by Neil Brown, decoded:Legal
The new General Conditions of Entitlement — the rulebook which makes up part of the regulatory framework for the provision of communications services in the UK — come into force on 1 October 2018. Under new Part C of the revised General Conditions, which deals with consumer protection conditions, Ofcom has expanded the rules relating to CLI — calling line identification.
What is CLI?
“CLI” is the data that enables identification of the number from which a call could be made or to which a return call could be made. It comes in two parts: network numbers and presentation numbers.
The network number is the number that identifies the point at which the call ingresses the public network. It’s a technical thing.
The presentation number is the telephone number that is displayed to an end-user — when you receive a phone call, and the caller’s number (or what purports to be the caller’s number) is displayed, that is the presentation number.
Often, the presentation number will be the same as the network number but, in some situations, they will be different. This is particularly true in the case of a business, where every line has its own unique network number, but the business chooses to send a standard presentation number for all outbound calls, showing the business’s switchboard number or other common number. (For example, the tech support department might all make calls showing the tech support helpline number, the sales team the sales number and so on.)
What is changing?
Under the pre-October regime, providers were merely required to provide facilities by which the telephone number of a calling party is presented to the called party prior to the call being established.
Under the new regime, the CLI obligations have been broadened, to assist with the identification of callers, and to reduce the number of nuisance calls.
CLI facilities free of charge and by default
First, providers must provide CLI facilities, enabled by default, and without separate charge for “standard” CLI facilities. Where CLI facilities are not available on any given service, the provider has to inform the subscribers of that service that that’s the case.
A subscriber should thus be given, free of charge, the information needed to work out whether or not they want to answer a call.
But that information is no good unless it is reliable, and technically, it is easy to get access to a service which allows you to make calls and show them as coming from whatever number you like. And, while this can be convenient, there is a clear potential for misuse.
Because of this, Ofcom has introduced a number of requirements on operators to attempt to mitigate the risk of misuse.
In addition to the requirement to provide CLI facilities to subscribers, there is a parallel obligation that requires providers to ensure that, so far as technically feasible, any CLI data provided with and/or associated with a call includes a valid, diallable telephone number which uniquely identifies the caller.
The General Conditions do not define what constitutes “valid”, “diallable”, or “which uniquely identifies the caller” and, at first glance, these terms appear problematic — after all, many businesses want their outgoing calls to display their switchboard number, rather than the extension of an individual user.
Fortunately, alongside the new General Conditions, Ofcom has published revised “Guidance on the provision of Calling Line Identification facilities and other related services”. According to this new Guidance:
A “valid” number is one which complies with the International public telecommunication numbering plan. Where a UK number is used, it must be a number that is designated as a ‘Telephone Number available for Allocation’ in the National Telephone Numbering Plan and be shown as allocated in the National Numbering Scheme.
A “dialable” number (oddly, Ofcom spells “diallable” as “dialable” in the Guidance…) must be one that is in service and can be used to make a return or subsequent call.
It is not clear to me how an operator is supposed to tell whether any given number is “in service”, so we will have to see how this particular limb of the requirement pans out. I suspect that if an operator checked the number was allocated to a provider by Ofcom, this might be sufficient, but since this appears to duplicate the definition of “valid”, we’ll have to wait and see.
Ofcom has clarified that a number which “uniquely identifies the caller” can be a number relating to an individual or an organisation, so permitting an organisation to present its (own) switchboard or other valid diallable number on its outbound calls. The test of unique identification, strangely enough, is not really based on uniqueness — it is simply that the number is one “which the user has authority to use, either because it is a number which has been allocated to the user or because the user has been given permission (either directly or indirectly) to use the number by a third party who has been allocated that number”.
According to the Guidance, the provider which first handles a call (e.g. Vodafone, if you make a call and Vodafone is your provider) has to ensure that the correct network number is generated when you make a call. It must also either ensure that the presentation number is from a number range that has been allocated to you, or else be assured that you are using a CLI that you have permission to use.
Most responsible providers already have controls in place around presentation numbers, and take reasonable steps to check that users can only make calls from numbers which they have permission to use, so this should not cause too much additional effort, but providers might want to check that they have documented evidence of authority, if the numbers in question are not ones which they have allocated to the customer.
Attempting to stop invalid and non-diallable CLI
Recognising the particular irritation associated with spoofed or undiallable CLI, Ofcom now requires that, “where technically feasible”, a regulated provider must take all reasonable steps to (a) “identify calls in relation to which invalid or non-diallable CLI Data is provided”, and (b) prevent such identified calls from being connected.
Ofcom does not specify how this identification should take place, or how connection of the calls should be prevented. This is intentional, to allow different solutions and approaches, but the lack of specificity may also cause concern and confusion as to whether a provider’s chosen implementation meets the legislative requirement.
Ofcom’s guidance notes that “[c]alls can be stopped either through blocking or filtering”, and that blocking stops the call from being connected, while filtering redirects the call to a voicemail-like facility, so that these calls are not immediately connected to the end user. It also suggests that providers could work with their upstream providers — the carriers who transit calls into their network — to ensure contractually that the upstream provider only passes on calls with the correct CLI.
What does this mean?
It would be unduly optimistic to think that we are no longer going to get scam calls or that the abuse of CLI will end, but, with some luck, the new rules will help clean up some of the poorer practices around CLI.
By requiring providers to take action against traffic with invalid and non-diallable CLI where technically feasible, the new rules give providers a clear legal basis for interfering with traffic, which may mean fewer unwanted calls come through. Similarly, enhanced obligations about validating CLI may — fingers crossed — help Ofcom and other regulators investigate misuse of communications services and take enforcement action against it.
This article is reproduced with kind permission of Neil Brown of decoded:Legal. Neil is a specialist senior lawyer, with years of experience advising on communications regulation, privacy, security, and Internet / technology law – and probably the only lawyer that publishes a SIP URI and uses GPG for eMail!