Submission

2 November 2002

Calling Number Display Industry Code

This is a response to ACIF re the Draft C522 Calling Number Display Industry Code.

Contents:

Executive Summary

  • The Code does not provide adequate community safeguards.
  • The Code must be amended to become consistent with the National Privacy Principles (NPPs) and also to ensure that all carriers, carriage service providers and recipients of CND information are, in fact, required to comply with the NPPs and that the Code informs them accordingly.
  • It may be necessary to re-insert enforcement mechanisms into the Code as some carriers, carriage service providers and recipients may not be required by law to comply with the NPPs.
  • The Code must be amended to ensure that the privacy choices of Internet users (and other telephone users) who have unlisted/silent telephone numbers or choose to block provision of CND information are not permitted to be over-ridden except when such information is essential for the supply of the telecommunications service being provided to the caller (i.e. that it is technically impossible to provide the service without over-riding a customer-choice CND block) and that such CND information is not permitted to be collected, disclosed or used for other purposes except in particular instances pertaining to specified customers when required by law.
  • The Code must be amended to clarify the circumstances, if any, in which Carriers and Carriage Service Providers (CSPs), including Internet Service Providers (ISPs), are authorised to receive and collect CND information from telephone calls made to them by customers who have or use an unlisted (i.e. silent) number and those who choose to block CND on a permanent or per call basis.
  • If the information contained in recent newspaper reports is correct, then:
    • apparently Telstra is currently disclosing CND information to ISPs in circumstances that are not in compliance with Clause 5.2.2 of the Code and, in EFA's analysis, quite probably breach the provisions of the Telecommunications Act 1997 and the Privacy Act 1988.
    • apparently some ISPs are currently collecting, from Telstra (and possibly from other CND suppliers), CND information in circumstances that, in EFA's analysis, breaches the NPPs, is not required by the Telecommunications Act 1997, and quite probably is not even authorised by the Telecommunications Act.
  • If ACIF believes any CND Supplier is legally allowed to breach Clause 5.2.2 in the manner recently reported in newspapers (and discussed in detail later herein), then Clause 5.2.2 and other relevant parts of the ACIF Code need to be amended so as not to misrepresent to members of the public the extent to which they can rely on the telecommunications industry to self-regulate to protect the privacy of telecommunications users in relation to collection, use and disclosure of CND information.
  • Guideline 4 should be amended to make clear the circumstances, if any, in which ISPs are allowed to discriminate against customers who choose to block provision of CND information to ISPs.


Introduction

EFA submits that the Code does not provide adequate community safeguards and must be amended to become consistent with the National Privacy Principles (NPPs). The Code should also be amended to ensure that all carriers, carriage service providers and recipients of CND information are required to comply with the NPPs and that the Code informs them accordingly.

We understand the purpose of the Code is to complement and extend the privacy protections set out in the Privacy Act 1988 (C'th) and Part 13 of the Telecommunications Act 1997 (C'th). In this regard, we note the Code states:

"The way in which suppliers have to handle personal information associated with CND is already regulated by the Privacy Act and Part 13 of the Telecommunications Act 1997 (the Act). The ACIF C523:2001 Protection of Personal Information of Customers of Telecommunications Providers Industry Code (CPI) developed by ACIF complements and extends these protections.
This Code deals specifically with CND and CLI and refines the more general privacy protection rules set out in the Privacy Act and the [Telecommunications] Act."

We also note the apparent intention of the Commonwealth Parliament that industry codes would be consistent with the National Privacy Principles (NPPs). Section 118 of the Telecommunications Act states:

"The [Australian Communications Authority (ACA)] may request the body or association to develop the industry code to replace an earlier industry code that the Privacy Commissioner (exercising functions under the Privacy Act 1988) has advised the ACA is inconsistent with the National Privacy Principles or a relevant approved privacy code (as defined in that Act)."

Although the draft Code contains indications that ACIF's intent is that the Code be consistent with the NPPs and that all carriers and carriage service providers be required to comply with the NPPs, the draft Code fails to achieve such an objective.

As drafted, the Code not only appears to permit and/or condone breaches of the Privacy Act, but also states the Privacy Act is being breached by carriers and carriage service providers in circumstances when collection and/or disclosure of CND information is not necessary for the operation of a telecommunications service and is not required or authorised by law, and the relevant individual has explicitly denied consent to disclosure of their personal information (by blocking CND).

This situation appears to result from the following:

  • a possibly mistaken belief that amendments to the Privacy Act relative to the private sector require all organisations receiving CND information to comply with the NPPs,
  • a mistaken belief that collection and use of CND information is necessary to provide the telecommunications services provided by all Carriers/Carriage Service Providers (and including Internet Service Providers who provide Internet access services).

Further information concerning the above is provided later herein.

EFA considers the draft Code provides insufficient privacy protection for, at the least, the following members of the public:

  • telephone service subscribers who have an unlisted (silent) telephone number and those who have chosen to have a permanent CND block implemented
  • callers who choose to block provision of CND information on a per call basis
  • callers who choose to send CND information with their telephone calls to organisations that receive CND information that may be, or may consider themselves to be, exempt from compliance with the Privacy Act.


Definitions

In this submission, the term "CND information" refers to the telephone number and/or caller/subscriber's name and/or any other personal information sent with a call whether as CLI data or ANI data or any other type of data, and whether or not the end recipient of the call has telephone answering equipment that actually displays such information.

EFA considers the Code should be amended in a manner that ensures suppliers and recipients of "CND information" cannot potentially escape their obligations to comply with the Code by claiming, for example, they have disclosed or used "ANI data", not "CND" or "CLI" information.

We observe that the term "Internet Service Provider" used in the Code is not defined and recommend the following definition be inserted in Section 4: "Internet Service Provider means a person or entity that supplies a listed carriage service that enables end-users to access the Internet".


Organisations exempt from Privacy Act (C'th)

We note the remark in the "Background" section of the Code which states:

"[Following amendments to the Privacy Act 1988] organisations receiving CND information are now required to comply with the NPPs when handling CND information."

EFA considers it doubtful that all businesses that do, or may in the future, receive and collect CND information are required to comply with the NPPs contained in the Privacy Act. Some, perhaps many, small businesses qualify for the small business operator exemption in the Privacy Act (Section 6D) because they:

  1. have an annual turnover of $3 million or less, and
  2. are not related to a business with an annual turnover of greater than $3 million, and
  3. do not provide a health service or hold health records, and
  4. do not disclose personal information about an individual to anyone else for a benefit, service or advantage (except with the individual's consent or when required or authorised to do so under legislation) and
  5. do not provide a benefit, service or advantage to collect personal information about another individual from anyone else (except with the individual's consent or when required or authorised to do so under legislation).

EFA considers the wording of (e) above in the Privacy Act, combined with a lack of publicly available information regarding whether all recipients of CND information "provide a benefit, service or advantage" to collect same, makes it difficult to determine whether all small businesses who would otherwise qualify for exemption, would cease to do so when they receive CND information.

It would appear that if a small business pays a CND supplier to receive CND information then the small business is probably considered to be providing a benefit to collect the information.

We consider it of serious concern however that it is likely that many recipients of CND information would not be aware that they may cease to qualify for the small business exemption merely because they pay for CND information.

Moreover, EFA believes that some businesses (including some Internet Service Providers) currently receive CND information, and others may in the future, without specifically paying for the CND service.

We also note the statement in the draft Code that:

"The way in which suppliers have to handle personal information associated with CND is already regulated by the Privacy Act..."

The definition of "suppliers" in the draft Code includes both carriers and carriage service providers. We question whether some small business carriers and carriage service providers, including some Internet Service Providers, may qualify for the small business operator exemption in the Privacy Act. EFA understands that some small business "suppliers" receive CND information in a manner that indicates they are not providing a "benefit, service or advantage" to collect same. For example, we understand that the incoming telephone line/call service provided by some telephone companies to some ISPs sends CND information in such a way that the ISP can use telephone call answering equipment that can be set by the ISP to ignore a flag, sent with the call by the telephone company, that says in effect "do not display CND information to the end-recipient of this call (i.e. to the ISP)". This indicates that such ISPs can receive CND information without paying to receive same (and even if they pay for same, can receive CND information with calls made from silent numbers and any others made with a CND block in place).

Enforcement Mechanisms

We note that ACIF proposes to remove pre-existing enforcement mechanisms from the Code, on the basis of its belief that all "organisations receiving CND information are now required to comply with the NPPs when handling CND information".

We submit that, if all small businesses who would otherwise be exempt from compliance with the NPPs, do unquestionably become required by law to comply with the NPPs as a result of receiving CND information, then the ACIF Code should clearly state that and also require providers who supply CND services to small business organisations to inform such recipients of CND information of their obligation to henceforth comply with the NPPs.

We also submit that if there are, or potentially are, any circumstances in which a small business organisation (including a carrier/carriage service provider/ISP) may receive CND information without this resulting in such a business ceasing to qualify for the small business operator exemption, then the previous enforcement mechanisms should be re-inserted in the Code in a manner that ensures such recipients are required to comply with the NPPs and that service providers who supply CND services are required to take action if they believe an organisation has contravened the NPPs.


Over-riding of Caller CND Blocking

EFA submits that the ACIF Code must be amended to clarify the circumstances, if any, in which Carriers and Carriage Service Providers (CSPs), including Internet Service Providers (ISPs), are authorised to receive and collect CND information from telephone calls made to them by customers who have or use an unlisted (i.e. silent) number and those who choose to block CND on a permanent or per call basis.

We consider that end-recipients of telephone calls should not be permitted to collect CND information in contravention of the NPPs unless they are an Emergency Service. Evidently, however, caller choice to block CND is currently being over-ridden when calls are made to some providers of telecommunications services merely because it is convenient or useful, but not necessary, for the end-recipient of the call to receive this personal information without their customer's consent or even knowledge.

In this regard, we observe with concern that a new note has been added to Clause 2.1.1 of the Code which states:

"Note: Carriage Service Providers include Internet Service Providers."
and the Code states:
"CLI is provided to carriage service providers regardless of whether customers have opted for blocking to CND Services."
(Explanatory Statement, page 7)

While it is a fact that Internet Service Providers (ISPs) are Carriage Service Providers (CSPs), the above makes clear that the Code does not strike an appropriate balance between the rights of Internet users/ISP customers, who have opted to block CND in order to protect their privacy, and the 'needs' of ISPs.

This situation appears to result from a mistaken impression that CLI is integral to the operation of all telecommunications networks/services, including Internet access services provided by ISPs. In this regard, we note the Code states:

"CLI is integral to the operation of telecommunications networks, facilitating efficient call management, route selection and billing." (Explanatory Statement, page 5)

We wish to draw to ACIF's attention that CLI is not integral to the operation of telecommunications networks/services provided by ISPs, i.e. it is not necessary for an ISP to know the telephone number their customer is calling from in order to provide Internet access services. CLI data is not necessary to enable ISPs to bill their customers and few, if any, of approx. 650 ISPs operating in Australia use CLI data to determine which customer to bill, nor is it necessary for call management or route selection.

If CLI was integral to the operation of telecommunications networks/services provided by ISPs, all ISPs would already be receiving CLI. However, not all ISPs do. As reported in the media recently:

"Telstra spokesman John Court said [Telstra] activated caller line identification on its MegaPOP network in March - meaning Telstra Wholesale, Telstra Retail and Telstra resellers had access to the service but the rest of the ISP world did not."
   (ISPs want caller ID, by Caitlin Fitzsimmons, Australian IT, 25 June 2002)
and
" 'CND (Calling Number Display) could be turned on by Telstra for all calls to Internet points of presence. We want it turned on,' Milne [CEO of OzEmail and head of the Internet Industry Association] says."
   (Big Brother is looking to read your e-mail, by Nicole Manktelow, Sydney Morning Herald, 7 May 2002)

It is also relevant to note that commercial ISPs have been providing Internet access services in Australia, in the same way they do now, since at least 1994, three years prior to the introduction of CLI/CND services in Australia.

EFA submits that the privacy choices of Internet users (and other telephone users) who have silent telephone numbers or choose to block provision of CND information should not be permitted to be over-ridden except when CLI is integral to the operation of the telecommunications network/s being used to provide the telecommunications service.

Evidently, customer choice to block CND is already being over-ridden on telephone calls to some ISPs, without the customer's consent or even knowledge, on the ground that ISPs are Carriage Service Providers, although it is not necessary for ISPs to receive CLI data in order to provide Internet access services. It is evident that customer choice is already being over-ridden from the following:

  • The Code states "CLI is provided to carriage service providers [which includes ISPs] regardless of whether customers have opted for blocking to CND Services".
  • The Australian IT reported on 25 June 2002:
    "[Telstra spokesman John Court] said Telstra had ensured all its [ISP] resellers were carriage service providers and if it rolled out a caller line identification product, it would need to ensure all its potential customers were as well."
    (ISPs want caller ID, by Caitlin Fitzsimmons, Australian IT, 25 June 2002)

    Given Telstra is legally allowed to provide CND information with any call that does not have a CND block in place, to any organisation that wishes to received CND information, the question arises as to why Telstra would need to ensure that all its ISP customers/resellers are CSPs. There appears to be no reason for Telstra to do so unless Telstra considers it is permitted to over-ride customer choice to block CND and disclose blocked CND information to ISPs merely because they are CSPs and claim to have a 'business need' to receive same.

  • The Australian IT reported on 30 October 2002:
    "THE Federal Privacy Commissioner has hit out at the use of compulsory caller line identification (CLI) on all phone calls to internet services providers, although Telstra has already deployed the technology.
    IIA chairman [sic] Peter Coroneos confirmed that Telstra, an IIA member, had begun to prevent CLI-blocking on all calls terminating at customers of its wholesale ISP service, MegaPop." [emphasis added]
    (Privacy battle over CLI, by Kate Mackenzie, The Australian IT, 30 October 2002)

Although some ISPs claim that CLI is "necessary", EFA does not consider the definition of "necessary" being used provides sufficient justification for over-riding customer choice to block CND. Examples of these "necessity" claims are provided below.

Law Enforcement

EFA believes claims that ISPs "need" to routinely collect CND information from every Internet user for law enforcement purposes are not factual and that such routine collection breaches the NPPs and is not required or even authorised by the Telecommunications Act. It should be noted that ISPs are authorised and may be required by the request of a law enforcement agency to collect CND information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity.

This matter is discussed in detail later herein.

Billing

Given telephone companies bill the cost of a call to the owner of the calling telephone number, it is clear they need to know what number a call is made from in order to bill the call to their customer. This is not, however, how ISPs bill their customers.

ISPs bill the owner of an Internet access account using the login name and password sent by the user when logging in. For example, in the case of a dial up user, after the telephone call is answered by the ISP's login system, the user's computer sends the user's login name and password to the ISP's login system. Depending on the user's computer software setup, a login name and password may be stored on the user's computer and automatically sent to the ISP's login system, or the computer software may prompt a user to type in their login name and password.

The user's login name and password has nothing to do with the telephone service/number the user is using to dial in. The customer could be dialling in from a hotel room or a friend's home, etc - the ISP does not need to know that to bill their customer's account. Several customers who share a house or flat can have separate accounts with the same ISP and dial in from the same phone number using their own login ID and password. The ISP does not need to know the telephone number called from in order to bill the correct customer's account because this is identifiable by login ID and password.

A claim that CND information is necessary for "billing" is often actually a claim that the information is needed for the purposes of fraud prevention and/or credit control, as discussed later herein.

Call Management and Route Selection

CLI data is not used for route selection or routing traffic around the Internet. The telecommunications network providers across whose networks Internet traffic flows have no need to know Internet users' telephone numbers.

Some ISPs say they "need" CND information for "call management". What this means is they "need" it because it's useful to them for the purpose of offering value added services to their customers.

For example, CND enables ISPs to implement automated checks on whether their customer is dialling into the wrong POP (ISP point of presence). If they are they could be charged STD call rates by their telephone service supplier, not by their ISP. EFA recognises this is a useful service for customers who want to avoid accidentally dialling a non local number to log in and who are willing to provide CND information to their ISP in order to use the check service. It is not a legitimate ground for over-riding a customer's choice to block CND information, nor for requiring all ISP customers to provide CND information to ISPs.

Fundamentally this is no different from any company asking/requiring callers to send CND so, for example, the recipient of the call can route calls from preferred/unpreferred customers to other numbers or particular extensions.

No doubt ISPs receive complaints from customers who have dialled the wrong POP and later received an unexpectedly high telephone bill from their telephone service supplier, not the ISP. However, ISPs should be capable of explaining to customers the importance of using the correct POP and, if possible, offering an opt-in automated check service for customers willing to provide CND. That some ISPs may not bother to explain this, and/or some customers may not take sufficient notice of information provided, is not a valid justification for ISP customers to have no choice regarding disclosure of their CND information. It is important to remember that it is not necessary for ISPs to know the telephone number of their customer in order to provide Internet access services, and, if a customer disputes call costs on their telephone service bill, such a bill is received from their telephone service provider, not from their ISP.

Fraud Prevention

Some ISPs claim CND information is necessary for fraud prevention purposes. However, the extent to which ISPs can use CND information to prevent fraud does not provide adequate justification for over-riding an ISP customer's choice not to provide CND information to an ISP.

Fraud that can be prevented by ISPs who receive CND information is fraudulent use of a customer's ISP account login ID and password, i.e. use of a customer's Internet access account by a person who is not authorised to use the account. This can occur when an unauthorised person has obtained (by stealing or guesswork) and used another person's account login ID and password. If an ISP knows the telephone number/s used by the authorised user/s of an account to dial in from, the ISP can configure its login facilities to prevent that account's login ID and password from being used by persons using any other telephone number/s to dial into the ISP's login system. EFA considers this type of value-added service does not justify over-riding customer choice to block CND. Moreover, many Internet users dial in from different numbers at different times (e.g. those who travel) and do not know the number in advance, and in any case, do not wish to disclose CND information which can enable data matching and identification/tracking of a customer's physical whereabouts from time to time.

It should also be noted that there are a number of non-privacy intrusive means of significantly minimising the potential for unauthorised use of login IDs and passwords, such as requiring customers to use passwords that are not easily guessed (and technically preventing use of passwords that consist of ordinary words, etc.) and educating customers about the need to keep passwords secret. It is notable that banks that provide telephone banking services do not (and most probably are not legally permitted to) make it a condition of use that their customers present CND information in addition to an account ID and password. There are also less privacy invasive reactions to an instance of use of a stolen password, such as simply changing the password, and also the login ID if considered necessary.

Except in very limited circumstances like the above, provision of CND information to ISPs cannot prevent fraud. At best, CND can be used to investigate a specific instance of fraud after the event, but is unlikely to provide conclusive proof as to who was using a telephone number to login in to an ISP's system.

This type of "need" for CND information is no different from any other organisation claiming they "need" CND information from everyone who uses their services in case someone uses a stolen account ID and password to access services provided by telephone, or uses a stolen credit card when paying for goods or services by telephone. When ISPs receive CND information with an incoming call they are the end-recipient of a call just like any other organisation that receives CND information.

It should also be noted that provision of CND information to ISPs cannot prevent fraudulent use of the telephone service to which the CND information relates, nor prevent the fraudulent use of telephone service networks in general.

Credit Control

Some ISPs claim CND information is necessary for credit control. This usually relates to the circumstances outlined under 'fraud prevention' above. If a customer disputes a bill from their ISP, on the ground that they were not logged in to the ISP system at a particular time, an ISP can use CND information received at the time of the disputed login to see if the incoming call was from the telephone number normally used by the customer.

However as CND information does not identify the individual who made the call, only the telephone number/service used to make the call, it cannot be used to conclusively prove whether or not the customer was using that telephone service to log in. The customer could have been using someone else's telephone service, or someone else could have been using the customer's telephone service. Some ISP's may be willing to make assumptions in this regard and withdraw a charge for a particular login, and some customers of such ISPs are likely to be happy to provide CND information in case it may turn out to be useful in a future dispute concerning a charge by the ISP. It is not a legitimate ground for over-riding a customer's choice to block CND information, nor for requiring all ISP customers to provide CND information to ISPs.

Spam Prevention

Some ISPs have called for mandatory provision of CND information to ISPs on the claimed ground that this would reduce spam (unsolicited bulk email).

However, mandatory provision of CND Information to ISPs, or anyone else, will not reduce spam and is an extraordinarily privacy invasive idea for dealing with the spam problem - a problem that could be significantly reduced by far more effective, non privacy invasive, means. For detailed information, please refer to EFA's submission to the National Office for the Information Economy (NOIE) which is available online at the below URL.

EFA Submission to NOIE re NOIE Spam Review Report, 16 Sept 2002
   http://www.efa.org.au/Publish/efasubm_noiespam.html

It should also be noted that some ISPs obtain disclosure of CND information covertly for one of more of the above purposes. For example, they provide set up disks to customers that automatically configure software on the customer's computer to dial into the ISP's system. The automatic configuration process inserts the unblocking code (1832) before the dial-in number. Unless the customer is technically literate they would not know where to look on their computer to see if their modem was dialling 1832 without their knowledge, even if the possibility occurred to them that their computer software had been configured to do so. Some ISPs do not even tell their customers that a permanent CND block on the customer's phone number will be switched off in this manner when they dial in to the ISP's log in system.


Applicability of the Telecommunications Act

EFA recognises that the Telecommunications Act 1997 lists a number of circumstances in which carriers and carriage service providers (including ISPs) are authorised by law to use or disclose personal information. We understand however that the telecommunications industry was required to develop a code providing a higher level of privacy protection in relation to CND information than is otherwise provided by the Telecommunications Act.

Whether or not the ACIF Code is intended, or required, to limit the use and/or disclosure of CND information to a greater extent than the Telecommunications Act otherwise would, we note that the Telecommunications Act does not appear to authorise, or require, collection of personal information (by CSPs or anyone else) in a manner that breaches the Privacy Act.

We outline below some matters we consider relevant to determining whether or not the Telecommunications Act requires, or even authorises, telephone companies etc. to disclose to ISPs silent telephone numbers and any other telephone numbers that have a customer choice CND block in place, and whether that Act requires, or even authorises, ISPs to collect such information in a manner that breaches the Privacy Act.

Disclosure

In this section, we use the example of Telstra disclosing CND information to ISPs, with calls made from silent telephone numbers and other numbers with a CND block in place. (Note: We are under the impression that Telstra is currently over-riding call blocking choices by callers who have an outgoing telephone call service provided by Telstra, Optus and any other telephone company, when a caller dials some ISPs whose incoming dial-in telephone service is provided by Telstra.)

Part 13 of the Telecommunications Act (TA) prohibits Telstra from disclosing personal information unless the circumstances of disclosure fall within the exemptions listed in the Act. It appears the only exemptions that might permit Telstra to routinely disclose to ISPs CND information pertaining to calls made from a silent number or with a caller choice CND block in place are as follows:


  • s291 "Business needs of other carriers or service providers"

    S291 (1) provides an exemption from the prohibition on disclosure of information when:
    "(b) the disclosure or use is made for a purpose of, or is connected with, any other carrier or service provider carrying on its business as such a carrier or provider, and
    (c) the information or document relates to a person (the third person) who is a customer or former customer of:
      (i) the first carrier or the first provider; or
      (ii) the other carrier or the other provider; and
    (d) the disclosure or use is made for a purpose of, or is connected with:
      (i) the supply, or proposed supply, by the other carrier or other provider to the third person of a carriage service or a content service; or..."

    As discussed earlier herein, EFA does not consider ISPs can demonstrate that CND information is necessary for the provision of Internet access services.

    However, irrespective of whether CND information is necessary, we question how Telstra could rely on s291 to avoid breaching the Telecommunications Act. It seems clear s291 only permits disclosure of information about a person who has been or is a customer of both the disclosing carrier or service provider and the receiving carrier or service provider.

    When Telstra provides the telephone number of one of Telstra's telephone service customers to ISPs by sending them CND information, how can Telstra know whether their customer is also a customer of the ISP? EFA considers that quite often Telstra would be disclosing personal information about a person who is not a customer of the ISP, and quite possibly not even a customer of Telstra. For example, John and Jane live in the same house. John has a telephone service provided by Telstra with an unlisted telephone number. John does not have an account with an ISP and he does not use the Internet. Jane has an account with an ISP and when she uses John's telephone service to dial into her ISP, Telstra discloses John's silent phone number to Jane's ISP. Furthermore, if John's telephone service is provided by say Optus, and Telstra discloses John's silent telephone number to an ISP in CND information, then Telstra would be disclosing information about a person who is not even a Telstra customer.

    We note that the Telecommunications and Law Enforcement Manual (PDF 875 Kb) issued by the Australian Communications Authority provides examples of the interpretation of S291 "business needs". It states in Section 5.9 that:

    "Section 291 Business needs of other carriers or service providers.
    An example of the kind of disclosure allowed would be to permit a carriage service intermediary to pass on the details of a customer to a network operator so as to permit connection. Disclosures would also be permitted where a customer changes his or her CSP."

    EFA considers that if Telstra, or any other CND supplier, claims it is permitted to routinely disclose CND information pertaining to silent numbers and other CND blocked numbers to ISPs due to s291 (and does so), it very likely breaches the Telecommunications Act unless the reason for the disclosure is substantially similar to the examples in S5.9 of the ACA Manual referred to above. EFA doubts that any ISP has or can even demonstrate a 'need' that is substantially, or even remotely, similar to those examples.

  • s282 "Law enforcement and protection of public revenue"

    Section 282 states:
    "(1) Division 2 [of Part 13 - Primary disclosure/use offences] does not prohibit a disclosure or use by a person of information or a document if the disclosure or use is reasonably necessary for the enforcement of the criminal law...[and civil penalty laws, and so on]"

    EFA submits that it is not "reasonably necessary" for the enforcement of the law for Telstra or any CND supplier to routinely disclose to ISPs the telephone numbers used by Internet users.

    We consider the exemptions from disclosure for law enforcement purposes would apply to CND information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity. They do not appear to permit routinely over-riding the privacy choices of every individual who chooses to block CND on the off-chance that the information might be useful sometime in the future. Furthermore, it appears that generally speaking disclosure for law enforcement purposes is intended to apply to disclosure by CSPs to law enforcement agencies, rather than routinely to other CSPs.

Collection

Whether or not it is legal, insofar as the provisions of the Telecommunications Act are concerned, for a CND supplier to routinely disclose CND information from calls made with a silent number or customer choice CND block in place to ISPs and other CSPs, the Telecommunications Act does not appear to authorise, and certainly does not require, recipient ISPs and CSPs to collect such CND information.

In this regard, we note that the Australian Communications Authority Fact Sheet No. 13: Internet Service Providers and Law Enforcement and National Security (PDF 367 Kb) lists various types of information, including "calling line identification", that law enforcement agencies may request from ISPs and states:

"Legislation does not specifically require ISPs (or other CSPs and carriers) to keep this type of information for law enforcement or national security purposes."
http://www.aca.gov.au/consumer/fsheets/industry/fsi13.pdf

While s313 of the Telecommunications Act contains a requirement that carriers and service providers 'do their best' to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or of the States and Territories, the disclosure of CND information to ISPs cannot prevent any individual from using the Internet in the commission of an offence against the law. Furthermore, CND information does not necessarily identify an Internet user. It may identify another person whose telephone service is being used once, or often, by an Internet user.

The Telecommunications and Law Enforcement Manual (PDF 875 Kb) issued by the Australian Communications Authority provides examples of steps that carriers and service providers would be expected to take to meet the requirements of s313:

"- taking reasonable steps to ensure that customer information is not false
- taking reasonable steps to ensure integrity of staff
- not deliberately targeting services towards a market likely to use those services for criminal purposes, and
- participating in industry action to prevent the networks being used for criminal purposes."

It is interesting to note that if an ISP collects a telephone number from CND information and includes that in its record of customer details in a manner that indicates it is the customer's telephone number, the information may be false, given a customer may dial in to the ISPs system from someone else's telephone number: a friend's home, a hotel, a temporary workplace (e.g. consultants/contractors) and so on.

It is also of considerable concern to EFA that if ISPs are permitted to collect CND information regarding all of their customers without the consent of the relevant individuals on the ground that it is 'needed' for law enforcement purposes, then the same argument apparently can be applied to ISPs having a 'need' to collect and store information about every Internet user, such as copies of their emails, copies of web pages they visit, etc, in case sometime in the future a law enforcement agency asks for such information. A variety of criminal and civil law enforcement agencies expressed their objections to the fact that ISPs are not required by law to collect and store personal information about Internet users to a Joint Parliamentary Committee Inquiry into the "Law Enforcement Implications of New Technologies". The desires of law enforcement agencies if granted would result in a massive invasion of the privacy of the vast majority of Internet users who do not and do not have any intention of engaging in an illegal activity. The Committee issued its report and recommendations to the Government in August 2001. To date, the Government has not responded to the Committee's report nor have laws been enacted granting the vast majority of the law enforcement agencies wishes.

EFA submits that it is not 'necessary' for the Internet industry or the telecommunications industry to collect personal information about customers for the purpose of law enforcement, unless there is a law requiring them to do so. Furthermore, EFA considers that neither the Internet industry nor the telecommunications industry more generally should be willing to voluntarily collect personal information about Internet users (without consent of the relevant individual) that they do not need for the provision of a service, merely because some law enforcement agencies have been, to date, unable to convince the Government and the Parliament that such invasions of personal privacy are necessary for 'law enforcement' needs.

Given the Telecommunications Act does not appear to authorise, and certainly does not require, ISPs to routinely collect silent telephone numbers and any other telephone numbers that have a customer choice CND block in place, it appears ISPs are required to comply with the provisions of the Privacy Act when collecting such information. It should be noted that compliance with the Privacy Act does not prohibit ISPs from collecting CND information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity.


Applicability of National Privacy Principles (NPPs)

Collection of CND Information

EFA submits that collection by ISPs of CND information pertaining to calls received by them that are made by the caller with a CND block in place breaches NPP 1, except in specific and very limited circumstances, which states:

"1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities."

and the Guidelines issued by the Federal Privacy Commissioner state:

"The Commissioner interprets 'necessary' in a practical sense. If an organisation cannot in practice effectively pursue a legitimate function or activity without collecting personal information, then the Commissioner would ordinarily consider it necessary for that function or activity. It would not ordinarily be acceptable for an organisation to collect personal information on the off chance that it may become necessary for one of its functions or activities in the future."

As detailed earlier herein, it is not necessary for ISPs to know the telephone number their customers call from in order to provide Internet access service to the customers.

Collection of CND information by ISPs from a telephone company/CND service supplier that has over-ridden a customer's CND block may also, depending on the specific instance, breach NPP 1.2 and 1.4.

NPP 1.2 states:

"1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way."

and Guidelines issued by the Federal Privacy Commissioner state:

"In general, the Commissioner interprets 'fair' to mean without intimidation or deception. This would usually require an organisation not to collect personal information covertly but there will be some circumstances - for example, investigation of possible fraud or other unlawful activity - where covert collection of personal information by surveillance or other means would be fair."

When an ISP, or any other business, collects CND information from a telephone company/CND service supplier that has over-ridden a customer's CND block covertly, i.e. without prior notification to the customer, it is clearly unfair collection. It may be 'fair' in relation to a particular customer believed to be engaging in unlawful activity, but in EFA's view it is not fair to covertly collect CND information about every Internet user on the off chance that this might become useful in the future.

NPP 1.4 states:

"1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual."

If an ISP or any other end recipient of a phone call considers receipt of CND information from a customer would be useful, it is reasonable and practicable for them to collect that information from the customer by simply asking them to present CND information when making calls. If a customer declines to provide such personal information and blocks CND when making a call, and the end recipient of the call instead collects the CND information covertly from a CND service supplier, the collection breaches NPP 1.2.

Disclosure of CND Information

EFA submits that disclosure to ISPs of CND information pertaining to calls made with a CND block breaches NPP 2 which states:

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a)... (ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure;
...

The primary purpose for which telephone companies collect the telephone number of telephone callers appears to be for the purpose of providing a telephone service and billing the relevant customer. The provision or sale of CND information to the end recipients of telephone calls is a secondary purpose of collection. Hence, NPP 2 apparently does not permit telephone companies to disclose CND information to end recipients of telephone calls unless one of the exceptions set out in NPP 2 applies. Furthermore, CND services were permitted to be introduced in Australia on the condition that callers be permitted to block the sending of CND information to end recipients of their calls, so even if a telephone company wishes to claim disclosure to end recipients of calls is a primary purpose of collection of CLI data, they are not allowed to disclose CND information when callers have clearly refused consent by blocking CND.

ISPs receive and collect CND information as the end recipient of a telephone call, the same as any other business or individual may.

In the case of CND information pertaining to a call made without a CND block, it is probably reasonable to assume that callers would reasonably expect (NPP 2.1(a)(ii)) telephone companies to disclose CND information to the end recipient of the telephone call, including an ISP, or that the caller has impliedly consented to the disclosure (NPP 2.1(b)) by not opting to block CND. Hence disclosure of CND information pertaining to a call made without a CND block would not breach NPP 2.

However, disclosure by a telephone company/CND service supplier to ISPs of CND information pertaining to a call made with a CND block in place would often breach NPP 2. Callers have clearly refused consent to disclosure and would not reasonably expect a silent number or any other number with a CND block to be disclosed to any entity other than to a telephone company that is involved in routing of the particular telephone call, or to an emergency service in the case of a call made to same.

While there are a number of other exceptions to NPP 2 permitting disclosure of personal information collected for a secondary purpose, these would apply to CND information pertaining to calls made from particular numbers during particular periods, such as when a law enforcement agency is investigating the activities of an individual suspected of engaging in an unlawful activity. They do not permit routinely over-riding the privacy choices of every individual who chooses to block CND.

Anonymity

NPP 8 states:

"Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation."

It is lawful and practicable for ISPs to provide Internet access without requiring their customers to identify themselves. Moreover, a number of ISPs currently sell anonymous pre-paid Internet access accounts.

The disclosure by a telephone company/CND service supplier to ISPs of CND information pertaining to a call made with a CND block breaches NPP 8 because it may enable an individual who has been provided with an Internet access service on an anonymous basis to be identified.


Supplier Obligations in Relation to Provision of CLI

The Code states:

7.1 Supplier Obligations in Relation to Provision of CLI

7.1.1. A Supplier may provide CLI to a Carriage Service Provider for the purposes of supporting the operation of a carriage service in accordance with the Act.

7.1.2. Prior to agreeing to supply CLI to a Carriage Service Provider, a Supplier must be satisfied that CLI is to be used only for the purpose of supporting the operation of a carriage service.

These clauses appear to allow provision of CLI data from numbers with CND blocking in place in circumstances when the CLI data is not necessary for the provision of the telecommunications services provided by the recipient CSP. As discussed earlier herein, ISPs can use CLI data in a manner that arguably "supports" operation of a carriage service, although it is not necessary for provision of the service.

EFA considers Section 7 of the Code must be amended to prohibit CND suppliers from disclosing CND information to end recipients of telephone calls made by callers with CND blocking in place, when the end-recipient is an ISP or any other CSP and the CND information is not necessary for provision of the telecommunications service provided by the end-recipient of the call.


No Discrimination

5.10 No discrimination
5.10.1 A Supplier must not unfairly discriminate between or offer different levels of service to Customers on the basis of whether those Customers choose CND or Blocking. (See note to Guideline 4 in Appendix A).

EFA believes that some ISPs are breaching the no discrimination provisions, on the grounds that they are "Carriage Service Providers", merely to minimise potential problems similar to those experienced by many businesses entirely unrelated to the telecommunications industry who are certainly not permitted to breach the no discrimination provisions.

Reportedly, a number of ISPs believe they are permitted to refuse to provide Internet access to customers who choose to have CND/CLID information blocked (not sent to the ISP) when the customer dials in (logs in) to the ISP's service. Some do not refuse to provide service altogether, but require customers who decline to provide CND information to go into the ISP's office and provide their drivers licence or other identification. Given the very limited number of offices most ISPs have, this practice can make it impossible for people to obtain Internet access with disclosing CND information, especially those in regional and rural areas.

EFA submits that if ISPs have a special and legitimate need to discriminate, ISPs should be required to publicly disclose these alleged needs and explain why they cannot deal with any potential problem in other ways in order not to breach the no discrimination provisions. These claims should be made available to ACIF, the ACA, the Federal and State Privacy Commissioners and the public for scrutiny and comment, before the current draft code is finalised and submitted to the ACA for approval.

In the event that ISPs cannot justify a claimed need to use CND information in an unfairly discriminatory manner, EFA submits that Guideline 4 should be amended to make clear the circumstances, if any, in which ISPs are allowed to discriminate against customers who choose to block provision of CND information to ISPs.


Blocking

The Code states:

5.2 Permanent Line Blocking
5.2.1 Suppliers must ensure that a fixed telecommunications service, which has an Unlisted Number, carries a Permanent Line Block unless the Customer has requested permanent CND.
5.2.2 Subject to Clauses 5.3.1 and 5.3.2 Suppliers must ensure that a Permanent Line Block prevents CND for all calls made from the telecommunications service to which the Permanent Line Block applies.

5.3 Blocking not to apply for calls to emergency services
5.3.1 Suppliers must ensure that all calls made to Emergency Services Numbers result in the display or presentation of CLI, regardless of whether the telecommunications service from which the call is made has a Permanent Line Block or the Caller has dialled the Blocking Code.
5.3.2 Suppliers must take reasonable steps to ensure that Callers are made aware that the display or presentation of CLI will operate for all calls to Emergency Services Numbers by appropriate notices in formats accessible to all Callers, including in directories.

EFA draws to ACIF's attention that recent newspaper reports (referred to earlier herein) state Telstra is engaging in activities that are not in compliance with Clause 5.2.2 in relation to, at least, calls made to some ISPs.

If ACIF intends that Suppliers be permitted to breach 5.2.2 in such a manner, then:

  • Clause 5.2.2 and other relevant parts of the ACIF Code need to be amended so as not to misrepresent to members of the public the extent to which they can rely on the telecommunications industry to self-regulate to protect the privacy of telecommunications users, and
  • the ACIF Code must be amended to require telephone companies and ISPs to undertake and continue a public education campaign until they can demonstrate that 100% of the public knows that CND blocks will be over-ridden on calls made to ISPs (and/or any other CSPs). Such education campaign must also have a deadline set for completion to ensure the members of the public (and especially persons with unlisted telephone numbers) are adequately informed as to potential breach of their privacy at the earliest possible date.

To date, the public has been told, and the existing ACIF CND Code says, that customer privacy choice CND blocks are only over-ridden on calls to Emergency Services numbers. No dial-up Internet user, who has a basic understanding of how the Internet works, would expect their ISP to routinely receive and collect their phone number without their explicit prior consent when they have a silent number or have chosen to have a permanent CND block implemented, or to use a per call CND block on calls they make to ISPs.


Recommendations

  1. The Code be amended to:
    1. become consistent with the National Privacy Principles (NPPs).
    2. ensure that all carriers, carriage service providers and recipients of CND information are, in fact, required to comply with the NPPs and that the Code informs them accordingly.
    3. ensure that the privacy choices of Internet users (and other telephone users) who have unlisted/silent telephone numbers or choose to block provision of CND information are not permitted to be over-ridden except when such information is essential for the supply of the telecommunications service being provided to the caller (i.e. that it is technically impossible to provide the service without over-riding a customer-choice CND block) and that such CND information is not permitted to be collected, disclosed or used for other purposes except in particular instances pertaining to specified customers when required by law.
    4. ensure that, except when (c) above is applicable or in particular instances pertaining to specified customers when required by law, Carriers and Carriage Service Providers (CSPs), including Internet Service Providers (ISPs), are not permitted to receive and collect CND information from telephone calls received by them (as end-recipients of the call) from callers or customers who have or use an unlisted/silent number and those who choose to block CND on a permanent or per call basis, and that they are required to comply with the same guidelines concerning use and disclosure as any other Organisation that receives CND information as the end-recipient of a call.
    5. require Carriers and Carriage Service Providers (CSPs), including Internet Service Providers (ISPs), who receive CND information pertaining to calls made to them with a CND block in place to notify existing and prospective customers accordingly, together with details of the "need" that "requires" them to ignore customers' privacy preferences.
    6. require CND Suppliers who routinely over-ride caller choice CND blocks in a manner that enables end-recipients of the call to receive CND information to inform the public accordingly together with reasons for so doing, for example, by prominent notices in newspapers and on their web sites.
  2. that Guideline 4 be amended to make clear that ISPs do not have any special right to discriminate, or make clear the circumstances, if any, in which ISPs are allowed to discriminate against customers who choose to block provision of CND information to ISPs.
  3. that enforcement mechanisms be re-inserted into the Code unless ACIF has received or does receive formal advice from the Federal Privacy Commissioner that it is unquestionably beyond doubt that all carriers, carriage service providers and recipients of CND information are required by legislation to comply with the NPPs.
  4. that the following definition be inserted in Section 4: "Internet Service Provider means a person or entity that supplies a listed carriage service that enables end-users to access the Internet."
  5. that if ACIF considers ISPs can prove CND information is necessary for the provision of Internet access services, and/or is routinely required to be disclosed by CND Suppliers and collected by ISPs from all Internet users for 'law enforcement' or any other need, that ACIF make such claims available to the Federal and State Privacy Commissioners, the Australian Communications Authority (ACA), and the public for scrutiny and comment, before the current draft code is finalised and submitted to the ACA for approval.

References



EFA Site Navigation:

You are here: EFA Home » Publications » Submission to ACIF re CND Industry Code

Related Resources: EFA Home » Issues » Privacy » Calling Number Display