You are here: EFA Home » Issues » Privacy » Calling Number Display » Complaints re blocked calling number disclosure » Complaint to OFPC 29 July 2003

28 July 2003


Mr Malcolm Crompton
Federal Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001


Dear Mr Crompton

Complaint: Unlawful Collection, Disclosure and Use of Calling Line Identification information by Carriers and Internet Access/Service Providers

Irene Graham, Roger Clarke and David Fitch jointly lodge this representative complaint on behalf of those Australian customers of Internet Access Providers/Internet Service Providers ("ISPs") and/or of telephone call carriers who are affected or potentially affected by the practices complained of herein. For reasons set out below, the size of these classes is difficult to ascertain but the number affected could reasonably be estimated to be in the thousands or tens of thousands.

Ms Graham is the Executive Director of Electronic Frontiers Australia Inc. ("EFA"). Dr Clarke is an officer of the Australian Privacy Foundation ("APF") and a board member of EFA. However, the complainants lodge this complaint in their capacities as members of the class of people affected by the practices complained of, not in their capacity as a member or officer of an organisation. Mr Fitch is not a member or officer of either EFA or APF.

This complaint concerns collection, disclosure and use of Calling Line Identification ("CLI") information, in particular, silent and other blocked calling numbers by telephone call carriers and ISPs.

The term "blocked calling number" herein means a number from which a caller initiated an outgoing telephone call with instructions that their calling number not be displayed or provided to the called party.

The term "blocking" herein means the method by which calling number display/provision is prevented. The blocking of calling number display/provision may be effected either by way of a permanent line block or by dialling the blocking code.

The calling number is "personal information" in that it is information from which the identity of the subscriber can reasonably be ascertained, as discussed later herein.

This complaint is set out in the following sections:

Risks and Consequences of Disclosure of Blocked Calling Number Information

1.   As detailed later herein, some telephone call carriers are disclosing silent and other blocked calling number information to some ISPs. Some commenced doing so only in the past two months, and we understand others commenced doing so last year. We believe the vast majority of individuals who have silent and other blocked numbers are not aware that blocking is being over-ridden.

2.   The disclosure of blocked calling number information to ISPs poses serious real-world risks and consequences to individuals. We make this complaint firstly because we believe the Respondents' practices are in breach of law. Those breaches are all the more significant, however, because of the serious risks and consequences they give arise to.

3.   The potential impact on the privacy and well-being of individuals arising from ISPs having access to silent and other blocked calling number information, without the individual's consent, is significant because:

  • ISPs already have a massive amount of information about individuals, as well as the ability to datamine and datamatch;
  • an ISP having access to blocked calling number information operates on a practical level much like a "reverse phone-book". It can be used by an ISP staff member, or a temporary contractor, or anyone obtaining access to the information, to match an anonymous arbitrary identifier (phone number) to a real-world identity and to the physical whereabouts of an individual;
  • statements made by some ISP owners and/or staff in public discussion forums have indicated they have little, if any, knowledge about their privacy protection obligations under telecommunications and privacy laws. Anecdotal evidence and reports suggest a significant number of ISP personnel may lack such knowledge due to complexity of the relevant laws and insufficient, if any, training;
  • some ISP owners and/or staff fail to recognise that blocked calling number information may be information that if disclosed could result in bodily harm or death;
  • some, perhaps many, ISPs store login-in information, which includes user names and blocked calling numbers, on computers connected to the Internet which carries a risk of unauthorised access by crackers and hackers;
  • an ISP staff member/contractor or other person gaining access to an ISP's login records could match the IP address being used by an otherwise anonymous participant in an online forum or in sending emails, against the ISP's login records to find out the number the person dialled in from, which may then be used to find out their physical whereabouts. (This information may be information that would not be ascertainable by the person without knowledge of the blocked calling number.) This situation exposes a wide range of classes of law-abiding individuals to potential blackmail, bodily harm, or pressure intended to repress the individual's behaviour or speech as a result;
  • examples of classes of individuals who may be particularly at risk as a result of disclosure of their blocked calling number or use of same to identify their physical whereabouts include: victims of domestic violence and stalking, people in sensitive occupations such as psychiatric health care, womens' shelters, prison management, counsellors, VIPs, celebrities, politicians, notorieties, sex-workers and their clients, political activists/lobbyists, gay and lesbian people, whistleblowers, protected witnesses, judges and other court officials, ex-criminals trying to go straight and avoid their previous colleagues, probation officers, undercover law enforcement and security officers, etc.

4.   More detailed information concerning risks and consequences, together with supporting information and examples, is provided in Attachment 1.

General Principles

5.   The general principles at stake in the lodgement, investigation and resolution of this complaint include that:

  • The use of personal information about individuals should be limited to that for which it was originally collected, unless the owner of the information (the data subject) has given express and informed consent (AUSTEL Privacy Report 1992 [1]). This principle underlies the informed choice condition under which carriers in Australia were permitted to commence selling or otherwise disclosing individuals' calling number information in 1997. The same principle was re-endorsed by the government and the Parliament in the amendments to the Privacy Act 1988 effective from December 2001.
  • Divergences from general principles or laws governing privacy issues should occur only where the telecommunications industry is demonstrated to be unique or at least so special as to require telecommunications specific treatment (AUSTEL Privacy Report 1992 [1]).
  • Any such divergence should not occur unless it has been demonstrated that there is a public interest in permitting businesses to invade an individual's privacy that outweighs, to a substantial degree, the public interest in requiring businesses to respect individuals' rights to privacy, and that the public interest objective cannot be achieved by a less privacy invasive means.
  • Traditionally, all telephone service subscribers and users of telephone services have been entitled to the same degree of privacy protection in their use of telephone services. Carriers have not provided any legitimate explanation concerning why individuals who use a telephone service to access the Internet should have less protection in their use of telephone services than other individuals.
  • Individuals who pay for a silent/unlisted number have decided their privacy is so important to them that they are willing to pay to have their number kept private. At the time most current silent/unlisted number subscribers entered into a contract with a telephone service provider, carriers were not disclosing silent/unlisted numbers to ISPs without prior consent. Such individuals had clearly not assumed a risk of disclosure of their personal information and thus have a reasonable expectation that their privacy be protected.

Respondents and Practices the subject of this complaint

6.   The Respondents to this complaint are:

  1. the telephone call carriers Telstra Corporation Ltd, Comindico Australia Pty Limited, Optus Networks Pty Ltd, and any other carriers or carriage service providers engaging in the complained of practices (including resellers of carriers' services to ISPs) ("the carrier Respondents"); and
  2. an unspecified number of ISPs who are providers of a dial-up Internet access service, including but not limited to Netspace Online Systems Pty Ltd, Ihug-The Internet Group Ltd, Bluejoy Pty Ltd trading as Froggy ISP and Froggy Internet ("Froggy"), Telstra Bigpond, Optus Internet Pty Ltd ("OptusNet"), and other ISPs who are customers of either Telstra's MegaPoP service, or Comindico's Dial IP service, or any similar service provided by Optus or other carriers ("the ISP Respondents").

    (It should be noted that there are currently many more ISPs collecting blocked calling numbers than those named in this complaint and the number will continue to increase until current industry practices are stopped. Attachment 2 contains a list of ISPs that we have been able to identify as customers of the carrier Respondents' services providing blocked calling number information and we expect there are many more. However, it seems probable that the vast majority listed in Attachment 2 may be covered by the small business exemption in the Privacy Act 1988. Also one is a Queensland local government entity.)

7.   The carrier Respondents are over-riding blocking for the purpose of intentionally disclosing silent and other blocked calling number information, that they have received in the course of carriage of a telephone call over their telecommunications network, beyond the terminating telephone exchange and into the local loop, so that the called party (B-party) receives the blocked calling number. Specifically:

  • the carriers are over-riding blocking on calls terminating at 01983 numbers (and possibly other numbers). 01983 numbers are dial in Internet access numbers provided by carriers to their ISP customers and in some cases to the carriers' own subsidiary ISP. Customers of the ISP Respondents use the 01983 numbers to dial in to an Internet access service.

    The carriers have, evidently, relatively recently decided to place their ISP customers' dial in numbers in an over-ride category the same as, or similar to, that used to meet the requirement to disclose blocked calling numbers on calls made to Australian Communications Authority ("ACA") specified emergency services numbers. While over-riding blocking on calls made to emergency services is specifically authorised by Section s279(5) and s286 of the Telecommunications Act 1997, over-riding on calls made to ISPs is not; and
  • having over-ridden blocking, the carriers are disclosing silent and other blocked calling numbers to ISPs by way of:
    • providing ISPs with a CLI-based/CND Service that includes silent and other blocked calling numbers (which would not include same if the carriers had not over-ridden blocking); and/or
    • collecting silent and other blocked calling numbers from the CLI information of incoming telephone calls that terminate on (are answered by) the carrier's own telephone call answering equipment (e.g. Telstra MegaPoP equipment), and subsequently forwarding/disclosing the blocked calling number information to ISPs in a message that has nothing whatsoever to do with telephone signalling system messages.

8.   The fact that Telstra is over-riding blocking is stated in Telstra News Issue 8 dated "December 2002/January/February 2003". The newsletter states, in minuscule print in a footnote, that Telstra's Line Blocking Service is "Not available for calls to 000 or MegaPoP National access service". Since that footnote came to one of the complainant's attention in April 2003, recent further investigation has revealed that Telstra commenced over-riding blocking on calls to the MegaPoP service on Saturday 23 March 2002, the day after Telstra claims to have published a "Detrimental Effect Advertisement" [2] in the public notices section of The Australian newspaper regarding amendments to Telstra's Standard Form of Agreement, that is, blocking ceased to be effective on such calls well over a year after Telstra's MegaPoP product was launched in November 2000. Blocking has only become "not available" because Telstra has chosen to configure its telephone network/equipment to over-ride the blocking instructions it receives with telephone calls, so that Telstra can include silent and other blocked numbers in a CLI based product that Telstra has chosen, apparently for commercial reasons, to package with the MegaPoP product it sells to ISPs.

9.   Our investigations have revealed that Comindico is also over-riding blocking on calls made to, at the least, ISP customers of their equivalent of the MegaPoP product. This information has been provided to us by managers and staff of several ISPs who use Comindico's services. In addition, we have been provided with a copy of a Memorandum of Understanding for the Use of CND on the Comindico / Ozdial Networks (see copy attached). This document was provided to an ISP by Ozdial Pty Ltd, a reseller of Comindico's services, and makes clear that a CND Service (not "CLI") is being provided to ISPs. Optus is also over-riding blocking on calls made to OptusNet [3] and probably also to ISP customers of their equivalent of the MegaPoP product.

10.   Attachment 3: How CLI and CND Services Work contains detailed information in the section titled Forwarding of CLI data to Internet Access/Service Providers about the technical process by which Telstra and other carriers are taking unfair advantage of their privileged access to silent and other blocked calling numbers for the purpose of intentionally and unnecessarily disclosing same to ISPs. The attachment also explains the process used by ISPs to collect and record the calling number information. As the attachment shows, calling number information is not necessary for the provision of dial-up Internet access. That fact is also apparent from the Internet Industry Association ("IIA")'s media release [4] dated 21 July 2003 which states that IIA's draft Cybercrime Code "does not require ISPs to capture caller line identification (CLI) or caller name display (CND) data" and that the draft Code states "CLI information is generally not made available to ISPs at this stage".

11.   We allege that the carrier Respondents are in:

  • Breach of National Privacy Principles 1, 2, 4 and 8 of the Privacy Act 1988; and
  • Breach of Section 276 (or in some cases, Section 302) of Part 13-Protection of Communications of the Telecommunications Act 1997, and that none of the exemptions to the prohibitions on use and disclosure are applicable to the disclosures addressed herein; and
  • Breach of Sections 5 and 7 of the Calling Number Display Industry Code (C522) registered by the ACA on 25 June 2003 ("CND Code") (and Sections 4 and 6 of the previous Code registered in October 2001); and
  • Breach of Confidence; and
  • Breach of Common Law Right of Privacy.

12.   We also allege that the ISP Respondents are in:

13.   Detailed information concerning the above is provided later herein.

14.   With regard to NPPs 1 and 2, we expect that Optus Internet Pty Ltd ("OptusNet") is probably a related body corporate of the carrier Optus Networks Pty Ltd and we are aware that Telstra Bigpond is the ISP trading name of Telstra Corporation Limited. However, the sharing of information practices being engaged in by these organisations are not fully exempt from the provisions of the Privacy Act 1988, as discussed later herein.

Complaints made to Respondents

15.   Complaints were made by telephone to both Telstra and Optus in April 2003. The complainant was advised the matter would be investigated and a response provided. No response has been received.

16.   Written complaints were sent to Telstra, Optus and the other carrier and ISP Respondents named above on 29 and 30 June 2003. The Respondents were advised that in the absence of a satisfactory response within 14 days, representative complaints would be sent to the OFPC and the ACA. Telstra and Optus advised, in letters dated 2 and 3 July, that they will investigate the matter and provide a response, as they did in April. Comindico, OptusNet and Netspace have provided responses, the contents of which demonstrate they consider they are permitted to disclose and/or to collect and use blocked calling numbers. We disagree. Copies of relevant correspondence are attached hereto.

Members of Class Represented

17.   We assert that the facts set out herein address s38(1) and (2) of the Privacy Act 1998.

18.   With regard to s38(2)(a) we assert that any individual who is a telephone service account holder is a member of the class represented, because anyone may potentially wish to use, or permit another person to use, their account to dial an ISP using calling number blocking, or may wish to change their account to silent or line blocking and to then use it to dial an ISP. Every account holder is potentially prejudiced by the practices in issue, in relation to their use of their existing telephone service account.

19.   With regard to s38(1)(a) we assert that the class members have complaints against the same Respondents because any individual may potentially wish to change their telephone service provider or Internet access service provider and/or may have no choice but to do so when a telephone service provider or an ISP ceases business or is purchased by another organisation. The latter is particularly common in the ISP industry. In addition, while currently not all ISPs are receiving and collecting blocked calling number information, individuals' ability to make privacy choices is decreasing as the industry practices complained of herein become increasingly wide-spread. Presently, it is very likely that in some regional and country areas, individuals have no choice.

Relevance of Privacy Act, Telecommunications Act and CND Code

20.   This letter principally addresses breaches of the Privacy Act 1988.

21.   Breaches of the Telecommunications Act 1997 and the CND Code are addressed in the attached copy of our letter of complaint to the Australian Communications Authority. It sets out the basis of our belief that the Telecommunications Act 1997 does not authorise or require the disclosure of blocked calling number information to ISPs and hence such disclosure is a breach of both the Privacy Act 1988 and the Telecommunications Act 1997.

22.   We request that you take into account the matters detailed in the attached letter as if they were part of this complaint, to the extent that they are relevant to this complaint.

23.   With regard to collection by ISPs, it should be noted that is covered only by the Privacy Act 1988. The Telecommunications Act 1997 creates offences only in relation to disclosure and use, not in relation to collection, of personal information.

24.   We also note that although the ACIF Calling Number Display Industry Code may appear to have some relevance, the Code is not relevant to this complaint to any extent that it may appear to authorise or permit collection, disclosure or use, because nothing in an industry code replaces or diminishes obligations imposed by the Privacy Act 1988. As you would be aware, the Telecommunications Act 1997 was amended by the Privacy Amendment (Private Sector) Act 2000 and the Explanatory Memorandum to the Bill states:

"The aim of the amendments to Part 6 of the Telecommunications Act is to recognise and promote the pre-eminence of the Privacy Act and the role of the Privacy Commissioner within the telecommunications environment without diminishing the integrity of the current telecommunications self-regulatory regime"
and that
"New clause 116A [to the Telecommunications Act] provides that nothing in an industry code registered under Part 6 of that Act or an industry standard determined under Part 6 of that Act replaces or diminishes any obligations imposed by the Privacy Act 1988 or an approved privacy code as defined in that Act".

Calling Numbers are Personal Information

25.   A calling numbers is "personal information" in that an individual's identity is reasonably ascertainable from the information.

26.   The call may have been made by the subscriber, or by someone else. In either case, the data is associated with an individual, the subscriber. And where that inference is wrong, the privacy impact may be even more serious than where it is correct.

27.   In the case of a carrier disclosing its own customer's telephone number, the number is obviously personal information as the carrier uses the calling number to identify the individual who is to be billed for the call. In the case of a carrier disclosing the number of a telephone service provided by another carrier, in the vast majority of cases the calling number is personal information because an individual's identity can be ascertained in one of a number of ways including, but not limited to:

  • reverse lookup directories, containing approximately 9 million telephone numbers extracted from the White Pages, which are available on CD for as little as $91;
  • searching for a telephone number using Internet web search engines;
  • the carrier's records of its past customers (e.g. persons who have ported their number to another service provider) or the customer records of the carrier's related bodies corporate and/or other divisions;
  • the Integrated Public Number Database ("IPND"). Although under legislation and an Industry Code, only a limited range of persons/organisations are permitted to access the IPND and only for specified limited purposes, this does not prevent the possibility of its unlawful use to identify an individual and/or their whereabouts and it is of no comfort to an individual whose name/address may be disclosed that a use or disclosure was unlawful. For example, Pacific MicroMarketing claims on its website [5] to be receiving daily updates of IPND data from Telstra and using that information to update the marketing databases it sells and its customers' telemarketing databases. That practice appears to be in breach of the law and Code regulating use and disclosure of IPND data. In addition, human error or technological fault may result in unintended disclosure and availability of personal information from the IPND as apparently occurred in 2002 (Telstra Database Mistake, OFPC Media Release 12 August 2002 [6]).

28.   Silent/unlisted numbers are also personal information in that an individual's identity can often be ascertained from the disclosing carrier's, and in some cases the recipient ISP's, records of their current or past customers, as well as from the IPND. Whether an individual's identity can reasonably be ascertained from other sources depends on the particular unlisted number and circumstances. An individual's identity may be ascertainable by searching for the unlisted number in a reverse lookup directory on CD, given they are compiled from information in the White Pages which in 2002 included unlisted numbers published without the individual's prior knowledge and consent, apparently due to human error or lack of adequate security on the IPND. In addition, some individual's names and unlisted numbers are able to be found on the Internet as a result of publication without the individual's prior knowledge and consent.

29.   In the context of the recipient ISP collecting a calling number, the number is (and if not previously, becomes on collection) personal information about the ISP's customer. The calling number is recorded in a Remote Access Dial-In User Service ("RADIUS") accounting start record, which is created when a user logs in and includes the following and other information:

Time Tues Jul 8 9:30:11 2003 Time Record received by RADIUS (within seconds of time user logged in).
User-Name bsmith Name user logged in with. Used by ISP to identify customer billing account.
Called-Station-Id 0198 308 111 The number called by the user.
Calling-Station-Id 02 1111 1111 Telephone number the user dialled from.

30.   In addition, the identity of another person may be ascertainable by the ISP from its customer records. For example, where two or more individuals dial in from the same telephone number, the ISP will have the number recorded with identifying information about two of its customers. A simple search of the ISP's records for that number will identify both individuals, and provide information about their personal affairs, such as that they share the same residence or work together or, at least, know each other. In May 2002, one ISP remarked on an ISP mailing list that he was surprised to discover, by using calling number information records, how many customers called from the same number as other customers [7].

31.   It should also be noted that although some ISPs claim they are only collecting personal information they already have, this is not factual. In instances where the calling number is the number of the ISP's customer, the ISP may not already know that information about the individual because the individual may have provided a mobile or business contact telephone number, not their home telephone number, when opening an account with the ISP. Further, the ISP's customer may be calling from a number for which they are not the subscriber and so the identity of another individual is reasonably ascertainable from the number.

Breaches of the Privacy Act 1988

Use and Disclosure by Carriers - NPP 2.1

32.   We allege that the carrier Respondents are in breach of NPP 2.1 because:

  1. a carrier's disclosure of blocked calling numbers to an ISP is a secondary use and disclosure that is not related to the primary purpose of collection, namely, providing a telephone call service that enables a calling party to establish a connection with a called number and billing the cost of the telephone call carriage service to the originating carrier or relevant telephone service subscriber (NPP 2.1(a)(i)). The ISP has no role in the transmission of the telephone call and a carrier does not need to disclose the calling party number to the ISP in order to undertake its function of delivering the call to the called number;
  2. the disclosure of a blocked calling number is clearly contrary to the express wishes of the subscriber to that line (and/or the caller) hence the individual would certainly not expect a carrier to use or disclose the information for the secondary purpose of selling, or freely giving, that information to an ISP (NPP 2.1(a)(ii)); and
  3. none of the other exceptions to NPP 2.1 apply either. This includes the "authorised by or under law" exception (NPP 2.1(g)); and
  4. the disclosure is not permitted by any of the exceptions to the prohibition on disclosure contained in Part 13 of the Telecommunications Act 1997. Information in this regard is provided in the attached copy of our related complaint to the Australian Communications Authority concerning breach of the Telecommunications Act 1997.

33.   In the case of carriers and ISPs who are related bodies corporate or divisions of the same organisation (e.g. Optus/OptusNet and Telstra/Bigpond), while a carrier's disclosure of blocked calling number information to their related ISP appears to be an exempt practice under the Privacy Act 1988, the use of blocked calling number information for a secondary purpose is not an exempt practice. Telstra and Optus are using the information for the secondary purpose of providing a CND (Calling Number Display) type service to their related ISP who is then, apparently, also using the information for additional secondary purposes. These secondary purposes are not related to the primary purpose of collection by the carrier, i.e. billing of telephone calls (NPP 2.1(a)(i)) and 2.3) and individuals who have attempted to block their calling number have expressly indicated they do not consent to, and do not expect (NPP 2.1(a)(ii)) such information to be used for purpose of providing a CLI-based/CND Service to the called party.

Use by ISPs - NPP 2.1

34.   We allege that any use of blocked calling number information by ISPs is a breach of NPP 2.1 because collection of such information was unlawful in the first place, as discussed in the following section.

35.   Use by Bigpond and OptusNet of blocked calling number information collected from their related carrier is also a breach of NPP 2.1 as discussed in the foregoing section.

Collection by ISPs - NPP 1

NPP 1.1 and 1.2

36.   We allege that ISPs routinely collecting blocked calling numbers are in breach of NPP 1.1 and 1.2 and that any ISP who does so will inevitably be in breach of same. The collection of all such information is not necessary for the provision of dial-up Internet access, nor is it used to identify/authenticate the ISP's customer for the purpose of billing the ISP's customer. In addition, information from 'blocked' lines or calls is collected by unfair means (NPP 1.2).

37.   Attachment 3: How CLI and CND Services Work contains detailed information demonstrating that calling number information is not necessary for the provision of dial-up Internet access. That fact is also apparent from the Internet Industry Association ("IIA")'s media release [4] dated 21 July 2003 referred to earlier herein.

38.   ISPs have long been managing their relationship with account holders adequately without knowing the telephone number from which a customer is dialing in - and of course many Internet users dial in from a wide range of different telephone services - including many for which they are not the subscriber. ISPs receiving blocked calling numbers will in many cases be invading the privacy of telephone service subscribers who are not the ISP's customer.

39.   Such ISPs are to all intents and purposes no different from any other business with a telephone line, receiving calls from customers and providing them with a service - in this case Internet access via a connection between a telephone line and an Internet access system. The telephone line is used in the same way as a call to information services provided by other businesses whereby a customer dials a number and provides details such as a PIN number/password to identify/authenticate themselves in order to use the service.

40.   Attachment 4 addresses the claims of some ISPs regarding blocked calling number information allegedly being necessary for the purposes of fraud prevention, billing, call management and credit control.

41.   With regard to Bigpond and OptusNet, while the collection of blocked calling number information directly from their related entity (Telstra and Optus respectively) appears to be an exempt practice, none of those entities are exempt from the requirements of NPP 1.3 and 1.5. This matter is addressed later herein.

NPP 1.4

42.   We also allege that ISPs who collect blocked calling numbers from a telephone call carrier are in breach of NPP 1.4. It is reasonable and practicable for an ISP who would like to receive calling numbers to collect such personal information from the caller, that is, with the caller's consent, instead of covertly from the call carrier despite the caller's expressed instructions to the contrary.

43.   Dial up Internet users must configure their computer/modem settings to dial a number advised to them by their ISP. A caller who wishes to provide their calling number to the ISP, even though they have a permanent block on their line, can have their modem dial the blocking override code before the ISP's number. This would signify informed consent to collection of the number by the ISP (unless the ISP provided the customer with an automated computer set-up disk that automatically inserted the blocking override code without the customer's consent).

44.   However, if an ISP denies services to a caller who does not choose to provide their calling number, this would be in breach of the non-discrimination provisions of the ACA registered Calling Number Display Industry Code.

NPP 1.3 and 1.5 - Carriers

45.   While the primary breach is the unauthorised disclosure, this is compounded by the lack of notice.

46.   Telstra, Optus, and probably all other carriers who provide telephone services, are in breach of NPP 1.3 and 1.5 in that they have not taken reasonable steps to make telephone service customers and other callers reasonably aware that they themselves and other carriers are disclosing silent and other blocked calling numbers to ISPs. On the contrary, most notices about CND state that blocking is effective for all calls except those made to emergency service numbers.

47.   With regard to Telstra, although their newsletter (Telstra News Issue 8 dated "December 2002/January/February 2003") stated, in minuscule print in a footnote, that Telstra's Line Blocking Service is "Not available for calls to 000 or MegaPoP National access service", we believe that the vast majority of the population do not have any idea what MegaPoP is and in the context of the Telstra statement may assume it is some type of emergency service. Furthermore, even if a caller knows what MegaPoP is, it is very unlikely they will know whether their ISP is a customer of Telstra's MegaPoP service.

48.   In addition, while Telstra claims to have published a "Detrimental Effect Advertisement" [2] in the public notices section of The Australian on Friday 22 March 2002 stating:

"Calling Line Identification Change
On and from 23 March 2002, Carriage Service Providers (CSPs) that use Telstra's MegaPoP National Access services will receive Calling Line Identification presentation for the purposes of fraud prevention, billing, call management or credit control of their Internet access services. [See Attachment 4 regarding these four claims.]
Accordingly, line and call blocking will not operate on calls made to CSPs using Telstra's MegaPoP National Access services from that date."

49.   such an advertisement does not comprise reasonable steps to make individuals aware of Telstra's intention to commence invading their privacy without their consent. Even if all Telstra's customers read The Australian, including the public notices section, giving less than one day's notice of the commencement of invasions of privacy is inadequate. Telstra was entirely capable of prominently notifying its customers well in advance of the change when sending customers a telephone bill. There was no need, let alone urgency, for this detrimental change to Telstra's agreement with its customers - the MegaPoP service had been operating efficiently for some sixteen months previously without Telstra over-riding blocking.

50.   Moreover, Telstra has not made its customers aware that blocking is not effective on a variety of other calls that have nothing to do with the MegaPoP system. For example, when a Telstra telephone service customer makes a call to an ISP who is a Comindico customer (not a MegaPoP customer), Comindico over-rides the blocking instruction transmitted to them with the call by Telstra.

51.   Similarly, the Optus newsletter to customers dated February 2003 states: "Note: Your number will be automatically sent when a call is placed to an Emergency Service Number. This is regardless of your CND status". The statement fails to notify customers that even if Optus sends their call with blocking in place, Telstra, Comindico, or another carrier over-rides the Optus blocking instruction when the call is transported, in part, over another carrier's network to an ISP. (It should also be noted that Optus's default line status is blocked, i.e. customers who wish to have CND sending enabled must specifically request this service, while Telstra's default is to send CND. Hence a significantly larger number of Optus customers than Telstra customers are likely to have blocking implemented and believe their number is being blocked).

52.   However, whether or not a carrier has complied with NPP 1.3, the primary breach of unauthorised disclosure remains.

NPP 1.3 and 1.5 - ISPs

53.   While the primary breach is the unauthorised, unnecessary and unfair collection, this is compounded by the lack of notice.

54.   In the highly unlikely event that a particular dial-up ISP can justify a claim that routine collection of blocked calling numbers is necessary for the provision of Internet access, they will nevertheless be in breach of NPP 1.3 and/or NPP 1.5 if they have not taken reasonable steps to make persons dialing their numbers aware of the true situation regarding collection, use and disclosure of personal information (although we recognise that some, perhaps many, ISPs may not be required to comply with NPPs due to the small business exemption).

55.   Extensive searching (in May 2003) using the Google search engine reveals only one Australian ISP whose privacy policy informs about collection of blocked calling numbers. It does not, however, inform of the consequences for the customer if the ISP was not able to collect blocked calling numbers, probably because this would not make any difference to the ISP's ability to provide the Internet access service.

56.   Searching the ISP Respondents web sites (in June 2003) does not reveal any notification to existing customers or potential customers, who are invited to open an Internet access account via the web site, that blocked calling numbers will be collected (other than the OptusNet site), nor do any of the ISP Respondents' privacy statements available on their web site. OptusNet added information to their web site in late May or early June 2003 informing that they had commenced collecting blocked calling numbers although the same page [3] makes clear that the calling number is not needed for billing purposes - the page states that callers can dial in from "a telephone service that's not billed directly to [the Internet access customer], for example ... a hotel phone line". Obviously OptusNet uses the customer's Internet access username to identify the billing account, the same as Telstra Bigpond does (as stated in the Telstra Bigpond Member Agreement) and all other ISPs do.

57.   However, whether or not an ISP has complied with NPP 1.3 or 1.5, the primary breach of unauthorised, unnecessary and unfair collection remains.

NPP 8

58.   We allege that the carrier Respondents are in breach of NPP 8, which requires that: "Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation".

59.   It is clearly both lawful and practical for carriers to deliver calls to dial up Internet access numbers without disclosing identifying information to the ISP about the telephone service subscriber, who in many cases is not even the ISP's customer. Telephone service subscribers who wish to allow another person, e.g. a flatmate, to use their telephone service to connect to an ISP's Internet access system, should not be denied the right to be anonymous in relation to that transaction involving their telephone line.

60.   Similarly, the ISP Respondents collecting blocked calling numbers are in breach of NPP 8, for the same reason as the carriers. The ISP is able to identify their customer by the username entered to gain access to the ISP's Internet services. They do not need the calling number information which in many cases is capable of identifying a person who is not the ISP's customer.

NPP 4

61.   In the case of the carrier Respondents, while the primary breach is the unauthorised disclosure, we also claim that in their acts of disclosure the Respondents have failed to take reasonable steps to protect the personal information they hold concerning complainants.

Breach of Confidence and
Breach of Common Law Right of Privacy

62.   The carrier Respondents held silent number, line blocked and call blocked telephone number information concerning complainants which was information capable of being the subject of a breach of confidence and was held under circumstances of confidence. We claim that the carriers' disclosure of this information was unlawful in that it was a breach of confidence. It was also unlawful in that it was a breach of complainants' common law right of privacy. Similarly, we claim the ISP Respondents' collection of this information is a breach of complainants' common law right of privacy and, if disclosed by an ISP, would also be a breach of confidence.

Breaches of the Telecommunications Act 1997 and the CND Code

63.   As mentioned earlier herein, the attached copy of our letter of complaint to the Australian Communications Authority addresses breaches of the Telecommunications Act 1997 and the CND Code and we request that you take into account the matters detailed in that letter as if they were part of this complaint, to the extent that they are relevant to this complaint.

Related Matters

64.   We request that the following matters also be taken into consideration during investigation of this complaint:

  • many callers from silent and other blocked calling numbers are unlikely to be aware that their privacy is being invaded because their telephone service provider's notices about CND incorrectly state that blocking is effective for all calls except those made to emergency service numbers;
  • in many cases the individual is not a customer of the disclosing carrier, for example, to the best of our knowledge Comindico does not provide originating call services to residential customers, although it does disclose, to ISPs, blocked calling numbers that it receives from an originating and/or intermediary carrier;
  • an originating carrier may not know that its customers' blocked calling numbers are being disclosed by a terminating carrier, nor have a means of finding out whether a particular complainant's number has been disclosed by another carrier;
  • callers and telephone subscribers have no adequate means of knowing which carriers are involved in the transmission of their calls and hence may be disclosing blocked calling numbers;
  • Most dial-up Internet users, current and future, are unlikely to know how to find out whether or not their ISP is a customer of one of the MegaPoP type services and therefore receiving blocked calling number information;
  • many ISPs who receive calling numbers cannot know whether a customer's complaint, that the ISP has collected, or is collecting, their silent or other blocked calling number, is factual. This is because the manner in which the carriers disclose the numbers to ISPs does not include blocking status information. (This has been confirmed to us by various ISP personnel who have checked the situation by dialling in themselves with a line block in place).

65.   In addition, we believe some carriers may be disclosing blocked calling numbers to end-recipients of calls other than ISPs. In this regard, on 19 July 2003 we received information alleging that some 40 businesses in a particular building in Perth see blocking calling number information (if they have screens that display CND received with incoming calls). Reportedly, such screens display blocked and silent numbers in the format "Private - (xx) xxxx xxxx" and "Unlisted - (xx) xxxx xxxx". We have not yet attempted to verify this information, but can provide details as to the particular building etc on request.

Form of Relief Sought - s52 Determination Required

66.   In order to obtain sufficient legal certainty in relation to this complex matter, and so as to be able to obtain enforceable remedies to allow us to proceed under Section 55A for enforcement if necessary, we request and require that this complaint be dealt with under Section 52, not under Section 41.

67.   We seek a Section 52 determination that includes:

  1. a declaration that carriers and carriage service providers who have disclosed blocked calling numbers to dial-up ISPs (and to any other type of carriage service provider that is the end recipient of a telephone call), and ISPs who have collected same, have engaged in conduct constituting an interference with the privacy of an individual and must not repeat or continue such conduct; and
  2. a declaration that carriers must issue a written apology to all holders of silent numbers and other blocked numbers whose numbers have been disclosed; and
  3. a declaration that individuals referred to in (ii) above are entitled to compensation for loss or damage suffered as a result of the carriers's actions; and
  4. a declaration that carriers must provide a new silent number, without fee for change, to any holder of a silent number referred to in (ii) above who requests same.
  5. a declaration that ISPs who have received blocked calling number information must take reasonable steps to comply with NPP 4 (Data Security), in particular to destroy or permanently de identify blocked calling number information that has been unlawfully collected and/or is not permitted to be used or disclosed under NPP 2;
  6. a declaration that ISPs who have received blocked calling number information, if they are not able to destroy or permanently de identify same, must prevent access to databases and records containing such information by staff other than specifically authorised staff who need access to other information in the database or records to undertake a necessary function; and establish an enquiry audit trail on such databases and records so that staff accesses can be recorded and the audit trail can be used in the investigation of any future alleged disclosure or misuse of that personal information (as discussed in OFPC Complaints Case Notes 3 of 2003 [8]).

We will be pleased to provide any further information that may assist in investigation of this matter.

We advise that, for ease of communication, we nominate Ms Irene Graham as the primary point of liaison between ourselves and your office. Ms Graham can be contacted during business hours at Tel: 07 3424 0201, Fax: 07 3424 0241, Email: [...].

We look forward to your response.

Yours sincerely


Irene Graham     Roger Clarke     David Fitch

Attachments:

  1. Privacy risks of supply of blocked calling numbers to ISPs
  2. List of ISPs receiving blocked calling number information
  3. How CLI and CND services work: detailed information about the CND Service provided by carriers to ISPs
  4. The claimed needs of dial-up ISPs: fraud prevention, billing, call management or credit control
  5. Copy of letter of complaint to Australian Communications Authority
  6. Copies of letters of complaints sent to Respondents and responses received
  7. Copy of Memorandum of Understanding for the Use of CND on the Comindico / Ozdial Networks

References:

  1. AUSTEL Privacy Report 1992
    http://www.privacy.org/pi/countries/australia/austel_1992_privacy_report.txt
  2. Telstra Detrimental Effect Advertisements (469 Kb)
    http://www.telstra.com.au/sfoa/docs/detr-ads.doc
  3. OptusNet 0198 331 111 Frequently Asked Questions
    http://www1.optusnet.com.au/helpdesk/0198faqs.html#cli
  4. Internet Industry Association media release, 21 July 2003
    http://www.iia.net.au/news/070301.html
  5. Pacific MicroMarketing, What is Australiandata-online
       "About to undertake a telemarketing campaign?
        If you are about to undertake a telemarketing campaign, simply submit your file and Pacific Micromarketing will return it with telephone numbers appended from the latest version of the Integrated Public Number Database (IPND). Pacific Micromarketing receive updates from the IPND file from Telstra every night and their matching software has been tuned to deliver the highest accurate match rate available."
    http://www.pacmicro.com.au/pdf/ausData/Australian_Data_Online.pdf
  6. OFPC Media Release, Telstra Database Mistake, 12 August 2002
    http://www.privacy.gov.au/news/media/02_19.html
  7. Message posted to Oz-ISP mailing list
    http://archive.humbug.org.au/aussie-isp/2002-05/msg00200.html
  8. OFPC Complaints Case Notes 3 of 2003
    http://www.privacy.gov.au/act/casenotes/ccn3_03.html


You are here: EFA Home » Issues » Privacy » Calling Number Display » Complaints re blocked calling number disclosure » Complaint to OFPC