Dated 1 November 2002
This document is at http://www.privacy.org.au/Papers/SubmnACIF0211.html
Privacy and consumer advocates have made a substantial commitment of time and resources to the CND issue over many years - more recently with the intent of assisting carriers in meeting the obligations which they have accepted, but never fulfilled. The obligations to create a genuine environment of informed consent accompanying the introduction of CND, and the obligations outlined in the original code, have never been met. The research conducted both by the ACA and by Telstra has never legitimately tested all three of the agreed criteria for people's awareness of the key reason why CND will in the future be a major privacy problem - the fact that it links a person's call to other database information about that individual.
We do not believe that threat has gone away. We do not believe that threat is immediate. But we believe that it is a very significant medium to longer term issue, and for this reason we regard the current proposed revision of the CND code with deep concern. It dismantles some safeguards that were in place, and it weakens other commitments that were only partly fulfilled.
The Code purports to support the privacy obligations in the Telecommunications Act 1997 Part 13 and the Privacy Act 1988. In our view, at least in respect of Internet Service Providers, the Code does precisely the opposite and encourages ISPs to collect and use CLI information in a way that potentially breaches both those Acts. This is explained below in relation to Section 7 of the Code.
Page 1 Para 5
"This Code does not cover CND services provided on an opt-in basis". (see also 2.1.4(c))
We cannot see the need for this exclusion - the Code is about the use of CLI information and some of the provisions are just as relevant where a user has chosen to `opt-in' as when they have failed to exercise an `opt-out'. We suspect the effect might be to deprive some users of protection under the Code on the basis of an arbitrary decision by a telecommunications supplier. Opting in to a CND service should not abruptly deprive users of the same rights to information, protection and remedies as are provided to other users.
Page 2 para 2
"requirements in the earlier Code for a public education campaign and research to ensure consumer awareness have not been included in this Code."
We agree that the emphasis needs to shift now that most of the major carriers have introduced their CND services. But we believe that only some of the public education objectives have ever been met, and that at no stage has public education even tried seriously to communicate to telephone users the fact that CND enables a linkage between databases of information and a person's call, and the fact that this raises significant privacy concerns. To the extent that some targets for awareness have been met now, we cannot see why those targets should not be ongoing - otherwise even existing levels of awareness are likely to decline, and telephone customers will not be making informed decisions when contracting for new or additional services.
There is also the issue of potential new entrants which is addressed only partially and inadequately at the end of the Explanatory statement. Relying on the awareness requirements in Section 6, without any monitoring, targets or sanctions is almost certain to be ineffective - we are already aware of instances of non-compliance with awareness requirements even under the existing Code, and in our view nothing should be done to relieve whatever pressure the targets bring to bear. Therefore, while the targets and research requirements need amending to cater for the new `in-service' status of CND, they should not be removed entirely.
Page 2 para 5
"Because organisations receiving CND information are now required to comply with the NPPs when handling CND information, it is no longer necessary for this version of the Code to contain enforcement mechanisms other than those already in place by the Privacy Act."
This is neither satisfactory nor true. Many organizations are either exempt from or not subject to the Privacy Act (such as most smaller businesses, and government agencies in some States and the NT). Deleting the enforcement mechanisms leaves no sanctions against such organisations misusing CND information - there is no reason to think that the potential for such misuse is a function of size. The Code should continue to include enforcement mechanisms at least for those organisational users of CND which are not subject to a privacy law.
2.1.3
"Code rules in Sections 5 and 6 of this Code apply only in relation to the provision of a Standard Telephone Service."
It is not clear what the effect of this scope limitation is - the definition of "Standard Telephone Service" in the Code simply refers to a section of an Act, which is most unhelpful - readers need an explanation of what it means.
We understand that the effect of this definition is to limit the scope of the code to services for voice telephony. We are not sure how a carrier knows if a service is being used for voice or data, but in any case, we can see no justification for the Code not applying to lines being used partly or wholly for data - such as many users' internet or fax connections. The same issues of privacy protection arise for all types of use, and are in fact particularly sensitive in relation to internet service providers (see comments on Section 7).
2.1.4 states
"Nothing in this part is intended to affect:
(a) Suppliers using or disclosing CLI information in the course of providing telecommunications services, including for the purposes of billing for telecommunications services, where the use or disclosure is necessary to provide the telecommunications services, and is authorised or required by legislation; ...."
We are concerned about the potential use of CLI information by Internet Service Providers (ISPs) - see comments on Section 7.
This section reflects the provisions of the Telecommunications Act which are based on the necessity of some telecommunications service providers to receive CLI information for the technical operation of networks, and for billing and other administrative functions that follow from that necessity. That necessity also requires transfer and use of CLI information even for calls where a line or per-call block applies to its use for CND.
Unfortunately, the same category of carriage service provider also encompasses Internet Service Providers. Most ISPs are not in the same position as other providers of network services - they do not need CLI information to provide their service. The submission by Electronic Frontiers Australia (EFA) explains this in detail and we agree with their analysis. In relation to the alleged need for CLI information for fraud control, we note that the provisions of the Telecommunications and Privacy Acts dealing with law enforcement would allow carriers to disclose CLI information to an ISP in some cases in connection with a specific investigation - such as when required by a law enforcement agency.
Assuming that the attempt to exclude data calls is rejected (see comments above on 2.1.3), ISPs will be covered by Section 7 of the Code.
It is arguable that the restricted purposes for which CSPs can receive CLI information prevent ISPs from receiving that information for calls where a line or per call block is in place. If an ISP routinely collected CLI, without any justification in terms of the four permitted uses, it would potentially be in breach of both the Telecommunications Act and the Privacy Act (National Privacy Principles 1 and 2). The legal position appears far from clear and in our view the Code should deal with this issue.
We understand that ISPs have been lobbying for access to CLI information on all calls, partly on the grounds that it will help them to counteract unsolicited e-mail or SPAM. This is in our view a misleading claim. As we said in our recent submission to the NOIE SPAM enquiry:
"The main area of concern for the Foundation in relation to the role of ISPs is the suggestion that they need to routinely identify users, and that calling line identification should be used more for this purpose (see draft recommendations 2-4). We do not think that these proposals have been adequately thought through. The paper slips into talking about identification of individuals when we have seen no evidence of large scale Spamming by individuals. Most Spammers are organizations (and mostly overseas) and any proposed monitoring should focus on them. What evidence is there that Spammers are blocking transmission of their CLI (presumably as a way of preserving their anonymity?)."
We went on to suggest that in any event, control of SPAM did not fall into any of the four categories of use that CSPs can make of CLI information (listed in clause 7.1.3).
Most if not all of the reasons ISPs give for wanting CLI information are no different from those which could be given by any business - ISPs are in our view seeking to take advantage of the incidental fact that they happen to be CSPs under the Telecommunications Act.
We suggest that the revised ACIF CND Code clarify the issue of ISPs' access to CLI information - preferably in a way that puts it beyond doubt that they do not need that access and that they can therefore only obtain it where the line or call is `unblocked'. The Code should also make it clear that it is unacceptable for ISPs to make it a condition of service that users do not block CND on calls to the ISP, or to covertly insert unblocking codes into pre-programmed dial up products.
We would be pleased to provide further information about our concerns and to participate in any meetings that may be necessary to address the major flaws in the current draft Code.
Created: 7 February 2003
Last Amended: 7 February 2003