 11 above, in circumstances where all four elements of section 291(1) of the Act are satisfied carriers and ISPs can claim exemption from the provisions of section 276. Prima facie carriers and ISPs are non-compliant with sub-sections 5.1.2, 5.1.3, 5.1.5 and 5.2.1 of the code; however when sub-section 1.1.4 is applied, they are non-compliant only in so far as the activity relates to CLI which does not meet all four elements of section 291(1), typically the CLI of customers who have CND blocked and who are not current or former customers of the carrier disclosing the CLI or the ISP using the CLI.

Breach of sub-section 5.8.1 of the code

16.        The complainants allege that four named ISPs are non-compliant with sub-section 5.8.1 of the code. Sub-section 5.8.1 directs that suppliers must not unfairly discriminate against customers who choose CND or CND blocking. The investigation has confirmed the terms and conditions and practices of three of these named ISPs do appear to breach sub-section 5.8.1 of the code. In addition the investigation has identified another ISP which appears to be in breach of sub-section 5.8.1 of the code.

Breach of sub-section 7.1.1 of the code

17.        Sub-section 7.1.1 permits a supplier to provide CLI to CSPs for the purposes of supporting the operation of a carriage service in accordance with the Act. This sub-section may apply to ISPs that act as wholesalers or intermediaries (that is those which trade between the carrier and the ISP) and which provide CLI to their customer ISPs. However similar to the breaches of Section 5 discussed in paragraph 15 above, carriers or ISPs which supply CLI to ISPs are in breach of sub-section 7.1.1 but only in so far as the activity relates to CLI which does not meet all four elements of section 291(1), typically the CLI of customers who have CND blocked and who are not current or former customers of the carrier disclosing the CLI or the ISP using the CLI.

Breach of sub-section 7.1.2 of the code

18.        Sub-section 7.1.2 requires a supplier which passes on CLI to a carriage service provider (CSP) to be satisfied that the CLI will be used only for the purposes of supporting the operations of a carriage service. Telstra, Optus and Comindico have all stated that they rely on contractual agreements with their customer ISPs to ensure compliance with 7.1.2.

19.        Legal advice indicates that it is likely all the supplier of CLI needs to satisfy itself is that the CLI will be used for the purposes of supporting the operation of a carriage service, there is no requirement that the supplier be satisfied the CLI was used for that purpose. Further, that to meet the requirements of 7.1.2 the supplier may only need to ask the ISP about how they intend to use the CLI, or the supplier could make a written declaration that the CLI was going to be used for the purposes of supporting the operation of a carriage service, or this could be specified in a contract.

20.        Unlike Comindico, Telstra and Optus do not provide CLI automatically to their customer ISPs as part of their basic service package. Those ISPs acquiring CLI from Telstra and Optus must first apply to be provided with CLI and must then enter into agreements which in part demands their compliance with ACIF codes and legislation.

21.        Comindico however provides full CLI to all its customer ISPs automatically as a part of its basic service package. Notwithstanding Comindico does have in place contractual agreements with its customer ISPs, the investigation has identified that some of Comindico's operating procedures make it arguable that Comindico is compliant with sub-section 7.1.2 of the code.

22.        In certain circumstances ISPs may also be in breach of sub-section 7.1.2. ISPs which act as wholesalers or intermediaries and which provide CLI to their customer ISPs may be in breach if they fail to take adequate steps to satisfy themselves that the CLI is intended to be used only to support the operation of a carriage service. While this issue has not been investigated in depth, anecdotal evidence indicates that few ISP wholesalers have an understanding of their responsibilities and obligations and indeed considered themselves quite divorced from the implications of the Act and the code.

Breach of sub-section 7.2.1 of the code

23        Sub-section 7.2.1 of the code permits ISPs that receive CLI to use the CLI for the purposes of fraud prevention, billing, call management and credit control. However similar to the discussion of breach of sub-section 7.1.1 in paragraph 11 above, it appears ISPs are in breach of sub-section 7.2.1 but only in so far as the activity relates to CLI which does not meet all four elements of section 291(1), typically the CLI of customers who have CND blocked and who are not current or former customers of the carrier disclosing the CLI or the ISP using the CLI.

24.        Of the 109 responses received from ISPs only one ISP indicated it may be using CLI contrary to the purposes permitted by 7.2.1.

Breach of sub-section 7.2.3 of the code

25.        Sub-section 7.2.3 requires ISPs to inform their customers if they are receiving CLI. Of the 109 responses received from ISPs only 20 per cent (22) informed their customers that they were receiving CLI, even fewer informed their customers of the privacy implications of this as required by the code.

Discussion of other matters raised in your complainant

ISPs do not need CLI to provide a carriage service

26.        The complainants argue that the provision of CLI to ISPs is a relatively recent development; that ISPs did not need CLI to achieve Internet access in the past and do not require CLI to provide access today. While the complainants are entitled to their opinion the ACA believes it is for the ISPs to decide what they need to operate their business. Legal advice provided to the ACA in regard to section 291 of the Act offers the opinion that there is no need to establish a 'needs test' as the provisions of the section very clearly state the criteria to be taken into account for this exception to apply. Further the ACA's legal advisors do not think the legislation intended to introduce a business needs test as such, rather, it intended for carriers to comply with the criteria it provides within the provisions.

27.        In discussion of this matter the complainants refer to one particular sentence in the Explanatory Statement to the code (paragraph 3 of page 1 of the Explanatory Statement) which they allege supports their contention that CLI should only be provided to ISPs on a needs basis. It is noted that no mention of 'need' is included in the operational sections of the code and ACA legal advice, similar to the discussion in paragraph 26 above, is that the code does not imply a 'needs test'.

Inaccurate definition of CLI

28.        In the complaint it is argued that the definition of CLI used in the code is inaccurate and the complainants advance the argument that information transmitted beyond the telephone network into the customer's access network or local loop, that is beyond the carrier to the ISP, is not CLI but a CND service based on CLI. While it is again acknowledged that the complainants are entitled to their view, the ACA does consider this view is relevant in any analysis of whether there has been a breach of the Act or the code. The Act does not proscribe a definition of CLI, and alleged breaches of the code can only be assessed against the definition provided in the code. The ACA does not consider that the complainants have provided any compelling argument why the definition in the code should be reviewed.

Overriding of CND affects the provisions of the Customer Service Guarantee

29.        In the complaint is it alleged that because CLI overrides CND choice, 'carriers have intentionally introduced this fault and service difficulty into their network', and that because this 'fault' was introduced deliberately carriers will escape their obligations for this 'fault' under the Telecommunications (Customer Service Guarantee) Standard 2000. In this the ACA considers the complainants have incorrectly represented correct CLI function as a CND failure; these are separate functionalities that are not aligned.

Users of the Internet are not aware their CLI is being disclosed and used

30.        It is alleged that the vast majority of individuals who have silent and other blocked numbers are not aware that blocking is being overridden, that ISP owners and staff do not understand their responsibilities regarding CLI and carriers misrepresent the extent to which CND blocking is effective.

31.        The investigation does indicate some support for these comments. The provisions of Section 6 of the code (Ensuring Customer Awareness) place the onus on carriers and CSPs/ISPs to keep their customers informed of how CND works and the privacy implications of disclosure and use of CLI. However in practical terms the requirements of Section 6 fall mainly to carriers as many of the requirements do not relate to the type of services provided by ISPs. Perusal of the Internet sites of Telstra, Optus and Comindico elicits little information regarding CND services and it is difficult to assess the degree to which these carriers comply with Section 6.

32.        Specifically for ISPs, sub-section 7.2.3 of the code requires ISPs to inform their customers if they are receiving CLI regardless of whether the customer has blocked sending it and the privacy implications for the customer. ISP compliance with this requirement has been previously discussed in paragraph 25.

33.        The complainants make the comment that the ACA's consumer fact sheet Calling Number Display does not reflect the current situation of CLI being provided to ISPs. The ACA agrees that the fact sheet should be enhanced to clarify in what circumstances CLI is disclosed and used.

Breach of other legislation

34.        Finally the complainants allege that carriers and ISPs participating in the activity complained of are in breach of National Privacy Principles of the Privacy Act 1988; are in breach of the Trade Practices Act and some State and Territory fair trading legislation and are in breach of confidence and the common law right of privacy.

ACA decisions

35.        In considering its response to the findings of the investigation the ACA has made a number of decisions which pursue a non-adversarial approach to remedy identified breaches of the Act and code and inappropriate behaviours. It is acknowledged that this approach is not that preferred by the complainants. The ACA however has decided on this approach for the following reasons:

• the investigation uncovered no evidence of malicious intent on the part of carriers and ISPs;
• there is reason to believe that the number of breaches committed by carriers is relatively very small with breaches committed by ISPs reasoned to be even considerably fewer;
• there is concern that carriers will be unable to definitively identify the CLI of customers who have CND enabled and who are not current or former customers of the carrier disclosing or the ISP using the CLI and, as a consequence, carriers may implement a technical solution whereby they cease to disclose any CLI to ISPs. Such a solution could disadvantage carriers and responsible ISPs in the conduct of their business, for example investigation and prevention of fraud; may diminish the capacity of carriers and ISPs to develop technology and business models which benefit the Internet user community and may hamper law enforcement agencies in the collection of information under warrant.

Decision 1

36.        That carriers and ISPs be required to ensure their customers are made aware of the circumstances in which CLI will be provided to ISPs; clearly identifying that the CLI of any phone line, whether it has an unlisted number or has CND blocked, used to access the Internet may be disclosed and used.

Decision 2

37.        That those ISPs identified as being in breach of sub-section 5.8.1 of the code (discriminating against customers who choose CND blocking) be advised of their non-compliance. That the ACA should, as a first compliance measure, seek their undertaking to refrain from such activity and to provide details to the ACA regarding remedial action they propose to implement to achieve compliance with 5.8.1.

Decision 3

38.        While arguably not in breach of sub-section 7.1.2 of the code, as discussed in paragraph 21 above, Comindico be advised of the ACA's concern that Comindico's operating procedures which are meant to ensure compliance with 7.1.2 are not adequate. Further that the ACA request Comindico to provide details regarding remedial action Comindico proposes to implement to ensure compliance with 7.1.2 of the code.

Decision 4

39.        Those ISPs acting as wholesalers and intermediaries identified by the investigation by advised as to their status and responsibilities under the code. Further, that ISPs so identified be requested to provide the ACA with an undertaking that they will fulfil all their responsibilities under the code, and provide details regarding remedial action they propose to implement to ensure compliance with 7.1.2 of the code.

Decision 5

40.        As discussed in paragraph 24 above, the ACA further investigate one ISP which was identified during the investigation as possibly not complying with sub-section 7.2.1 of the code. If found to be non-compliant, as a first measure of compliance, seek the ISP's undertaking to refrain from such activity and to provide details to the ACA regarding remedial action they propose to implement to ensure compliance with 7.2.1.

Decision 6

41.        In light of the disappointing level of compliance with sub-section 7.2.3 as discussed in paragraph 25, the ACA write to all the ISPs which the investigation has established are non-complaint, and as a first compliance measure, require them to inform their customers that they receive CLI and of the privacy implications of this. Additionally the ACA seek their undertaking to comply with sub-section 7.2.3 and to provide details to the ACA regarding remedial action they propose to implement.

Decision 7

42.        As a general measure in relation to ISP regulatory observance, the ACA develop and implement a broader strategy for engaging with and informing ISPs of their responsibilities under the Act and the code. It would appear suitable for this strategy to build on the work already being undertaken by the ISP Obligations Awareness Project of the Consumer and Universal Service Obligation Group.

Decision 8

43.        The complainants be advised that the ACA does not support their opinion that need should be an element of any test regarding the disclosure/use of CLI. The next review of the code is scheduled for mid 2005 and the complainants be advised that any contribution they choose make to the review would be welcomed and fully considered.

Decision 9

44.        The complainants be advised that the ACA does not support their opinion that the definition of CLI in the code and that which is used by the industry is not correct. Similar to the comment made in Decision 8, the complainants be advised that any contribution they choose make to the next review of the code would be welcomed and fully considered.

Decision 10

45.        The ACA advise the complainants that enhanced call handling features, of which CND is one, are taken into consideration when the Customer Service Guarantee is monitored.

Decision 11

46.        The ACA investigate the degree to which suppliers (being both carriers and carriage service providers) are ensuring customer awareness as required by Section 6 of the code. Further, suppliers be made aware of any deficiencies identified regarding customer awareness and be required to advise the ACA of remedial action to ensure compliance with Section 6 of the code.

Decision 12

47.        The ACA fact sheet Calling Number Display be amended to better reflect the circumstances in which CLI may be disclosed and/or used by carriers and ISPs.

Decision 13

48.        The ACA formally advise the Office of the Federal Privacy Commissioner of the outcomes of this investigation.

Decision 14

49.        Those law enforcement agencies which have expressed concern regarding possible curtailment of the use of CLI be formally informed of the outcomes of this investigation.

Decision 15

50.        The complainants be advised that the outcomes of this investigation will be conveyed to the Office of the Federal Privacy Commissioner. Further, the complainants be officially advised that it is not the mandate of the ACA to investigate alleged breaches of the Trade Practices Act, State or Territory fair trading legislation, breaches of confidence and the common law right of privacy; and that they may wish to direct alleged breaches of these provisions to the relevant Commonwealth, State and Territory bodies.

Decision 16

67.        The complainants be advised of the outcomes of this investigation, including what remedial action is proposed by the ACA. In particular the complainants be advised that contrary to the relief they have sought, the ACA will not at this time be launching prosecution against carriers or ISPs found to be in breach of the Act or the code.

---