facebook

twitter

youtube

Virtual Tour


“Caller ID” raises privacy, security questions

By Prof. V Sridhar, IIIT Bangalore

The Telecom Regulatory Authority of India (TRAI) has recently received a reference from the Government to initiate the consultation process for “Know Your Customer (KYC)” based identification (as verified by the telecom operator) for display of the calling party on the callee’s Smartphone. While the proponents indicate that this will provide increased accuracy and transparency in caller identification, opponents have always been wary of privacy intrusions posed by such mandates. The CEO of the Swedish called identification app - Truecaller, has also supported this initiative.

The “Caller ID” service using Automatic Number Identification was introduced for the first time in 1987 by the then regional Bell Operating Company – New Jersey Bell in the U.S. Subsequently it was promoted in all areas of the U.S. and in other countries as well. However, there was an immediate backlash with New York Times asking the question: whether the Caller ID was a “friend” or a “foe”.

First - the privacy concerns. Typically, there are rights of the caller who may want to protect her caller ID due to privacy concerns and the right of the callee to know the caller identification to minimize her privacy intrusions as well as to protect herself against spamming. Privacy interests of both these parties often conflict and are not the same in all contexts. If I find a stranger in my house, my intrusion concern takes precedence over the privacy of the stranger. Thus Caller ID, by providing partial information about the caller, can minimize the privacy intrusion of the callee, thereby providing an option for informed choice to pick up the call or decline.  While privacy advocates contend the privacy of the caller, anonymity does not hold good when the caller initiates the communication with a callee. Won’t you advise your child to hang up immediately when the caller addresses her as “Guess who is calling?”. In fact, since the caller initiates the communication, the burden of proof of disclosing the identity lies squarely with the caller. Most of the implementations include options wherein the caller presses additional codes after dialing the callee’s number to allow display of the caller ID.

However, the caller ID in a business setting raises concerns over the firms’ intention to collect information related to their business by concealing their identities when they call. Alternatively, telemarketers induce callers to make calls to a number for some worthless gift, thereby collecting enough information using Caller ID for aggressively selling merchandize or defraud the unwary.  

In the age of Big Data and Smartphones, applications such as Truecaller, Hiya and Everybody use the crowdsourced information to display the caller ID. Hence even someone does not have the app (aka “non-user”), their information can be scrapped by the app system through the address book of her social connections and displayed to the callee. These non-users do not have control over their personal information and have not also explicitly consented to the caller ID collection and display process, thereby in a very vulnerable position indeed. In this crowdsourced setting. we have had instances where the caller ID displays names that are not representative of the caller. How about receiving a call from Jewel Singh with the caller ID displaying that the call is from a jewelry store! Here is where verified display of caller IDs such as the ones proposed will be very much authoritative and accurate.

Further, how is this different from the phone directories of the past wherein the telephone numbers of subscribers are printed and distributed? While this is callee’s prerogative to display their numbers, caller ID bequeaths callers’ intention to reveal their phone number using a “reverse lookup” of the name given their numbers.

Second: is the property right one has over her telephone number. Most countries have not prescribed this right clearly. Does the telecom company that provided you with the number has the rights to distribute it to others? Or do you hold the right to your telephone number as your personally identifiable information? If later is the case, then all the data protection and privacy regulations hold good and you should be the one who can decide how and whether your caller ID should be displayed.

Third, is the caller ID spoofing that is rampant and is used for a variety of misuse and fraud incidents. These include credit card frauds wherein a caller receives a call as if from a bank and shares sensitive passcodes, or “swatting” wherein false alarms sent to emergency services such as ambulance/ fire, triggering some tragic events. Though there have been technology developments in detecting and preventing caller ID spoofing, regulations must address this problem seriously. In the U.S., the Congress introduced the Truth in Caller ID Act of 2009 that outlaws caller ID spoofing. However, these laws could not prevent attempts by hackers to use caller ID spoofing for nefarious purposes. Hence apart from KYC based caller ID mechanisms, ID spoofing needs to be curtained by technology and law. 

So, the caller ID case is not simple and the regulator apart from making it accurate using KYC, also has to make provisions to (i) protect the right of the caller to display or not; (ii) protect the rights of the callee in identifying accurately the caller ID and prevent intrusion; (iii) prevent misuse of the displayed Caller ID, now that it is accurate and verified; and (iii) prevent ID spoofing through appropriate technology and legal measures.

** This article first appeared in Business Line on 30 May 2022

(The author is currently visiting the University of Southern California)