ENUM RAISES PRIVACY CONCERNS WHOSE SOLUTIONS ARE UNCLEAR

Privacy should be viewed as “an enabler,” not barrier, said Toby Levin, vp-chief privacy officer of Privacy Council Inc. While ENUM is under development, she said, attention should be focused on how to “bake privacy” into its architecture. Given “skeletal” nature of ENUM documents so far, she said, there’s much work to be done to implement privacy safeguards.

If ENUM is used only to route phone calls to Internet addresses, that could be handled in way that raised few privacy concerns, said John Morris, dir. of Center for Democracy & Technology’s Internet Standards, Technology & Policy Project. For instance, he said, calls could be sent to private service that screened access to user contact information, giving consumers control over that information. However, Morris said, if ENUM deployment requires all information to be listed in relatively public database, spam, identity theft and other privacy problems are likely.

U.S. ENUM Forum, industry group working on implementing IETF protocol (RFC 2916), has taken position that users must opt into system by choosing to put their personal data into ENUM service, said Laks Prabhala, chmn. of forum’s privacy & security task force. Opt-in is fine, Morris said, if ENUM turns out to be niche product. But if it becomes ubiquitous, he said, it should be opt-out.

Because ENUM technology is neutral, opt-in or opt-out becomes policy issue, said Scott Bradner, senior technology consultant at Harvard U. Morally, he said, opt-in is right way to go, but decision can’t be left to business community because it’s not in its best interest to use opt-in system that takes too long to populate database.

Question of opt-in versus opt-out is largely driven by consumers, said David Valdez, Verizon chief policy officer. It’s not clear yet whether service providers would collect any information for ENUM that consumers didn’t already provide, he said, in which case privacy protections already are in place. Privacy advocates think customers are stupid, said Kristen Verderame, BT North America vp-U.S. regulation & govt. relations. Not only is that untrue, she said, but companies already are subject to privacy rules and regulations all over world.

Because ENUM puts new twist on technology, it’s important to ask not only whether it’s good idea to regulate it but whether it’s even possible to control activities such as spamming, said Casey Anderson, vp-international public policy for AOL Time Warner. Any govt. regulations must balance the costs of focusing on privacy against possibility of stifling competition, he said. Don’t “be allergic to” idea of regulation or govt. oversight, he said, but don’t rush into it until it’s clear what’s there to regulate. But Bradner disagreed, saying “the market is not a protector of privacy,” and inherent conflict between those who want to use phone numbers for ENUM and those who control those numbers may make regulation necessary.

ENUM Forum believes existing fair information practice principles cover most of ENUM technology, Prabhala said. But while new regulations aren’t needed, he said, it would be helpful to bind ENUM service providers contractually to privacy protections. That’s nice thing to advocate, Bradner said, but there’s already ample evidence of that paradigm in ICANN’s requirement that all accredited registries and registrars adopt Uniform Dispute Resolution Policy: “Let’s say that’s not universally appreciated.”

Contracts are useful vehicle for addressing privacy concerns, but not standing alone, Levin said. Morris said that while ENUM is “worrisome” to privacy advocates, industry has “great opportunity to show self-enforcement can work.”

FCC’s tendency toward regulation at this point would be to “take a light hand” until it saw how ENUM evolved, said Scott Marcus, senior adviser for Internet technology. FCC and NTIA together have jurisdiction over ENUM, NTIA Deputy Asst. Secy. Michael Gallagher said later. Two agencies are attempting to reach consensus on whether U.S. should participate in ITU’s ENUM implementation process. Once they agree, he said, they'll forward recommendation to State Dept., which will present U.S. position at next month’s ITU plenipotentiary session.

“Intersection between telephone numbers and the DNS makes rulemaking very difficult,” Wilmer Cutler attorney Susan Crawford said later. She said it was uncertain whose law would apply and what agency within a particular country would have jurisdiction if there were: (1) Multiple places in DNS where mapping took place. (2) Multiple registry/registrar/authentication service providers, many of which aren’t in U.S. (3) Databases of ENUM mappings visible all over world. (4) ENUM registrants who weren’t located “in” country to which particular country-code applied. (5) Country codes that didn’t map neatly to geographical territories. Given that, and panelists’ support for registrar competition, Crawford said, perhaps registrars should have to promise to protect their registrants’ privacy and security or face enforcement by agencies or courts with jurisdiction over them. In that case, she said, minimum global standards should be crafted by companies providing ENUM services -- not by govts.

Panel on ENUM privacy and security “foreshadowed” concerns policymakers had better be able to address early on, Gallagher said. ENUM must be able to marry best of phone system -- its ubiquity, affordability and simplicity -- with flexibility, robustness and customization of Internet, he said. -- Dugie Standeford

ENUM Experts Describe Benefits of Evolving Standard

Wide adoption of ENUM telephone number mapping protocol would give consumers control over how they were contacted via Internet and non-Internet devices, panelists said. “Phone numbers are hardwired to a house or to a physical circuit. ENUM detaches a phone number from a physical location and instead you can attach it to an application or a device,” Pulver.com analyst Carl Ford said. ENUM services (IETF RFC 2916) are protocols that enable communications applications to “locate” or “discover” IP communication services associated with given telephone number. In that way single phone number can connect to phone, e-mail address, instant messaging client or other network device.

SAIC Corp. Vp Ronald Brouillette described use of ENUM numbering protocol with corporate voice-over-Internet- protocol (VoIP) phone system where names, phone numbers and IP addresses were linked automatically. With SAIC’s phone system, “I can look ahead to someone I'm trying to contact to see if he’s on the phone or whether his e-mail is up.” In another application Brouillette established 2-way chat simultaneously with 4-way conference call, setup he said was “useful in contract negotiations.” On question of who controlled user’s data under ENUM, Gary Richenaker, chmn. of ENUM Forum, said it was opt-in type of service. Subscriber has control over information associated with ENUM, he said: “If they want to add an e-mail address or cell number, it’s up to the customer.” End-user control is “core tenet” of ENUM standard, NetNumber founder Douglas Ranalli said. Protocol “shifts the balance of power to enable users… to redirect communications whether at home or at work.”

Panel was divided on whether adoption of ENUM would reduce pressure on U.S. numbering system. Richenaker predicted “no increase or decrease” in demand for phone number attributable to ENUM. “While one ENUM can be an identifier for many existing numbers, all the POTS [plain old telephones] numbers are not going away.” Scott Marcus, FCC adviser for Internet technology, said “2nd order effect” could increase demand for numbers. With current telephone network, landline number often represents several individuals, family for example, while cellphone number is more often one number for one person, he said: “With the option of ENUM, subscribers may want to have a distinct number for an individual.” Brouillette suggested industry begin to change way it thought about phone numbers. ENUM could identify fax machine by IP address instead of phone number, while Voice over IP handsets could be identified by SIP address, he said.

Panel agreed ENUM would have to be adopted as worldwide standard and deployed in large numbers to be effective. “There is an infinite number of ways to connect a phone number to Internet locations,” Ranalli said: “The value of a standard is to pick one way. ENUM leverages the DNS [Domain Name System], which is scalable and proven.”