16 November 2002
Introduction of ENUM in Australia
This submission is a response to the Australian Communications Authority's Discussion Paper titled "Introduction of ENUM in Australia" dated September 2002.
- Executive Summary
- ENUM and Privacy
- Technical Feasibility of Opt-in and Opt-out Models
- National Infrastructure Security
- Control of ENUM Databases
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in 1994, is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties.
EFA has presented oral testimony before various Federal Parliamentary Committees inquiring into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector and telecommunications interception laws. EFA's Executive Director was a member of the Federal Privacy Commissioner's Research Reference Committee and National Privacy Principles Guidelines Reference Group during 2001. EFA's Chair has been a member of the Board of auDA since auDA's establishment and was elected Deputy Chair of the auDA Board at the November 2002 AGM.
- It is doubtful that the technical design of the ENUM system will be capable of delivering adequate privacy protection for telephone users and Internet users.
- Significantly more effort needs to be directed to building privacy protective mechanisms into the technical design of the system.
- There may be no existing Australian legislation that would afford adequate, if any, privacy protection for personal information contained in an ENUM database.
- It would be essential that telephone numbers only be inserted in an ENUM database with the explicit agreement of the end-user.
- The implementation model choices of either opt-in or opt-out do not appear to recognise either the complexities or the technical requirements of ENUM.
- Implementation of ENUM poses serious risks to national infrastructure security and related availability of telephony services.
- ENUM offers an environment in which telephone numbers around the world are administered under a structure which is tributary to the American government. It is inappropriate that citizens' access to telephony services in one country should be subject, even in theory, to another country's government.
ENUM presents serious risks to individuals' privacy because it creates a unique individual identifier and the current system design requires personal information about individuals, who have an ENUM address, to be made publicly-accessible in a database on the Internet.
EFA has doubts that the technical design of the ENUM system will be capable of delivering adequate privacy protection for telephone users and Internet users. It appears that considerably more technical work needs to be undertaken with the objective of building privacy protections into the technical design.
We support the Australian Privacy Foundation's submission to the ACA:
http://www.aca.gov.au/committee/nsg2/comments/APF.pdf (PDF 113 Kb)
and request that the ACA give close attention to the privacy issues raised therein.
In this submission, we raise a number of aspects concerning the system's technical design that appear to indicate ENUM is not presently, and may never be, capable of delivering existing standards of privacy protection and national infrastructure security.
2. ENUM and Privacy
2.1 Privacy and nature of DNS database
ENUM is based on the Internet's Domain Name System ("DNS") architecture and therefore inherits the DNS's assumptions about the public nature of information in the database. While these assumptions are appropriate for the address of a computer that serves web pages to Internet users, they are not appropriate for personal information about individuals.
The Internet cannot operate without publicly-available data in the DNS database. Any Internet device needs to know the IP address of its intended destination; and this information is discovered by retrieval from the DNS database.
This is fundamental, because the Internet permits a device's physical address – the port to which it is connected – to be separated from its logical address; and a user's access is not tied to, nor billed according to, either the physical port nor the logical address temporarily assigned to that user. A user can connect at any location available to that user's address – for example, through an Internet Service Provider's points-of-presence in Sydney today, and Melbourne tomorrow. In other words, Internet users are very weakly associated with physical ports or logical addresses.
In the telephone network, a user is strongly identified with a logical address (telephone number). That logical address is, historically, strongly identified with a physical port, and only the advent of Intelligent Network technologies has weakened this identification.
That association means that a user can function independently of publication: a customer's telephone number can make outgoing calls without its identity being known to anybody except the carrier and the customer. A user can choose to withhold his/her telephone number from publication without affecting network integrity.
If an individual maintains an unlisted/silent number on the PSTN, that individual can still be reached by those to whom the telephone number is known.
In the ENUM model, this would not be possible. A user whose telephone number did not appear in the ENUM database would not be reachable, because the incoming call would search the ENUM database to match the telephone number to the domain name, and ultimately IP address, by which that user can be reached.
In other words, while a telephone number can be reached without publication of that telephone number, an ENUM DNS entry must be public to be reachable.
The DNS's architecture also means an individual has no control over the distribution of information placed in the database. The DNS can only operate efficiently by the wide distribution of DNS entries into self-populating databases (local DNS servers).
For example, when a network is first connected to the Internet, its DNS is empty. If a network user seeks a Web site, that site's DNS entry will be unknown to the local DNS server. In that case, the DNS server will fetch the information from a server located above it in the DNS hierarchy, and will retain that information against future queries.
By using the DNS as its architectural model, ENUM presumes the willingness of address owners to a similar, highly-distributed network behaviour.
It is very unlikely that even wide public debate would give the bulk of the general population sufficient information to assume that a majority of users had offered "informed consent" to the distribution of their telephone numbers in a publicly-accessible database in this fashion.
2.2 Personal Information in DNS & ENUM databases
EFA considers there are several core problems with the technical design of ENUM in relation to privacy.
Telephone Number as Unique Identifier
An individual's telephone number is converted to a unique identifier that can be used to obtain a vast range of information about the individual. For example:
+61 3 2222 1111 becomes 220.127.116.11.18.104.22.168.3.1.6.e164.arpa
This unique identifier will be very useful for person tracking and location, data matching by marketers and so on.
It should be noted that while some commentators contend a telephone number is not personal information, it is already trivially easy to identify some, probably many, individuals from a telephone number using the Internet. ENUM as currently designed and proposed will make this even easier.
Personal Information in DNS
The publicly accessible DNS database will contain phone numbers in the ENUM address format. This appears to preclude use of ENUM by people who have an unlisted/silent telephone number.
The DNS would also contain other contact numbers or email address etc that the ENUM address holder has chosen to have listed as a means of contacting them. Hence, it would be simple to use commonly available query tools such as nslookup to look up a person's telephone number in the DNS and receive a listing of contact details like:
[...mobile, fax, etc...]
This will be very useful for some types of businesses (including those who do not use ENUM). As one example, a prospective customer who calls a business (and either provides their telephone number or fails to block calling number display presentation) may find themselves subsequently receiving spam, for example, the business may lookup their telephone number in the DNS and find their email address and their name if this is part of their email address.
We note that IETF ENUM Working Group draft document Privacy and Security Considerations in ENUM, dated October 2002, suggests contact details could be automatically anonymised so that the publicly accessible information would be, for example, [email protected] which could be resolved to [email protected] via a Service Resolution Service. The document states "The concept of a Service Resolution Service has not been defined in the IETF, however it is within the realm of technical possibility."
EFA considers significantly more effort needs to be directed to building privacy protective mechanisms into the technical design of the system.
Personal Information in WHOIS Database
Whois is a publicly accessible database that provides contact details about a DNS registration, i.e. a domain name holder's name, address, contact details. This database is separate from the actual DNS.
It appears unclear at this stage whether an ENUM address holder's name, street address and other contact details would be placed in a Whois database.
We note the IETF document referred to above states: "Unlike the ICANN administered domain name industry, the global ENUM system has no requirement for a central WHOIS registry of registrants. Information on whom or what entity is in administrative control of a phone number is widely available as a part of normal telephone service subscription."
EFA is strongly opposed to information about ENUM address holders being entered in a Whois database. Existing Whois databases are mined by marketers etc. If an ENUM Whois database is established it need contain no more than the technical contact relevant to the registration of a E.164 number which would be for example the registrar, not the ENUM address holder.
2.3 ENUM and Privacy Legislation
EFA submits that there may be no existing Australian legislation that would afford adequate, if any, privacy protection for personal information contained in an ENUM database. We consider a detailed analysis of the Privacy Act 1998 and the Telecommunications Act 1997 would need to be undertaken to determine whether or not exemptions from privacy protection provisions of those Acts would apply. For example:
- whether an ENUM database may fall within the definition of a "generally available publication" and would therefore be exempt from the provisions of a number of the National Privacy Principles,
- to what extent and for what specific purpose/s the exemptions from Part 13 of the Telecommunications Act would apply, for example, Section 291 "Business needs of other carriers or service providers".
EFA considers it is very likely that amendments to existing law would be necessary to protect privacy, together with increased penalties for breach of privacy provisions and increased enforcement powers and funding of regulatory authorities, e.g. the Federal Privacy Commissioner's office and the ACA. EFA does not believe that a 'co-regulatory approach' to protection of privacy involving codes of practice would be sufficient given the broad range of individuals and entities that would have access to personal information in an ENUM database due to the nature of the relevant technology and some sectors of the 'Internet industry'.
In our view, technological developments are outpacing existing law and traditional (but incorrect) assumptions about carriage service providers' "business needs" etc. are resulting in infringement of individuals' privacy rights in a manner that is contrary to, at the least, the spirit of relevant legislation and were probably not envisaged by the Parliament in enacting privacy protective provisions. Recent examples of infringement of telephone users' privacy include Telstra's publication of silent telephone numbers, apparently without penalty, and Telstra's recent decision to commence disclosing the telephone numbers of callers with a silent number or a Calling Number Display block in place to ISPs, although it is not necessary for ISPs to know what number their customer is calling from in order to provide Internet access services.
We also consider there are likely to be a number of aspects of existing legislation that may present impediments to various ENUM implementation models. As one example, if an ENUM registration entity is not a carriage service provider ("CSP"), the Telecommunications Act may preclude telephone companies and other CSPs from disclosing personal information to a registrar without the consent of the individual concerned. This of course would not be issue if an opt-in model for ENUM is adopted. However, if it is not, or if as we suggest below the technical design of ENUM prevents a pure opt-in model, this matter may need to be considered.
It is also necessary to consider the provisions of privacy legislation, in Australia and in other countries, in relation to the cross border data flows that would apparently occur due to the nature of the DNS. In addition, it is quite feasible that the name server mapping telephone numbers to IP numbers could be hosted outside the country in which those telephone numbers reside. Such a scenario, while being avoided by the ITU, should be considered in the light of legislation and treaties relating to cross-border data flows. In fact, the DNS architecture assumes high redundancy and flexibility in the location of domain name servers. For example, some commentators are critical of regulations requiring name servers for the new .us top-level domain to be located within America. The criticism is based on the notion that locating all the name servers for a single domain in a single geography undermines the redundancy of the DNS.
2.4 Opt-in or Opt-out
With privacy concerns in mind, the ACA's discussion paper seems to lean towards an opt-in model for ENUM – that users must explicitly request inclusion in any ENUM scheme. However, the ACA also admits the possibility of opt-out schemes.
In EFA's view, it would be essential that telephone numbers only be inserted in an ENUM database with the explicit agreement of the end-user. This is the only means of respecting the privacy rights of individuals and protecting their privacy.
We also consider this type of system should offer a choice other than solely inclusion or non-inclusion. There should also be a means whereby users who wish to be entered in an ENUM-type database can have their personal information protected from publication, unless they explicitly consent otherwise (similar to unlisted/silent telephone numbers). This does not seem to be possible in the ENUM system design.
Moreover, people who choose not to be included, or not to have their personal information made public, must not be charged a fee or discriminated against in any other way.
3. Technical Feasibility of Opt-in and Opt-out Models
EFA is strongly opposed to any implementation of ENUM or a similar scheme that is not opt-in.
However, in our opinion the implementation model choices of either opt-in or opt-out do not recognise either the complexities or the technical requirements of ENUM.
It appears that an opt-in model requiring explicit consent to inclusion is incompatible with the system's technical design in the long term. If a customer's only telephone is connected through the Internet, then it will only be reachable through a DNS architecture similar to ENUM. In other words, the system's technical requirements seem to eliminate a pure opt-in model in the long term. This is incompatible with modern attitudes to privacy and appears incompatible with the intent of Australia's existing privacy legislation. Individuals who do not wish to make their telephone number publicly available would in effect be coerced into doing so in order to obtain a telephone service. EFA considers such a scenario to be highly undesirable.
Furthermore, whether the model is opt-in or opt-out, users who choose not to be entered in the ENUM database have to be protected against identity fraud – and this seems to pose serious practical difficulties in the operation of such a system.
DNS registrar databases register presence, not absence: if, for example, nobody has ever requested the domain name foobar.com.au, that name is absent from the database.
This poses a problem in ENUM. The absence of an entry in a domain database usually signals its availability – in other words, if foobar.com.au is not known to the DNS, a user can apply to register the right to use that name.
So in the DNS, domain availability is binary: a name is available, or it is not. To minimise the risk of identify fraud, it appears ENUM would require a third state to be represented in the database: a number that is not registered, but which is not available for registration because it corresponds to a telephone number whose owner has chosen not to hold an ENUM registration.
It should be noted that this would considerably escalate the cost, size, scale and complexity of the databases needed to operate ENUM. Instead of registering only names which have been claimed, ENUM registrars would have to be able to accurately respond to queries for all numbers corresponding to the telephone numbering plan in their domain.
4. National Infrastructure Security
EFA is of the view that implementation of ENUM poses serious risks to national infrastructure security and related availability of telephony services.
ENUM represents a fundamental change to the characteristics of telephone calls, by exposing telephone number signalling to a public network.
This is not the case in the PSTN. Telephone calls are established by connection to a signalling system which is quarantined from general network traffic. It is impossible for an ordinary user to interact with the telephone signalling database.
This is not so on the Internet. The DNS is queried by individual users, usually automatically, in their every interaction with the network. Users can also, if they wish, interact directly with domain name servers – for example, by launching a "whois" query.
This is a fundamental vulnerability of the Internet, as was demonstrated in October when Internet performance was hampered by a denial-of-service attack on 13 top-level domain name servers.
This exposes a serious vulnerability which seems to render the Internet unsuitable for everyday telephony. It is feasible that an Internet-connected, ENUM-enabled telephone in one country could be rendered impossible to reach by an attack on domain servers in another country.
Certainly, attacks on the telephone signalling system are also possible, but they would require considerably greater access to a more protected system. It is equally certain that an anonymous attack of the kind launched against the DNS is not possible against telephone signalling, given the architecture of the telephone network as it now stands.
While the PSTN will persist for many years, all major telecommunications carriers have a strategy to migrate telephony services to the packet network. Given the current immaturity and vulnerability of ENUM, it seems an unsuitable basis on which to offer ordinary citizens telephony services.
5. Control of ENUM Databases
At the moment, the ITU's policy is to restrict the right to operate an ENUM registrar to national telecommunications regulators. However, there is no guarantee that control of a telephone numbering database would remain under the direct control of local regulatory authorities forever.
In fact, while responsibility for telephone numbering in Australia resides with the Australian Communications Authority, the most important telephone numbering database in Australia resides in Telstra. Ownership of telephone signalling infrastructure is already in the private sector in countries where formerly state-owned telecommunications carriers have been privatised.
If viewed merely as another telephone number database, ENUM could easily be sold into private hands. This could represent a serious breach of privacy which would be nearly impossible to reverse.
In the UK, in spite of the ITU policy, there has already been an attempt by a private registrar to claim the right to operate the ENUM registry. This is a strong indication that Internet registrars see ENUM as a potentially lucrative business. Apparently, they see the revenue-generation possibilities by way of either charging users for registration in the ENUM database and, possibly more likely, exploitation of the data for marketing, and for person location and tracking services.
Charging for registration in an ENUM database would be vastly different from the PSTN. A telephone user does not have to pay a surcharge to hold a telephone number, and this situation should be protected as part of citizens' rights to telephone service. In this regard it should be noted that much of the hype surrounding ENUM appears focussed on the idea that a person who has a PSTN telephone number could, potentially, use ENUM to redirect calls to a variety of other means of contact. However, in the future a system like ENUM could become the only means of having a 'normal' telephone number. Existing consumer rights should therefore be implemented prior to introduction of a system like ENUM, rather than ignored until technology develops to the point where consumers have no choice and pre-existing charging 'rights' of businesses become problematic to reverse.
While most operational activities in the DNS reside with ICANN, the legislative and administrative environment in which ICANN operates seems to leave a residual authority with the US Department of Commerce ("DoC").
In the case of ENUM, it could therefore be argued that ICANN's decision to cede ENUM administration to the ITU actually exceeded its powers. Since the US DoC could legally reclaim control of the DNS, it seems feasible, if not likely, that ICANN's administrative decisions could also be reversed.
In other words, ENUM offers an environment in which telephone numbers around the world are administered under a structure which is tributary to the American government – whereas telephone numbers under the ITU are effectively administered by regulatory authorities in sovereign nations.
There is another important difference between ITU numbering plans and ENUM. While the ITU holds an administrative responsibility for international telephone numbering, operational control of telephone numbers is in the hands of national regulators, not the ITU.
ICANN both performs active operational functions and makes administrative decisions – and it is tributary not to international treaty, but the legislative structures of a single nation. It is inappropriate that citizens' access to telephony services in one country should be subject, even in theory, to another country's government.
While interconnection between Internet hosts and the telephone network is desirable, it requires a robust technical structure which reproduces the rights to privacy, communication and national sovereignty which already exist in the PSTN.
The ENUM proposals do not seem to meet these requirements. EFA submits, therefore, that it is not even an adequate set of proposals to go to trial: it should, rather, be abandoned until a technical structure is offered which meets these requirements.