Computer Privacy Digest Sat, 18 Sep 93              Volume 3 : Issue: 037

Today's Topics:                         Moderator: Dennis G. Rears

    Finding out the Caller's Number (was ANI)
    Privacy Bill?
    Re: CAller ID vs Name System

The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
Date: Fri, 17 Sep 93 14:48:25 -0700
From: gast@CS.UCLA.EDU (David Gast)
Subject: Finding out the Caller's Number (was ANI)
A number of correspondents have taken issue with my belief that
calling an 800 number does not give them a right to know the number
I am calling from. A number of other correspondents have provided
argumentation similar to my own beliefs.
1. I think the vast majority of people have an expectation that the
number they are calling from is private. (Reports are that people
calling the AMEX number, which was I believe one of the first---if
not the first---to get real time ANI, were upset when the phone was
answered "Hello, Mr. X.")
2. People with unlisted numbers probably have an expectation or desire
more than others. Something like 40% or more of numbers in major
metropolitan areas can be unlisted.
3. This expectation of privacy is further communicated by all of the
anonymous services which use 800 numbers. I believe that it is negligent,
if not fraudulent, to advertise a confidential 800 number. In fact,
I remember one anonymous, government-operated, 800 number which was
advertised with the line "You don't have to give us your name."
Because they already knew it? :-( Even if the recipient does not
get any information, the call is still not necessarily confidential.
(See below for details).
4. Anyone who calls a number thinking it is anonymous only to have that
number not be anonymous has been harmed. If a person calls an anonymous
number associated with HIV testing, AIDS information, Alcohol Abuse,
Drug Dealing, Criminal Activity, etc from a borrowed phone, the person
who "owns" that phone line may get linked via ANI and a database with
some derogatory. (I think that is the word used in the trade).
Clearly, those people are harmed.
5. Many of the people who argue that an 800-number recipient has the
right to know the caller's phone number because the callee is paying
are the same people who want Caller-ID when the caller is paying. The
argument for them is not really one of who is paying, at all.
These people are being disingenuous.
6. Arguments that one should call using a regular, POTS number miss the
point as well. In some cases, it is impossible to use a non-800
number. For example, I know of one company whose repair service is
only available via an 800 number. If you call the regular number,
they tell you to call the 800 number.
If you look at most product labels, it is very unusual to find a regular
number. If any number is displayed, it is an 800 number. I cannot
remember ever seeing both on the same label.
7. One specific example of a harm that can come from delivering ANI to
800-numbers is the scam that converted the 800-number to a 900-number
and then charged whatever the callee wanted. I certainly do not believe
that scam is the only one that exists. If there were no real-time ANI,
such scams could not exist.
8. There have also been complaints of bill collectors going after people
just because their phone number has been in some way (frequently, a
bogus way) connected with the debtor. There are many errors in these
databases; using ANI as an index key is only going to create more
errors.
9. Even if you pay for the call yourself, there is nothing in law or
technology to prohibit ANI from being delivered. That is, there is
no reason as far as I know that some phone company might not decide
it is a good idea to start delivering ANI to non-800/900 phone lines.
At least one correspondent to the telecom-digest has reported that
if you by-pass the LEC, you can get ANI on all calls, no matter who
is paying for them.
10. Further, there is nothing in the law or technology to prevent a telephone
company from delivering real-time ANI to parties other than the callee,
as long as that party is not the government. Would the people who believe
that ANI should be delivered to the caller, become upset if that
information were provided to others? If so, then regulation is a good
idea, and now we only have to decide the extent of the regulation. If
not, then the paying is not linked to receipt of real-time ANI information.
11. Further, FCC regulations require that IXCs share calling patterns
with each other. So the concept of privacy with respect to calling
patterns is empty. The IXCs can then buy, trade, or sell this information
to others.
In fact, Bob's Sleazy IXC could go into business just to collect, and sell
this information. Actually, providing phone service could be of little
interest. (Don't argue with me that there is no sleaze in the telephone industry).
12. Currently, at least some (if not all) of the IXCs maintain that because
the caller used their lines to place the call, they have the right to
sell that information to others. For example, call X, and the IXC that
services X's 800-number wants to sell that information to X's competitors.
One thing is certain: the IXC is not paying for the call.
13. The numbers you call provide information about your lifestyle and
demographics. This information is one of the reasons for collecting
ANI.
14. Some have claimed that most businesses just toss the information. I find
this scenario very unlikely. If someone is paying extra to get real-time
ANI, it is doubtful that they would not use it. The primary reason for
wanting it is to index into other databases.
15. Others have claimed that there is no difference between real-time ANI,
and a bill at the end of the month. I respectfully disagree. Real-time
provides the mechanisms for more pernicious actions. [I still do not
think that providing ANI information in batch format is a good idea;
however, it is preferable to real-time display.]
16. If the party paying for the call was the determining factor in permitting
ANI delivery, then 900 calls would not provide ANI in real-time or
otherwise. In fact, the caller to a 900 number should get to find out
what the POTS number is. :-) After all, the caller is paying. Funny
how one of the loudest proponents of "he who pays gets to know" is also
involved in the 900-number business and would loudly bitch if ANI were
not supplied to 900-numbers.
17. Arguments like real-time ANI has been available for 20 years, and so you
should not be complaining now are factually incorrect. First, in the
old days there was no call detail provided on 800-numbers. Secondly,
I believe that ANI came about as a result of equal access after the
Bell split up (although a similar technology was involved for billing
purposes only). Third, ANI was developed for billing purposes, not
call identification purposes. Fourth, AT&T's tariff for Info-2, which I
believe tariffs real-time ANI, is only about 5 years old. In the good
ole days, calling an 800-number was essentially anonymous. No inbound
800 or outbound 800 call detail was kept. Ma just sent a bill and said
pay it.
18. One person listed several "good" uses for real-time ANI, such as ordering
pay-per-view movies. I don't have cable, much less a need for
pay-per-view. In any event, the sending of ANI information should be
voluntary. If I don't agree to send it, then the cable company should
not be required to give me the pay-per-view movie. There needs to be a
"meeting of the minds", just as there must be a meeting of minds in
contracts.
19. I was especially amused by these comments:

    The only legitimate concern expressed here has been that some
    telemarketer MIGHT call some evening. Horrors! What a thought!
    Even if true (it more than likely is not), I know many people who
    have survived telemarketing calls and lived to tell about it.

    What do you care about inflating dial lists with hopeless prospects?
    Are you the direct marketing efficiency police?

I was so amused because this individual has posted numerous harangues
about receiving telemarketing calls, especially from the San Jose Mercury,
wrong numbers, and calls from long-winded Fred while backing the bike
out the garage. Let's try to be intellectually honest---either
telemarketing calls are a pain or they are not. It is not credible to
argue that calls to the writer are unacceptable, but the rest of us
should just live with them.
Additionally, the more important concern is not that some telemarketer
might call back, but the inclusion of the number into databases, such
as lifestyle databases, which are then bought and sold.
20. It has been stated that a telephone number is not "the key to your house,
your savings passbook number, your Swiss bank account number, or your
winning lotto ticket." Literally, that statement is true, but the
telephone number as supplied by ANI is frequently used to index into
databases, and at that point, it can be a bank account number, a
transactional database, or other database with personal information.
(Even neglecting phreaking, a phone number does not identify an
individual).
The facts that phone numbers change, that people share lines, etc,
do not mean that ANI is not used as an index in databases. It just
means that the potential for confusion is all the greater.
21. >In that regard, can someone cite one single documented case where
>someone was harmed by either CNID or ANI and took action against the
>number recipient? Is the problem real, or is it arm.chair.fantasy?
>In my experience, the latter is definitely the case. If you have more
>experience than I, let us hear about your case histories.
I don't know whether action was taken or not. It's rather hard to
sue for invasion of privacy because the trial itself is public.
If I recall correctly, the writer was upset when Amex started
calling his mother because he used her phone once. Actionable?
Probably not. A misuse of information/a violation of trust? Definitely.
22. > Why not approach reality just a little? Try asking your coworkers if
> they have ever called such a number and had any evidence whatsoever
> that 1) their number was even captured; 2) there was any misuse of any
> information collected; or 3) any harm of any kind resulted from the
> call. I believe that if you cannot quantify or objectively describe
> "harm" that it did not happen.
Please be sure and quantify the harm in all future posts on the San Jose
Mercury or long-winded Fred, or any of the other evils that befall
you. We must have quantification. :-)
Repeated requests for quantification of harm are ipso facto impossible
to produce. If every organization/person that collects ANI information
had to produce a report on exactly what they did with the information,
then one could study it and report on the harms. Unfortunately, for
the scientific method, the collectors of ANI are in all likelihood
going to consider their methods of capturing it, correlating with other
databases, and acting on it (by raising prices, etc) trade secrets.
If you go into a grocery store, they will be happy to process your
payment via ATM card, Debit Card, Check Cashing Card, or increasingly
credit card. All the data---including time, quantity, check out lane,
and price---related to the transaction is captured, and later analyzed.
Do you think they go to all the expense---millions of dollars---out of
the goodness of their cold, calculating capitalistic hearts? They do
it because the information allows them to increase sales, prices, and
profits. If you pay more for a loaf of bread because of this scheme,
have you been harmed? Yes. Is it "actionable?" I doubt it. Can you
quantify the harm? Absolutely not. [And incidentally, branded products
who are big users of this data and related lifestyle and demographic
data, plus other data like when TV commercials ran and the like have
increased prices far more than inflation over the past ten years. People
are harmed. The data collectors have become more powerful. All of
which is to say that just because I cannot personally quantify every
harm does not prove that the harms do not exist. Rational people do not
spend money without getting a benefit. And since money does not grow
on trees, that means someone is paying for that benefit. [Read the
industry trade rags].
23. Let's consider for a moment a possible particular application of using ANI.
An organization sets up an 800-number to verify credit-worthiness for
a 900-number. (If the callee has not been pre-approved, the 900-number
does not answer, or just gives the person a message to call the 800-number
to set up an account).
The 800-number rings. IF before the 800-number picks up the phone, the
organization has used ANI to index that number into credit records, possibly
via a super bureau, then I submit harm has occurred. The mere calling of
the number (it could have been a wrong number, even delivered incorrectly
by the phone company at no fault to the dialer) does not provide the
callee with the right to look up credit information. It is not a
legitimate business need. On the other hand, if the caller picks up
the phone, explains what is going on, answers all the callee's questions,
and then gets consent for the credit check, the callee has behaved in a
much better fashion. If the callee throws the number away if no consent
is granted, then the callee has behaved even better.
It is not clear how the callee will behave. The callee may believe that
she/he/it has to verify credit information before providing any precious
information, such as, cost, how to dispute charges, etc, to the callee.
Presumably, however, the callee will get some means of billing the
client other than through the phone company.
24. > One, TPC is not selling the number, they are providing the number as
> required to complete the call. TPC is not making any money off of it.
I don't understand. Of course, they are making money; the TPC is selling
the ANI information (or CLID information). They don't give it away for
free.
25. I disagree with the poster who felt a 700-number provided
more privacy. It may provide some degree of geographical privacy
regarding the location of the caller at any given moment although the
extent to which this is true depends on what transactional information
the phone company is selling. On the other hand, a 700-number could
be for life, and as such would operate more like an SSN or ID than
a telephone number. A 700-number also provides valuable demographic
data.
In conclusion, ANI is not the most pernicious threat faced today, but
it is part of the surveillance society where our every move and action
can be recorded in some database, to be combined with other databases,
in order to better manipulate us. Information is power. If it weren't
valuable, it would not be collected.
David
------------------------------
From: peterson@CS.ColoState.EDU (james peterson)
Subject: Privacy Bill?
Date: Fri, 17 Sep 1993 17:02:12 GMT
Organization: Colorado State University, Computer Science Department
I have recently been hearing about a privacy bill being considered
by Congress. Does anyone have the text of this bill to post?
--
james lee peterson peterson@CS.ColoState.edu
dept. of computer science
colorado state university "Some ignorance is invincible."
ft. collins, colorado (voice:303/491-7137; fax:303/491-6639)
------------------------------
From: David Dyer-Bennet <ddb@burn.network.com>
Subject: Re: CAller ID vs Name System
Organization: Network Systems Corporation
Date: Fri, 17 Sep 93 18:56:24 GMT
In article <comp-privacy3.35.9@pica.army.mil> rogerj@otago.ac.nz writes:
>I agree that the use of a naming system by the police to identify
>harassing calls. However I do believe the current system that New Zealand
>Telecom uses for handling harassing calls could still be used with a naming
>system. (Victims in New Zealand first make a complaint to the police,
>the phone numbers of callers to the victim are then recorded by the phone
>company but are only given to the police. No action can be taken by the
>individual.)
In fact, this system can be used without any sort of identification
*to the victim* of where the calls are coming from. It's good to
handle serious problems through the proper official channels.
>But why do we have to reveal our unique identifier in order to communicate
>with someone else? How many people would not accept a letter without a
>return address on the back?
Well, to talk to me face-to-face you have to reveal your face to
me. People who whisper to you from the bushes as you walk past are
generally regarded as, at best, strange. Similarly, anonymous letters
are viewed very negatively by everybody I know. So, why should phone
calls be special? Why should anonymity be the default in this one
particular mode of communication? While the call itself is anonymous,
in a normal conversation the first thing that happens is the caller and
the answerer exchange identities. It seems that people generally
*want* to know who they are talking to.
--
David Dyer-Bennet Network Systems Corporation
ddb@network.com Brooklyn Park, MN (612) 424-4888 x3333
ddb@tdkt.kksys.com My postings represent at most my own opinions.
GCS/O d* p--- c++ l m+ s+/+ ++!g w+++ t- r f+++ x+
------------------------------
End of Computer Privacy Digest V3 #037
******************************