Attachment 1

Privacy risks of supply of blocked calling numbers to ISPs

25 July 2003

[Note: This document is an edited version of Attachment 1. Some private information is not included in this version.]

The disclosure of blocked calling number information to dial-up Internet Service Providers ("ISPs") poses serious real-world risks and consequences to individuals. This paper provides information about the risks and related matters.


Overview

The disclosure of blocked calling number information to ISPs poses serious real-world risks and consequences to individuals.

The potential impact on the privacy and well-being of individuals arising from ISPs having access to silent and other blocked calling number information, without the individual's consent, is significant because:

  • ISPs already have a massive amount of information about individuals, as well as the ability to datamine and datamatch;
  • an ISP having access to blocked calling number information operates on a practical level much like a "reverse phone-book". It can be used by an ISP staff member, or a temporary contractor, or anyone obtaining unauthorised access to the information, to match an anonymous arbitrary identifier (phone number) to a real-world identity and to the physical whereabouts of an individual;
  • some ISP owners and/or staff fail to recognise that blocked calling number information may be personal information about a person who is not their customer and disclosure of same to their customer or to someone else could result in blackmail, stalking, bodily harm or worse;
  • the risk of unauthorised use and disclosure is high because:
    • statements made by some ISP owners and/or staff in public discussion forums have indicated they have little knowledge about their privacy protection obligations under telecommunications and privacy laws. Anecdotal evidence and reports suggest that quite a number of ISP personnel may lack such knowledge due to complexity of the relevant laws and insufficient, if any, training;
    • privacy-related provisions of legislation applicable to ISPs are complex due to the inter-relationship of the Telecommunications Act 1997 and the Privacy Act 1988, and some aspects can seem contradictory prior to detailed analysis. This can cause difficulties for some ISP personnel in attempting to understand their obligations and may result in incorrect interpretation and unlawful use and disclosure of personal information;
    • many ISPs do not have in-house legal counsel, unlike large telephone call carrier corporations, and the high cost of legal advice may discourage some ISPs from seeking same instead of relying on their own interpretation of the laws which may not be correct;
    • a significant number of ISPs do not restrict access to log-in records (which include calling number information) to specific authorised staff who have received training concerning their privacy protection obligations. In such instances, calling number information is usually accessible by technical support and help desk staff, technical contractors and consultants, etc. Allegedly many such persons have not received training concerning privacy protection laws;
    • some, perhaps many, ISPs store log-in information including user names and blocked calling numbers on computers connected to the Internet which carries a risk of unauthorised access by crackers and hackers;
    • approximately 70% of 563 ISPs (as at September 2002) are most likely to be small businesses that are exempt from compliance with the Privacy Act 1988, including from the data security (NPP 4) provisions requiring an organisation to protect the personal information it holds from unauthorised access, misuse, and modification.

A number of the above matters may also apply to other businesses who receive calling number information via a CND Service. However, non-ISP businesses receive calling number information with the consent of the caller - they do not receive silent and other blocked calling number information and nor should ISPs.

Further information regarding the above follows.


Factors affecting risk of unauthorised use and disclosure

Lack of knowledge by some ISP personnel of legislated obligations

A paper presented to an IIR Privacy Law Conference in May 2000 by the then General Manager of OzEmail ISP, states that OzEmail was not then required to comply with the privacy protection provisions of the Telecommunications Act 1997, although all ISPs had been required to comply since 1997. The General Manager said:

"...And here's the somewhat scary bit. We [OzEmail] have the username and password for every one of our users; we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web - every page, every newsgroup, every picture they look at. We could read all of their mail and know all about their romances and the jobs they're applying for.

The commercial opportunities arising from this are endless, of course. We could watch what each of our customers does, and then just pop them a quick email that says, 'Oh - we see that you just bought a nice new pair of brown boots. One of our other merchants just happens to have a special on black socks - just follow this link.' Or 'We see that you've been looking at dirty pictures tonight - in fact the sixth and 10th pictures you looked at were over the top and you're busted.' In short there's not much we couldn't find out about the online life of our customers - and remember, in a few years our customer base will represent a sizeable chunk of the Australian population. A chunk about the size of NSW for example. This is becoming irresistible to both marketers and governments, who often share the view that they have a God given right to access private information about the general public.

Then, of course, we could go in for a bit of datamatching, where we instruct our databases to match names, products and addresses with other databases. String three or four conditions together in a query which trawls two or three databases and you get amazing pinpoint clarity. The accuracy of this kind of targeting truly provides the so called 'market of one'. And the nature of the net means that the marginal cost of marketing to the next market of one is effectively zero.

And right now in Australia there is almost nothing to stop us from doing this. Nearly all of Australia's privacy legislation is pointed at government. Private corporations can effectively do what they like - with the exception of a few telcos who are caught by the Telecommunications Act 1997 (Cth)."

(OzEmail - an ISP's approach to privacy, Privacy Law and Policy Reporter 26, 2000, http://www.austlii.edu.au/au/journals/PLPR/2000/26.html)

It is hoped that since May 2000, the ex General Manager of OzEmail (subsequently head of Telstra Bigpond ISP) has not been further promulgating the impression that the Act only applies to telcos. ISPs are Carriage Services Providers and as such all 600 or more of them in 2000, were and still are, also "caught by the Telecommunications Act 1997". His view in relation to customers' privacy appears to have changed since 2000. During 2002, remarks attributed to OzEmail's then General Manager in newspaper reports suggest he considered ISPs have a God given right to know the telephone numbers customers are calling from (in addition to everything else ISPs can already know about customers). He was the most publicly prominent campaigner during 2002 for mandatory provision of calling number information to ISPs, apparently because OzEmail chose to sell anonymous pre-paid accounts, some of which were reportedly being used by spammers.

Questions and comments indicating that some ISP personnel are not aware of the laws prohibiting disclosure of calling number information have been quite common in ISP online discussion forums. Examples of responses to same, demonstrating the type of discussion that occurs, are below.

"Date: Tue, 14 Aug 2001 19:14:31 +0930

On Tue, Aug 14, 2001 at 04:37:57PM +1000, [...] wrote:

> I wonder if any ISP supplying on-line access for their clients to check on
> their account usage has left in the cli info from the radius records?
> One could naturally presume that a client would be allowed full access to
> their own radius log.

One could *not* naturally presume that, [...] . That's what this entire bloody thread is about (and has been about every other time it's surfaced on this mailing list).

If someone is using your network without the permission of an account holder, you're STILL REQUIRED TO PROTECT THE PRIVACY OF THE UNAUTHORIZED USER. You may divulge information to the Police as part of a law enforcement investigation, but you MAY NOT DIVULGE IT TO THE ACCOUNT HOLDER, or more or less anyone else.

It astonishes me that after all these years there are so many people who simply refuse to believe that carriage service providers can revoke their privacy obligations simply because of the actions of some unknown third party. It's really simple: Everyone who uses your network has a legislated expectation of privacy, even if they're not authorized to be there. And information gathered in the course of someone's use of the network belongs to *YOU*, not to the person who owns the account that utilized the network, so account holders can't claim some kind of right of ownership over their own logs.

If you don't want an unauthorized user on your network, complain to the police. If your customer doesn't want an unauthorized user using their account, change their password and get them to complain to the police. You can divulge all the calling records you like to the cops if they come to you with a Section 282 declaration.

Why are there so many people working for so many ISPs who have some kind of emotional attachment to the idea of giving out caller-ID records? It's the only thing I can think of to explain the utter refusal to accept that it's against the law for Carriage Service Providers to divulge caller information about users of their network."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00376.html)

While the context of the above concerned possible unauthorised use of an account, in numerous cases the calling number information can be used to identify an individual who is not using the account illegally and who is not the ISP's customer. This matter is addressed later herein.

Furthermore, as others have pointed out on ISP discussion lists, ISPs can deal with suspected unauthorised use of an account without breaching the law by disclosing calling number information. For example:

"Date: Wed, 15 Aug 2001 09:48:54 +1000

> > The onus is on YOU, not them, to show that you're charging them $X this
> > month because they made "the following calls on the associated dates and
> > times for Y number of minutes".... plus GST. :)

> Yup, and I can do that without caller-ID. I mean, ferfuxake, I've been
> doing that since before caller-ID was even available, so I can't think
> why it'd suddenly be necessary to provide it to customers now when a few
> years ago I didn't even have it to give out!

Spot on [...] . It always amazes me when this thread comes up (over and over and over ....)

In the days when I ran an ISP the response to a customer's enquiry was
(a) Provide a list of time/date/duration of all sessions (available on-line anyway)
(b) If a session is identified by the customer as being inaccurate yet the records show CNID being their normal number, tell them so
(c) If it's another number, tell them as much and let them know that by law you cannot provide the number to them but you will certainly help the police in any way you can if they choose to pursue the matter.

You can neither do, nor be expected to do, anything more."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00394.html)

Obviously, it occurs to those who ask questions that there may be a law prohibiting disclosure by ISPs of personal information. One can only speculate about how many of the staff of Australia's 563 ISPs (as at September 2002) do not even think of that or believe they are not required to comply, for example, as a result of the OzEmail General Manager's statement in 2000 as referred to earlier herein. (Also, it should be noted that the ISP discussion mail lists referred to in this document are merely discussion forums that some ISP staff and other people choose to participate in.)


Incorrect assumptions about calling number information by ISPs

A number of ISPs apparently assume that their customers will have no objection to their collection of a customer's silent or other blocked calling number without the customer's consent or knowledge because:

"I _already_ have their phone number, be it silent, unlisted, or whatever. If I don't get a valid number on their application form I believe I have the right not to accept their application."
(http://archive.humbug.org.au/aussie-isp/1999-07/msg00851.html)
----
"Very soon OzEmail will commence a test with Telstra that will activate Caller Line Identification, or CLI, for all calls to our POPs... [emphasis added]
This test will not provide us with any information that we don't already have from our users. We ask all subscribers for their phone number when they join..."
(OzEmail Newsletter, Sep 2002, http://www.ozepay.com.au/newsletter/ozemail/20020923/view/news - Dead URL)

However, such an assumption is incorrect. In many instances the ISP will not already have the number the person is calling from. Examples include:

  • An individual may use their account from a new temporary location such as a friend or relative's home, a workplace (including a temporary workplace, e.g. contractors/consultants), a university or school, a hotel, an airport lounge, etc. The individual may not wish to give the ISP the temporary number from which they are dialling, or the friend/relative etc may have a silent or other blocked number and not wish their number to be provided to the other person's ISP.
  • An individual may have more than one telephone line installed in their home or office and a contact number provided to the ISP may not be the number from which they dial in.
  • An individual may provide their ISP with their mobile number for contacting them for a variety of reasons including that some individuals are often dialled in from their landline. If an individual emails their ISP requesting technical support, and the ISP chooses to respond by calling the customer's landline number, the ISP is likely to find that number is engaged.
  • etc.

Security of calling number records held by ISPs

Some, perhaps many, ISPs store log-in information, including user names and blocked calling numbers (if the ISP is receiving same as a result of carriers over-riding blocking), on computers connected to the Internet, which carries a risk of unauthorised access by crackers and hackers.

Furthermore, it appears some believe they can simply disclaim any obligations to protect the confidentiality and security of calling number information. For example, the following discussion took place on an ISP discussion mail list:

"There also exists the possibility that the ISP concerned might have as part of their T&C the requirement that all calls must present Caller ID."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00374.html)
----
"There are swings and roundabouts here too. By advising people with silent numbers to activate caller ID whilst calling your RAS you are accepting a duty of care over the secrecy of that number.

At the very least this implies that if the machine carrying the log files is cracked you then have an obligation to inform all those clients.

Those clients may well expect you to take the same care of that number as a telco does. For example, by keeping the logs on a machine on its own management network, distinct from the Internet, as is standard telco practice for computers carrying call records. You might do well to advise them if you are offering lesser security for silent number call records than the telephony system."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00374.html)
----
"That's not a bad idea, disclaiming liability on the off chance your machine with those logs is cracked, or at least may not be as secure as a telco might be."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00375.html)
----


Small ISPs exempt from Privacy Act 1988

Approximately 70% of 563 ISPs are most likely to be small businesses that are exempt from compliance with the Privacy Act 1988, based on ISP subscriber numbers published in the Australian Bureau of Statistics report, 8153.0 Internet Activity, Australia, Quarter Ended September 2002 issued in March 2003.

Prior to December 2001, such ISPs were subject to the Protection of Personal Information of Customers of Telecommunications Providers (CPI) Code of Practice enforceable by the Australian Communications Authority ("ACA"). However, the Code was de-registered by the ACA when the amendments to the Privacy Act became effective, thereby reducing the prior level of privacy protection for customers of approximately 70% of Australian ISPs.

Since December 2001 some, possibly many, small ISPs have commenced receiving silent and other blocked calling number information.

The small ISPs that are exempt from compliance with the Privacy Act 1988 are therefore not required to comply with the data security (NPP 4) provisions in that Act requiring an organisation to protect the personal information it holds from unauthorised access, misuse and modification. Such ISPs were previously subject to compliance with the identical data security provisions in the Industry Code of Practice referred to above, prior to the de-registration of that Code by the ACA.


Inter-relationship of Telecommunications Act 1997 and Privacy Act 1988

Privacy-related provisions of legislation applicable to ISPs are complex due to the inter-relationship of the Telecommunications Act 1997 and the Privacy Act 1988, and some aspects can seem contradictory prior to detailed analysis. This can cause difficulties for some ISP personnel in attempting to understand their obligations and may result in incorrect interpretation and unlawful use and disclosure of personal information.

Many ISPs do not have in-house legal counsel, unlike large telephone call carrier corporations, and the high cost of legal advice may discourage some ISPs from seeking same instead of relying on their own interpretation of the laws which may not be correct.

The Telecommunications Act 1997 is complex and reportedly in mid 2001 even the ACA and AFP had some difficulty explaining some aspects:

'Date: Tue, 14 Aug 2001 20:20:52 +1000 (EST)

On Tue, 14 Aug 2001, [...] wrote:

> If you don't want an unauthorized user on your network, complain to the
> police. If your customer doesn't want an unauthorized user using their
> account, change their password and get them to complain to the police.
> You can divulge all the calling records you like to the cops if they come
> to you with a Section 282 declaration.

Just one little thing here, by way of clarification to "the masses"... it is certainly NOT something I was initially aware of, and only after lengthy "deep and meaningful" discussion with the legals at the ACA and the AFP were we able to resolve exactly what this meant.

Allow me to paraphrase....

In short, you may only reveal such information (including, but not limited to caller-ID) to law enforcement officers and even then, only when there is sufficient "good cause".

"Good cause" is not particularly well defined. If you, as the ISP, consider that whatever the police are presenting to you as "good cause" then you are at liberty to disclose the information. However, if at some later stage, a court decides that it wasn't a sufficiently "good cause", you are in trouble.

The Section 282 certificate is designed specifically to give YOU, a completely reasonable, justifiable reason to disclose the information. It means, in essence, that someone else with legal training (hopefully) and legal power, has made that decision FOR YOU, which in effect absolves you of any and all consequential disclosure and use of that information.

In short, a S282 certificate is a very convenient "get out of gaol free" card. Sure, you CAN disclose the information to an officer of the law if they request it, and YOU think the reasons are sufficient - but remember, YOU are probably NOT legally proficient to make such determinations. ...'
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00378.html)

In addition, since the amendments to the Privacy Act 1988 became effective in December 2001, some ISP personnel may believe that the National Privacy Principle requirement to give customers access to personal information about themselves over-rides the prohibitions on disclosure of various types of information in the Telecommunications Act 1997.

The above situation has resulted in debates on discussion lists concerning whether a calling number recorded with the customer's login username is personal information about the customer or not, because personal information about another individual may also be ascertainable from the calling number. Such a discussion occurred on the aussie-isp mail list in May 2002 and included the same types of questions and responses regarding disclosure of calling number information as had occurred in previous years.

While government agencies have long been required to provide individuals with personal information held about them under privacy legislation and freedom of information legislation, such agency staff are normally trained in the need to ensure that they do not disclose personal information about other people. It is apparent from comments made on discussion lists, that there is a significant risk that some ISP personnel may not be aware that the calling number information they hold in customer records may be personal information about someone else that should not be disclosed to the customer, for example, the calling number may be used to locate the whereabouts of a victim of domestic violence.


Risks and Consequences of Breach of Privacy

The privacy risks associated with collection, use and disclosure of calling number information were canvassed at length in Australia prior to the introduction of calling number display ("CND") services in 1997. See for example the 1992 AUSTEL Telecommunications Privacy Report and the 1995 Third Report of the AUSTEL Privacy Advisory Committee. It has long been an accepted fact that the risks are such that individuals must have the right to block provision of their calling number/s.

The following sections do not re-address the many issues canvassed in the past, but discuss issues that are particularly relevant in the context of receipt by ISPs of silent and other blocked calling number information.

Identification of Individuals' Physical Whereabouts

Risk of bodily harm or death

It is a common refrain on ISP email discussion lists that a customer has complained that they have been incorrectly charged for time online or amount of data downloaded. The customer claims they were not logged in for that many hours in the month, etc. The customer asks an ISP staff member to give them the calling numbers used to log in to their account so they can see whether any of the calling numbers were not used by them. At first glance, this may sound reasonable, so it is quite possible that an ISP staff member may disclose the numbers. However, the potential danger inherent in such disclosure is as pointed out by an ISP staff member in May 2002 on the aussie-isp list:

"Date: Fri, 10 May 2002 16:07:20 +0930

> ...re disclosure of calling number information...

This comes up every now and then on various ISP mailing lists. It stems from a fundamental misunderstanding about the nature of the data kept by the ISP, the Telecommunications Act privacy restrictions, and the "owner" of the data.
...
ISPs ignore this at their peril. Let's see what can happen if they do:
- ...
- You might be unwittingly involving yourself in even worse stuff further down the line. The canonical example is the abusive husband, noticing that his ex (who went into hiding a week ago to prevent him from killing her) is still using the Internet, and who calls the ISP to say, 'I'm paying the bill on that service, I demand that you tell me the phone numbers it's being used from!' By giving him the phone numbers, you're giving him enough information to enable him to track his ex-partner down for the purpose of assaulting/maiming/killing her. Do you really want to get involved in that kind of crap, especially if the part you have played is later found to be illegal?

If you must divulge information to your customers, it's imperative that you "sanitize" it to make sure that you don't unwittingly divulge additional information which -doesn't- pertain to that person, and which is protected by the privacy act and/or the telco act."
(http://archive.humbug.org.au/aussie-isp/2002-05/msg00168.html)
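The billing-enquiry procedure quoted earlier (list the sessions, confirm when a session came from the customer's usual number, withhold any other number) and the "sanitize" advice above can be combined into a report that never carries a calling number. This is an added example, not code from the original document or from any ISP; the record layout, the function names, the sample sessions and the reading of "normal number" as a number the customer has already given the ISP are all assumptions.

```python
"""Customer-facing usage report that withholds calling numbers (illustrative)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Session:
    """One login record, using fields found in RADIUS accounting logs."""
    username: str                      # RADIUS User-Name
    start: datetime
    duration_s: int                    # RADIUS Acct-Session-Time
    calling_station_id: Optional[str]  # RADIUS Calling-Station-Id; may be absent


ON_FILE = "number on file"
OTHER = "other number (withheld)"
UNKNOWN = "no number recorded"


def normalise(number: Optional[str]) -> Optional[str]:
    """Reduce a number to digits so formatting differences do not cause
    a false "other number" result. Assumes Australian national format."""
    if not number:
        return None
    digits = re.sub(r"\D", "", number)
    if not digits:
        return None
    if digits.startswith("61") and len(digits) == 11:  # +61 8 ... -> 08 ...
        digits = "0" + digits[2:]
    return digits


def customer_report(sessions: Iterable[Session], username: str,
                    numbers_on_file: Iterable[str]) -> List[dict]:
    """Return date, time and duration for each of the customer's sessions,
    plus a three-way flag in place of the calling number.

    The number itself is never copied into the output, and distinct
    "other" numbers are deliberately not given distinguishing labels,
    so the report cannot be used to tell one third party from another.
    """
    known = {normalise(n) for n in numbers_on_file} - {None}
    own = sorted((s for s in sessions if s.username == username),
                 key=lambda s: s.start)
    rows = []
    for s in own:
        cli = normalise(s.calling_station_id)
        if cli is None:
            origin = UNKNOWN
        elif cli in known:
            origin = ON_FILE
        else:
            origin = OTHER
        rows.append({
            "start": s.start.strftime("%Y-%m-%d %H:%M"),
            "minutes": -(-s.duration_s // 60),  # round up to whole minutes
            "origin": origin,
        })
    return rows


# Constructed sample data: user names and numbers are made up.
SAMPLE = [
    Session("jsmith", datetime(2002, 5, 1, 19, 30), 3600, "08 5550 0101"),
    Session("jsmith", datetime(2002, 5, 3, 8, 15), 125, "0755500199"),
    Session("jsmith", datetime(2002, 5, 4, 22, 0), 900, None),
    Session("anon245", datetime(2002, 5, 2, 10, 0), 600, "0855500101"),
    Session("jsmith", datetime(2002, 5, 2, 7, 45), 1800, "+61 8 5550 0101"),
]

if __name__ == "__main__":
    for row in customer_report(SAMPLE, "jsmith", ["(08) 5550 0101"]):
        print(row)
```
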

Risk of blackmail and/or bodily harm

An ISP having access to blocked calling number information operates on a practical level much like a "reverse phone-book". It can be used by an ISP staff member, or a temporary contractor, or anyone obtaining unauthorised access to the information, to match an anonymous arbitrary identifier (phone number) to a real-world identity and also their physical whereabouts.

For example, some individuals publish a silent phone number for clients to contact them on (and some use a business name or pseudonym, not their own name, when advertising). It is possible for an ISP staff member/contractor to obtain these individuals' real names, addresses, credit-card details, etc, by matching the published telephone number against telephone numbers dialling into the ISP service (in cases where the person dials in from the published number). It would not be possible for ISP staff/contractors to do this if carriers were not over-riding blocking and disclosing silent numbers.

Alternatively, an ISP staff member/contractor could match the IP address being used by an otherwise anonymous participant in online activities such as Internet Relay Chat ("IRC"), Instant Messaging (such as ICQ, AOL Instant Messenger, MSN Instant Messenger), or sending and receiving emails, against the ISP's login records to find out the number the person dialled in from, which may then be used to find out the person's physical whereabouts. This information may be information that would not be ascertainable by the person without knowledge of the blocked calling number.

The calling number may not be the number given to the ISP, if any, as a contact number (a mobile or business hours number may have been provided). The person's physical location may be a different address from the one provided to the ISP for billing purposes. Both addresses may be valid addresses for contacting the individual but the one identified from the calling number may be confidential for personal safety reasons.

One example of a class of individuals who are particularly vulnerable to blackmail and/or physical harm, as a result of their silent or other blocked number and physical location/address being identified in this manner, is sex-workers and their clients, many of whom use the Internet to communicate. Examples of other classes of at-risk individuals because discovery of their location may be followed by bodily harm, or imposition of pressure intended to repress the person's behaviour, include victims of domestic violence and stalking, people in sensitive occupations such as psychiatric health care, women's shelters, prison management, counsellors, VIPs, celebrities, politicians, notorieties, political activists/lobbyists, gay and lesbian people, whistleblowers, protected witnesses, judges and other court officials, ex-criminals trying to go straight and avoid their previous colleagues, probation officers, undercover law enforcement and security officers, etc.

Many ISPs have no internal security measures on the databases containing calling numbers and other personal information and numerous technical support staff and temporary contractors have access to same. While no doubt the vast majority of ISP employees would not engage in extortion, ISP staff turnover is high and no ISP can be certain that an employee will not discover, for example from online chat forums, that a customer is a sex-worker or another person who may be vulnerable to a threat to publish their confidential number and physical address (which would have become ascertainable by an extortionist as a result of carriers over-riding blocking).

Tracking/Monitoring Individuals' Physical Whereabouts

In the case of individuals who dial in from more than one telephone number, data-matching using calling number information can give an ISP staff member a picture of an individual's offline life, including:

  • where the user is at the time they are logged in, e.g. in another city not where they live (and possibly exactly where);
  • whether at particular times or on particular days, the user logs in from a number other than their home number (and possibly exactly where);
  • that two or more users dial in from the same phone number, and so evidently user anon245 lives at the same address as John Smith (another one of the ISP's customers);
  • that John Johnson intermittently dials in from the calling number usually used by Jane Anderson, and so they apparently know each other;
  • etc.

In short, calling number information can tell ISP staff where an individual works, where they travel to, when and how often, that they sometimes or often log in from the home of another one of the ISP's customers, and so on.

The level of risk to individuals' privacy and well-being inherent in ISP staff having access to such information depends on the extent to which all such people can be trusted to protect privacy and whether any of them have nefarious intent. Neither the individual customer, nor the ISP employer, can know that with 100% certainty. Perhaps they sell the calling number information to telemarketers, or sell information about users' offline activities to marketers. (Oh, there's a law against that? Never mind, very unlikely the ISP's customer will find out who facilitated the invasion of their privacy). Perhaps a user's home is broken into while they are interstate. Perhaps it's leaked to the press that every time Mr Smith travels interstate, Mr Black visits Mrs Smith (Mr Black and Mrs Smith both log in to their accounts from Mrs Smith's phone). Such information may be quite valuable information if any of the individuals are public figures. The list of potential misuse of personal information could go on.

Privacy risks also arise because the Internet can be a very small world. Individuals may find themselves participating in Internet discussion forums where staff of their ISP also participate. An individual may choose to participate using a pseudonym, but an ISP staff member with natural human curiosity is able to find out who the person is from the IP address and calling number information can provide them with additional personal information about the individual's offline life. It has not been uncommon to see arguments break out as a result of difference of opinion and there is a risk of sensitive personal information (obtained as a result of access to blocked number information) being published spitefully in such forums by an ISP staff member - many of whom have the technical knowledge enabling them to do so with minimal if any risk of being identified.


Ease of identifying individuals and/or whereabouts

It is trivially easy to identify some, probably many, individuals by typing a telephone number into an Internet search engine and Australian reverse lookup phone directories are available for as little as $91.

Further, ISPs can use their customer databases much like a reverse lookup phone directory. For example, during 2002 an ISP remarked on an ISP discussion list that he was surprised to discover, by using calling number information, how many customers had dialled in from the same number as another customer.

In addition, comments are posted from time to time on ISP discussion lists indicating the ease with which even silent/unlisted numbers can be used to identify individuals and/or their residential address. For example:

"I'm NOT about to suggest how to [convert a silent number into a street address] or anything, but the last time I tried it (in a case of fraud against me) I was surprisingly successful.
I went back to the police after my initial discussions with them, and in the space of about 2 hours, without any 'friends in high places' - indeed, without talking to /anyone/ I knew - and handed the detectives names, addresses, 3 known aliases, Date of Birth and other information obtained freely. The detectives were very impressed - as I had come up with more information on the offender than they had in their system (and with one of the aliases linked him to a string of prior offences). They did ask how I'd uncovered such information, but I declined to share it - except to reassure them it was all done legally.
You need only think 'outside the square' to get a lot more information than you'd think possible."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00366.html)
---
"> It's trivial if you know somebody who works at the appropriate telco, and
 > that person is willing to risk prosecution by providing the data to you."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00365.html)

"Not even that. Just call [a pizza shop] and order a pizza for that telephone number. Half the time they'll read out the address to confirm with you."
(http://archive.humbug.org.au/aussie-isp/2001-08/msg00421.html)
---
"> Oh, and apart from the 160,000 people working for telstra. If you
> have the faintest belief that a 'silent' number will stop anyone who
> has an interest in you, getting your number, you must be using a
> totally different Telstra than the one the rest of Australia is using.
(http://archive.humbug.org.au/aussie-isp/1999-07/msg00859.html)

Agreed - one of our staff (a couple of years back) had a customer call him at home one night. He had a silent number that had only been connected days before. Telstra gave it out (the customer admitted calling a friend of his within Telstra who looked it up)."
(http://archive.humbug.org.au/aussie-isp/1999-07/msg00942.html)
---

(Obviously a name or address could be obtained from a silent number in the same way.)


Conclusion

As detailed above, there are significant risks to privacy and individuals' well-being inherent in the provision of silent and other blocked calling number information to ISPs. Even if all ISPs and their staff were knowledgeable and well trained in relation to privacy risks and privacy protection laws, the best way to avoid the risk of someone breaking the law and disclosing personal information about someone else is not to provide them with personal information that they do not need in the first place.

There is no need for individuals' privacy and well-being to be placed at greater risk by ISPs having access to blocked calling number information. ISPs do not need to receive silent and other blocked calling number information for the provision of dial-up Internet access services, and none of the personal information ascertainable by use of calling numbers is any of an ISP's business.