Privacy, security on Aust single-identifier group's list

The Australian Communications Authority (ACA) has convened a working group to study the privacy and security implications of mapping telephone numbers to Internet Protocol numbers ahead of a trial next year.

The Australian ENUM Discussion Group, which is hosted by the ACA and looks at issues involved in the Australian trial of ENUM, on Monday established a working group to study the interrelated issues of privacy and security.

ENUM stands for e164 Number Mapping. e164 is the International Telecommunications Union (ITU-T) code for the international telephone address number plan. Under the ENUM scheme, telephone numbers will be mapped to an IP address ending in e164.arpa.

This will allow people to use one identifier for many different purposes, including land-line numbers, mobile phones, e-mail, instant messaging and faxes. Theoretically, it will allow online users to access a person's contact information, including their e-mail address, simply by typing in the person's phone number in the Internet address field of the Web browser.

The ACA plans an Australian trial of ENUM in the second quarter of next year, and the working group is concerned that overseas trials of the system have glossed over issues of privacy and security.

"The privacy issues in particular are one of those issues that have been glossed over in other trials," Rowan Pullford, policy analyst in the numbering team at the ACA told ZDNet Australia  . "We've taken on consultants to look at those issues."

The ACA has commissioned a consultant that has worked previously with auDA -- the au Domain Administrator -- on privacy issues associated with the domain name system, since this "is not an area the ACA has a lot of experience in, we've traditionally focussed on telephone regulation", said Pullford.

The working group studying privacy and security will first identify the issues involved in the ENUM trial. Issues that have already been mooted for discussion include who controls the contact information and the availability of whois data on the privacy side, and verification of the person authorised to change ENUM data on the security side.

In a paper issued to the discussion group by Peter Darling, international project manager, Next Generation Networks Framework Options Group (NGN FOG) at the Australian Communications Industry Forum, he described his experiences at the ENUM sessions at 57th Internet Engineering Task Force meeting in Vienna in August.

According to Darling, two points stood out: trials were encountering problems from the use of "live" numbers which were already providing service, and none of the trials had made a provision to verify that the details in the ENUM data were correct and had been provided by a person with the right to control that number.

"These two points were related, as the trial organisers faced pressure to move from trial to commercial service with little thought about the commercial and privacy aspects of populating an ENUM database," wrote Darling.

"Problems of authorisation and validation are not unknown in the Internet area, and there is a long history in the telephone industry of -sharp" commercial practices that can result in service changes without adequate authorisation," he added.

The Australian trial of ENUM will be composed of a number of smaller trials. "The ACA would tender for a tier one operator and there would be multiple tier 2 operators," said Pullford. "A lot of trialling would take place at the tier two level."

The trials will differ depending on which services or issues a particular organisation might want to offer and study. However, Darling proposed that certain requirements be made mandatory for all trials, with a review during or following the trial to determine the appropriateness of the requirements. "These mandatory requirements are motivated by the notion that it is easier to relax privacy constraints than to subsequently tighten them," wrote Darling.

He proposed the mandatory requirements include:

• Registrants must opt-in
• The rules that apply to the management of registrant information should at a minimum require that all registrant information to be subject to the national privacy principles, without exemption.
• Whois: Either no service to operate, or the service to be limited to contact details for the purposes of technical support. The service would not expose Registrant information.
• registrants should have full disclosure regarding the privacy risks regarding ENUM and the options available to manage such risks.