tl;dr
The Telecom Regulatory Authority of India released its consultation paper on the ‘Introduction of Calling Name Presentation (CNAP) in Telecommunication Networks’ on 29th November 2022. On December 23, 2022, we submitted comments on the citizens’ privacy-centric issues identified in the consultation paper. In our comments, we have suggested that the service must be made opt-in with clear notice to the end users to their enable informed consent; a central database should be avoided since it increases the threat surface to privacy risks. It must be enabled only after a data protection law is in place.
Why should you care?
The introduction of CNAP in telecommunication networks is a significant change in how the telecom industry operates. It can potentially increase trust between third parties, allowing for higher rates of call answering. Additionally, it presents the potential for privacy risks if not implemented correctly, which is why it is important that an effective data protection regime is in place before its operationalisation.
Given the privacy concerns with the CNAP service, the use of it can potentially violate an individual's privacy by disclosing their name to the recipient without their consent. This could be particularly problematic if the service is mandatorily activated, as it would not give users the option to opt-out.
Moreover, it can potentially lead to a caller's name being used for malicious purposes, such as identity theft or spamming.
Background
Telephone consumers have voiced their need to identify the calling party, which is currently not met by the Calling Line Identification (CLI) supplementary service. This can be achieved through a name presentation facility that would display the identity of the calling party on the called party's telephone. Additionally, they have raised concerns about robocalls, spam calls, and fraudulent calls. Robocalls are automated calls used to dupe consumers financially, spam calls are unsolicited marketing calls that bypass the do-not-disturb feature, and fraudulent calls may aim to obtain details of bank accounts or OTPs with an aim to defraud consumers.
There is a concern that without the CNAP facility, the CLI service does not provide enough information for consumers to trust that a call is genuine. As a result, even genuine calls are going unanswered, resulting in missed opportunities for both the caller and the receiver.
Our Suggestions
Our core recommendation is for a CNAP to be introduced only after a rights-respecting Data Protection Law is in force under which an independent Data Protection Authority may assess its impact on individual privacy.
In our comments to TRAI, we have emphasised that since the CNAP service will require the creation of an additional database and information sharing it will result in an increase in the amount of personal information that is stored on every Indian who owns a telephone or broadband connection. Hence, we recommend that its operationalisation should be preceded by a data protection statute as it may have the likelihood of data leaks and breaches resulting in increased spam for users.
The CNAP service should also not be mandatorily activated for each telephone subscriber and must be an opt-in service. Further, additional clarity and control must be provided to the users for the part of the service they opt for. There must be a distinction between activating CNAP on incoming and outgoing calls separately.
Since CNAP can potentially violate an individual's privacy in the following ways, citizens must understand what they are consenting to:
- Unauthorised disclosure of personal information: The caller's name is considered personal information, and disclosing this information without the caller's consent could be considered a violation of their privacy.
- Lack of control over personal information: The caller may not have control over whether or not their name is displayed to the recipient, which can violate their right to privacy.
- Potential for misuse of personal information: The caller's name may be used for malicious purposes, such as identity theft or spamming, if it is displayed to unauthorised parties.
For recording the consent of the subscribers, we have suggested the following mechanisms:
- Opt-in process: One way to obtain consent for the activation of the CNAP service is to use an opt-in process. This could involve providing clear information about the service, its benefits, and any potential privacy implications and giving users the option to choose whether or not they want to use the service.
- Written consent: Requiring written consent from users could involve having users sign a form or agree to terms and conditions that outline the use of the service and any potential privacy implications.
- Online consent: In an online setting, consent for the activation of the CNAP service could be obtained by having users check a box or click on a button to indicate that they agree to the use of the service. It is important to ensure that this consent is obtained clearly and unambiguously.
It is important for telecommunications companies to ensure that they obtain the consent of telephone subscribers before activating the CNAP service. This can help to protect the privacy of users and ensure that the service is used responsibly and ethically. TRAI and the TSPs can run awareness campaigns and encourage users to sign up for the CNAP service.
We have opposed using Customer Acquisition Forms (CAFs) for the purpose of Calling Name Presentation (CNAP). Apart from the risk of being inaccurate, using CAFs for CNAP lacks explicit consent and can lead to potential misuse of personal information.
Important documents:
- Consultation paper on the ‘Introduction of Calling Name Presentation (CNAP) in Telecommunication Networks’ (link)
- IFF’s comments (link)