Computer Privacy Digest Sat, 18 Sep 93 Volume 3 : Issue: 037 Today's Topics: Moderator: Dennis G. Rears Finding out the Caller's Number (was ANI) Privacy Bill? Re: CAller ID vs Name System The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Date: Fri, 17 Sep 93 14:48:25 -0700 From: gast@CS.UCLA.EDU (David Gast) Subject: Finding out the Caller's Number (was ANI) A number of correspondents have taken issue with my belief that calling an 800 number does not give them a right to know the number I am calling from. A number of other correspondents have provided argumentation similar to my own beliefs. 1. I think the vast majority of people have an expectation that the number they are calling from is private. (Reports are that people calling the AMEX number, which was I believe one of the first---if not the first--to get real time ANI, were upset when the phone was answered "Hello, Mr. X.") 2. People with unlisted numbers probably have an expectation or desire more than others. Something like 40% or more of numbers in major metropolitan areas can be unlisted. 3. This expectation of privacy is further communicated by all of the anonymous services which use 800 numbers. I believe that it is negligent, if not fraudulent, to advertise a confidential 800 number. In fact, I remember one anonymous, government-operated, 800 number which was advertised with the line "You don't have to give us your name." Because they already knew it? :-( Even if the recipient does not get any information, the call is still not necessarily confidential. (See below for details). 4. Anyone who calls a number thinking it is anonymous only to have that number not be anonymous has been harmed. If a person calls an anonymous number associated with HIV testing, AIDS information, Alcohol Abuse, Drug Dealing, Criminal Activity, etc from a borrowed phone, the person who "owns" that phone line may get linked via ANI and a database with some derogatory. (I think that is the word used in the trade). Clearly, those people are harmed. 5. Many of the people who argue that an 800-number recipient has the right to know the caller's phone number because the callee is paying are the same people who want Caller-ID when the caller is paying. The argument for them is not really one of who is paying, at all. These people are being disingenuous. 6. Arguments that one should call using a regular, POTS number miss the point as well. In some cases, it is impossible to use a non-800 number. For example, I know of one company whose repair service is only available via an 800 number. If you call the regular number, they tell you to call the 800 number. If you look at most product labels, it is very unusual to find a regular number. If any number is displayed, it is an 800 number. I cannot remember ever seeing both on the same label. 7. One specific example of a harm that can come from delivering ANI to 800-numbers is the scam that converted the 800-number to a 900-number and then charged whatever the callee wanted. I certainly do not believe that scam is the only one that exists. If there were no real-time ANI, such scams could not exist. 8. There have also been complaints of bill collectors going after people just because their phone number has been in some way (frequently, a bogus way) connected with the debtor. There are many errors in these databases, using ANI as an index key is only going to create more errors. 9. Even if you pay for the call yourself, there is nothing in law or technology to prohibit ANI from being delivered. That is, there is no reason as far as I know that some phone company might not decide it is a good idea to start delivering ANI to non-800/900 phone lines. At least one correspondent to the telecom-digest has reported that if you by-pass the LEC, you can get ANI on all calls, no matter who is paying for them. 10.Further, there is nothing in the law or technology to prevent a telephone company from delivering real-time ANI to parties other than the callee, as long as that party is not the government. Would the people who believe that ANI should be delivered to the caller, become upset if that information were provided to others? If so, then regulation is a good idea, and now we only have to decide the extent of the regulation. If not, then they paying is not linked to receipt of real-time ANI information. 11.Further, FCC regulations require that IXCs share calling patterns with each other. So the concept of privacy with respect to calling patterns is empty. The IXCs can then buy, trade, or sell this information to others. In fact, Bob's Sleazy IXC could go into business just to collect, and sell this information. Actually, providing phone service could be of little interest. (Don't argue me there is no sleaze in the telephone industry). 12.Currently, at least some (if not all) of the IXCs maintain that because the caller used their lines to place the call, they have the right to sell that information to others. For example, call X, and the IXC that services X's 800-number wants to sell that information to X's competitors. One thing is certain: the IXC is not paying for the call. 13.The numbers you call provide information about your lifestyle and demographics. This information is one of the reasons for collecting ANI. 14.Some have claimed that most businesses just toss the information. I find this scenario very unlikely. If someone is paying extra to get real-time ANI, it is doubtful that they would not use it. The primary reason for wanting it is to index into other databases. 15.Others have claimed that there is no difference between real-time ANI, and a bill at the end of the month. I respectfully disagree. Real-time provides the mechanisms for more pernicious actions. [I still do not think that providing ANI information in batch format is a good idea; however, it is preferable to real-time display.] 16.If the party paying for the call was the determining factor in permitting ANI delivery, then 900 calls would not provide ANI in real-time or otherwise. In fact, the caller to a 900 number should get to find out what the POTS number is. :-) After all, the caller is paying. Funny how one of the loudest proponents of "he who pays gets to know" is also involved in the 900-number business and would loudly bitch if ANI were not supplied to 900-numbers. 17.Arguments like real-time ANI has been available for 20 years, and so you should not be complaining now are factually incorrect. First, in the old days there was no call detail provided on 800-numbers. Secondly, I believe that ANI came about as a result of equal access after the Bell split up (although a similar technology was involved for billing purposes only). Third, ANI was developed for billing purposes, not call identification purposes. Fourth, AT&T's tariff for Info-2, which I believe tariffs real-time ANI, is only about 5 years old. In the good ole days, calling an 800-number was essentially anonymous. No inbound 800 or outbound 800 call detail was kept. Ma just sent a bill and said pay it. 18.One person listed several "good" uses for real-time ANI, such as ordering pay-per-view movies. I don't have cable, much less a need for pay-per-view. In any event, the sending of ANI information should be voluntary. If I don't agree to send it, then the cable company should not be required to give me the pay-per-view movie. There needs to be a "meeting of the minds", just as there must be a meeting of minds in contracts. 19.I was especially amused by these comments: The only legitimate concern expressed here has been that some telemarketer MIGHT call some evening. Horrors! What a thought! Even if true (it more than likely is not), I know many people who have survived telemarketing calls and lived to tell about it. What do you care about inflating dial lists with hopeless prospects? Are you the direct marketing efficiency police? I was so amused because this individual has posted numerous harangues about receiving telemarketing calls, especially from the San Jose Mercury, wrong numbers, and calls from long-winded Fred while backing the bike out the garage. Let's try to be intellectually honest---either telemarketing calls are a pain or they are not. It is not credible to argue that calls to the writer are unacceptable, but the rest of us should just live with them. Additionally, the more important concern is not that some telemarketer might call back, but the inclusion of the number into databases, such as lifestyle databases, which are then bought and sold. 20.It has been stated that a telephone number is not "the key to your house, your savings passbook number, your Swiss bank account number, or your winning lotto ticket." Literally, that statement is true, but the telephone number as supplied by ANI is frequently used to index into databases, and at that point, it can be a bank account number, a transactional database, or other database with personal information. (Even neglecting phreaking, a phone number does not identify an individual). The facts that phone numbers change, that people share lines, etc, do not mean that ANI is not used as an index in databases. It just means that the potential for confusion is all the greater. 21.>In that regard, can someone cite one single documented case where >someone was harmed by either CNID or ANI and took action against the >number recipient? Is the problem real, or is it arm.chair.fantasy? >In my experience, the latter is definitely the case. If you have more >experience than I, let us hear about your case histories. I don't know whether action was taken or not. It's rather hard to sue for invasion of privacy because the trial itself is public. If I recall correctly, the writer was upset when Amex started calling his mother because he used her phone once. Actionable? Probably not. A misuse of information/a violation of trust? Definitely. 22.> Why not approach reality just a little? Try asking your coworkers if > they have ever called such a number and had any evidence whatsoever > that 1) their number was even captured; 2) there was any misuse of any > information collected; or 3) any harm of any kind resulted from the > call. I believe that if you cannot quantify or objectively describe > "harm" that it did not happen. Please be sure and quantify the harm in all future posts on the San Jose Mercury or long-winded Fred, or any of the other evils that befall you. We must have quantification. :-) Repeated requests for quantification of harm are ipso facto impossible to produce. If every organization/person that collects ANI information had to produce a report on exactly what they did with the information, then one could study it and report on the harms. Unfortunately, for the scientific method, the collectors of ANI are in all likelihood going to consider their methods of capturing it, correlating with other databases, and acting on it (by raising prices, etc) trade secrets. If you go into a grocery store, they will be happy to process your payment via ATM card, Debit Card, Check Cashing Card, or increasingly credit card. All the data---including time, quantity, check out lane, and price---related to the transaction is captured, and later analyzed. Do you think they go to all the expense---millions of dollars---out of the goodness of their cold, calculating capitalistic hearts? They do it because the information allows them to increase sales, prices, and profits. If you pay more for a loaf of bread because of this scheme, have you been harmed? Yes. Is it "actionable?" I doubt it. Can you quantify the harm? Absolutely not. [And incidentally, branded products who are big users of this data and related lifestyle and demographic data, plus other data like when TV commercials ran and the like have increased prices far more than inflation over the past ten years. People are harmed. The data collectors have become more powerful. All of which is to say that just because I cannot personally quantify every harm does not prove that the harms do not exist. Rational people do not spend money without getting a benefit. And since money does not grow on trees, that means someone is paying for that benefit. [Read the industry trade rags]. 23.Let's consider for a moment a possible particular application of using ANI. An organization sets up an 800-number to verify credit-worthiness for a 900-number. (If the callee has not been pre-approved, the 900-number does not answer, or just gives the person a message to call the 800-number to set up an account). The 800-number rings. IF before the 800-number picks up the phone, the organization has used ANI to index that number into credit records, possibly via a super bureau, then I submit harm has occurred. The mere calling of the number (it could have been a wrong number, even delivered incorrectly by the phone company at no fault to the dialer) does not provide the callee with the right to look up credit information. It is not a legitimate business need. On the other hand, if the caller picks up the phone, explains what is going on, answers all the callee's questions, and then gets consent for the credit check, the callee has behaved in a much better fashion. If the callee throws the number away if no consent is granted, then the callee has behaved even better. It is not clear how the callee will behave. The callee may believe that she/he/it has to verify credit information before providing any precious information, such as, cost, how to dispute charges, etc, to the callee. Presumably, however, the callee will get some means of billing the client other than through the phone company. 24. > One, TPC is not selling the number, they are providing the number as > required to complete the call. TPC is not making any money off of it. I don't understand. Of course, they are making money; the TPC is selling the ANI information (or CLID information). They don't give it away for free. 25.I disagree with the poster who felt a 700-number provided more privacy. It may provide some degree of geographical privacy regarding the location of the caller at any given moment although the extent to which this is true depends on what transactional information the phone company is selling. On the other hand, a 700-number could be for life, and as such would operate more like an SSN or ID than a telephone number. A 700-number also provides valuable demographic data. In conclusion, ANI is not the most pernicious threat faced today, but it is part of the surveillance society where our every move and action can be recorded in some database, to be combined with other databases, in order to better manipulate us. Information is power. If it weren't valuable, it would not be collected. David ------------------------------ From: peterson@CS.ColoState.EDU (james peterson) Subject: Privacy Bill? Date: Fri, 17 Sep 1993 17:02:12 GMT Organization: Colorado State University, Computer Science Department I have recently been hearing about a privacy bill being considered by Congress. Does anyone have the text of this bill to post? -- james lee peterson peterson@CS.ColoState.edu dept. of computer science colorado state university "Some ignorance is invincible." ft. collins, colorado (voice:303/491-7137; fax:303/491-6639) ------------------------------ From: David Dyer-Bennet Subject: Re: CAller ID vs Name System Organization: Network Systems Corporation Date: Fri, 17 Sep 93 18:56:24 GMT In article rogerj@otago.ac.nz writes: >I agree that the use of a naming system by the police to identifier >harassing calls. However I do believe the current system that New Zealand >Telecom uses for handling harassing calls could still be used with a naming >system. (Victims in New Zealand first make a complaint to the police, >the phone numbers of callers to the viticm are then record by the phone >company but are only given to the police. No action can be taken by the >individual.) In fact, this system can be used without any sort of identification *to the victim* of where the calls are coming from. It's good to handle serious problems through the proper official channels. >But why do we have to reveal a our unique identifier in order to communicate >with someone else. How many people would not accept a letter without a >return address on the back. Well, to talk to me face-to-face you have to reveal your face to me. People who whisper to you from the bushes as you walk past are generally regarded as, at best, strange. Similarly, anonymous letters are viewed very negatively by everybody I know. So, why should phone calls be special? Why should anonymity be the default in this one particular mode of communication? While the call itself is anonymous, in a normal conversation the first thing that happens is the caller and the answerer exchange identities. It seems that people generally *want* to know who they are talking to. -- David Dyer-Bennet Network Systems Corporation ddb@network.com Brooklyn Park, MN (612) 424-4888 x3333 ddb@tdkt.kksys.com My postings represent at most my own opinions. GCS/O d* p--- c++ l m+ s+/+ ++!g w+++ t- r f+++ x+ ------------------------------ End of Computer Privacy Digest V3 #037 ******************************