You are here: EFA Home » Issues » Privacy » Calling Number Display » Complaints re blocked calling number disclosure » Attachment 4 29 July 2003

Attachment 4

Calling Line Identification
The Claimed Needs of Dial-Up ISPs

25 July 2003

In 2002, some eight or more years after commercial ISPs commenced providing dial-up Internet access services in Australia, some but not all ISPs and telephone call carriers commenced claiming that ISPs need to receive silent and other blocked calling number information for four purposes: "fraud prevention, billing, call management and credit control".

This document discusses the common four, and other, claims and shows that calling number information is not necessary for the operation of dial-up Internet access services and is rarely, if ever, even useful for the purposes in the absence of the relevant customer's prior knowledge and consent.

Contents

Introduction

Commercial ISPs have been providing dial-up Internet access services in Australia since at least 1994. During the first eight years, these services were provided without ISPs receiving silent and other blocked calling number information. It was not until 2002 that some telephone call carriers decided to start over-riding blocking in order to sell, or freely provide, blocked calling number information to some, but not all, ISPs.

Obviously, if calling number information was necessary for the operation of dial-up Internet access services, all ISPs would currently be receiving same and would have been since Calling Number Display services became available in Australia in late 1997. Dial-up Internet access services would not have been available before 1997.

In fact, calling number information is not necessary for the provision or operation of dial-up Internet access services and whether or not a particular ISP receives blocked calling number information is the result of a commercial decision made by a telephone call carrier (and the ISP in cases where the carrier charges the ISP a fee for the information). Telstra publicly stated that fact in June 2002:

"Telstra spokesman John Court said [Telstra] activated caller line identification on its MegaPOP network in March [2002] - meaning Telstra Wholesale, Telstra Retail and Telstra resellers had access to the service but the rest of the ISP world did not.
...
Mr Court said ISPs were unlikely to be given caller line identification en masse. Telstra might charge a fee for the service and this would be determined by negotiation with ISPs on an individual basis."

(ISPs want caller ID, by Caitlin Fitzsimmons, The Australian IT, 25 June 2002)

Telstra claims to have published a "Detrimental Effect Advertisement" [1], advising of changes to its Standard Form of Agreement with its telephone service customers, in the public notices section of The Australian on Friday 22 March 2002 stating:

"Calling Line Identification Change
On and from 23 March 2002, Carriage Service Providers (CSPs) that use Telstra's MegaPoP National Access services will receive Calling Line Identification presentation for the purposes of fraud prevention, billing, call management or credit control of their Internet access services.
Accordingly, line and call blocking will not operate on calls made to CSPs using Telstra's MegaPoP National Access services from that date."

Notably Telstra did not claim disclosure of blocked calling number information is necessary for the provision of dial-up Internet access services, nor for the operation of the MegaPoP service, and claims to be only over-riding blocking on calls made to ISP customers of Telstra's MegaPoP service, not on calls to other ISPs. (For information about the means by which Telstra and other carriers can over-ride blocking and unnecessarily disclose blocked calling number information to ISPs, see paper: How CLI and CND Services Work.)

Telstra is not the only member of the telecommunications industry to claim over-riding blocking is for the purposes of: "fraud prevention, billing, call management and credit control". However, such claims are rarely made publicly (they are most often made in email and phone discussions with critics of the practice) perhaps because such claims do not survive under close scrutiny, as detailed later herein.

When an ISP claims to need blocked calling number information to operate their business, questions must be asked: How did they survive before MegaPoP and Comindico's similar service came along (approximately two years ago) and commenced giving them this information? If it is claimed that "things have changed" such that they did not "need" it before, but they do "need" it now, then what was the monumental change that necessitated this invasion of customers' privacy (beside the fact that since the information has become readily available to them, they've created a pretext to collect, use and keep it)?

Asking such questions reveals that the four claimed purposes are nothing more than a convenient litany. They are the purposes listed in the Calling Number Display Industry Code ("CND Code") for which telephone call carriage service providers may use CLI which they automatically receive during carriage of telephone calls between an originating and terminating telephone exchange. However, there is no legislative basis for the proposition that the four claimed uses entitle carriers to disclose to ISPs and ISPs to collect and use blocked calling numbers without consent, whether or not the purpose is a use listed in the CND Code.

As set out in detail below, dial-up ISPs do not need to receive blocked calling number information for the claimed purposes and, in fact, such information is rarely, if ever, even useful for the claimed purposes in the absence of the relevant customer's prior knowledge and consent.

Billing

As telephone call carriage service providers bill the cost of a call to the owner of the calling telephone number, it is clear they need to know the number a call is made from in order to bill the call to their customer. This is not, however, the means by which ISPs identify and bill their dial-up Internet access customers.

ISPs identify the owner of an Internet access account for billing purposes by the username and password provided to them when the user logs in. When a user calls the ISP's dial up number, after the telephone call is answered by the login system, the user's computer sends the username and password to the login system.

The username and password has nothing to do with the user's calling number. The customer could be dialling in from a hotel room or a friend's home, etc. Several customers who share a house or flat can have separate accounts with the same ISP and dial in from the same phone number using their own username and password. The ISP does not need to know the calling number in order to bill the correct customer's account; the ISP uses the username to identify the billing account.

The same method of identification is used by companies such as Telstra and Optus who provide both a telephone call carriage service and a dial-up Internet access service to a customer, even when the cost of Internet access is billed on the same account as telephone calls.

In the case of Optus, a page on the OptusNet site [2] states that calling numbers (including blocked calling numbers) are being collected for "billing purposes". However, the very same page makes clear that the calling number is not used for billing purposes. It informs customers they can dial in to OptusNet from "a telephone service that's not billed directly to you, for example...a hotel phone line". Obviously OptusNet uses the customer's Internet access username to identify the billing account, the same as all other ISPs do.

In the case of Telstra, as stated in the Telstra's Bigpond Member Agreement [3], Bigpond customers can pay Internet access charges by having same billed to either a Telstra telephone account number or to a credit card. However, even when the charges are billed to a telephone account, the Internet username is used to identify the billing account, not the calling number. This is made clear in the Member Agreement which states:

"13. If you nominate a Telstra [telephone] Account Number [for billing], you will be allocated a unique identifier Internet and Data Service Number ('IDS Number'). You authorise us to charge all fees incurred for use of the Service through your member identification and password to your IDS Number".

In other words, the username (member identification) and password are used to identify the customer's unique IDS Number which is linked to the Telephone Account Number that the customer has nominated for billing of the cost of Internet access. In this way, customers can have the convenience of one bill for both telephone calls and Internet access, and can dial in to the Bigpond service from anywhere in the country. Telstra does not need to know, nor do they even use, the number a Bigpond customer is calling from for billing purposes.

In summary, ISPs do not need, and do not even use, calling numbers for the purpose of billing. A claim that calling number information is necessary for "billing" is often actually a claim that the information is needed for the purposes of credit control.

Credit Control

Some ISPs claim calling number information is necessary for credit control. However, calling number information cannot be used to control an ISP's provision of credit unless a customer has informed the ISP, in advance, of the number/s from which they will dial in (which is problematic if not impossible, for example, for customers who travel). Otherwise, at most, calling number information may be of some help in attempting to resolve a particular billing dispute between a customer and an ISP.

For example, if a customer disputes a bill from their ISP, on the ground that they were not logged in to the ISP system at a particular time, an ISP can use calling number information received at the time of the disputed login to see if the incoming call was from one of the telephone numbers normally used by the customer.

However as calling number information does not identify the individual who made the call, only the telephone number/service used to make the call, it cannot be used to conclusively prove whether or not the customer was using that telephone service to log in. The customer could have been using someone else's telephone service (e.g. calling from a hotel or friend's home), or someone else could have been using the customer's telephone service. Some ISP's may be willing to make assumptions in this regard and withdraw a charge for a particular login, and some customers of such ISPs are likely to be happy to provide calling number information in case it may turn out to be useful in a future dispute concerning a charge by the ISP. It is not a legitimate ground for over-riding a customer's choice to block calling number information, nor for requiring all ISP customers to provide calling number information to ISPs.

An ISP who wishes to provide an enhanced service to customers by preventing logins to a customer's account from calling numbers not previously notified to them by the customer, can provide such a service without carriers over-riding call blocking and without ISPs collecting blocked numbers without consent. Customers who desire such a service, even if they have a permanent block on their line, can dial the blocking over-ride code. Such an enhanced service is provided by, for example, WestNet who state:

"CALLER ID AUTHENTICATION
Caller ID Authentication is a feature that can be enabled on any dial-in Internet account to increase security for customers. This feature makes it possible to dial into your Internet account from only one phone line, meaning that even if your username and password is compromised*, people will not be able to use your account.
Please note this service is not available to users of our National service." [4]

It is notable that the enhanced credit control type service is not even available on WestNet's National service, which uses 01983 dial in numbers provided by Comindico and Telstra.

Call Management and Route Selection

Some ISPs say they "need" calling number information for "call management". This means they "need" it because it is useful to them for the purpose of offering value added services to their customers, such as "managing" calls by restricting logins to calls from customer pre-notified numbers, as discussed above.

Others refer to "call management and route selection". However, CLI (which includes calling number information) is a telephone network signalling capacity. CLI data is not used for route selection or routing traffic around the Internet. The telecommunications network providers across whose networks Internet traffic flows have no need to know dial-up Internet users' calling numbers.

A claim that ISPs need calling number information for "call management and route selection" means they "need" the information for the purpose of offering a value added service. The ISP does not use the calling number for routing or re-directing the call to another number, they simply prevent calls from connecting to a particular number. For example, calling number information can be used by ISPs who wish to offer a service that automatically checks whether their customer is dialling into the correct POP (ISP point of presence). If they are not, they could be charged STD call rates by their telephone service supplier, not by their ISP. This is not "routing" of a call, although it is what some ISPs refer to when asked how they use and why they claim to "need" calling number information for "call routing". The service is useful for customers who want to avoid the risk of accidentally dialling a non local number to log in and who are willing to provide calling number information to their ISP in order to use the checking service. It is not a legitimate ground for over-riding a customer's choice to block calling number information, nor for requiring all ISP customers to provide calling number information to ISPs.

Moreover, in the case of calls made to 01983 numbers (such as to the MegaPoP and similar services), calling number information is not necessary, and is not even useful, for the above purpose. The ISP's customers cannot be charged long distance call fees because telephone call service providers are prevented, by law, from charging more than the cost of a local call for calls made to 01983 numbers.

Furthermore although OptusNet claims [2], in response to the question "Why does OptusNet collect my Calling Line Identity (CLI)?", that they collect calling number information "even if you have blocked your CLI" because it is "used to direct your call to the nearest Local Access Point", it is not necessary for OptusNet to collect such information. When a caller dials an 01983 number, as used by OptusNet, the telephone network signalling system uses CLI to direct the call to the appropriate (usually nearest) terminating telephone exchange to which, for example, an OptusNet "Local Access Point" is connected. There is no need whatsoever for Optus to transmit the calling number information from the terminating telephone exchange to the called party (i.e. to OptusNet or any other ISP customer of Optus). The same applies to Telstra and calls to customers of its MegaPoP service; the telephone network signalling system directs calls to a relevant terminating exchange to which a MegaPoP access point is connected.

In this regard, 01983 numbers are no different from 1800, 13 and 1300 numbers. Prior to CND Services being permitted to be introduced in Australia in 1997 Optus and Telstra were required, by the Minister for Communications, to undertake to comply with the AUSTEL Privacy Advisory Committee Guidelines which stated, in part, "line and per call blocking must be able to be implemented and be effective on all calls, including calls to Intelligent Network services (IN services) such as 1800 and 13 services". 01983 services did not exist in 1997, if they had no doubt 01983 would have been listed as another example of IN services.

No doubt some ISPs receive complaints from customers who have dialled a non-local charge number and later received an unexpectedly high telephone bill from their telephone service supplier, not the ISP. However, ISPs should be capable of explaining to customers the importance of dialling the correct/local number and, if possible, offering an opt-in automated check service for customers willing to provide calling number information. That some ISPs may not bother to explain this, and/or some customers may not take sufficient notice of information provided, is not a valid justification for ISP customers to have no choice regarding disclosure of their calling number information. It is important to remember that it is not necessary for ISPs to know their customers' calling number in order to bill them for dial-up Internet access services, and, if a customer disputes call costs on their telephone service bill, such a bill is received from their telephone service provider, not from their ISP. It is the customer's responsibility to familiarise themselves with the cost of calls to particular numbers. If some do not, that is not a justification for telephone call carriers to over-ride the privacy choice of every caller who wishes to block their calling number.

Fraud Prevention

Some ISPs claim they "need" calling number information for the purpose of "fraud prevention".

However, ISPs cannot use calling number information to prevent fraudulent use of a dial-up Internet access account unless the particular customer has previously notified the ISP of the number/s they will be calling from, as discussed in relation to credit control above. Customers who wish to receive this type of value-added security protection (and do not travel or otherwise call from numbers not known in advance) can be advised by the ISP that if they have line blocking implemented, they will need to dial the unblocking code in order to use their Internet access account.

Fraudulent use of a dial-up account can occur when an unauthorised person has (by stealing or guesswork) obtained and used another customer's username and password. If an ISP knows the calling number/s used by the authorised user/s of an account, the ISP can configure its login facilities to prevent that account's username and password from being used by persons calling from any other telephone number. This type of value-added service does not justify over-riding customer choice to block their calling number. Moreover, many Internet users dial in from different numbers at different times (e.g. those who travel) and do not know the number in advance, and in any case, do not wish to disclose calling number information which can enable data matching and identification/tracking of a customer's physical whereabouts from time to time.

There are a number of non-privacy intrusive means of significantly minimising the potential for unauthorised use of usernames and passwords, such as requiring customers to use passwords that are not easily guessed (and technically preventing use of passwords that consist of ordinary words, etc.) and educating customers about the need to keep passwords secret. There are also less privacy invasive reactions to an instance of use of a stolen password, such as simply changing the password, and also the username if considered necessary.

This type of "need" for calling number information is no different from any other organisation claiming they "need" calling number information from everyone who uses their services in case someone uses a stolen account ID and password to access services provided by telephone, or uses a stolen credit card when paying for goods or services by telephone. When ISPs receive calling number information with an incoming call they are the end-recipient of a call just like any other organisation that receives calling number information. For example, banks in Australia that provide telephone banking services do not (and are not permitted to) make it a condition of use that their customers present calling number information in addition to an account ID and PIN/password. ISPs are not special and should not be permitted to invade an individual's privacy without consent any more than any other business.

Except in very limited circumstances as set out above, provision of calling number information to ISPs cannot prevent fraud. It cannot prevent fraudulent use of an Internet access account, nor of any online service accessible after a customer has logged in. At best, calling number information can be used to investigate a specific instance of fraud after the event, but it does not provide proof as to who was using the telephone service to dial in to an ISP's system.

It should also be noted that provision of calling number information to dial-up ISPs cannot prevent fraudulent use of the telephone service to which the calling number information relates, nor prevent the fraudulent use of telephone service networks in general.

Spam Prevention

Some ISPs have called for mandatory provision of calling number information to ISPs on the claimed ground that this would reduce spam (unsolicited bulk email).

According to newspaper reports [5] in 2002, the principal advocate of this largely ineffective, and highly privacy invasive, idea is Justin Milne, who at the time was Chair of the Internet Industry Association (IIA) and CEO of OzEmail ISP (until October 2002, subsequently head of Telstra Bigpond as at mid 2003). OzEmail has long been widely criticised for allowing spammers to use its mail servers. As a result, other ISPs have from time to time blocked all email from OzEmail mail servers [6]. Eventually, in June 2002, OzEmail announced "Spammers tend to use pre-paid accounts to send their junk email, so we have re-engineered our pre-paid products to make spamming very difficult - if not impossible" [7]. OzEmail were evidently able to do that without receiving blocked calling number information.

Mandatory provision of calling number information to ISPs, or anyone else, will not reduce spam and is an extraordinarily privacy invasive idea for dealing with the spam problem - a problem that could be significantly reduced by far more effective, non privacy invasive, means. Detailed information in this regard is contained in EFA's submission to the National Office for the Information Economy (NOIE) which is available at:

EFA Submission to NOIE re NOIE Spam Review Report, 16 Sept 2002
   http://www.efa.org.au/Publish/efasubm_noiespam.html

Law Enforcement

Claims that ISPs "need" to routinely collect calling number information from every Internet user for law enforcement purposes are not factual. Such routine collection breaches the National Privacy Principles in the Privacy Act 1988 and is not required or even authorised by the Telecommunications Act 1997. It should be noted that ISPs are authorised on lawful request of a law enforcement agency to collect calling number information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity. This is an entirely different matter from routine collection of all calling numbers.

Conclusion

Calling number information is not necessary for the operation of dial-up Internet access services and is rarely, if ever, even useful in the absence of the relevant customer's prior knowledge and consent.

The fact that ISPs, just like any other recipient of telephone calls, can use calling number information for the purpose of offering value added services to their customers is not a legitimate reason for over-riding a caller's choice to block calling number information, nor for requiring all ISP customers to provide calling number information to ISPs. The privacy choices of Internet users and telephone service subscribers who do not want an ISP and/or their staff to see and collect the calling number must be respected to the same extent as any other telephone caller's privacy choice.

Any ISP who claims to need blocked calling number information to operate their business must be required to publicly explain exactly why the service cannot be provided without receipt of that personal information without the customer's prior consent. Subjecting such claims to scrutiny will show that the information is not necessary other than because a particular ISP has decided to configured its system to reject calls that do not present calling number information, thereby intentionally discriminating against callers who choose to block their calling number. Such discrimination is in breach of Clause 5.8.1 (previously 4.20) of the ACA registered and enforceable Calling Number Display Industry Code.

References:

  1. Telstra Detrimental Effect Advertisements (469 Kb)
    http://www.telstra.com.au/sfoa/docs/detr-ads.doc
  2. OptusNet 0198 331 111 Frequently Asked Questions
    http://www1.optusnet.com.au/helpdesk/0198faqs.html
  3. Telstra's Bigpond Member Agreement
    http://www.bigpond.com/home/access/join/memberagreement/default.asp
  4. WestNet
    http://www.westnet.com.au/products/additional/other/default.shtm
  5. Media Report extracts
    http://www.efa.org.au/Issues/Privacy/cndnomand.html#media
      The Australian IT, ISPs want caller ID, Caitlin Fitzsimmons, 25 June 2002
      Sydney Morning Herald, Big Brother is looking to read your e-mail, Nicole Manktelow, 7 May 2002
      The Australian IT, Spying deal between police, ISPs, Kate Mackenzie, 23 Apr 2002
  6. OzEmail subscribers blocked by US provider, Dan Warne, Whirlpool, 17 Jan 2002
    http://whirlpool.net.au/article.cfm/702
  7. OzEmail Fighting Spam, OzEmail Newsletter to Customers, 13 June 2002
    http://www.ozepay.com.au/newsletter/ozemail/20020613/view/news
    OzEmail increases anti-spam arsenal, OzEmail Media Release, 2 Mar 2002
    http://www.ozemail.com.au/info/about/mediarelease/mediarelease2002/mar02-1.html


You are here: EFA Home » Issues » Privacy » Calling Number Display » Complaints re blocked calling number disclosure » Attachment 4