Submission: Australian Communications Authority on its Discussion Paper - Introduction of Enum to Australia (November 2002)



Introduction

The Office of the Federal Privacy Commissioner welcomes the opportunity to comment on the issues raised in the ENUM discussion paper. It gives the Office the chance to ensure that privacy is built into the initiative close to its beginning. That gives a good chance to balance privacy interests and commercial interests properly, and avoids the costly patching that often results when privacy is added after the fact.

Before commenting on the specific questions raised by the paper it is worth outlining the key privacy concepts that need to be kept in mind when developing this initiative. These are:

  • Choice: Giving individuals the chance to consent, or to opt in to uses of personal information, is an important tool of privacy protection. However, it only provides protection where individuals actually have the chance to walk away from a transaction if they do not like the proposed uses. It is flawed as a protection tool where walking away means a person is denied a service that has come to be an essential part of day to day living. If there is a chance that ENUM could become such a service, it would be essential to ensure that consent is not the main privacy protection tool relied upon.

  • Transparency: Giving people adequate information to enable them to make good choices is also a key to privacy. This would be an important part of the implementation of ENUM. However, it will also pose a challenge as understanding the implications of ENUM will require a level of knowledge about the internet and how it works that may not be currently present in the community. In particular, if the implementation of ENUM involves making more information about people publicly available, it will be important not to assume that people will necessarily understand the potential uses that others will want to, and be able to, make of it.

  • Anonymity: In developing a database, or delivering services, whether a person can interact anonymously should be a consideration. A question to be posed at each point of development is: do we need to identify the person, or would authentication or authorisation be adequate?

  • Use and disclosure limitation: Those developing ENUM should have clear purposes in mind and build in measures to ensure that, as far as possible, use and disclosure of personal information is limited to those purposes. ENUM involves the development of a large and valuable database that uses (at least potentially) a unique identifier. It therefore has huge commercial potential to be used for a number of other unrelated secondary purposes, for example, inescapable direct marketing via multiple channels simultaneously. It also has potential uses for law enforcement purposes which may be quite legitimate, but nonetheless give rise to important transparency and accountability matters which would need to be resolved. Any process for implementing ENUM should be aware of this ‘function creep’ potential and have procedures for addressing any privacy risks associated with it.

Ensuring privacy is protected in implementing ENUM will involve considering, first, what privacy outcomes need to be delivered and, secondly, how those privacy outcomes can be delivered. The latter will necessarily involve considering a number of ways that privacy outcomes can be delivered, including by means of:

  • the system’s organisational structure and policy;
  • technology; and
  • regulation.

This Office therefore recommends that the ACA conducts a thorough privacy impact assessment before it implements a particular approach to ENUM and then ensures that the system addresses, one way or another, all the privacy issues raised by that assessment.

This submission answers the following questions from a privacy perspective only. It does not attempt to address other non-privacy related issues that may arise in relation to ENUM.

1. What are the advantages or disadvantages of a single entity running the registry function for ENUM in Australia?

The privacy benefits in having a single entity running the registry function for ENUM in Australia could include that:

  • it might be easier to maintain the quality of the data held;
  • it would be easier to develop policies or regulations for the register, and to monitor the activities of the organisation that holds the register;
  • the organisation that holds the register could play a role in monitoring the activities of second tier organisations;
  • it could be easier for individuals to know whom to complain to and to get access to any information held about them.

Privacy disadvantages of having a single register could be that:

  • if all the information is held in one place, there may be a greater temptation to use it for a range of other functions and purposes;
  • there could be a greater threat to privacy if the security of the register is breached.

It could be useful to consider the experience in the area of domain name processing to get additional insight into what, if any, privacy benefits or detriments might arise in relation to the separation of registry and registrar functions.

2. What costs and benefits would a multiple registry model provide for consumers?

The answer to this question from a privacy point of view is the flip side of the previous question. There may be some privacy advantages in having the personal information dispersed into separate databases; however, regulating the multiple registries and ensuring they adhere to privacy principles and practices could be more difficult.

3. Should there be a formal separation between the registry and registrar functions for ENUM implementation in Australia? If so, how should this separation occur?

It is hard to comment in much detail on whether there should be a formal separation between the registry and registrar functions for ENUM implementation in Australia without a good idea of what functions each might play and which organisation would hold what information. However, it is possible that there could be privacy benefits in separating the registry and registrar functions. For example, there could be benefits in one organisation (the registry) holding all the telephone and NAPTR information without identifying information, and the registrars separately holding any necessary identifying information. This way, neither organisation would hold all the information. There could be security and function creep prevention benefits in this.

There may also be privacy benefits in having a trusted third party authenticate individuals who wish to participate in the ENUM system. This would mean that the quite detailed information that might be needed to authenticate an ENUM subscriber could be kept separate from information on the ENUM database. It might allow an individual to interact pseudonymously with service providers and the ENUM database.

4. Opportunities, threats and risks of ENUM implementation in Australia. Are there broader communications/policy issues associated with the introduction of ENUM?

Whether there are privacy opportunities as a result of ENUM will depend to a large extent on the way it is implemented. It is possible that there may be some privacy benefits to individuals if they only have to give a person their ENUM rather than all the details of the way they can be contacted. (However, how privacy beneficial this is would depend on what use other individuals can make of an ENUM and how much access to an individual’s details an ENUM gives.) Other benefits to privacy could be:

  • it could enable a person to choose the medium in which they wish to be contacted, and their order of preference (but that would depend on preferences having to be followed);
  • it might make it easier for businesses to provide communications filtering services to individuals;
  • it could enable people to have separate identities for different parts of their lives, e.g. an ENUM for work, an ENUM for home, an ENUM for hobbies;
  • it could enable a person to change their ISP without having to tell the world their new email address.

On the other hand, there are clearly some possible privacy risks posed by ENUM. These include:

  • ENUM would bring together on a large database a range of information that has not until now been easy to link; there are security risks associated with this, and also a temptation to use this data for a range of purposes unrelated to the main reason for implementing ENUM;
  • ENUM is potentially a unique identifier, and as it is simply a person’s phone number converted into a domain name, it has the potential to be used to link to a whole range of other data keyed by telephone number on other databases;
  • depending on who has access to the ENUM database or databases, a person’s contact information could become publicly available, or more available than it has ever been before. This creates a risk that people could lose control over who can get hold of their contact details and what can be done with them. Even if it was an opt-in system, people may not necessarily be aware of the technology available that could enable access to and use of this information;
  • ENUM could possibly allow for reverse look-ups, that is, finding out who belongs to a number and other information associated with it; this is not currently possible with Telstra databases;
  • ENUM could expose individuals to a greater risk of spam. For example, it would be much easier to randomly generate a phone number that connects to a real person than an email address that connects to a real person. Also, depending on how accessible an ENUM is, it could be easy to trawl the internet looking for ENUMs and downloading associated information;
  • depending on how it is implemented, it might be possible to use an ENUM to find a person’s location using their mobile phone number.
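The mechanics behind the second, fourth and fifth risks above, as an added example that is not part of the submission: an E.164 number maps deterministically to a domain name (reversed digits under the e164.arpa zone of RFC 2916/3761, an assumption the submission itself does not spell out), so the number is recoverable from the name, and the NAPTR records published at that name rewrite the number into contact URIs. The numbers and records are constructed samples.

```python
"""Added example, not code from the Privacy Commissioner's submission or the ACA.

E.164 number <-> ENUM domain name, and NAPTR rewriting of the number into
contact URIs. All telephone numbers and records below are constructed samples;
the e164.arpa zone and the record form follow RFC 2916/3761 and RFC 3403.
"""
import re

ENUM_ZONE = "e164.arpa"


def e164_to_enum(number: str) -> str:
    """'+61 2 9123 4567' -> '7.6.5.4.3.2.1.9.2.1.6.e164.arpa'."""
    digits = re.sub(r"\D", "", number)          # drop '+', spaces, hyphens
    if not 1 <= len(digits) <= 15:              # E.164 numbers have at most 15 digits
        raise ValueError(f"not an E.164 number: {number!r}")
    return ".".join(reversed(digits)) + "." + ENUM_ZONE


def enum_to_e164(domain: str) -> str:
    """The inverse: anyone who sees the domain name recovers the full number.
    This is the reverse look-up capability the submission flags as a risk."""
    m = re.fullmatch(r"((?:\d\.)+)" + re.escape(ENUM_ZONE) + r"\.?", domain.lower())
    if not m:
        raise ValueError(f"not an ENUM domain: {domain!r}")
    return "+" + "".join(reversed(m.group(1).rstrip(".").split(".")))


def apply_naptr(number: str, regexp: str) -> str:
    """Apply a NAPTR 'regexp' field ('!pattern!replacement!flags') to the E.164
    number. In ENUM the input is the number itself, e.g. '+61291234567', and the
    output is a contact URI for one communications service."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed NAPTR regexp: {regexp!r}")
    pattern, replacement, flags = parts
    m = re.search(pattern, number, re.IGNORECASE if "i" in flags else 0)
    if m is None:
        raise ValueError("number does not match the NAPTR pattern")
    return m.expand(replacement)


def resolve(number: str, records) -> list:
    """Given the NAPTR record set published at the number's ENUM name, return the
    (service, URI) pairs a resolver would try, lowest order then preference first.
    Each record is (order, preference, service, regexp), as in a zone file."""
    return [(service, apply_naptr(number, regexp))
            for _order, _pref, service, regexp in sorted(records)]


# Constructed sample: what one subscriber's published record set might look like.
# Everything a resolver learns here is learned by anyone who can query the name.
SAMPLE_RECORDS = [
    (100, 10, "E2U+sip", "!^.*$!sip:info@example.com!"),
    (100, 20, "E2U+email:mailto", "!^.*$!mailto:info@example.com!"),
    (200, 10, "E2U+pstn:tel", r"!^\+61(.*)$!tel:0\1!"),
]

if __name__ == "__main__":
    name = e164_to_enum("+61 2 9123 4567")
    print(name, "->", enum_to_e164(name))
    for service, uri in resolve("+61291234567", SAMPLE_RECORDS):
        print(service, uri)
```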

5. Principles to apply to selection (and accreditation) of ENUM registrars.

Principles that could apply to the selection (and accreditation) of ENUM registrars include that the registrar:

  • has a demonstrated commitment to privacy;
  • has systems that optimise its ability to protect privacy;
  • has no conflicts of interest in its other business operations that might affect its willingness to protect privacy in relation to its ENUM operations.

6. What if any principles (eg accreditation, review, monitoring) should apply to the selection and operation of ENUM authentication agencies?

The Federal government, as part of its Gatekeeper Project to develop PKI to facilitate e-commerce and to promote uptake of online Government services, has developed rules, including privacy rules, that apply to bodies within the trust framework that confirm identity (registration authorities) and to organisations that issue certificates (certification authorities). I would suggest that this might be useful reference material to draw upon in deciding what principles, including privacy principles, should apply to ENUM authentication agencies. Information about Gatekeeper and accreditation of relevant authorities can be found at www.govonline.gov.au/projects/publickey/GatekeeperAccreditation.htm

These rules are complemented by privacy guidelines issued by the Privacy Commissioner, which can be found at www.privacy.gov.au/government/guidelines/index.html#a.

7. Regulatory issues

Key issues in implementing ENUM will be whether the Privacy Act 1988 (Cth) (Privacy Act) would regulate the activities of those involved in ENUM and, if it does, how effective it would be in addressing the risks. Depending on the answers to these questions, additional regulation might be necessary. Issues that could arise here are:

  • Is an ENUM personal information? If it is not personal information then the Privacy Act protections would not apply to it. However, this would not mean that protection is not needed.
  • The Privacy Act would not apply to randomly generated ENUMs used for spamming people as there would be no collection and an ENUM may not be personal information.
  • If ENUM information is published in a form that is a generally available publication, then the publishing organisation would only be subject to the collection principles of the Privacy Act when collecting ENUM information for publication. Once ENUM information was published, the organisation that publishes the database would have no further obligations under the Privacy Act in relation to ENUM information in its published form (see s 16B).
  • If ENUM information is not held in a generally available publication and so all the NPPs apply, the purpose limitation provisions of NPP 2 may not be sufficient to prevent undesirable unrelated secondary uses or disclosures of personal information associated with ENUM. For example, as raised earlier in this submission, consent may not be an adequate privacy tool to prevent the dangers of function creep.
  • As an ENUM would not be a Commonwealth government identifier, the protections for unique identifiers provided for in NPP 7 of the Privacy Act would not apply.

In addition, the implementers of ENUM will clearly need to consider the question of legitimate access to ENUM information for law enforcement purposes. While some access will clearly be legitimate, it is also important that law enforcement concerns do not become a disproportionate driver for the way ENUM is set up. The key will be to focus on the main purposes for having ENUM and accommodating law enforcement concerns where appropriate. Other key issues will be to consider what collection limitations it might be appropriate to put in place and to ensure as much transparency and accountability as possible. Given the trend towards increasing use of telephone related data for identification and authentication purposes, and the even further potential an ENUM system might create, it could be important to consider whether requiring a warrant for access by law enforcement officials might be necessary.

In implementing an ENUM system it would also be necessary to look at the Telecommunications Act 1997 (Cth), the Telecommunications (Interception) Act 1979 (Cth) as well as how they interact with the Privacy Act in protecting the privacy of ENUM subscribers. The ACA may also need to examine whether the current boundaries in the operations of telecommunications legislation would cover any new entities operating in the telecommunications area as a result of ENUM.

8. Privacy and authentication issues – what processes should ENUM authentication agencies adopt to ensure that: (a) an entity has the right to use a number for the purpose of ENUM; and (b) the applicant is the entity with those rights.

The discussion paper talks about the possibility that all communications services associated with each telephone number would be stored in a ‘generally accessible’ DNS database. It is not clear what is meant by ‘generally accessible’ or whether it is referring to information held in the registry, or by registrars or others.

It is this Office’s view that making this information publicly accessible even on a view only basis is likely to be an unacceptable privacy risk.

Risks to privacy with this kind of set up would include:

  • a random search on a number may give access to all communications services associated with that telephone number;
  • it could dramatically increase the chances for organisations to spam or send unwanted marketing material to individuals; for example, it could be easy for a spammer to generate ENUMs randomly and then get access to all of a person’s contact data, or to data mine the information through sequential look-ups;
  • it could provide greater chances for an individual’s identity to be stolen;
  • it could function as a global unique identifier, for example a contact ID number that would find a person wherever they are.

Also, the question appears to overlook a key issue in this area. Privacy and authentication here are more than a matter of security; they are also a question of what uses can be made of ENUM information once an entity has gained access to it. A matter to be resolved for ENUM is how to determine what preferences an individual has for how his or her information can be used, and what measures could be taken to ensure that the information is only made accessible, or used, for those purposes. The Office is aware that software is being developed that is designed to achieve this kind of protection for information on databases, and it could be useful in developing an ENUM system.

The options outlined at the top of page 9 would appear to be less privacy risky options, although it is not altogether clear how the options would operate in practice if implemented. Generally, an approach would be less privacy risky if:

  • access to ENUM information is only allowed to the ENUM subscriber and approved or authorised entities, rather than providing general access to members of the public (this appears to be what option 1 is proposing);
  • access to information is on a query and response basis, rather than all information being available on request;
  • there are strict requirements about who can add to or alter information on the ENUM database (this appears to be what option 2 is proposing), and rigorous processes for establishing that a person or entity is who they say they are and have the necessary authority; and
  • the system enables the recording of individual preferences about who can access and use their information and for what purposes, and has a capacity to only allow access for use for those purposes.

How strict these need to be will depend considerably on:

  • how data is to be made available;
  • how much personal information will be available; and
  • whether the system is based on fully informed opt-in or relies on opt-out.

Once again, some of the processes and rules worked out as part of the Gatekeeper project may come in useful here.
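The four design points listed under question 8 above, worked into a small registry front-end as an added example (not code from the submission, the ACA or any ENUM operator): authorised requesters only, one complete name per query, writes restricted to the subscriber or their registrar, and the subscriber's own per-purpose preferences deciding what is returned. The principal names, purposes and subscriber record are constructed, and authentication of the principals is assumed to have already happened elsewhere.

```python
"""Added example, not code from the submission or the ACA: a toy ENUM registry
front-end following the four design points. Principal names, purposes and the
subscriber record are constructed; requesters and subscribers are assumed to
have been authenticated (e.g. by an authentication agency) before calling in.
"""
from dataclasses import dataclass, field


@dataclass
class Subscriber:
    enum_domain: str
    owner: str                   # authenticated principal who controls the record
    registrar: str               # registrar that vouched for the right to the number
    services: dict = field(default_factory=dict)   # e.g. "E2U+sip" -> URI
    released: dict = field(default_factory=dict)   # purpose -> set of services


class Registry:
    def __init__(self, subscribers, authorised):
        self._db = {s.enum_domain: s for s in subscribers}
        self._authorised = authorised   # requester -> set of purposes it may query for
        self.audit = []                 # every attempt is recorded, for accountability

    def lookup(self, requester, purpose, enum_domain):
        """Points 1 and 2: authorised requesters only, one complete name per query."""
        self.audit.append(("lookup", requester, purpose, enum_domain))
        if purpose not in self._authorised.get(requester, ()):
            raise PermissionError(f"{requester!r} is not authorised for {purpose!r}")
        if "*" in enum_domain or not enum_domain.endswith(".e164.arpa"):
            raise ValueError("one complete ENUM domain per query; no wildcards or ranges")
        sub = self._db.get(enum_domain)
        if sub is None:
            # Same answer as 'nothing released', so probing randomly generated
            # numbers does not even reveal which numbers are live.
            return {}
        # Point 4: the subscriber's own preference decides what this purpose may see.
        allowed = sub.released.get(purpose, set())
        return {svc: uri for svc, uri in sub.services.items() if svc in allowed}

    def update(self, actor, enum_domain, service, uri):
        """Point 3: only the subscriber or the registrar that vouched for them may write."""
        self.audit.append(("update", actor, None, enum_domain))
        sub = self._db.get(enum_domain)
        if sub is None or actor not in (sub.owner, sub.registrar):
            raise PermissionError("only the subscriber or their registrar may alter the record")
        sub.services[service] = uri
        return sub.services


# Constructed sample data: one subscriber who releases only her SIP address, and
# only for call routing; nothing is released for marketing.
ALICE = Subscriber(
    enum_domain="7.6.5.4.3.2.1.9.2.1.6.e164.arpa", owner="alice", registrar="registrar-a",
    services={"E2U+sip": "sip:alice@example.com", "E2U+email:mailto": "mailto:alice@example.com"},
    released={"call-routing": {"E2U+sip"}},
)
AUTHORISED = {"carrier-x": {"call-routing"}, "adtech-y": {"marketing"}}
registry = Registry([ALICE], AUTHORISED)

if __name__ == "__main__":
    print(registry.lookup("carrier-x", "call-routing", ALICE.enum_domain))  # SIP only
    print(registry.lookup("adtech-y", "marketing", ALICE.enum_domain))      # {}
```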

9. Benefits and costs resulting from an ‘opt-in’ approach to ENUM subscription

As choice is a key principle of privacy, establishing a system that is based on an individual’s informed choice to participate would be an essential first step in making the system privacy friendly.

Particularly if the commercial viability of ENUM depends on use of personal information for unrelated secondary purposes there is no question at all that it MUST be a fully informed opt-in system.

10. Are there alternative mechanisms to protect the security of the ENUM database and privacy of ENUM subscribers not considered in this paper?

As discussed earlier in this submission, simply relying on an opt-in system may not be sufficient privacy protection, especially if ENUM becomes part of everyday life and so choosing not to be part of the system becomes less of an option. Also, protecting privacy is much more than protecting the security of information (that is, who can get access to the information, and how to stop unauthorised access); it is also about what uses can be made of the information. The more comprehensive a database is, the more valuable it will be as a resource for wide use, including perhaps use for identification and authentication.

The decisions to be made in implementing ENUM are therefore:

  • what privacy results the implementation of ENUM is to achieve, such as:
    • who will be allowed access;
    • what uses can be made of the information;

and also

  • how to achieve those results, for example by means of:
    • organisational structure and policy;
    • the technical structure;
    • regulation.

Carrying out a thorough privacy impact assessment is an excellent way of working through these kinds of issues.

At the risk of anticipating the outcome of such an assessment, two particular issues that arise at the level of the legal framework and incentive structure must be addressed:

  1. Given the potential potency of ENUM, clearly enforceable, specific protections against misuse may have to be considered. Particularly if any elements of the system are monopolistic, there would be little brand damage to the monopolist from security errors or other compromises. For this reason, penalty arrangements, possibly severe, may be necessary to ensure confidence in the system by users and to send clear signals to service providers.
  2. Clear risk allocation decisions must be made and made known widely. In particular, all costs of misuse of the system must be borne by others than the affected individuals. This is similar to the risk allocation with credit cards, where, unless the customer fails to meet specified minimal requirements such as keeping the PIN secure, all costs are borne by the card issuer in such instances as card theft or identity fraud. Given the comprehensive damage to a private life that a compromised ENUM could cause (especially if it has been used to link many elements of information in the individual’s life), the costs of recompense could be considerable.

At a more detailed level, additional mechanisms that could be used to protect the privacy of ENUM subscribers include:

  • having a clear purpose or purposes in mind for ENUM, for example, whether its purpose is to:
    • provide directory information; or
    • to allow communication between different types of receiver; or
    • allow operators to reroute traffic; or
    • all or some of these; or
    • something else;

and then designing the system specifically for the identified purposes.

  • placing specific limitations on secondary use and disclosure of personal information about ENUM subscribers and building those limitations into the design and architecture of the system;
  • ensuring that individuals are fully aware of any secondary uses or disclosures that might be required or authorised by law;
  • allowing individuals to have more than one ENUM (this would give a person a chance to segment their lives and also discourage adoption and use of ENUM as a unique identifier);
  • enabling individuals to interact pseudonymously with the databases;
  • giving individuals choice about what information is included or accessible in the database and building the ability to give that choice into the design and architecture of the system;
  • giving individuals a right to withdraw from ENUM and to have account usage and information expunged (this is especially important if portability is fully achieved);
  • prohibiting the adoption or use of an ENUM as a unique identifier.

There are likely to be a whole range of security measures needed to ensure that ENUM information, wherever held, is protected from unauthorised access and use. What measures are needed will depend to a great extent on how the system is set up. However, more stringent measures will be needed as the value of the database increases.

11. Should consideration be given to which types of numbers, such as geographic or mobile numbers, are to be used for ENUM services? Identify any issues associated with the use of existing number ranges for ENUM services.

There may be some privacy benefits in having an ENUM that is unrelated to geographic location. It would mean that there would be one less immediately available piece of information about an ENUM subscriber. This could be an important consideration if there is a potential for an ENUM to be a unique identifier.

A consideration in deciding which types of number to use would be whether use of a particular number type would enable a person to have more than one ENUM.