tl;dr
The Telecom Regulatory Authority of India (TRAI) has released recommendations on 'Introduction of Calling Name Presentation Service in Indian Telecommunication Network', supporting its introduction, despite the various privacy concerns with the service. In our comments sent earlier, we opposed its introduction citing a lack of autonomy and control over the subscriber’s informational privacy and potential violation of an individual's privacy by disclosing their name to the recipient without their consent.
Background
The Department of Telecommunications (DoT), through a letter dated March 21, 2022 requested TRAT to submit its recommendations on introducing the Calling Name Presentation (CNAP) facility in Indian Telecommunications Network. In this regard, TRAI issued a Consultation Paper on 'Introduction of Calling Name Presentation (CNAP) in Telecommunication Networks' on November 29, 2022. The reasoning for seeking comments on this matter was that in the absence of a CNAP facility, the Calling Line Identification (CLI) service does not provide enough information for consumers to trust that a call is genuine. Additionally, they have raised concerns about robocalls, spam calls, and fraudulent calls. Concerns around robocalls, spam calls, and fraudulent calls were also listed as reasons. In response, 40 stakeholders submitted their comments, and five stakeholders furnished their counter comments.
IFF’s comments
On December 23, 2022, we submitted comments on the citizens’ privacy-centric issues identified in the consultation paper. In our comments, we suggested that the service be made opt-in with clear notice to the end users to enable informed consent. We proposed avoiding a central database since it increases the threat surface to privacy risks and asked for it to be considered as an option only after a robust and rights-respecting data protection law is operational.
Our concerns stemmed from the potential privacy risks which may arise due to incorrect implementation. We flagged to TRAI that the use of CNAP can potentially violate an individual's privacy by disclosing their name to the recipient without their consent. This could be particularly problematic if the service is mandatorily activated, as it would not give users the option to opt-out. We also raised concerns about it potentially leading to a caller's name being used for malicious purposes, such as identity theft or spamming.
Among the comments submitted by stakeholders including associations, organisations, telecom operators, individuals, and consumer rights groups, some recognised the benefits that may be provided by CNAP, including but not limited to the prevention of robocalls, spam calls, fraudulent calls, and CLIP spoofing. At present, smartphone users can make use of tools and third-party apps to identify the caller’s name and mark spam calls. Instead of implementing another scheme with legal, technical and procedural loopholes, it may be more sound for TRAI to work on strengthening the existing models, such as the DND Registry. The presence of alternatives to CNAP already in place within the Indian telecom infrastructure was highlighted by the Cellular Operators Association of India (COAI) in their comments and reiterated by 4 other stakeholders in their submissions- namely the New Indian Consumer Initiative, AP & Partners, CUTS, and the Bhanja Institute for Rural Development.
TRAI’s recommendations
Based on the inputs received from stakeholders, TRAI has released its analysis and recommendations. We appreciate TRAI for following healthy precedents and conducting transparent public consultations, wherein counter-comments are accepted and comments sent are published by TRAI. Summarising the comments received for each question and listing all the stances is praiseworthy. The finalised recommendations released by TRAI after analysing the comments are as follows:
a. “Calling Name Presentation (CNAP) Supplementary Service should be introduced in the Indian telecommunication network”. Summarising the consultation responses to the question on the need for its introduction, TRAI shared that most of the stakeholders supported the implementation of CNAP supplementary service in Indian telecommunication networks, a few stakeholders voiced that there was no need for it, and a few others proposed a middle path - its introduction in a limited manner. As per our analysis of the 40 comments received by TRAI on this consultation paper (including ours), 18 stakeholders were against the mandatory activation of the CNAP service. While TRAI documented the various concerns raised and alternatives provided by stakeholders who opposed the CNAP service, it voiced its inclination for introducing it stating that it will help in reducing “mental agony and economic loss of telephone subscribers”. On the aspect of the need to obtain consent from telephone consumers, TRAI stated that a choice to not enter the service or withhold their identity under CNAP would be used by malicious actors or telemarketers to hide their identity, defeating the purpose of its introduction.
TRAI iterated the existence of an opt-out procedure and recommended that for subscribers who avail the Calling Line Identification Restriction (CLIR) facility, their CNAM should not be presented to the called party. CLIR facility essentially allows the caller to be anonymous to a limit. Availing the facility causes the callers’ phone number or caller ID to not be visible to the recipient. CLIR facility may be activated on a call-by-call basis or on a permanent basis. While Calling Line Identification (CLI), under which the caller name is displayed to the recepient, is switched on by default for the subscribers and cannot be disabled by them, CLIR needs to be activated by the service provider on request of the subscriber.
The Department of Telecommunications (DoT) discontinued the default facility of ‘private number’ masking for all Indian subscribers in 2015 following complaints of misuse and concern over potential security breaches and controlled its availability by restricting telecommunications service providers (TSPs) from allotting this facility without permission from senior police officials. Thus, since 2015, CLIR can only be availed by a non-VVIP or senior-level officer by submitting a request stating the reason along with address proof /identity proof and recommendation from an additional DGP/IGP of the state police intelligence wing. The TSP is then supposed to carry out physical verification of the applicant and forward the request to the Telecom Enforcement Resources Monitoring (TERM) cell for approval. The approval is valid for 12 months, after which the process needs to be repeated for renewal.
Under the General Data Protection Regulation (GDPR), TSPs are required to provide their customers with clear information about the use of CLIR and how it can be activated or deactivated. In the United States, the rules under the Federal Communications Commission (FCC) require the TSPs to offer CLIR to their customers free of charge and inform them of the availability of CLIR and how it can be activated or deactivated.
While CLIR provides several benefits and may be considered a privacy promoting measure, it is worth thinking about the possibility that subscribers in India have limited information on and low awareness of its existence, features, and the procedure for activating it. Given how restricted its availability is in India, it must not be considered a viable option for disabling CNAP. Thus, the CNAP facility must be activated only after obtaining explicit and informed consent from subscribers, especially in the absence of an accessible facility for withholding identity.
b. “For the introduction of CNAP supplementary service, the definition of CLI requires to be expanded to include calling name (CNAM). The name identity information provided by the telephone subscriber in the Customer Application Form (CAF) should be used for the purpose of CNAP”. On the concerns of stakeholders around a faulty and non-watertight know-your-customer (KYC) process undertaken by telecommunication service providers, TRAI expressed that the current name identity information provided by telephone subscribers in the CAFs, which is verified through Government recognised identity proofs, is reliable and verifiable. Additionally, while referring to the need for a robust KYC mechanism for the unique identification of a subscriber, TRAI mentioned Section 3(7) of the Indian Telecommunication Act, 2023 as a way to reap the benefits of CNAP more effectively and efficiently. This privacy invading Section of the Act imposes an obligation on any authorised entity, as notified by the Union government, to identify the person to whom it provides telecom services, through the use of any verifiable biometric-based identification “as may be prescribed”.
This inclusion of “verifiable biometric-based identification” raises fears that it may provide a legislative basis for the mandatory linking of Aadhaar to mobile phones which was ruled unconstitutional by the Supreme Court of India. Fears are further enhanced due to the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 that state that the Union government may allow “requesting entities” to engage in Aadhaar Based Authentication in the interest of good governance, preventing the leakage of public funds, or promoting ease of living and enabling better access to services for residents. Since ‘requesting entities’ are defined as the Ministry, Department of the Government of India or any State Government that wants to use Aadhaar for the purposes specified in the Rules, it will become easy for a private entity to get access to the Aadhaar numbers of individuals under a public-private partnership project. These Rules came soon after amendments to the Aadhaar Act in 2019 which authorised the use of Aadhaar by private parties, and these amendments have been challenged before the Supreme Court for violating the judgement in K.S. Puttaswamy v. Union of India. After the Aadhaar Amendment Act, 2019 and the Aadhaar Good Governance Rules, 2020, there remain virtually no limitations on the use of Aadhaar authentication, which had earlier been restricted by the SC to only government entities and only for receipt of benefits and subsidies.
The Aadhaar project has faced several criticisms since its inception; such criticisms have only heightened after its implementation, with a diverse set of actors from the Supreme Court to CAG of India to various civil society bodies questioning the use of Aadhaar based authentication. In a country that is still largely not digitally literate and does not have an operational, rights-respecting data protection law, such technology should not be adopted for a routine procedure, especially in the absence of offline alternatives.
c. “All access service providers should provide CNAP supplementary service to their telephone subscribers upon their request”. This recommendation does allay our fears to some extent as it does not make this facility available by default. We hope that the Government, in their instructions on CNAP, will strengthen the opt-in procedure for activating the service and not make it a mandatory service.
d. “A technical model for the implementation of CNAP in the Indian telecommunication network has been outlined”. TRAI has proposed four models for implementing CNAP supplementary service, out of which it believes that Model 1 is, in general, the most suitable model for the implementation of CNAP supplementary service. It did however list some concerns with the practical implementation of Model 1 given the current infrastructural set of the telecom network in the country. Thus, TRAI has suggested the implementation of CNAP using Model No. 2 for now and the implementation of the service using Model No. 1 at a later stage, as and when the CS core networks are phased out from the Indian telecommunication networks.
Under Model 1, each TSP establishes and operates a CNAP database in respect of its subscribers. Under Model 2, each TSP will need to establish a CNAP database in respect of its subscribers and will need to provide access to its CNAP database to other TSPs. While TRAI states that there are no concerns related to “privacy and possible misuse of subscriber’s personal information” under Model 2, the rising instances of breaches of public and private databases in the absence of an operational, rights-respecting data protection law raises concerns for individual privacy and misuse of such data, including but not limited to increased spam for subscribers.
e. “After acceptance of the recommendations, Government should issue appropriate instructions for making CNAP feature available in all devices sold in India after a suitable cut-off date”.
f. “The Authority recommends that prior to the implementation of CNAP supplementary service on pan-India basis in Indian telecommunication network, a trial and assessment of the implementation of CNAP supplementary service should be conducted in one licensed service area (LSA) with subscriber base of each telecom service provider in the LSA”.
Reservations and reiterations
We still oppose the use of CAF for CNAP as it runs the risk of being inaccurate, lacks the provision for obtaining explicit consent, and can lead to potential misuse of personal information. The current recommendations by TRAI do not provide for an opt-in procedure for activating the CNAP service and instead recommends the use of CAF. TRAI and the TSPs can run awareness campaigns and encourage users to sign up for the CNAP service.
We still stand by our core recommendations that CNAP must only be introduced after a rights-respecting and robust data protection law is operationalised and an independent Data Protection Authority under it is equipped to assess its impact on individual privacy. The current Digital Personal Data Protection Act (DPDPA), 2023 is not rights-respecting as per our analysis as it has weak requirements for notifying data principals about third-party data sharing, provisions that allow vague non-consensual processing of data, wide exemptions for public and private data fiduciaries, and a Data Protection Board with compromised independence. Given the several shortcomings of the DPDPA, 2023 and its insufficiency in safeguarding the right to privacy, we strongly oppose TRAI’s recommendation with respect to the operationalisation of the CNAP service. We urge TRAI to roll back its recommendations and reevaluate the inputs received in the context of the insufficiencies of the data protection act in India. We also request TRAI to iterate in their recommendations the need to make CNAP a voluntary, opt-in facility as opposed to a mandatory, opt-out service.