Regular readers of Commsrisk will appreciate how the topic of nuisance calls gets increasing attention as countries like the USA attempt (and fail) to implement controls that are supposed to reduce them. A lot of confusing verbiage is spun about how to deal with the issue, but all proposed mitigations essentially belong to one of three categories.
- Trace and prosecute. If somebody receives a bad call, determine where it came from and punish the source and/or the intermediaries who carried the call.
- Attempt to authenticate before warning or blocking. Apply some control designed to confirm if the source is genuine or trustworthy. If authentication fails, warn the recipient as they receive the call or block the call on the recipient’s behalf.
- Analyze the likelihood of a call being bad before warning or blocking. Implement automated data analysis which estimates the chances of each call being bad, perhaps by applying heuristics (such as many short-duration calls originating from a specific range of numbers) or artificial intelligence. Warn the recipient or block the call on the recipient’s behalf according to the evaluation score produced and the thresholds chosen for each kind of automated response.
The first method is desirable but delivers inadequate deterrence unless sufficient resources are put into investigating the origin of bad calls and securing a meaningful punishment for those responsible. The second method tends to be presented as a theoretical panacea by people with a naive understanding of technology and its limitations, but responsible engineers appreciate the risk that good calls would likely be disrupted because of the many reasons that authentication could fail in practice. Most hope is now riding on the third method, which can never promise to be perfect, but which could potentially deliver results with a tolerable degree of error if a sufficiently powerful analytics engine was fed with enough high-quality data. Optimism about this third method is bolstered by the belief that improvements in artificial intelligence are accelerating exponentially, and that national regulators will become more tolerant of false positives generated by automated analysis to compensate for the limitations of the alternative methods. But what if the data fed into the analytics engine represents a violation of an individual’s rights under data protection law? That is the question now being posed by noyb, the European privacy activist group responsible for some of the most famous legal victories in the history of data protection.
A complaint filed by noyb with the Belgian data protection authority, the Autorité de protection des données (APD), objects to US business Telesign calculating a reputation score for phone numbers based on data supplied by wholesale comms carrier BICS without the consent of the phone users associated with those numbers. Belgian comms provider Proximus, the parent company of BICS, is also cited in the action.
Vu la part de marché de BICS, il semble même que TeleSign a collecté les données de plus de la moitié des utilisateurs du globe, ce qui génère un revenu considérable, sans base légale et sans les en informer. TeleSign utilise en outre un algorithme pour adopter automatiquement un score sur la base duquel l’accès aux services de ses clients peut être refusé. Il s’agit donc de décisions automatisées illégales au sens du RGPD. Enfin, TeleSign étant soumis aux lois de surveillance américaines, le traitement de ces données est contraire aux règles relatives aux transferts de données édictées par le RGPD, et aux arrêts Schrems I et Schrems II de la Cour de justice.
Outre le traitement illégal mis en œuvre par TeleSign, cette plainte concerne également l’absence de réponse à la demande d’accès introduite par deux plaignants auprès de Proximus. Cette plainte concerne également le détournement de finalités des données traitées par BICS, qui partage ses données pour des finalités qui sont interdites à la fois par le RGPD mais également par la loi sur les communications électroniques. La plainte soulève également l’illégalité du transfert de données opéré par BICS vers TeleSign aux Etats-Unis, transfert organisé et encadré par un contrat entre les deux sociétés et qui prévoit l’envoi systématique et massif des données de communications par BICS vers TeleSign.
Given BICS’ market share, it would appear that TeleSign has collected data from more than half of the world’s users, generating considerable revenue without any legal basis and without informing users. TeleSign also uses an algorithm to automatically adopt a score on the basis of which access to its customers’ services can be refused. These are therefore unlawful automated decisions within the meaning of the GDPR. Lastly, as TeleSign is subject to US surveillance laws, the processing of this data is contrary to the rules on data transfers laid down by the GDPR, and to the Schrems I and Schrems II judgments of the Court of Justice.
In addition to the unlawful processing carried out by TeleSign, this complaint also concerns the failure to respond to the request for access made by two complainants to Proximus. The complaint also concerns the misuse of the data processed by BICS, which shares its data for purposes that are prohibited both by the GDPR and by the Electronic Communications Act. The complaint also raises the illegality of the transfer of data by BICS to TeleSign in the United States, a transfer organised and governed by a contract between the two companies and which provides for the systematic and massive sending of communications data by BICS to TeleSign.
Referring to the Schrems I and Schrems II judgments helps to illustrate the seriousness of the threat to Telesign’s business, and to any other US business that collects comms data in order to assess the risk associated with a phone number. Max Schrems is the noyb activist whose legal victory in Schrems I killed the EU-US ‘Safe Harbor’ agreement that covered transfers of personal data about EU citizens to the USA. The rulers of the EU and the USA decided to ignore Schrems I by simply resurrecting the same data transfer agreement with the new brand name of ‘Privacy Shield’, leading to them being defeated again in Schrems II. Put simply, the European Commission was shown to be incapable of legally reaching either agreement because US laws compel US entities to behave in ways that violate the EU’s data protection laws. So even if there are some cases of cross-border transfers of data about the use of phone numbers that would be permitted by EU law, noyb can put forward especially strong arguments against the transfer of data to US businesses like Telesign.
The defense of the supply of data by BICS to Telesign will likely rely upon the exemption in GDPR when personal data is used to tackle fraud and other crimes. This has been anticipated by noyb.
Cependant, si la lutte contre la fraude est une finalité autorisée par la loi pour l’utilisation des données de communications électroniques par les opérateurs, TeleSign n’est pas supposée recevoir ou utiliser lesdites données de communications électroniques, même à des fins de prévention de fraude, comme cela est développé dans la présente plainte. Dans tous les cas, il est plus que douteux que l’utilisation desdites données par TeleSign reflète un tel objectif de détection de la fraude qui réponde au prescrit de la loi. Le service d’inspection de l’APD que ne manquera pas d’éclairer les plaignants sur ces traitements de données, dont l’existence aurait encore été un secret sans les révélations d’une presse bien informée.
However, if fraud detection is a legally permissible purpose for the use of electronic communications data by operators, TeleSign is not supposed to receive or use such electronic communications data, even for fraud prevention purposes, as discussed in this complaint. In any event, it is more than doubtful that TeleSign’s use of such data reflects any fraud detection purpose that meets the statutory requirement. The DPA’s inspection department will not fail to enlighten the complainants about this data processing, the existence of which would still have been a secret had it not been for the revelations of a well-informed press.
Activists used subject access requests to obtain information about how their phone numbers had been evaluated by Telesign. This confirmed that Telesign’s scoring system is based on straightforward parameters used in most heuristic decision-making about whether to accept or reject a call, such as the volume of calls with the same A-number and the typical duration of those calls.
It was obvious that noyb’s arguments were correct in Schrems I and Schrems II, despite many years of resistance. Their victory was especially remarkable because they had to overcome lawyers who did not just represent corporate interests, but also lawyers who worked for obstructionist data protection authorities that tried to spare the blushes of arrogant technocrats at the European Commission. However, noyb’s arguments were strong and sound, so when they eventually reached the judges at the Court of Justice of the European Union, the EU’s top court, those judges ruled surprisingly quickly in noyb’s favor. The only way noyb would have been defeated in those cases is if their resources had been exhausted by the lawyers and officials that lined up against them. The stubborn pursuit of victory in those cases showed noyb is a force to be reckoned to be with. However, I offer no opinion on who will win this new case, because the merits of the arguments are so evenly balanced. Here are some of the key issues that are not mentioned in noyb’s complaint but which may influence who wins.
- Is it personal data? Laws about personal data do not apply if the data is not actually personal data. There is some history of phone numbers being treated as personal data belonging to the relevant phone user, but such an interpretation could change over time if material circumstances evolve. Specifically, a very large proportion of fraudulent calls are associated with spoofed phone numbers. When a number is spoofed, it becomes debatable whether information about the use of the number really does fit the definition of personal data any more.
- Ignoring data may not be the best way to defend a reputation. Suppose a fraudster makes a million calls where the CLI presented to the recipient matches my home number. Even if a few of my actual calls were captured in the same stream of data supplied to a business like Telesign, it becomes difficult to argue that all of this data is about me, or that it belongs to me. I did not create it. It does not reflect anything about me. It perhaps has the character of somebody coincidentally using my name when referring to a fictional character, without that character having anything else in common with me. In such circumstances, there becomes a strong argument that I should be protected from the erroneous assumption that the spoofed and refiled calls had anything to do with me, just as I might be protected from accidental reputation harm if my name was linked to a fictional character that did despicable things and which had other attributes which could encourage people to believe the character is based upon me.
- Political pressure and how to interpret an exemption. Exemptions exist in GDPR because there are times when rules designed to limit the use of personal data need to be overridden. A tidal wave of consumer anguish about scam and spam calls will encourage political support for exemptions for any anti-fraud control that promises to reduce consumer harm and annoyance, even if those exemptions were previously applied in a much more limited fashion. This might be accomplished through a procedure that does not involve the changing of the literal wording of any rules but does admit the need to change how the rules are interpreted. Failing that, the rules themselves could be rewritten, with the result that noyb secures a short-lived technical victory which is immediately reversed because politicians believe there will be popular support for a change to the law.
In the meantime, one unfortunate side effect of noyb’s complaint is that communications businesses which profit from wrongdoing have another excuse for refusing to share anti-fraud data. It is legitimate for noyb to raise their concerns about phone data being fed into algorithms that will ultimately decide whose calls are received, and whose are rejected. The issues are so finely balanced that this is a rare instance where I offer no opinion about who is right. This is a situation where we genuinely do need politicians to weigh in, on the basis that elected officials are uniquely placed to represent the will of the people.