My article on “How the Telecoms Industry Legitimizes Theft” has provoked quite a reaction. Unsurprisingly, some came from businesses that use the customer data which resides in Home Location Registers (HLRs). There was also a lot of sympathy for my arguments from other quarters. Some readers want increased transparency in the realm of HLR dipping, or at least a clarification of which privacy rules apply and when they will be enforced. Given the response to the previous article, I am now going to take a big risk. There have been many threats to sue Commsrisk over the years, none of which I took seriously. On the other hand, I am conscious that libel laws can still apply even when you write the truth. In this instance, you may have already noticed the name of a US company with a market capitalization of USD18.5bn and annual revenues of USD4bn. If Commsrisk suddenly goes dark then this article might have something to do with it.
Regular readers hardly need reminding about the reasons for my opposition to STIR/SHAKEN. It was touted as a way to protect consumers from crime when the real motivation had far more to do with the way businesses generate profit. I predicted that the use of STIR/SHAKEN in the USA would be an expensive distraction from better, cheaper ways to reduce a broader range of crimes. That has proven to be true, although I admit that the Rich Call Data extension of STIR/SHAKEN will likely be a cost-effective way to increase telemarketing, especially for those big US businesses that rely heavily on offshored call centers. That is the real reason that they care about the international governance of CLI validation. They want a form of validation that enables more international telemarketing traffic, whether from an offshored call center to an American consumer, or from a big US business to a foreign market. They are not, as I heard one CEO comically pretend, ‘doing it for charity’. Some Americans find it controversial when I argue there are big US businesses that prioritize profits and shareholder returns whilst pretending to serve the public good. Other Americans have more open minds. And there are other nationalities which tend to share my skepticism. Those latter groups may not be surprised that there are US corporations with an interest in STIR/SHAKEN that also have an interest in HLR dipping.
Regular readers will be familiar with Neustar, one of the companies behind STIR/SHAKEN. Jon Peterson, the leading architect of STIR, did all his work on the technology as their employee. Neustar was acquired by TransUnion for USD3.1bn just a few months after STIR/SHAKEN became mandatory in the USA. This provides a useful indication as to the exploitable value of knowing things about phone users. As far as stock market analysts are concerned, Neustar is an “identity resolution company”, which is a fancy way of saying that they know who you are and they will help other companies find ways to sell things to you. They were a good fit for TransUnion. No less an authority than the US government’s Consumer Financial Protection Bureau (which may have just been killed by President Trump) says that TransUnion is one of three very special businesses in the landscape of who-knows-what-about-whom:
There are three big nationwide providers of consumer reports: Equifax, TransUnion, and Experian. Their reports contain information about your payment history, how much credit you have and use, and other inquiries and information.
So TransUnion handles extremely sensitive consumer data in a country with fluctuating ideas for how to protect consumers. The presumption is that TransUnion can be trusted to handle such sensitive data appropriately. Nobody would expect them to be involved in trading data that had been illicitly obtained. The word ‘trust’ is important to businesses like these, as was apparent when reading the press release describing TransUnion’s acquisition of Neustar.
Like TransUnion, Neustar has built its brand and reputation on fostering trusted connections between consumers and businesses to help them transact with greater confidence.
To be clear, TransUnion and Neustar care about fraud because scammers that impersonate companies are bad for business. They are not interested in all the other scams that do not involve impersonating government agencies and well-known brands, such as romance scams or cryptocurrency scams. And that is why allowing them to dominate decisions on how to protect the public from scams is so unhelpful. They conflate some imposter frauds with all imposter frauds, and the result is too much spending on systems and processes that tackle the frauds which matter to them, whilst not enough is done to tackle all the other frauds that hurt ordinary people.
Nevertheless, TransUnion wants you to trust them because they do some things which are genuinely relevant to tackling some frauds. That is not all they do. Per TransUnion’s website, they also…
…help ensure traffic is routed properly, improving cost efficiency and customer experience.
There is nothing wrong with that. Unsurprisingly, the terms Home Location Register or HLR do not appear on the TransUnion website. However, careful inspection of the website of their business partner, the GSMA, reveals TransUnion’s Pathfinder service offers the following.
High-quality data and breadth of coverage — Authoritative Database and Home Location Register sources that are in real time with this carrier-grade proven solution.
In other words, one of TransUnion’s services depends upon HLR queries. Do they have permission to execute these queries? They would need a lot of permission if the following claim about the service is accurate.
Tracks ownership details of 8.6 billion phone numbers across 250 countries and territories — so messages get to the right destination.
Err… tracking 8.6 billion phone numbers sounds a lot like tracking every phone in the world.
I suppose it is possible that lawyers have worked through the details and determined that they have all the consents required to obtain this data from very many sources spread across 250 different legal jurisdictions, or that some other rules mean they do not need explicit consent in every instance. Let me reiterate that point for the benefit of any libel lawyers that are reading this article: it is possible. I just know that I live on a planet when there have been two separate occasions when the European Union’s highest court has struck down long-standing agreements that supposedly allowed the transfer to the USA of personal data belonging to EU citizens, and there were no consequences because nobody enforced the law in the immediate aftermath of each decision. So I have no difficulty imagining circumstances where data protection law is systematically and repeatedly violated but nobody gets punished as a result.
TransUnion will likely have lawyers that insist there are valid reasons why they can access data without always needing consent. Many other businesses will likely make the same argument. But having a legitimate reason to access the data does not mean that all those businesses are respecting the law. In particular, if they can use the data for one purpose without prior consent, that does not mean the data, once obtained, can also be used for other purposes. Who is auditing all these businesses that obtain data from HLRs to ensure the data is only used in the way permitted by law, when no other consent has been granted? The answer is nobody. So it is pertinent to ask big responsible businesses to clarify how they abide by the law, especially as ‘the law’ is a misnomer, and we are actually talking about all the laws of all the countries in the world. Only a business like TransUnion can clarify how they control the flow of data within their own organization to prevent employees using the data for purposes that go beyond what is legally permissible in the absence of any prior consent.
The repeated and systematic violation of data protection law is not a figment of my fevered imagination. Nor is the observation that the USA suffers from fluctuating standards for protecting ordinary people from harm. Commsrisk reported on just such an example last week, because President Trump has trashed a surveillance oversight body that the European Commission kept saying was the reason they could trust US data protection laws to function just like EU data protection laws. Nobody has done anything differently since the President rendered this body inoperative, which demonstrates the difference between the letter of the law and how well it tends to be respected in practice.
When I worked as Director of Risk Management at Qatar Telecom, people would get very sniffy about the idea of Qatari data being processed somewhere other than Qatar. The question came up fairly often; Qatar is small and security-conscious but it also has an outward-looking government that wants to invest the country’s wealth in becoming technologically advanced. Some of these factors encourage a more relaxed attitude to transferring data; other factors discourage it. My stance on data transfers was not hardline. I thought a lot of the sniffiness expressed by my colleagues was naive. Some of them were only doing it for show. Computers get networked; data flows from place to place. It would be stultifying to never allow data to cross a border. There can be good reasons to compromise. I refer to this experience because I am not a hardliner, but I am a realist. People often say they care about transnational flows of data, but if you cite an inconvenient example those same people may choose to bury their heads in the sand. HLR queries would rank amongst the most inconvenient examples ever considered, if anyone chose to give them any consideration.
Surveys reveal many conflicts amongst American attitudes to data privacy. Pew Research found that 81 percent are concerned with how companies use the data they collect about them. Just 21 percent have confidence that the organizations which have access to their data will do what is right. But 56 percent admit they agree to privacy policies without reading them. The attitudes of a population with these kinds of views could swing wildly depending on how they perceive the choices made by corporations. TransUnion is a business that needs to be trusted to be profitable. For example, their branded calling product would be worthless if the public thought a scammer could use it to hijack a brand. It is less obvious how the public would react if they thought a company was monitoring them in order to protect them. Would that be perceived as beneficial? Or would only 21 percent trust the company to use the monitoring data appropriately?
I do not have all the answers. Regular readers will recognize this article has followed a pattern I use occasionally, just so I can learn from the responses they provide via social media and private correspondence. I liken this approach to throwing a rock at a bush to see what will scurry out. Maybe nothing will emerge. Or maybe I will awaken a ferocious beast that should have been left in peace. Nevertheless, I intend to persist because I learned so much from the responses to my previous article about HLR queries. If you wish to engage, please help me with the following questions.
- If your business queries HLRs, please advise how many operators are queried by your business, whether you sought consent from them all, and whether consent was sometimes denied.
- If you work for an operator with HLRs, do you believe they are ever queried illegally? If so, how often does this occur?
- If you work for a regulator, have you ever asked these questions? If yes, what answers did you get? If no, has somebody decided they were not worth asking?
Since the beginning of the century, there has been an appreciation that the technological and cultural dividing lines between communications, data processing, news, surveillance and crime have been dissolving. If you describe what a billion-dollar corporation does to a stock market investor then the explanation will be so abstract that it will not do justice to the full range of products and services supplied. But sometimes it only takes a scandal involving a part of a business to wipe out much of the company’s value because of the damage to the company’s reputation. Arthur Andersen collapsed in the wake of the Enron and Worldcom scandals, but there must have been many other audits they performed diligently. Volkswagen lost 30 percent of their value as a consequence of their Dieselgate scandal, although they were caught cheating tests for a US market where diesel cars represented only 1 percent of new car sales. According to some of the things that people tell me, a scandal involving illegal transfers of data from HLRs could be like watching a line of dominos falling.
I picked on TransUnion in this article for one simple reason. Even telco insiders with intimate knowledge of the practice will struggle to fully evaluate the legal and compliance risks surrounding HLR queries. I received contradictory responses to my previous article, further complicating the evaluation process. As a professional risk manager, I admit that I am struggling with this topic. However, it is always worth remembering one truth about risk: it is a severe mistake to infer the future will be like the past. Just because there were no negative consequences in the past does not mean there can be no negative consequences in the future; Volkswagen’s cars passed a lot of tests before their cheating was discovered. TransUnion appears to have a sophisticated approach to risk management, and they say “risk and compliance are top management priorities”. If they have concluded that HLR dipping is a low-risk activity, then I would be keen to understand how they reached that determination. And for the sake of the users of the 8.6 billion phone numbers that they are tracking, the answer is not just for me, but for everybody.



