28 July 2003

Mr Tony Shaw PSM
Chair
Australian Communications Authority
PO Box 78
BELCONNEN ACT 2616


Dear Mr Shaw

Breach of Telecommunications Act 1997 and the Calling Number Display Industry Code (C522)

Irene Graham, Roger Clarke and David Fitch jointly lodge this representative complaint on behalf of those Australian customers of Internet Access Providers/Internet Service Providers ("ISPs") and/or of telephone call carriers who are affected or potentially affected by the practices complained of herein. For reasons set out below, the size of these classes is difficult to ascertain but the number affected could reasonably be estimated to be in the thousands or tens of thousands.

Ms Graham is the Executive Director of Electronic Frontiers Australia Inc. ("EFA"). Dr Clarke is an officer of the Australian Privacy Foundation ("APF") and a board member of EFA. However, the complainants lodge this complaint in their capacities as members of the class of people affected by the practices complained of, not in their capacity as a member or officer of an organisation. Mr Fitch is not a member or officer of either EFA or APF.

This complaint concerns collection, disclosure and use of Calling Line Identification ("CLI") information, in particular, silent and other blocked calling numbers by telephone call carriers and ISPs.

The term "blocked calling number" herein means a number from which a caller initiated an outgoing telephone call with instructions that their calling number not be displayed or provided to the called party.

The term "blocking" herein means the method by which calling number display/provision is prevented. The blocking of calling number display/provision may be effected either by way of a permanent line block or by dialling the blocking code.

This complaint is set out in the following sections:

Risks and Consequences of Disclosure of Blocked Calling Number Information

1.   As detailed later herein, some telephone call carriers are disclosing silent and other blocked calling number information to some ISPs. Some commenced doing so only in the past two months, and we understand others commenced doing so last year. We believe the vast majority of individuals who have silent and other blocked numbers are not aware that blocking is being over-ridden.

2.   The disclosure of blocked calling number information to ISPs poses serious real-world risks and consequences to individuals. We make this complaint firstly because we believe the Respondents' practices are in breach of law. Those breaches are all the more significant, however, because of the serious risks and consequences they give rise to.

3.   The potential impact on the privacy and well-being of individuals arising from ISPs having access to silent and other blocked calling number information, without the individual's consent, is significant because:

  • ISPs already have a massive amount of information about individuals, as well as the ability to datamine and datamatch;
  • an ISP having access to blocked calling number information operates on a practical level much like a "reverse phone-book". It can be used by an ISP staff member, or a temporary contractor, or anyone obtaining access to the information, to match an anonymous arbitrary identifier (phone number) to a real-world identity and to the physical whereabouts of an individual;
  • statements made by some ISP owners and/or staff in public discussion forums have indicated they have little, if any, knowledge about their privacy protection obligations under telecommunications and privacy laws. Anecdotal evidence and reports suggest a significant number of ISP personnel may lack such knowledge due to complexity of the relevant laws and insufficient, if any, training;
  • some ISP owners and/or staff fail to recognise that blocked calling number information may be information that if disclosed could result in bodily harm or death;
  • some, perhaps many, ISPs store login-in information, which includes user names and blocked calling numbers, on computers connected to the Internet which carries a risk of unauthorised access by crackers and hackers;
  • an ISP staff member/contractor or other person gaining access to an ISP's login records could match the IP address being used by an otherwise anonymous participant in an online forum or in sending emails, against the ISP's login records to find out the number the person dialled in from, which may then be used to find out their physical whereabouts. (This information may be information that would not be ascertainable by the person without knowledge of the blocked calling number.) This situation exposes a wide range of classes of law-abiding individuals to potential blackmail, bodily harm, or pressure intended to repress the individual's behaviour or speech as a result;
  • examples of classes of individuals who may be particularly at risk as a result of disclosure of their blocked calling number or use of same to identify their physical whereabouts include: victims of domestic violence and stalking, people in sensitive occupations such as psychiatric health care, womens' shelters, prison management, counsellors, VIPs, celebrities, politicians, notorieties, sex-workers and their clients, political activists/lobbyists, gay and lesbian people, whistleblowers, protected witnesses, judges and other court officials, ex-criminals trying to go straight and avoid their previous colleagues, probation officers, undercover law enforcement and security officers, etc.

4.   More detailed information concerning risks and consequences, together with supporting information and examples, is provided in Attachment 1.

General Principles

5.   The general principles at stake in the lodgement, investigation and resolution of this complaint include that:

  • The use of personal information about individuals should be limited to that for which it was originally collected, unless the owner of the information (the data subject) has given express and informed consent (AUSTEL Privacy Report 1992 [1]). This principle underlies the informed choice condition under which carriers in Australia were permitted to commence selling or otherwise disclosing individuals' calling number information in 1997. The same principle was re-endorsed by the government and the Parliament in the amendments to the Privacy Act 1988 effective from December 2001.
  • Divergences from general principles or laws governing privacy issues should occur only where the telecommunications industry is demonstrated to be unique or at least so special as to require telecommunications specific treatment (AUSTEL Privacy Report 1992 [1]).
  • Any such divergence should not occur unless it has been demonstrated that there is a public interest in permitting businesses to invade an individual's privacy that outweighs, to a substantial degree, the public interest in requiring businesses to respect individuals' rights to privacy, and that the public interest objective cannot be achieved by a less privacy invasive means.
  • Traditionally, all telephone service subscribers and users of telephone services have been entitled to the same degree of privacy protection in their use of telephone services. Carriers have not provided any legitimate explanation concerning why individuals who use a telephone service to access the Internet should have less protection in their use of telephone services than other individuals.
  • Individuals who pay for a silent/unlisted number have decided their privacy is so important to them that they are willing to pay to have their number kept private. At the time most current silent/unlisted number subscribers entered into a contract with a telephone service provider, carriers were not disclosing silent/unlisted numbers to ISPs without prior consent. Such individuals had clearly not assumed a risk of disclosure of their personal information and thus have a reasonable expectation that their privacy be protected.

Respondents and Practices the subject of this complaint

6.   The Respondents to this complaint are:

  1. the telephone call carriers Telstra Corporation Ltd, Comindico Australia Pty Limited, Optus Networks Pty Ltd, and any other carriers or carriage service providers engaging in the complained of practices (including resellers of carriers' services to ISPs) ("the carrier Respondents"); and
  2. an unspecified number of ISPs who are providers of a dial-up Internet access service, including but not limited to Netspace Online Systems Pty Ltd, Ihug-The Internet Group Ltd, Bluejoy Pty Ltd trading as Froggy ISP and Froggy Internet ("Froggy"), Telstra Bigpond, Optus Internet Pty Ltd ("OptusNet"), and other ISPs who are customers of either Telstra's MegaPoP service, or Comindico's Dial IP service, or any similar service provided by Optus or other carriers ("the ISP Respondents"). Attachment 2 contains a list of ISPs that we have been able to identify as customers of the carrier Respondents' services providing blocked calling number information and we expect there are many more.

7.   The carrier Respondents are over-riding blocking for the purpose of intentionally disclosing silent and other blocked calling number information, that they have received in the course of carriage of a telephone call over their telecommunications network, beyond the terminating telephone exchange and into the local loop, so that the called party (B-party) receives the blocked calling number. Specifically:

  • the carriers are over-riding blocking on calls terminating at 01983 numbers (and possibly other numbers). 01983 numbers are dial in Internet access numbers provided by carriers to their ISP customers and in some cases to the carriers' own subsidiary ISP. Customers of the ISP Respondents use the 01983 numbers to dial in to an Internet access service.

    The carriers have, evidently, relatively recently decided to place their ISP customers' dial in numbers in an over-ride category the same as, or similar to, that used to meet the requirement to disclose blocked calling numbers on calls made to Australian Communications Authority ("ACA") specified emergency services numbers. While over-riding blocking on calls made to emergency services is specifically authorised by Section s279(5) and s286 of the Telecommunications Act 1997, over-riding on calls made to ISPs is not; and
  • having over-ridden blocking, the carriers are disclosing silent and other blocked calling numbers to ISPs by way of:
    • providing ISPs with a CLI-based/CND Service that includes silent and other blocked calling numbers (which would not include same if the carriers had not over-ridden blocking); and/or
    • collecting silent and other blocked calling numbers from the CLI information of incoming telephone calls that terminate on (are answered by) the carrier's own telephone call answering equipment (e.g. Telstra MegaPoP equipment), and subsequently forwarding/disclosing the blocked calling number information to ISPs in a message that has nothing whatsoever to do with telephone signalling system messages.

8.   The fact that Telstra is over-riding blocking is stated in Telstra News Issue 8 dated "December 2002/January/February 2003". The newsletter states, in minuscule print in a footnote, that Telstra's Line Blocking Service is "Not available for calls to 000 or MegaPoP National access service". Since that footnote came to one of the complainant's attention in April 2003, recent further investigation has revealed that Telstra commenced over-riding blocking on calls to the MegaPoP service on Saturday 23 March 2002, the day after Telstra claims to have published a "Detrimental Effect Advertisement" [2] in the public notices section of The Australian newspaper regarding amendments to Telstra's Standard Form of Agreement, that is, blocking ceased to be effective on such calls well over a year after Telstra's MegaPoP product was launched in November 2000. Blocking has only become "not available" because Telstra has chosen to configure its telephone network/equipment to over-ride the blocking instructions it receives with telephone calls, so that Telstra can include silent and other blocked numbers in a CLI based product that Telstra has chosen, apparently for commercial reasons, to package with the MegaPoP product it sells to ISPs.

9.   Our investigations have revealed that Comindico is also over-riding blocking on calls made to, at the least, ISP customers of their equivalent of the MegaPoP product. This information has been provided to us by managers and staff of several ISPs who use Comindico's services. In addition, we have been provided with a copy of a Memorandum of Understanding for the Use of CND on the Comindico / Ozdial Networks (see copy attached). This document was provided to an ISP by Ozdial Pty Ltd, a reseller of Comindico's services, and makes clear that a CND Service (not "CLI") is being provided to ISPs. Optus is also over-riding blocking on calls made to OptusNet [3] and probably also to ISP customers of their equivalent of the MegaPoP product.

10.   Attachment 3: How CLI and CND Services Work contains detailed information in the section titled Forwarding of CLI data to Internet Access/Service Providers about the technical process by which Telstra and other carriers are taking unfair advantage of their privileged access to silent and other blocked calling numbers for the purpose of intentionally and unnecessarily disclosing same to ISPs. The attachment also explains the process used by ISPs to collect and record the calling number information. As the attachment shows, calling number information is not necessary for the provision of dial-up Internet access. That fact is also apparent from the Internet Industry Association ("IIA")'s media release [4] dated 21 July 2003 which states that IIA's draft Cybercrime Code "does not require ISPs to capture caller line identification (CLI) or caller name display (CND) data" and that the draft Code states "CLI information is generally not made available to ISPs at this stage".

11.   We allege that the carrier Respondents are in:

  • Breach of Sections 5 and 7 of the Calling Number Display Industry Code (C522) registered by the ACA on 25 June 2003 ("CND Code") (and Sections 4 and 6 of the previous Code registered in October 2001); and
  • Breach of Section 276 (or in some cases, Section 302) of Part 13-Protection of Communications of the Telecommunications Act 1997, and that none of the exemptions to the prohibitions on use and disclosure are applicable to the disclosures addressed herein; and
  • Breach of National Privacy Principles 1, 2, 4 and 8 of the Privacy Act 1988; and
  • Breach of Confidence; and
  • Breach of Common Law Right of Privacy.

12.   We also allege that the ISP Respondents are in:

13.   We also submit that some practices discussed herein may be in breach of the Telecommunications (Customer Service Guarantee) Standard 2000 (No. 2) and may also be considered a deceptive trade practice under the Trade Practices Act (C'th) and an unfair trading practice under the laws of some States/Territories.

14.   Detailed information concerning the above matters is provided later herein.

Relevance of Telecommunications Act, CND Code and Privacy Act

15.   This letter principally addresses breaches of the Telecommunications Act 1997 and the CND Code.

16.   Breaches of the Privacy Act 1988 are addressed in the attached copy of our letter of complaint to the Federal Privacy Commissioner. We request that you take into account the matters detailed in the attached letter as if they were part of this complaint, to the extent that they are relevant to this complaint.

17.   We are aware that some carriers and ISPs contend that all carriage service providers (including ISPs) are permitted to collect, disclose and use CLI information, including blocked calling numbers, for purposes listed in the CND Code.

18.   We believe that such carriers and ISPs have misinterpreted the CND Code, and even if they have not, an industry code does not permit or entitle a carriage service provider to collect, use or disclose information in circumstances that breach the law. The CND Code cannot replace or diminish the consumer and privacy protection obligations of carriers and carriage service providers imposed by the Telecommunications Act 1997 and the Privacy Act 1988.

19.   The relevant provisions of the CND Code and the Telecommunications Act 1997 are addressed below.

Breach of the CND Code

Carriers

20.   We allege that, in over-riding blocking on calls to 01983 numbers (and any other number that is not an emergency service number), carriers are in breach of the Section 5 (previously 4) of the CND Code.

21.   In particular, Clause 5.1.2 (previously 4.2) states that "Blocking of CND must be offered by Suppliers on an unconditional basis and must operate across all networks" and Clause 5.1.3 (previously 4.8) states that "Suppliers must ensure that a Permanent Line Block prevents CND for all calls made from the telecommunications service to which the Permanent Line Block or Per Call Block applies" [emphasis added] except for calls made to designated emergency service numbers. In addition, the current Code inserted a new note to Clause 5.1.3 (previously 4.8) stating "Suppliers (including ISPs) must not take steps to override a Caller's Permanent Line Block without the Caller's consent".

22.   We understand that some carriers and ISPs contend that Section 5 (previously 4) does not apply in relation to telephone calls made to ISPs on the grounds that Section 7 (previously 6) of the Code negates the above obligations. However, Section 7 states:

"7.1.1 [previously 6.1] A Supplier may provide CLI to a Carriage Service Provider for the purposes of supporting the operation of a carriage service in accordance with the Act. [emphasis added]

7.1.2 [previously 6.2] Prior to agreeing to supply CLI to a Carriage Service Provider, a Supplier must be satisfied that CLI is to be used only for the purpose of supporting the operation of a carriage service."

23.   As can be seen above, the clauses deal with provision of CLI, not provision of a CND Service or any other type of CLI-based service. CLI is data that is generated by, and transmitted through, a telephone network during the carriage of a telephone call. Clearly the above clauses refer only to provision of CLI to carriage service providers who operate a telephone call carriage service because CLI, by its very nature, does not support the operation of any other type of carriage service. It is a telephone network signalling capacity. It is our understanding that the only carriage service providers who would be receiving CLI are those who hold a carrier licence and have a PSTN (Public Switched Telephone Network) interconnection agreement with one or more other licenced carriers (and very few ISPs who provide dial-up Internet access services also hold a carrier licence to enable them to provide telephone services, which are unrelated to dial-up Internet access services).

24.   The carriers are not providing CLI to ISPs in the circumstances that are the subject of this complaint. They are providing a CND Service, or other type of CLI-based service, to ISPs that includes blocked calling numbers only because the carriers have over-ridden blocking in direct contravention of Clause 5.1.3.

25.   We note that Comindico's letter in response to a complaint sent to them on 29 June 2003 states that "the Comindico network receives CLI...and, in turn, passes this CLI to the destination CSP, in this instance an Internet Service Provider". We believe such a practice would also be in breach of the CND Code and the Telecommunications Act 1997. However, whether or not Comindico is passing CLI to some ISPs, as stated earlier herein we have received information from several ISP staff that Comindico are providing a CND Service which includes blocked calling numbers to some (possibly all) resellers of Comindico's dial-in ports (a similar service to Telstra MegaPoP) and to Comindico's direct customers of same. An Internet web search has revealed that this situation has apparently existed since at least May 2002. For example, a message posted by the CEO of Legion Internet [5] to an ISP discussion list stated that "The CallerID data I get from Comindico _does not_ honour my silent line, ie I have a silent line and the number comes up in caller-id info with Comindico ports".

26.   Further, the attached copy of a Memorandum of Understanding for the Use of CND on the Comindico / Ozdial Networks clearly refers to CND information (not "CLI") being provided to ISPs. Nevertheless, it asks ISPs to "note Section 6 of the [CND] code which outlines your obligations in relation to use of CND". However as discussed above Section 6 (Section 7 of the 2003 Code) deals with provision and use of CLI. It does not deal with provision of a CND Service to ISPs, nor does it claim to authorise ISPs to collect or use blocked calling numbers.

27.   The fact that ISPs are carriage service providers under the Telecommunications Act 1997, for other reasons and purposes, is irrelevant to the issue of their receipt of CND type services or CLI information in any form. The Explanatory Statement to the CND Code makes clear that carriage service providers are not permitted to receive calling line identification information merely because they are carriage service providers. It states:

"Part 13 of the Act restricts the use and disclosure of information, including CLI, that carriers and carriage service providers obtain in the course of their business. The Code expands on those privacy protections, ensuring that CLI is only passed on to carriage service providers which need CLI information for the provision of carriage services."

and later therein:

"The Code also deals with the provision of CLI to carriage service providers. ... the Code sets out strict limits on the circumstances in which CLI may be provided to carriage service providers and how they may use it."

28.   ISPs do not need to receive calling line identification information in their capacity as a carriage service provider providing a dial-up Internet access service. The capacity in which the ISPs are receiving the CND Service is the same as any other organisational customer of CND Services. Moreover, in many instances the ISPs are not actually being provided with a CND Service - they do not receive the telephone call. The ISPs are being provided with blocked calling number information that has been extracted from CLI or a CND Service by another carriage service provider and subsequently disclosed to them by a means that does not involve telephone calls, nor the telephone network. This is clearly a breach of Clause 7.1.3 which states:

"7.1.3 Where a Supplier passes CLI information to an Organisational Customer, the Supplier must ensure it does not pass on its Customer's full CLI information, except where required by Clause 5.3 [emergency service calls] or as otherwise permitted."

29.   The Code makes additionally clear, in Clause 5.3.2, that blocking is required to operate on all calls other than those to emergency services, in that it specifically requires Suppliers to notify callers about non-operation of blocking only in relation to emergency services:

"5.3.2 Suppliers must take reasonable steps to ensure that Callers are made aware that the display or presentation of CLI will operate for all calls to Emergency Services Numbers by appropriate notices in formats accessible to all Callers, including in directories."

30.   The carriers are apparently also in breach of Clause 7.2.1 (previously 6.3) because they are using CLI they receive from other carriers for purposes not permitted by the CND Code. Clause 7.2.1 provides that, for example, an intermediary or terminating carrier which receives CLI from an originating carrier may use (not disclose) CLI only for the purposes of (a) fraud prevention; (b) billing; (c) call management; and (d) credit control. Notably Clause 7.2.1 does not permit the use of CLI for the purpose of extracting blocked calling numbers from CLI and disclosing same to other carriage service providers/ISPs. Clause 7.2.2 (previously 6.4) states that they are subject to the other sections of the Code for any use of CLI that is not specified in Clause 7.2.1 (previously 6.3), and Clause 5 (previously 4) states they "must ensure that a Permanent Line Block prevents CND for all calls". Clearly, over-riding line blocking and disclosing blocked calling numbers to ISPs is directly contrary to Section 5 (previously 4), and Section 7 (previously 6) does not authorise such use of CLI.

ISPs

31.   As discussed above, Section 7 (previously 6) of the Code does not authorise or permit the collection, use or disclosure of blocked calling number information by dial up ISPs, because it is only applicable to carriage service providers who are lawfully receiving CLI in the first place. The ISPs are not receiving CLI, some are receiving blocked calling number information via a CND Service and others are receiving information that has been collected from a CND Service by another entity and subsequently disclosed to them.

32.   In the highly unlikely event that there is any particular ISP who can justify a claim that calling number information is necessary for the provision of a dial up Internet access service, and who is receiving CLI as distinct from a CND or other CLI-based service, they will be in breach of the CND Code if they have not complied with Clause 7.2.3 which states:

"7.2.3 Carriage Service Providers receiving CLI must inform their Customers:
(a) that they are receiving the Customer's CLI regardless of whether the Customer has Blocked sending it; and
(b) any privacy implications for the Customer."

33.   With regard to receipt by ISPs of blocking calling number information via a CND or other CLI-based service, we allege that the ISP Respondents have been in breach of Section 4 of the CND Code dated 2001 which states:

"4.2 Subject to Clause 4.8 [emergency services], a Code Participant [a carrier, and a carriage service provider which includes an ISP] must ensure that its Callers have the option of blocking or enabling CND on a permanent basis and on a per call basis. Blocking of CND must be offered by Code Participants on an unconditional basis and must operate across all networks.

Per call blocking and enabling
4.3 Subject to Clause 4.8 [emergency services] in relation to per call blocking, a Code Participant [a carrier, and a carriage service provider which includes an ISP] must ensure that Callers using its Services are able to block or send CND in relation to a particular call by dialling the Blocking Code or the Display Code prior to dialling the called number."

34.   ISPs who have been receiving blocked calling number information have failed to ensure callers using their Internet access service are able to block CND. An ISP is capable of notifying their carrier supplier not to provide them with blocked calling number information and it is technologically easy for a carrier supplier not to provide same.

35.   We note that in the recently registered version of the Code (25 June 2003), in the equivalent of the above clauses (5.1.2 and 5.1.5 respectively), the term "Code Participant" has been changed to "Supplier" which is defined therein to mean "a Carrier or Carriage Service Provider". The definition does not make clear whether the term "Supplier" refers to a supplier of a carriage service or a supplier of a CND Service, or both. Nevertheless, Clause 5.1.3 states:

"5.1.3 Subject to Clause 5.3.1 [emergency services], Suppliers must ensure that a Permanent Line Block prevents CND for all calls made from the telecommunications service to which the Permanent Line Block or Per Call Block applies.
Note Suppliers (including ISPs) must not take steps to override a Caller's Permanent Line Block without the Caller's consent." [emphasis added]

36.   We allege that an ISP who is a subscriber to a CND Service that provides blocking calling number information, is a participant in steps taken to over-ride blocking, and is in breach of Clause 5.1.3.

Breach of the Telecommunications Act 1997

Carriers and telephone call carriage service providers

Breach of Section 276

37.   We allege that carriers and other carriage service providers who over-ride blocking (other than in relation to calls made to ACA designated emergency service numbers) are in breach of Section 276(1) of the Telecommunications Act 1997 ("the Act") which states:

"276 Primary disclosure/use offence-eligible persons
Current eligible persons
(1) An eligible person [includes a carrier, a carriage service provider and employees thereof] must not disclose or use any information or document that:
(a) relates to:
(i) the contents or substance of a communication that has been carried by a carrier or carriage service provider; or
(ii) the contents or substance of a communication that is being carried by a carrier or carriage service provider (including a communication that has been collected or received by such a carrier or provider for carriage by it but has not been delivered by it); or
(iii) carriage services supplied, or intended to be supplied, to another person by a carrier or carriage service provider; or
(iv) the affairs or personal particulars (including any unlisted telephone number or any address) of another person;"

38.   Calling number information carried with a telephone call is clearly information that is covered by (i) above and is also covered by (iii) - the calling number relates to a carriage service (telephone service) supplied by a carriage service provider. In addition, a silent/unlisted number is also clearly covered by (iv) above. Any calling number is also covered by (iv) above in that it is information that relates to the personal affairs of a person - it may be used to identify a telephone subscriber and it provides information about the geographic whereabouts of the caller such as whether they are calling from their usual location or somewhere else, e.g. a different suburb, interstate, etc.

39.   Section 276(1) prohibits disclosure of such information.

40.   We are, of course, aware that the Act contains a number of exemptions to the Section 276 prohibition on disclosure. However, as discussed below, none of the exemptions are applicable to the disclosure of blocked calling numbers to ISPs who provide dial-up Internet access services.

Section 289 Exemption

41.   In the case of telephone calls made without blocking implemented, the exception set out in Section 289 ('Knowledge or consent of person concerned') permits disclosure of calling numbers to a called party because it is reasonably likely that the calling party has been made aware (and telephone service providers are required to make them aware) that, unless their call is made with blocking implemented, their calling number will be disclosed to the called party (when the called party is subscribed to a CND, or other CLI-based, service).

42.   The Section 289 exemption is clearly irrelevant to the disclosure of blocked calling numbers.

Section 291 Exemption

43.   In the case of telephone calls made with blocking implemented, we are aware that some members of the telecommunications industry contend that Section 291(1) of the Act authorises carriers to disclose blocked calling numbers to ISPs and ISPs to receive same (regardless of the provisions of CND Code intended to restrict disclosure and use of calling number information to an even greater extent than the Act itself). We believe that such a contention is incorrect and arises from misunderstanding of, or misinterpretation of, Section 291.

44.   The Explanatory Memorandum to the Telecommunications Bill 1996 states in relation to Section 291 of the 1997 Act (which was Clause 276 of the Bill) that:

"Clause 276 - Business needs of other carriers or service providers

This clause exempts persons from the prohibition in clause 262 [s.276 of the current Act] where the disclosure or use is: made by or on behalf of a carrier or carriage service provider (paragraph (a)), for the purposes of facilitating another carrier or service provider (that is, a carriage service provider or content service provider) providing a service (paragraph (b)), to the person who is the subject of the information or document (paragraph (d)), and that person has been or is a customer of the disclosing carrier or carriage service provider or the other carrier or service provider (paragraph (c))." [emphasis added]

45.   A calling number, whether or not a silent or other blocked number, is information that identifies the telephone service subscriber. The telephone service subscriber is the subject of the information and the information relates to the telephone service subscriber.

46.   In the case of disclosure of a blocked calling number by a carrier to a dial up ISP, paragraph (c) of Section 291(1) could, perhaps, be seen to authorise disclosure when the subject person has been or is a customer of the disclosing telephone call carrier or of the ISP. However, a broad interpretation in that regard would be contrary to the privacy protection intent consistently stated by the Parliament since prior to 1990. For example, it could allow a carrier such as Telstra, which was once a monopoly, to disclose personal information (e.g. names and addresses) about individuals who have been a customer of Telstra in the past and have long ago cancelled their Telstra service account. We believe it has long been established that Section 291 does not permit such disclosure and that the exemption only applies when disclosure is necessary to enable a service to be provided to an individual who has requested same, that is, substantially similar to the following:

  • "to permit a carriage service intermediary to pass on the details of a customer to a network operator so as to permit connection. Disclosures would also be permitted where a customer changes his or her CSP." (ACA Telecommunications and Law Enforcement Manual [6])
  • to allow a "provider who has the customer's details to disclose the customer's information to another provider [e.g. a 190 calls provider] so that it can bill for the calls made" (TIO Position Statement, 2003 [7])

47.   However, whether or not Section 291 would authorise disclosure of blocked calling number information, without consent, when the subject person has been or is a customer of the carrier or the ISP, in many cases when a blocked calling number is disclosed to an ISP, the subject person is not a customer of either the disclosing carrier or the ISP (and may never have been). For example, Person A is a silent/unlisted number customer of Optus, i.e. their telephone service is provided by Optus. Person B is a dial-up customer of an ISP whose dial in lines are provided by Telstra. Person B dials into their ISP's Internet access service from Person A's telephone service. Telstra, who has received CLI from Optus including blocking instructions, discloses Person A's silent telephone number to Person B's ISP. The subject of the information being disclosed is Person A, who is not a customer of Telstra, nor are they a customer of the ISP. Moreover, when disclosing the silent number information to the ISP, Telstra cannot know who is using Person A's telephone service, nor does Telstra even know whether Person A is a customer of the ISP. Carriers disclosing and ISPs receiving blocked calling numbers will in many cases be invading the privacy of telephone service subscribers who are not the carrier's and not the ISP's customer.

48.   Paragraph (b) further restricts the circumstances in which disclosure is permitted, as stated in the Explanatory Memorandum, to "the purposes of facilitating another [carriage service provider] providing a service, to the person who is the subject of the information". As discussed above, the ISP is often not providing a service to the telephone service subscriber who is the subject of the information, they are often providing an Internet access service to someone else.

49.   Furthermore, the provision by telephone call carriers of blocked calling numbers to a dial-up ISP does not facilitate provision of an Internet access service by the ISP to the caller. The ISP has previously supplied an Internet access account to the caller and provided them with a username and password which is used to identify/authenticate the ISP's customer for the purpose of billing for Internet access. The ISP does not need to know the calling number in order to supply the Internet access service, nor to identify their customer, nor to bill their customer. Attachment 3 provides detailed information on the way in which dial up Internet access is provided and the means by which ISPs are receiving blocked calling number information.

50.   While the very small number of ISPs that are related entities of a telephone call carrier may bill Internet access charges on the same account as telephone calls, this is achieved by data matching the customer's Internet username with the customer's telephone service account. If such ISPs used the calling number to identify the customer for Internet access billing purposes, the customer would only be able to log in to the Internet access service from one telephone service, whereas many ISP customers dial in from a variety of locations, such as home, hotels, workplaces, relatives' and friends' homes and so on.

51.   In that regard, for example, although OptusNet claims on their web site that they collect blocked calling numbers for "billing purposes" the same page makes clear that the calling number is not needed for billing purposes - the page states that callers can dial in from "a telephone service that's not billed directly to [the Internet access customer], for example ... a hotel phone line". Similarly, although Telstra has claimed that calling number information is needed by ISPs for billing purposes, the Telstra Bigpond Member Agreement states that Telstra/Bigpond does not use calling number information to identify a customer for billing purposes (see Attachment 4 for further information).

52.   Furthermore, while some ISPs offer a value-added service that restricts Internet access to dial in calls made from customer specified numbers, that is easily done without disclosure of blocked calling numbers by carriers to ISPs. ISP customers who wish to receive such a service, and who have a permanent block on their line, can configure their computer/modem software to dial the blocking over-ride code before the ISP's number, thereby signifying informed consent to collection of the calling number by the ISP and enabling their calling number to be lawfully disclosed to the ISP under Section 289 of the Act as referred to earlier herein. A number of ISPs, including OptusNet, claim that blocked calling number information is needed by them for "fraud prevention" purposes. Scrutiny of such claims evidences that collecting blocked calling numbers cannot prevent fraudulent use of a dial-up Internet access account unless the particular customer has previously notified the ISP of the number/s they will be calling from. Hence, there is no need for ISPs to collect or use blocked calling numbers without the customer's consent. With regard to fraud prevention, ISPs are not special and are no different from, for example, banks who are not carriage service providers but who are the end recipient of telephone calls and who provide telephone banking services.

53.   Attachment 4 addresses, in detail, the claims of some carriers and ISPs regarding blocked calling number information allegedly being necessary for the purposes of fraud prevention, billing, call management and credit control.

54.   ISPs have long been efficiently managing their relationship with dial up Internet access account holders without knowing the telephone number from which a customer is dialing in. Such ISPs are to all intents and purposes no different from any other business with a telephone line, receiving calls from customers and providing them with a service - in this case Internet access via a connection between a telephone line and an Internet access system. The telephone line is used in the same way as a call to information services provided by other businesses whereby a customer dials a number and provides details such as a PIN number/password to identify/authenticate themselves in order to use the service.

55.   We submit that, if there is any doubt as to the meaning of Section 291, a construction that would promote the purpose or object underlying the Act must be preferred to a construction that would not promote same (Acts Interpretation Act s15AA).

56.   The stated objects of the Telecommunications Act 1997 are, inter alia, to provide a regulatory framework that promotes "the long-term interests of end-users of carriage services" (s3(1)(a)) and to "provide appropriate community safeguards in relation to telecommunications activities and to regulate adequately participants in sections of the Australian telecommunications industry" (s3(2)(h)).

57.   The object and purpose of Part 13 of the Act is specifically to "protect the confidentiality of communications" and "information that relates to the affairs or personal particulars" of persons, by prohibiting use and disclosure of protected information to limited, specifically authorised, purposes.

58.   As stated in the Explanatory Memorandum, Part 13 "re-enacts the substance of s.88" of the Telecommunications Act 1991 ("the 1991 Act") and, as well, the 1997 Act included a "significant policy change" in creating an offence for secondary use or disclosure of information (which would be applicable where a carrier discloses information about another carrier's customer to fourth party such as ISP).

59.   Section 88 of the 1991 Act contained amendments enacted in 1992 (Transport and Communications Legislation Amendment Bill (No. 3) 1992) for the specifically stated purpose of extending the limits on disclosure and use of calling line identification information, that then applied to carriers, to service providers as well because as stated in the Senate Second Reading speech [8]:

"service providers will have increasing access to calling line identification information for the purpose of billing their own customers" [emphasis added].

60.   As discussed in AUSTEL's 1992 Telecommunications Privacy Report [1], the need for the amendment had become evident during AUSTEL's inquiry in the context of Optus commencing to provide telephone services. It was recognised that telephone service providers would have access to calling line identification information because CLI is an automatic capacity of the telephone network signalling systems and, in a multiple service provider environment, enables telephone service providers to identify and therefore bill their own customers for the cost of telephone calls. Hence, the amendments were necessary to place limits on use and disclosure of calling number information by service providers who automatically receive CLI in the course of transmission of telephone calls across their network and need same to bill their own customers. ISPs, in providing a dial-up Internet access service, are not involved in transmission of calls and do not need, and do not even use, calling number information to identify and bill their own customers.

61.   The 1992 amendments comprised a number of additional sub-clauses and consequently a quite lengthy and repetitive section. Section 291 of the 1997 Act amalgamated the sub-clauses, apparently for the purpose of expressing the provisions in a clearer style. Where a later Act appears to have expressed the same idea in a different form of words for the purpose of using a clearer style; the ideas shall not be taken to be different merely because different forms of words were used (Acts Interpretation Act s15AC).

62.   We submit that if the ordinary meaning conveyed by the text of Section 291 can be perceived to permit disclosure of blocked calling number information in the circumstances discussed herein, that is a result that is, at least, unreasonable and may be considered manifestly absurd when taking into account its context in the Act and the purpose or object underlying the Act (Acts Interpretation Act s15AB). We submit therefore that if Section 291 is perceived to possibly permit the practices complained of, consideration must be given to other material capable of assisting in the ascertainment of the meaning of Section 291, such as the previous provisions that were re-enacted, explanatory memoranda, second reading speeches and other material as listed in s15AB of the Acts Interpretation Act.

63.   It should also be noted that apparently some carriers and/or ISPs contend the disclosure of blocked calling numbers by carriers to ISPs is permitted on the claimed grounds that it is for "a purpose of, or is connected with...the supply by" an ISP of an Internet access service (s291(1)(d)(i), regardless of the other provisions of Section 291 and that ISPs do not need such information. If Section 291 could be interpreted in such a manner, the same sub-section could equally easily be interpreted to permit a carrier or an ISP to disclose personal information (name, address, telephone number) about their customers, without their customers' consent, to for example a pay television provider "for a purpose of, or is connected with...the proposed supply by" a pay television service provider of "a content service" (s291(1)(d)(i), that is, for the purpose of facilitating the pay television service provider to telephone individuals and propose to supply them with a content service (i.e. unsolicited direct marketing).

64.   Such an interpretation is clearly contrary to the objective of Part 13 of the Act, and is unreasonable and manifestly absurd, as is an interpretation that would permit disclosure of blocked calling numbers, without the individual's consent, to an ISP who provides a dial-up Internet access service.

Breach of Section 302

65.   We also allege that a terminating carrier who discloses blocked calling number information to an ISP, that it has received from an originating or intermediary carrier for the purpose of carriage of a telephone call across its network as permitted by Section 291, is in breach of Section 302 of Division 4 ("Secondary disclosure/use offences") of Part 13, for the same reasons set out under Section 276 above.

ISPs

Breach of Section 276

66.   We allege that ISPs who use (or disclose) blocked calling number information are in breach of Section 276(1) of the Act.

67.   An ISP who claims they have not used (or disclosed) the information, clearly had no need to receive the information in the first place.

68.   The information relates to "the affairs or personal particulars (including any unlisted telephone number...) of another person" and is obtained by an ISP in the course of carrying on its business as a carriage service provider, as a result of another carriage service provider unlawfully using and disclosing the information. Receipt of such information by ISPs is not permitted or authorised by law and the information has been obtained contrary to the specific instructions of the caller and/or telephone service subscriber.

69.   To any extent that the exemptions to the Section 276 prohibition on use (and disclosure) may be found applicable to use and disclosure of information that was not lawfully obtained in the first place, these may at most be disclosure to a law enforcement agency authorised under Section 280 or 282 and Section 287 concerning threat to a person's life. These exemptions are not applicable to the overwhelming majority of blocked calling numbers being routinely collected by ISPs. We assert that any ISP who has used or disclosed blocked calling number information for any other purpose, without prior consent of the person to whom the information relates under Section 289, is in breach of Section 276(1).

Unfair Discrimination - CND Code

70.   In addition, some ISPs are apparently breaching Clause 5.8.1 (previously 4.20) of the CND Code which states:

"5.8.1 A Supplier must not unfairly discriminate between or offer different levels of service to Customers on the basis of whether those Customers choose CND or Blocking. (See note to Guideline 4 in Appendix A)."
and Guideline 4 states:
"Examples of unfair discrimination include:
- not servicing or providing a lesser service to Callers who choose not to display CND"

71.   For example, ISPs Cairns Network Services, Overflow Internet Service, Adam Internet and LiSP (and possibly others) require, as a condition of provision of their Internet access services, that persons with a silent or other blocked number dial the unblocking code, 1832. (See Attachment 2 for links to those ISPs' relevant web pages). Obviously this denies service to persons who do not wish to disclose their telephone number.

72.   Cairns Network Services, for example, admit they discriminate against against individuals who do not wish to disclose their calling number, as shown in the following message [9] posted to the Oz-ISP mailing list :

"From: "SysAdmin - Cairns Network Services" <admin@cairns.net.au>
Date: Sat, 11 May 2002 11:00:49 +1000

On Sat, 11 May 2002 09:04:48 +1000, David wrote:
>David,
>
>think again, YOU CAN NOT discriminate against customers who do not want to
>present CLID.
>
>Dave

Now the above is a complete load of crap depending how you look at it......

You can provide a service only if cid is present. but you can also choose not to.

For several years now we [Cairns Network Services] have insisted on caller-id being present on calls made to our dialup. If a user refuses without good reason (Like they cant due to a pabx, government department etc) they have to go elsewhere.

so we are not discriminating, the user has a fair and reasonable choice, present caller-id, or present a good enough reason not to present it or simply go elsewhere.

its the callers choice, just like its our choice to firstly want it." [9]

73.   In addition, we understand some ISPs who have recently started receiving/collecting blocked calling numbers, e.g. OptusNet, are informing customers who complain about unnecessary collection of their personal information, that if they do not wish to have their calling number collected, they can cancel their Internet access account.

74.   We believe refusal to provide a dial-up Internet access service to persons who attempt to block CND/deny permission to collect their blocked calling number is a breach of the non-discrimination provisions of the CND Code.

Customer Service Guarantee

75.   We assert that the non-operation of blocking is a breach of the Telecommunications (Customer Service Guarantee) Standard 2000 (No. 2). Calling number display blocking is a "specified service" as it is an "enhanced call handling feature". The blocking feature is not operative on calls to a range of numbers, and there is no technical reason, nor legislative basis, for it not to be operative. We consider that the fact that carriers have intentionally introduced this fault and service difficulty into their network should not enable them to thereby escape their obligations under the Customer Service Guarantee. Consumer Protection/Trade Practices

76.   We submit that, in addition to enforcement of privacy protection provisions of legislation and regulations, there is a commercial need for ACA intervention in telecommunications industry practices. In this regard:

  • Carriers sell silent/unlisted number services (and state that such services will have a default status of line blocking, unless specifically requested otherwise) without disclosing upfront that silent/unlisted numbers will be routinely disclosed to a range of called parties other than emergency services.

    For example, Telstra commenced over-riding blocking and changed its Standard Form of Agreement ("SFOA") without prior notice to its existing customers of that service (as referred to earlier herein). Further, although the current SFOA refers to the ineffectiveness of line blocking, the phrasing of same is at best misleading. Clause 4.16 states:
    "Line and per call blocking will not operate on calls to the designated emergency services number (currently 000). Line and call blocking will not operate on calls made as part of Telstra's service known as MegaPoP National Access where the B-party receives CLI presentation in conjunction with that service for the purposes of fraud prevention, billing, call management or credit control."

    The above incorrectly represents that line blocking is operative on all calls other than those made to emergency services and MegaPoP services. Telstra has not informed existing or potential customers that line blocking is also ineffective on calls made to other services, that are similar to MegaPoP and provided by other carriers such as Comindico and Optus. In addition, the vast majority of consumers would not have any idea what MegaPoP is and even if they do are unlikely to be aware of whether the B-party they are calling is a customer of MegaPoP or a similar service.

    The Optus Standard Form of Agreement [10] for local telephone call services via the Optus HFC network (dated 2002 as at July 2003) does not inform that blocking is ineffective on calls to any ISP-related services, and thereby incorrectly represents that line blocking is effective on such calls.

  • The overwhelming majority of ISPs, who are receiving blocked calling number information without consent, do not notify customers in their contracts that they collect and record same, nor that they are customers of MegaPoP or a similar service. Extensive searching (in May and June 2003) using the Google search engine reveals only two Australian ISPs who inform customers of their collection of blocked calling number information. (For further information, see attached copy of our letter to the Privacy Commissioner under the heading NPP 1.3 and 1.5.)

77.   We assert that the failure to notify consumers of the true situation regarding confidentiality of unlisted numbers and effectiveness of blocking could be considered a deceptive trade practice under the Trade Practices Act (C'th) and an unfair trading practice under the laws of some States/Territories.

Breaches of the Privacy Act 1988

78.   We also allege that carriers routinely disclosing, and ISPs routinely collecting, blocked calling number information from carriers, in circumstances where that information is not necessary for the provision of the telecommunications service provided by the ISP are in breach of the National Privacy Principles in the Privacy Act 1988. As mentioned earlier herein, the attached copy of our letter of complaint to the Federal Privacy Commissioner addresses breaches of the Privacy Act 1988 and we request that you take into account the matters detailed in that letter as if they were part of this complaint, to the extent that they are relevant to this complaint.

Breach of Confidence and Breach of Common Law Right of Privacy

79.   The carrier Respondents held silent number, line blocked and call blocked telephone number information concerning complainants which was information capable of being the subject of a breach of confidence and was held under circumstances of confidence. We claim that the carriers' disclosure of this information was unlawful in that it was a breach of confidence. It was also unlawful in that it was a breach of complainants' common law right of privacy. Similarly, we claim the ISP Respondents' collection of this information is a breach of complainants' common law right of privacy and, if disclosed by an ISP, would also be a breach of confidence.

Related Matters

80.   We maintain that it is not practicable, and in many cases not even possible, for individuals whose privacy is being invaded to complain to the relevant organisations, or to the Telecommunications Industry Ombudsman, because:

  • many callers from silent and other blocked calling numbers are unlikely to be aware that their privacy is being invaded because their telephone service provider's notices about CND incorrectly state that blocking is effective for all calls except those made to emergency service numbers;
  • members of the public have no reason to even suspect their privacy is being invaded given the ACA's Calling Number Display Consumer Fact Sheet [11] informs the public that:
    "If you have an unlisted number, it will automatically be blocked (and not show up on CND), unless you request otherwise. ... Please note that calls made to emergency call service numbers will always display the caller's number, regardless of whether it has been blocked or not."
  • in many cases the individual is not a customer of the disclosing carrier, for example, to the best of our knowledge Comindico does not provide originating call services to residential customers, although it does disclose, to ISPs, blocked calling numbers that it receives from an originating and/or intermediary carrier;
  • an originating carrier may not know that its customers' blocked calling numbers are being disclosed by a terminating carrier, nor have a means of finding out whether a particular complainant's number has been disclosed by another carrier;
  • callers and telephone subscribers have no adequate means of knowing which carriers are involved in the transmission of their calls and hence may be disclosing blocked calling numbers;
  • many dial-up Internet users, current and future, are unlikely to know how to find out whether or not their ISP is a customer of one of the MegaPoP type services and therefore receiving blocked calling number information;
  • many ISPs who receive calling numbers cannot know whether a customer's complaint, that the ISP has collected, or is collecting, their silent or other blocked calling number, is factual. This is because the manner in which the carriers disclose the numbers to ISPs does not include blocking status information. (This has been confirmed to us by various ISP personnel who have checked the situation by dialling in themselves with a line block in place).

81.   In addition, we believe some carriers may be disclosing blocked calling numbers to end-recipients of calls other than ISPs. In this regard, on 19 July 2003 we received information alleging that some 40 businesses in a particular building in Perth see blocking calling number information (if they have screens that display CND received with incoming calls). Reportedly, such screens display blocked and silent numbers in the format "Private - (xx) xxxx xxxx" and "Unlisted - (xx) xxxx xxxx". We have not yet attempted to verify this information, but can provide details as to the particular building etc on request.

82.   Given the above circumstances and that our complaint concerns industry-wide practices, we consider the matter cannot be resolved by individual customer complaints to their telecommunications service provider, nor to the TIO, and therefore warrants investigation by the ACA.

Form of Relief Sought

83.   We request the ACA to investigate this matter, to arrange for the prosecution of the corporations found to have breached the law, and to exercise the following of its powers under the Telecommunications Act 1997 to:

  1. issue an s121 direction to comply with the CND Code to carriers and carriage service providers (includes ISPs) found to be contravening same; and
  2. issue a warning to all carriers and carriage service providers (includes ISPs) concerning compliance with the CND Code and the Telecommunications Act 1997 in relation to the prohibitions on disclosure and use of silent and other blocked calling number information and the non-discrimination provisions of the CND Code; and
  3. if the existing CND Code or Act is found not to contain sufficient provisions to protect silent and blocked calling numbers from disclosure and use without prior consent, require the development and registration of an industry code that does so, or develop an industry standard.

We will be pleased to provide any further information that may assist in investigation of this matter.

We advise that, for ease of communication, we nominate Ms Irene Graham as the primary point of liaison between ourselves and your office. Ms Graham can be contacted during business hours at Tel: 07 3424 0201, Fax: 07 3424 0241 or Email: [...].

We look forward to your response.

Yours sincerely


Irene Graham     Roger Clarke     David Fitch

Attachments:

  1. Privacy risks of supply of blocked calling numbers to ISPs
  2. List of ISPs receiving blocked calling number information
  3. How CLI and CND services work: detailed information about the CND Service provided by carriers to ISPs
  4. The claimed needs of dial-up ISPs: fraud prevention, billing, call management or credit control
  5. Copy of letter of complaint to Federal Privacy Commissioner
  6. Copies of letters of complaints sent to Respondents and responses received
  7. Copy of Memorandum of Understanding for the Use of CND on the Comindico / Ozdial Networks

References:

  1. AUSTEL Privacy Report 1992
    http://www.privacy.org/pi/countries/australia/austel_1992_privacy_report.txt
  2. Telstra Detrimental Effect Advertisements (469 Kb)
    http://www.telstra.com.au/sfoa/docs/detr-ads.doc
  3. OptusNet 0198 331 111 Frequently Asked Questions
    http://www1.optusnet.com.au/helpdesk/0198faqs.html#cli
  4. Internet Industry Association media release, 21 July 2003
    http://www.iia.net.au/news/070301.html
  5. Message posted to ISP-Australia mailing list by CEO of Legion Internet
    http://isp-lists.isp-planet.com/isp-australia/0205/msg00280.html
  6. ACA Telecommunications and Law Enforcement Manual (875 Kb)
    http://www.aca.gov.au/aca_home/licensing/radcomm/about_radcomms_licensing/leac.pdf
  7. TIO Position Statement, 2003
    http://www.tio.com.au/POLICIES/Privacy/
    Customer's%20personal%20information%20passed%20to%20
    another%20provider.htm
  8. Transport and Communications Legislation Amendment Bill (No. 3) 1992: Second Reading, 12 November 1992
    http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?id=221650&table=HANSARDS
  9. Message posted to Oz-ISP mailing list by Cairns Network Services
    http://archive.humbug.org.au/aussie-isp/2002-05/msg00178.html
  10. Optus Standard Form of Agreement
    http://www3.optus.com.au/standard_agreements/list/1,1548,133,00.html
  11. ACA Calling Number Display Consumer Fact Sheet
    http://www.aca.gov.au/consumer_info/fact_sheets/
    consumer_fact_sheets/fsc39.htm