Statement by Martin Winter, before the Joint Public Hearing

Assembly Consumer Affairs & Protection Committee
Assembly Corporations, Authorities and Commissions Committee
Assembly Task Force on Telecommunications
Senate Consumer Protection Committee

I would like to thank Mr. Nadler, Mr. Siegel, Senator Levy, and Senator Brennan for allowing me the opportunity to address my concerns about the privacy of telephone subscribers to them, both as a private citizen and as the President of the New York State Systems Operator's Association (hereafter known as "The Association"). Since many of my concerns as a private individual overlap those of the Association I would like to make a few general remarks concerning what is usually referred to as "Caller ID" and then address the list of issues published by the Senate and Assembly committees.

"Caller ID" appears to be what is known as a "trap and trace" device. Title 18, United States Code Chapters 119, 121, 201, and 206, also known as the Electronic Communications Privacy Act, and which I will hereafter refer to as the "ECPA", defines a "trap and trace" device as:

a device which captures the incoming electronic or other impulses which identify the originating number of an instrument or device from which a wire or electronic communication was transmitted;

Since Caller ID has the ability to display the number of the telephone from which a call originated and record that number it would certainly seem to fit the ECPA's definition of a "trap and trace" device. Further the ECPA limits those circumstances in which a device of this type can be used. Chapter 206, section 3121 of the ECPA states:

(a) In General.-Except as provided in this section, no person may install or use a pen register or a trap and trace device without first obtaining a court order under section 3123 of this title or under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).
(b) Exception.-The prohibition of subsection (a) does not apply with respect to the use of a pen register or a trap and trace device by a provider of electronic or wire communication service- (1) relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or (2) to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service; or with the consent of the user of that service.

(c) Penalty.-Whoever knowingly violates subsection (a) shall be fined under this title or imprisoned not more than one year, or both.

With this in mind it would appear that the use of Caller ID would be limited only to Police, Fire, Hospital Emergency Rooms, Poison Control Centers, and other Emergency Service Providers for the purpose of identifying the telephone number and address from which a telephone call originates in the event that the caller is not able to provide this information; residential subscribers who wish to maintain the privacy of their telephone line by knowing who is calling or from what number a telephone call has originated; those subscribers, both residential and business, who have received harassing, threatening and/or obscene telephone calls and wish to identify the number from which these calls are originating for the purpose of criminal and civil prosecution; and those business and residential subscribers like myself and other members of the Association who operate an electronic data communications service or hobby type computer bulletin board for the purpose of identifying the origination of telephone calls in order to maintain the security of the system
and the privacy of our users.

With regard to the technology involved in offering the Caller ID service, I am not an expert in the design of telecommunications systems and would prefer to leave the explanation of this technology to New York Telephone itself.

With regard to the potential benefits to those customers who chose to subscribe to Caller ID, both with and without the blocking of the caller's telephone number, I would like to make the following points:

1: Emergency Service Providers who use Caller ID systems would have the ability to dispatch emergency units to the scene even if the caller was unable to provide their location. This system is currently in place in the form of an augmented 911 emergency telephone system in a number of cities throughout the country and has been credited numerous times with saving lives that might otherwise have been lost due to the caller's inability to identify their location. At the present time, many Emergency Service Providers in New York State have no way of identifying the location from which an emergency call originates. If the caller is a young child who cannot tell them where he is, a person who speaks little or no English, or a person who is incapacitated or so upset or excited that they cannot identify their location, this can and has led to delays in the arrival of emergency personnel that have resulted in loss of life and property that could have been avoided had the Emergency Service Provider been able to identify the location of the caller.

2: Without "blocking" residential customers would have the ability to screen incoming telephone calls by looking at the originating number before they answer the call. This would allow them to know beforehand if the incoming caller is someone with whom they wish to speak.
3: Without "blocking" residential and business customers who have received telephone calls of a harassing, threatening and/or obscene nature would have the ability to immediately provide law enforcement agencies with the number of the telephone from which the calls originated. In those areas where Caller ID is now offered the number of calls of this nature has been reduced.

4: A group of teenagers uses a home computer to break into a bank's computer and obtains several credit card numbers which they then use to go on a spending spree. A college student majoring in Computer Science writes a program that, when inserted in a computer network using a specific software program, replicates itself to the point where the network can no longer be used. A group of computer users in West Germany manages to infiltrate a highly sensitive computer network and then proceeds to gather as much classified information as possible, then makes that information public in an effort to show how easy it was to get it.

All of these incidents have been in the news in recent times. Those customers who operate electronic data services, or hobby type computer bulletin board services, are very sensitive to the issues these incidents raise with regard to the security of the information on their systems. Caller ID would make it possible for electronic data services and hobby BBS systems to immediately know if their security system had been breached or bypassed. Most of the systems that I have used or operated allow the System Operator (or SYSOP) to see information about the caller displayed on his computer terminal as the user logs on to the system. This information usually includes the caller's name, or the name by which he is known on the system, the caller's password and the caller's telephone number. A SYSOP who is monitoring a caller's activity would be able to see immediately if the call is originating from the location initially given by the caller.
Those calls which are originating from the caller's listed location would require no further monitoring as it is fairly certain that the caller is who he claims to be. Those calls which come from a location that does not match the listed location could then be monitored to determine if the caller is who he claims to be and for any activity which would compromise the security of the system or the privacy of the users.

I cannot emphasize how important this feature would be to those customers who operate an electronic data transfer system. Recently my own BBS almost fell victim to what I would term a "computer delinquent". This person uploaded a program to my system that was designed to destroy a section of my computer's memory when used. Prosecuting this individual is going to be difficult because, even though I have a complete log of the activities of all the users on the day he transferred the program to my system, I do NOT, however, have absolute proof that the call originated from the number that the owner of the account used in the transfer of this program gave me when he requested access to my BBS.

The ability to identify the location of an incoming call would be invaluable to maintaining the security of electronic Banking systems and information clearing houses. With this system in place and properly used it would substantially reduce the number of incidents of unauthorized persons gaining access to information on a multitude of electronic data systems. Incidents such as I have just described would be reduced or eliminated entirely.

All of the advantages I have outlined above would be available to the consumer only if the blocking of calls were not allowed.
While I do believe that we all have the right to privacy as it regards our telephone number, and I also feel that those people who are currently paying for an "unlisted" or "non-published number" should have the right to maintain the privacy of that number, I also feel that there are some circumstances where blocking should NOT be allowed. Specifically those instances are:

1: Calls made to an Emergency Service Provider. I think that most people would agree that the ability to respond to an emergency call, and the potential for loss of life or property, outweighs the caller's need or desire for privacy.

2: Calls which are made to residential or business subscribers who have been receiving calls of a threatening, harassing, or obscene nature. In these cases there should be a way to over-ride the blocking of the display of the incoming number, but such an over-ride capability should be available only on the request of an investigating authority. Further such a request should only be made if it is shown that the calls are originating from a number which is blocking the display of the number, and the over-ride should only be allowed until such time as the individual making these calls is caught.

3: Calls made to electronic data services and computer BBS systems. Those who provide such services should have the ability to over-ride the blocking of an incoming number. This is not a stand that I take lightly. While there is the potential for abuse of this ability I feel that there are several factors which mitigate in favor of the over-ride of number blocking in this instance. First, many electronic data systems contain information of a sensitive or classified nature. Many banks now keep records of all their accounts on computer systems. These systems, both at the local branch office and the main headquarters, can and do communicate with each other automatically over the telephone lines.
As I have already outlined there have been instances where unauthorized persons have managed to gain access to these computer systems and make use of the information contained on them. Further, those persons and businesses which operate such systems are currently subject to the provisions of the ECPA with regards to the disclosure of any and all information contained on their systems. Briefly, operators of electronic communications systems, whether it be a national banking corporation operating a nationwide computer banking network, or the kid down the street who has 22 users on a BBS system that operates for 3 hours a day, cannot divulge any of the information on their system to anyone other than a law enforcement agency acting under court order, or the user of the account in question. To do so would be a violation of the ECPA and would subject the operator to a fine of up to $10,000 and up to five years in jail for each violation.

The potential harm that could result from an unauthorized person gaining access to such a system is enormous. A virus or "bomb" type program, if inserted into a computer network, could completely destroy the ability of that network to function, or even destroy all the data contained on that network. If this network were that of a bank it could effectively leave depositors penniless until the bank could recreate the records.

With regards to the drawbacks of Caller ID, I do agree that there may be some problems associated with the technology as it affects a caller's privacy, but I also believe that if number blocking is allowed in all but the circumstances I have already outlined then the problems associated with Caller ID will be minimal.

In the information that the Assembly and Senate committees published concerning this hearing they specifically mention banking and housing "red-lining" as one of their concerns. In order to discuss this we must first understand a little bit about how telephone exchange numbers are allocated to an area.
In order to provide service to an area the telephone company uses what they call a "Central office". Each central office is set up to serve a specific area and all calls going to or from this area are routed through that office. In addition each office has a number of "exchanges"; the first three digits of a number after the area code are the exchange. How large or small an area a central office serves is determined by the population density of that area. In New York City, for example, there are central offices that serve only a few square blocks. In other areas, such as the northern section of the 518 area code, a central office may serve an area as large as 100 square miles or larger. In a densely populated area an exchange may serve an area of only one or two blocks, while in a sparsely populated area it may serve an area as large as that which the central office does.

As an aid to the practice of "red-lining" in housing or banking Caller ID would only be practical in an area of high population density; in an area of low or median density, such as the 518 area code, an exchange number could conceivably serve customers who are as much as 10 miles apart, making it impossible to tell exactly where the call originates from without the aid of a numerical directory. Further, Caller ID would also act as an aid in detecting the practice of red-lining as it could easily be determined if calls originating from a neighborhood or exchange are being answered. In addition, since Caller ID appears to be regulated by the ECPA it would subject those who use it to accomplish red-lining to the penalties provided by the ECPA in addition to those already provided for in the Fair Housing Act and the Fair Lending Act.

Potential does exist for the use of Caller ID as a means of identifying previously anonymous customers for the purpose of later solicitation, but again, such use is already clearly prohibited by the ECPA.
With regard to the blocking of caller telephone numbers by Caller ID I feel that blocking should be allowed in all but the cases I have already outlined. Further, blocking should be allowed on both a call by call basis and as part of a service which will permanently block the display of the number. Display of an incoming caller's number should be allowed for only in those instances where a significant risk to life and/or property is at stake. In addition I feel that certain numbers, such as those of battered women's and children's shelters, should be blocked in all cases except where blocking the number would result in significant risk to life and/or property.

With regard to other technologies which would complement Call blocking, again I would prefer to defer to those who design and market such items.

With regard to the blocking or disclosure of unlisted and non-published numbers, such numbers should normally be blocked from being displayed under most circumstances. Again, in cases where a significant risk to life and/or property would result, blocking should be over-ridden.

With regard to the privacy of an individual as the receiver of a telephone call I think we need to keep the following in mind. As a subscriber of New York Telephone I have a telephone in my home. Since that phone is in my own home the right of privacy attached to the house should extend to the use of the telephone. I have the right and the ability to see who is at my front door before I open that door and allow entrance to my home. The same right should extend to my ability to know who is calling me on my telephone. If I do not wish to let a person in my house because he refuses to identify himself to me I have that right. I should also have the right to not answer my telephone if a caller does not want his number identified. As a visitor to another's home the homeowner has the right to refuse me entrance if I do not identify myself to him; the same right should apply to his telephone.
With regard to balancing the individual's right to privacy both as a maker and receiver of telephone calls, I would hope that what I have already said has done so. We are dealing with a new technology. It is only recently that the ability to identify a caller before answering the telephone has become available. The issues which I have attempted to address, however, are not new; they have been in existence for as long as the United States has. We have a right to privacy in our own homes, and we have the right to maintain that privacy by reasonable means. If Caller ID is implemented in a manner that is consistent with what I have just outlined then its use should be able to insure the continuation of the right to privacy without unwarranted intrusions.

To sum up briefly, in order to insure the telephone customer's right to privacy Caller ID would have to allow for the following:

1: The display of a caller's telephone number in those circumstances where blocking the display would result in a significant risk to life and/or property.

2: The display of the number to those persons who operate electronic data services, data clearing houses or computer bulletin board systems, where such display is for the purpose of insuring the security of the system, the security of the data on the system and the privacy of the users' accounts.

3: The display of a caller's number in those instances when the making of threatening, harassing and/or obscene telephone calls is being investigated, provided that such display is requested by a duly authorized investigative agency, that it has been shown that the calls are originating from a number that is blocked from display, and that such ability to use blocking will be restored when the person making the calls is apprehended.

4: Display blocking will be made available to those customers who currently have an unlisted or non-published number as a part of that service.
5: Display blocking will be automatically disabled when calls are placed to Emergency Service Providers or others who have a valid need to display the number of each incoming caller.

6: That the numbers of battered women's and children's shelters shall be automatically blocked from all but Emergency Service Providers.

7: That all business customers electronic data system operators who subscribe to Caller ID are made aware in writing that disclosing the number of an incoming call is a violation of the ECPA and that such disclosure may subject them to severe penalties.

If Caller ID is offered with these protections in place it should fairly balance the privacy of both the caller and the person receiving the call.

***** NOTE FROM TOMMY *****

It is my opinion that an eighth protection should be put into place for the protection of those subscribing to Caller ID:

8: That the Caller-ID subscriber may, at his option, block incoming calls from callers employing Caller-ID blocking.

This option will protect those who wish to have *ALL* incoming calls identified. The idea is, if you won't identify yourself, I don't want your call. Tommy's Holiday Camp Remote Online Systems will subscribe to this particular option should it become available in British Columbia. This will ensure that users' accounts are 100% secure and eliminate "spoofing" or users posing as other users, and eliminate the need for Voice Validation.

Think about it. From a hacker's point of view, Caller ID is a catastrophe. From a BBS sysop's point of view, it is his salvation.

***** TOMMY OUT *****