MediaNama, February 01, 2023
CUTS lists negative impacts such as disclosure of personal information, risks to privacy and fundamental rights, and data breaches.
“There are some issues in the TRAI’s consultation paper that need thorough examination from a consumer perspective. Therefore, we urge the regulator to undertake (a) comprehensive cost-benefit analysis of its proposal on all stakeholders, before reaching a conclusion,” read the submission by the Consumer Unity & Trust Society (CUTS) to the Telecom Regulatory Authority of India (TRAI).
The submission is among the comments TRAI received on its consultation paper on the introduction of Calling Name Presentation (CNAP) in telecommunication networks. The organisation is an independent economic policy think tank which focuses on issues related to consumers.
Why it matters: These comments are worth noting because the proposal could prove quite handy, as it looks to address the problem of unsolicited commercial communication (UCC), which remains a nuisance despite TRAI’s do-not-disturb (DND) registry. The submission is also notable because it approaches the proposal from the perspective of consumers and examines its effects on them.
Key takeaways from CUTS’ submission
The concerns raised by CUTS can be categorised under the following themes:
May expose sensitive groups: “There might be various scenarios wherein consumers may not wish to have their identities revealed on others’ devices. These could include calls by victims of domestic abuse, activists, journalists, auditors, investigators, watchdogs, whistle-blowers, or those bound by professional secrecy,” read the submission. “This one-size fits all approach, of displaying identity of all callers, bereft of nuances, may not necessarily be an optimal solution,” the group concluded.
May not be reliable: The submission pointed out that there were concerns around “reliability, safekeeping, and verification of information provided in Customer Acquisition Form (CAF)”. “It is possible that such information is not consistent with information recorded during other customer due diligence exercises,” the submission noted, adding that the information may not be accurate and that the possibility of an information mismatch exists.
Difference between subscriber and user of the number: “There are some cases in which the person filling in the CAF might be different from the person using the number. This may lead to the revelation of a wrong name,” CUTS said in its note. It cautioned that if a customer’s phone gets stolen, and is misused, the KYC information may not be sufficient for protecting the consumer. “CNAP will legitimise these existing stolen or fraudulent SIM cards obtained through identity theft and will display names of victims of identity theft,” it added.
May have unintended consequences: The organisation said that the following groups may be adversely impacted by the proposal—
- Small family-run businesses: Many family-run businesses in India procure phone numbers in the name of the head male member of the family, as per CUTS, and relying on KYC information will exclude other family members who may be involved in the business activities.
- Women: “Gender is an important consideration for phone usage and KYC. In a patriarchal and unequal society like India, the phone numbers of women family members may be linked to the male family member. The effect of this might be women losing their own agency and autonomy, by being attached to the identity of the male head of the household,” read the submission.
- Children: “Children are likely to be using numbers registered with their parents’ KYC. Even after reaching adulthood, it is common that they would continue using the same number after becoming and the number would still be linked to their parent’s KYC. The issue of losing autonomy and identity this way would also apply to children,” the submission said.
Display names with informed consent: “It is important for individuals to be aware of the potential privacy implications of using supplementary services like CNAP, and then be able to give informed consent on whether or not they want their name to be displayed when making calls,” CUTS recommended in its comments. “Consequently, it might be useful to think about limiting obligations of caller name display to specific service providers of a certain threshold, and further, natural persons may be given the option to opt into such systems,” the submission continued.
Difficulty in fixing responsibility and accountability in case of breach: “Sharing and passage of data through different points of interconnection between multiple networks, may make data susceptible to leaks. Alternatively, creation of a centralised database wherein details of all consumers are stored, or its clones with all service providers, may end up acting as honeypots for malicious actors, with increased likelihood of data leaks and breaches, resulting in increased spam for users,” the organisation observed in its comments.
May lead to violation of fundamental rights of consumers: “The caller’s name is considered personal information, and the disclosure of this information (along with caller’s number) without the caller’s consent could be considered a violation of their privacy,” read the submission. “Hence, if CNAP is implemented in the proposed form, it would not only stifle consumer choice but also present a grave danger to not only privacy, but consequently to exercise of other constitutionally protected fundamental rights, such as freedom of expression,” CUTS said.
Risk of identity spoofing and misuse of data: The proposal may exacerbate risks related to violation of privacy, misuse of information, and identity spoofing. “The caller’s name may be used for malicious purposes, such as identity theft (through call back scams, phishing and social engineering attacks etc) or spamming, if it is displayed to unauthorised parties,” the submission said, adding that it might be useful to wait for the data protection law to come into force before implementing this measure.
Language barriers and need for translations: “The CP does not clarify what would be the language of displaying the caller name under the CNAP facility. If we were to assume that it would be English, there would be the exclusion of a large number of consumers who cannot read English. For effectiveness, the Caller ID would need to be translated into a language the call recipient is well versed in. This would require further clarity on whether the TSPs would be responsible for the translations. If so, it would require certain costs and infrastructure,” the submission said.
What did other consumer groups submit?
Consumer Care Society, a consumer-advocacy group based in Bengaluru, was one of the rare organisations which called for mandatory activation of CNAP, because it felt that educating millions of subscribers to activate a measure will be a never-ending process. Mandatory activation, it said, “eliminates the process of obtaining consent with the consequent economic costs”.
They also recommended that the location of the calling party be included in the details provided to the person receiving the call so that it can enable “faster identification of frauds and scams”.
A submission by a group called Consumer Protection Association Himmatnagar batted for mandatory activation as well but acknowledged that it can be harmful to vulnerable groups. It proposed that the service provider should be responsible for registering such groups and for providing a proper mechanism to take them off the database.
The association urged TRAI to carry out follow-up research into “incidence of call and text scams” to monitor the impact of the work they are doing, including where to focus their efforts as scammers evolve their tactics.
The submission called upon the government to invest in creating digital literacy, skilling citizens to navigate and use tech properly so as to ensure that they do not share their data indiscriminately, and are aware of dangers of financial frauds and spoofing.
A vote of confidence for mandatory activation was also given by Consumer Guild, indicating that consumer groups are in unison over every subscriber enjoying the benefits of CNAP. This pits them against telcos, which have asked for an opt-in approach.
Overview on telco submissions
Reliance Jio said that it will be able to share the name of a telecom consumer only after obtaining their consent due to license provisions. “There can be myriad reasons for the customers not being willing to share their name with the called party. A few of these can be potential fraud and risk of abuse, misbehaviour, social media stalking, etc.,” read the submission by Jio, adding that instances of abuse increase in the case of women.
Airtel also called for privacy to be addressed in the framework but cautioned that a consent mechanism may leave CNAP ineffective, as violators may choose to opt out of it, thereby not revealing their name/identity in a call. BSNL, a government-run company, was also of the opinion that CNAP should not be made mandatory at this stage.
“For making the mandatory activation for each subscriber there may be challenges with legacy network elements which may not be capable of providing this facility to all of its customers,” the company said.
Cellular Operators Association of India (COAI) said that CNAP should be optional for telcos given the technical and privacy challenges. They pointed out that subscriber data is “confidential information” and that a segment of consumers may not want their names to be shared, in addition to the risk of data leakage.