Focusing public attention on emerging privacy and civil liberties issues

ENUM

Top News

  • EPIC Files Comments on ENUM. In comments to the ENUM-Forum, EPIC advocated a framework of protections for enrollees and users of ENUM. ENUM is a developing technology that enables a user to store contact information that can be accessed by another person through the use of a single number. The system may facilitate spam and other unsolicited commercial messages. Additonally, Roger Clarke submitted ENUM - A Case Study in Social Irresponsibility to the ISOC-AU Forum. More information is available at Roger Clarke's ENUM Page. (Nov. 25)

Introduction

Electronic Numbering (ENUM) is a "protocol developed in the IEFT, RFC 2916, for fetching Universal Resource Identifiers (URIs) given an E.164 number."

More simply put, ENUM is a technology that enables a user to store contact information that can be accessed by another person through the use of one phone number. For instance, one could store a fax, voice, voicemail, e-mail, and home address all in a single ENUM Naming Authority Pointer (NAPTR). By using the ENUM, another person could access all the personal contact information contained within the NAPTR.

ENUM employs a open and public international database of contact information. The ENUM database can also include certain rules for contacting a person. For instance, an ENUM registrant could specify that calls after 6 PM should be routed to a cell phone or home phone line. However, a caller using ENUM can ignore these rules.

The Internet Protocol Journal has published a review of ENUM that explains its development, applications, and policy implications.

ENUM and Privacy

ENUM may become a widely-used technology to facilitate convenient communications. However, its privacy implications have not been adequately explored or addressed. For instance, ENUM is a globally-unique number (GUID). Because of the convenience of using a single number to contact another person, ENUM may be assigned to all humans at some point in the future.

ENUM may also become a tool of marketers, spammers, and individuals who wish to harass others. The ENUM database is public and can be searched by anyone. It is likely that marketers, spammers, and malicious actors will mine the database for personal contact information. Since there are no statutory protections in place regulating the use of ENUM contact information, marketers and spammers may use the contact information for junk mail, unsolicited commercial e-mail, and other forms of commercial solicitations. The system could facilitate an unprecedented amount of spam because programs could be designed to send solicitations to all of the registrant's communications devices.

The ENUM security and privacy task group has established a framework of Fair Information Practices (FIPs), however, the protections are largely illusory. For instance, the July 2002 unified ENUM working document asks registrants of service to assume the risk of privacy violations: "...[T]he ultimate form of privacy protection would be to opt-out and choose not to participate in ENUM...Simply put, an ENUM user chooses to load his or her telephone number into the ENUM Golden Tree."

Technically, individuals "opt-in" to having phone service, a fax machine, e-mail, or wireless cellular service. In choosing to use these technologies, individuals do not opt-in to telemarketing, junk faxing, spam, and location tracking. These are costs transferred to the individual by free riders who are taking advantage of technology and either the absence of or weak legal protections. Similarly, ENUM registrants should not have to risk misuse of their personal information, or be subjected to unsolicited commercial advertising.

The approach of the security and privacy task group also ignores quality of consent. That is, many future ENUM users may be required to have an account as a result of corporate policy. Additionally, as the ENUM service becomes more popular, ENUM may become necessary for participation in modern communications.

Privacy issues in ENUM need to be addressed by a systems of FIPs that provide users actual rights. These include:

  • Purpose specifications that detail the reason for which data from registrants is collected.
  • Use limitations that prevent personal information from being employed for unrelated, secondary purposes, such as profiling or spam.
  • Genuine consent provisions that allow the individual to choose whether or not to enroll, and choice over what data is included in the record.
  • Notice of all information collection associated with ENUM, including the information stored in the registrant's account and whatever network usage that is monitored on a personally-identifiable level.
  • Genuine control over unauthorized uses of personal information in the ENUM account.
  • Access to ENUM account and transaction information.
  • A right to withdraw from ENUM, and to have account and usage information expunged. If ENUM portability is fully achieved, the right to withdraw from ENUM becomes especially important.
  • Collection limitations that set a principle that information collection should be minimized. Wherever possible, individuals should be able to enroll in services anonymously or pseudoanonymously.
  • Protections against government or law enforcement acquisition of ENUM usage or account information without proper judicial oversight.
  • Accountability provisions that give individuals genuine recourse against individuals who misuse their information.

ENUM in the News

ENUM Resources