Privacy invasions: Blocked Calling Number Disclosure to ISPs
Last Updated: 6 Sep 2004
If you have a silent (unlisted) telephone number, or have a Calling Number Display ("CND") block on your number, telephone companies may be over-riding your privacy choice when you or anyone else uses your telephone line to dial up an Internet Service Provider ("ISP") to log on to the Internet.
This invasion of privacy is occurring despite the fact that since Calling Number Display was introduced in Australia in 1997, telephone callers have had a right to protect their privacy by blocking the transmission of their telephone number (CND information) to the end-recipients of their telephone calls. Telephone companies have been and still are required to respect and implement callers' privacy choices.
Nevertheless, in 2002 the Internet Industry Association of Australia ("IIA") commenced attempting to take away Internet users' existing privacy rights and has, to date, been partially successful. IIA wants provision of silent and blocked calling numbers to ISPs to be mandatory. Hence, under IIA's plan, all Internet users would be treated as second class citizens with less privacy rights than other telephone callers.
In 2002 and 2003, Telstra, Optus, Comindico (and possibly other telephone call carriers) started intentionally over-riding CND blocking on dial-up calls to some, not all, ISPs resulting in silent/unlisted numbers and other CND blocked numbers being disclosed to those ISPs. This affects dial-up Internet users and also other telephone service subscribers who allow someone else (e.g. flatmate, partner, child, etc.) to use their telephone line to connect to the Internet.
Telstra commenced routinely over-riding telephone callers' clearly expressed privacy choices in, apparently, approximately October 2002 according to media reports. Subsequently Telstra issued a newsletter with telephone bills which stated, in miniscule print in a footnote, that Telstra's Line Blocking Service is "Not available for calls to 000 or MegaPoP National access service" (Telstra News, Issue 8, December 2002/January/February 2003), notwithstanding that line blocking had been available and operative during the prior two years since Telstra launched its MegaPoP product in 2000. This means that Telstra is now over-riding CND blocking when it delivers calls to Telstra's Bigpond and to 01983 numbers used by ISP customers of Telstra's MegaPoP product. Optus commenced over-riding CND blocking on calls to OptusNet's 01983 number in late May or early June 2003. Comindico over-rides CND blocking when it delivers calls to its ISP customers who use 01983 dial in numbers. Apparently Comindico also over-rides CND blocking on calls to other (non-01983) numbers, according to information received by EFA from a number of ISPs.
EFA believes that:
- telephone companies routinely disclosing silent numbers and other CND blocked calling numbers are in breach of the Calling Number Display Code Industry Code (enforceable by the Australian Communications Authority) which requires telephone companies to ensure callers can block transmission of CND information to end-recipients of calls and are also in breach of Part 13 of the Telecommunications Act 1997 and the Privacy Act 1988;
- ISPs collecting blocked CND information are in breach of the National Privacy Principles (NPPs) in the Privacy Act 1988 and that the provisions of Part 13 of the Telecommunications Act 1997 do not authorise ISPs to collect blocked CND information or any other personal information that is not necessary for the provision of dial up Internet access services.
For more information in the above regard see: EFA's submission to ACIF re ACIF's draft revised Calling Number Display Industry Code C522, 2 Nov 2002.
A complaint was made to the telecommunications regulator, the Australian Communications Authority ("ACA"), in mid 2003 and the ACA communicated its findings to the complainants in August 2004. The ACA's investigation into the complaint found some carriers are illegally disclosing silent and other blocked calling numbers to some ISPs. For more information, see the page about the complaints.
The overall situation appears to have originated with claims made during 2002 by Justin Milne, who was then Chairman of the Internet Industry Association ("IIA") and CEO of OzEmail (until October 2002, subsequently head of Telstra Bigpond). According to media reports, Justin Milne claimed that mandatory CND/Calling Line Identification disclosure:
- is necessary to prevent spam.
This is not factual. It is an extraordinarily privacy invasive idea for dealing with a problem that could be more significantly reduced by far more effective, non privacy invasive, means. For detailed information see EFA's Analysis: Mandatory CND disclosure to ISPs will not prevent spam, 24 Sep 2002.
- is necessary for 'law enforcement'.
This is not factual. There is no law that requires ISPs to routinely collect telephone numbers used by every Internet user for law enforcement, national security, or any other purpose. ISPs are authorised and can be required by various law enforcement agencies to collect and store CND information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity. However such laws and regulations do not require ISPs to force all their customers to provide CND information as a condition of provision of Internet access services.
In addition, a number of ISPs (by no means all) claim that CND information is necessary for billing, call management and/or call routing and so on. This is not factual either. It is not necessary for ISPs to know the telephone number a customer is calling from in order to provide Internet access services nor in order to bill their customers. For more detailed information see relevant section of EFA's submission to ACIF, 2 Nov 2002.
EFA considers these incredible claims by IIA and some ISPs need far wider scrutiny than they have received to date. The definition of "necessary" being used does not provide sufficient justification for routinely over-riding the privacy preference of every Internet user who chooses to block provision of CND information.
In 2001, a variety of criminal and civil law enforcement agencies expressed their objections to the fact that ISPs are not required by law to collect and store personal information about Internet users to a Joint Parliamentary Committee Inquiry into the "Law Enforcement Implications of New Technologies". The desires of law enforcement agencies if granted would result in a massive invasion of the privacy of the vast majority of Internet users who do not and do not have any intention of engaging in an illegal activity. The Committee issued its report and recommendations to the Government in August 2001. To date (as at 4 November 2002), the Government has not responded to the Committee's report nor have laws been enacted granting the vast majority of the law enforcement agencies' privacy invasive wishes.
Neither the Internet industry nor the telecommunications industry more generally should be willing to voluntarily collect personal information about Internet users (without consent of the relevant individual) that they do not need for the provision of a service, merely because some law enforcement agencies have been, to date, unable to convince the Government and the Parliament that such invasions of personal privacy are necessary for 'law enforcement' needs.
Furthermore, if ISPs are permitted to collect CND information regarding all of their customers without the consent of the relevant individuals on the ground that it is 'needed' for law enforcement purposes, then the same argument apparently could be applied to ISPs having a 'need' to collect and store information about every Internet user, such as copies of their emails, copies of web pages they visit, etc, in case sometime in the future a law enforcement agency asks for such information.
Forcing every Australian Internet users to present their CND information to ISPs regardless of their privacy choices is overkill. Many, probably most, Internet users already identify themselves to ISPs when opening an Internet access account. It appears mandatory presentation of CND information is only being planned and implemented because some ISPs, like OzEmail, choose to sell anonymous prepaid accounts. If this presents a law enforcement problem, the solution is a matter for public and Parliamentary consideration and debate and serious efforts to appropriately balance individuals' rights to privacy with legitimate law enforcement needs. It is not a matter for decision by an industry association or telecommunications providers.
Many Internet users (just like users of telephone lines for voice calls) have legitimate reasons for not wanting to disclose the telephone number they are dialling from that have nothing whatsoever to do with sending spam or engaging in an illegal activity. The privacy choices of Internet users who do not want an ISP and/or their staff to see the telephone number they are calling from must be respected to the same extent as any other telephone caller's privacy choice.
- EFA Calling Number Display and Privacy page.
- EFA's submissions, analyses, reports, etc. on the topic of CND.
Media reports and releases:
- Privacy battle over CLI, Kate Mackenzie, The Australian IT, 30 October 2002
- "THE Federal Privacy Commissioner has hit out at the use of compulsory caller line identification (CLI) on all phone calls to internet services providers, although Telstra has already deployed the technology.
IIA chairman [sic] Peter Coroneos confirmed that Telstra, an IIA member, had begun to prevent CLI-blocking on all calls terminating at customers of its wholesale ISP service, MegaPop."
- OzEmail Newsletter, September 2002
- "Caller Line Identification
Very soon OzEmail will commence a test with Telstra that will activate Caller Line Identification, or CLI, for all calls to our POPs... [emphasis added]
This test will not provide us with any information that we don't already have from our users. We ask all subscribers for their phone number when they join..."
[Note: The above claim "will not provide us with any information that we don't already have" appears to be false and misleading. It appears to assume that all OzEmail users always dial in from the voice contact telephone number they've provided to OzEmail (which presumably could be their home or workplace telephone number). If any OzEmail user dials in from another telephone number/line (that is unlisted/silent or has or had a CND block when the user previously dialled in from it, such as a home number when they have given OzEmail their work voice contact, or a separate line they have at home for Internet access, or from a hotel, workplace, or intermittently from a friend's home, etc), then OzEmail will be collecting information about the user that the user has not previously given to OzEmail.]
- ISPs want caller ID, Caitlin Fitzsimmons, Australian IT, 25 June 2002
- "Internet service providers are pressing Telstra to provide another weapon in the war against spam by activating caller line identification for all dial-up internet connections.
Mr [Justin] Milne [CEO of OzEmail and Chairman of IIA] said Australia had an unusual problem because internet users could buy prepaid internet packages from retail stores and use the internet anonymously. [as sold by OzEmail]
Prepaid customers were not required to provide meaningful identification such as a credit card number, and could easily fake any details required in online registration, he said.
Mr Milne said ISPs could identify seven out of 10 prepaid customers because caller line identification was active, but 'any spammer worth their salt' would simply switch it off.
Telstra spokesman John [sic] Court said [Telstra] activated caller line identification on its MegaPOP network in March - meaning Telstra Wholesale, Telstra Retail and Telstra resellers had access to the service but the rest of the ISP world did not.
[Jon Court] said Telstra had ensured all its resellers were carriage service providers and if it rolled out a caller line identification product, it would need to ensure all its potential customers were as well."
- OzEmail cuts off accused spammer, Caitlin Fitzsimmons, Australian IT, 14 June 2002
- "OzEmail has disconnected the alleged spammer at the centre of legal case about anti-spam filtering. An OzEmail spokesman said the company had disconnected the dial-up account that anti-spam activist Glenn Barry had requested be investigated.
Mr Barry confirmed his complaint was about Perth- based direct marketing firm T3 Direct. This is the third internet provider in a week to disconnect T3 for sending unsolicited bulk email or spam. ..."
- See also message posted on the joefightspam.org message board, 27 June 2002, stating:
- "Just received 'phone call from OzEmail's Customer Relations relaying a message from Ozemail Security who now confirm that the latest (last week's) Wayne Mansfield spam was sent from a Pre-Paid 'dial up' account (purchased at Harvey Norman stores etc.)
They confirm that this account has been closed AND that in future all Pre-Paid dial up accounts will have their own mail server (separate from 'normal' Ozemail accounts) which will have a limit to the number of email messages that can be sent from each account at one time."
- See also message posted on the joefightspam.org message board, 27 June 2002, stating:
- OzEmail Fighting Spam, OzEmail Newsletter to Customers, 13 June 2002
- "...we would like to reassure you that we are working very hard behind the scenes to stop spammers using our network and spamming our customers. ...
Spammers tend to use pre-paid accounts to send their junk email, so we have re-engineered our pre-paid products to make spamming very difficult - if not impossible."
- Big Brother is looking to read your e-mail, Nicole Manktelow, Sydney Morning Herald, 7 May 2002
- "While anyone using a phone can withhold their number, the IIA wants to remove this right.
'CND (Calling Number Display) could be turned on by Telstra for all calls to Internet points of presence. We want it turned on,' Milne [Chairman of the Internet Industry Association (IIA) and CEO of OzEmail] says. ...
'...The problem is that only 70 per cent of calls have it turned on,' he says."
- Spying deal between police, ISPs, Kate Mackenzie, The Australian IT, 23 Apr 2002
- "The ISP industry is considering enabling caller-line identification of phone
lines used by police suspects to connect to ISPs.
ISPs are already obliged to co-operate with federal and state crime-fighters to provide information on their customers or actual recordings of traffic when a warrant is served."
- OzEmail increases anti-spam arsenal, OzEmail Media Release, 2 Mar 2002
- "...In a sweeping review of its prepaid products, OzEmail has announced changes that, according to Mr Milne, should 'make it impossible for would-be spammers to use OzEmail prepaid as a launching pad for anonymous spam attacks.'
'All prepaid accounts will soon have chokes, filters and controls added to the server side which are designed to prevent users of the accounts from accessing alternate PoP servers or open relays,' said Mr Milne. 'In addition, throughput of mail will be limited on the OzEmail PoP server so bulk spam can't be sent.'
'These changes will not effect legitimate users but will be another step towards eliminating spam.' ..."
- OzEmail subscribers blocked by US provider, Dan Warne, Whirlpool, 17 Jan 2002
- "A giant American ISP, United Online, has taken the drastic measure of blocking all emails from Australia's second largest internet service provider, OzEmail. The block means OzEmail's half million customers are unable to send emails to around seven million US email addresses hosted by United Online (formerly NetZero/Juno).
A United Online spokesman told AustralianIT that NetZero staff had made 'numerous inquiries to OzEmail regarding unsolicited email.'
'We have sent them several requests and haven't heard back regarding this matter. Until this is resolved, emails may be blocked from them to NetZero users.'
OzEmail subscribers say the problem has been occurring for more than two months."