Whose Line Is It Anyway?

September 3, 2018

The new General Conditions of Entitlement* — the rulebook which makes up part of the
regulatory framework for the provision of communications services in the UK —
comes into force on 1 October 2018. Under new Part C of the revised General
Conditions, which deals with consumer protection conditions, Ofcom has expanded
the rules relating to CLI — calling line identification.

What is CLI?

‘CLI’ is the data that enables identification of the number
from which a call could be made or to which a return call could be made. It
comes in two parts: network numbers and presentation numbers.

The network number is the number that identifies the point
at which the call enters the public network. It’s a technical thing.

The presentation number is the telephone number that is
displayed to an end-user — when you receive a phone call, and the caller’s
number (or what purports to be the caller’s number) is displayed, that is the
presentation number.

Often, the presentation number will be the same as the
network number but, in some situations, they will be different. This is
particularly true in the case of a business, where every line has its own
unique network number, but the business chooses to send a standard presentation
number for all outbound calls, showing the business’s switchboard number or
other common number. (For example, the tech support department might all make
calls showing the tech support helpline number, the sales team the sales number
and so on.)

What is changing?

Under the pre-October regime, providers were merely required
to provide facilities by which the telephone number of a calling party is
presented to the called party prior to the call being established.

Under the new regime, the CLI obligations have been
broadened, to assist with the identification of callers, and to reduce the
number of nuisance calls.

CLI facilities free of charge and by default

First, providers must provide CLI facilities, enabled by
default, and without separate charge for ‘standard’ CLI facilities. Where CLI
facilities are not available on any given service, the provider has to inform
the subscribers of that service that that’s the case.

A subscriber should thus be given, free of charge, the
information needed to work out whether or not they want to answer a call.

But that information is no good unless it is reliable and,
technically, it is easy to get access to a service which allows you to make
calls and show them as coming from whatever number you like. And, while this
can be convenient, there is a clear potential for misuse.

Because of this, Ofcom has introduced a number of
requirements on operators to attempt to mitigate the risk of misuse.

Higher-quality CLI

In addition to the requirement to provide CLI facilities to
subscribers, there is a parallel obligation that requires providers to ensure
that, so far as technically feasible, any CLI data provided with and/or
associated with a call includes a valid, diallable telephone number which
uniquely identifies the caller.

The General Conditions do not define what constitutes ‘valid’,
‘diallable’, or ‘which uniquely identifies the caller’ and, on first glance,
these terms appear problematic — after all, many businesses want their outgoing
calls to display their switchboard number, rather than the extension of an
individual user.

Fortunately, alongside the new General Conditions, Ofcom has
published revised ‘Guidance on the provision of Calling Line Identification
facilities and other related services’. According to this new Guidance:

  • A ‘valid’ number is one which complies with the
    International public telecommunication numbering plan. Where a UK number is
    used, it must be a number that is designated as a ‘Telephone Number available
    for Allocation’ in the National Telephone Numbering Plan and be shown as
    allocated in the National Numbering Scheme.
  • A ‘dialable’ number (oddly, Ofcom spells ‘diallable’ as ‘dialable’
    in the Guidance…) must be one that is in service and can be used to make a
    return or subsequent call.

It is not clear to me how an operator is supposed to tell
whether any given number is ‘in service’, so we will have to see how this
particular limb of the requirement pans out. I suspect that if an operator
checked the number was allocated to a provider by Ofcom, this might be
sufficient, but since this appears to duplicate the definition of ‘valid’,
we’ll have to wait and see.

Ofcom has clarified that a number which ‘uniquely identifies
the caller’ can be a number relating to an individual or an organisation, so
permitting an organisation to present its (own) switchboard or other valid
diallable number on its outbound calls. The test of unique identification,
strangely enough, is not really based on uniqueness — it is simply that the
number is one ‘which the user has authority to use, either because it is a
number which has been allocated to the user or because the user has been given
permission (either directly or indirectly) to use the number by a third party
who has been allocated that number’.

According to the Guidance, the provider which first handles
a call (eg Vodafone, if you make a call and Vodafone is your provider) has to
ensure that the correct network number is generated when you make a call, and
also that the presentation number is either from a number range that has been
allocated to you, or else be assured that you are using a CLI that you have
permission to use.

Most responsible providers already have controls in place
around presentation numbers, and take reasonable steps to check that users can make
calls only from numbers which they have permission to use, so this should not
cause too much additional effort, but providers might want to check that they
have documented evidence of authority, if the numbers in question are not ones
which they have allocated to the customer.

Attempting to stop invalid and non-diallable CLI

Recognising the particular irritation associated with
spoofed or undiallable CLI, Ofcom now requires that, ‘where technically
feasible’, a regulated provider must take all reasonable steps to (a) ‘identify
calls in relation to which invalid or non-diallable CLI Data is provided’, and
(b) prevent such identified calls from being connected.

Ofcom does not specify how this identification should take
place, or how connection of the calls should be prevented. This is intentional
– to allow different solutions and approaches – but the lack of specificity may
also cause concern and confusion as to whether a provider’s chosen implementation
meets the requirement.

Ofcom’s guidance notes that ‘[c]alls can be stopped either
through blocking or filtering’, and that blocking stops the call from being
connected, while filtering redirects the call to a voicemail-like facility, so
that these calls are not immediately connected to the end-user. It also suggests
that providers could work with their upstream providers — the carriers who
transit calls into their network — to ensure contractually that the upstream
provider only passes on calls with the correct CLI.
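
An added illustration, not from Ofcom or from this article: one way a terminating provider might screen inbound calls for the ‘valid’ limb and then block or filter them. It assumes numbers arrive normalised to E.164; the function names and the sample 1632 960/961 scheme entries are constructed, and the ‘dialable’ (in service) limb is not tested.

```python
import re
from enum import Enum

class Action(Enum):
    CONNECT = "connect"
    FILTER = "filter"  # divert to a voicemail-like facility
    BLOCK = "block"    # do not connect at all

# Shape check only: '+' then up to 15 digits, no leading zero (ITU-T E.164).
E164 = re.compile(r"\+[1-9]\d{1,14}")

# Constructed stand-in for a National Numbering Scheme extract:
# UK prefix (digits after +44) -> shown as allocated? Not real allocation data.
SAMPLE_SCHEME = {"1632960": True, "1632961": False}

def uk_allocated(cli, scheme):
    """Longest-prefix match of a +44 number against the scheme extract."""
    national = cli[3:]
    for length in range(len(national), 0, -1):
        status = scheme.get(national[:length])
        if status is not None:
            return status
    return False  # falls in no range listed in the extract

def is_valid_cli(cli, scheme=SAMPLE_SCHEME):
    """'Valid' limb only; whether a number is in service is not tested."""
    if not cli or not E164.fullmatch(cli):
        return False
    if cli.startswith("+44"):
        return uk_allocated(cli, scheme)
    return True  # non-UK: only the numbering-plan shape is checked

def screen_call(network, presentation, on_invalid=Action.BLOCK,
                scheme=SAMPLE_SCHEME):
    """Return (Action, reason) for one inbound call's CLI data."""
    for label, number in (("network", network), ("presentation", presentation)):
        if not is_valid_cli(number, scheme):
            return on_invalid, f"invalid {label} number"
    return Action.CONNECT, "CLI valid"

if __name__ == "__main__":
    # Constructed sample calls: (network number, presentation number).
    calls = [("+441632960123", "+441632960000"),
             ("+441632960123", "+441632961000"),
             ("+12025550123", "+0123")]
    for net, pres in calls:
        print(net, pres, screen_call(net, pres, on_invalid=Action.FILTER))
```

The `on_invalid` parameter carries the blocking-versus-filtering choice that the guidance leaves to the provider.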

What does this mean?

It would be unduly optimistic to think that we are no longer
going to get scam calls or that the abuse of CLI will end but, with some luck,
the new rules will help clean up some of the poorer practices around CLI.

Because providers are required to take action against traffic with
invalid and non-diallable CLI where technically feasible, they have a
clear legal basis for interfering with traffic, which may mean fewer unwanted
calls come through. Similarly, enhanced obligations about validating CLI may —
fingers crossed — help Ofcom and other regulators investigate and enforce
against misuse of communications services.

Neil Brown runs decoded:Legal, a telecoms, technology and
Internet law firm.

*The link is to a version published by Ofcom but described
as an unofficial consolidated version.