[ Standards Bulletin 2.01 -- April 28, 2003

[
[ Policy Updates and Analysis from the Internet Standards World
[ Provided by
[ The Center for Democracy & Technology's
[ Internet Standards, Technology, and Policy Project

Welcome to the Standards Bulletin, a publication of CDT's Internet Standards, Technology, & Policy Project. This series is intended to provide updates and analysis about public policy implications of the work of the organizations that design the technical standards on which the Internet is based.

This Bulletin provides an overview and analysis of the privacy and public policy issues raised by the "ENUM" protocol, developed by the Internet Engineering Task Force ("IETF") to bridge the gap between the traditional telephone system and the Internet. This Bulletin also provides a report on the 56th meeting of the IETF, which took place March 16 through 21, 2003.

1 - Standards Spotlight: ENUM and Voice Over the Internet Technology

ENUM, a technology protocol that may provide a critical tool in the more widespread adoption of "voice over the Internet" services, also poses risks to privacy. CDT's Standards, Technology & Policy Project is today issuing a report analyzing a range of privacy and other public policy concerns raised by the ENUM protocol. The report sets out detailed policy recommendations that should be followed by national governments and service providers in any implementation of ENUM.

Background on ENUM:

ENUM is a protocol that allows the translation of normal telephone numbers into a format that can be used to store and retrieve Internet addressing information, which can in turn be used to route communications over the Internet. With ENUM and "Voice over Internet Protocol" ("VoIP") technology, an increasingly amount of voice communications can be carried over the Internet instead of over the traditional telephone network. Initially, ENUM is likely to be deployed by corporations and other large institutions that seek to reduce their use of traditional telephone services (especially international and other long distance service). This technology has the potential to allow users -- corporations and individuals -- to save money and increase the choices they can exercise in their communications.

ENUM will facilitate the routing of telephone calls over the Internet in a manner that is seamless to the end users. To place a call with ENUM (using one possible implementation), (1) a person dials a standard phone number on a normal telephone (or on a telephone-like device connected to a computer), (2) the computer or telephone system uses ENUM to check if the called number can be reached over the Internet using VoIP technology, (3) if the number can be reached, a VoIP call is initiated, and (4) if the number cannot be reached over the Internet, the call is routed to the traditional telephone network.

ENUM is still in the development and testing stages. A number of nations around the world have initiated formal ENUM "test bed" implementations. The United States Department of Commerce has endorsed the U.S.'s participation in ENUM, and set out a series of guidelines to be met before formal tests or government-sanctioned implementations can proceed. Commercial ENUM deployment is likely to take place by the end of 2004.

Policy Issues Raised by ENUM:

ENUM's potential benefits also bring risks in terms of privacy and other public policy concerns. The simplest implementation of ENUM envisions that individuals' personal contact information (such as telephone numbers and e-mail addresses) will be stored in special records located in the Domain Name System (or DNS) of the global Internet. Because the DNS is publicly available, the placement of personal information in ENUM records in the DNS could compromise the privacy of its users, and could lead to additional spam and other problems.

However, a more complex use of ENUM (in conjunction with a device called a "proxy server" or "SIP server") offers the opportunity to gain the benefits of ENUM without sacrificing control over personal information. This approach would use the Session Initiation Protocol ("SIP"), or a similar protocol, to screen ENUM queries and only return contact information according to rules set by the party being contacted. To minimize the potential harmful effect of ENUM on privacy, it is vital that this second, more complex approach to ENUM be permitted and available in the marketplace.

Other important issues turn, for example, on (a) how much information individuals or companies will be required to provide in order to take advantage of ENUM, and (b) how much of that information will be revealed in a public database (similar to the "whois" database which reveals information about domain name holders). On this latter point, CDT believes that there is no need for a public whois-like database that would identify the user of an ENUM number. In a different vein, ENUM also raises a range of policy issues about how closely "ENUM numbers" should be tied to existing traditional telephone numbers.

One critical aspect of the global public policy issues surrounding ENUM is the fact that ENUM will, for the most part, be implemented within each country by the telephone authorities or companies that operate within that country. Thus, many critical decisions (for example, about how much information will be required to obtain an ENUM number) will be made on a country-by-country basis. It is critical that within each country, the relevant telephone authorities must closely consult with the public interest and civil society sector, the communications industry, and the computer industry.

Recommendations for ENUM Implementations:

To ensure that users can take advantage of ENUM without sacrificing privacy, any implementation of ENUM should follow a number of guidelines to ensure that there are a diversity of ENUM service providers and that those providers will be able to offer privacy-protecting ENUM options. CDT's report on ENUM details 14 specific policy recommendations. Among the specific recommendations are:

"ENUM: Mapping Telephone Numbers onto the Internet -- Potential Benefits With Public Policy Risks" is available at http://www.cdt.org/standards/enum/.

2 - Standards Update: Quick Dispatches on Standards & Policy

1. Presentation on Privacy Given to Plenary Session of the IETF. During the 56th meeting of the IETF in San Francisco in March, Matt Blaze of AT&T and John Morris of CDT gave a presentation entitled "On Considering Privacy in IETF Protocols" to a plenary meeting of 1000+ IETF attendees. The presentation discussed ways in which technical standards can affect privacy concerns, and asserted that the IETF's consideration of privacy should be more systematic and rigorous. Blaze and Morris will prepare and submit to the IETF a written "Internet-Draft" setting out some suggested privacy principles.

   The presentation "On Considering Privacy in IETF Protocols" is available at http://www.crypto.com/talks/ietf56-privacy.pdf. [pdf]

2. Anti-Spam Research Group ("ASRG") Holds First Meeting. During the March IETF meeting, a newly organized group of the Internet Research Task Force ("IRTF") met to consider technical ways to combat unsolicited commercial e-mail, or "spam." The IRTF is a research-oriented companion organization to the IETF, and usually focuses on broader technical issues without a mandate to produce an actual protocol. There was extraordinary media attendance at this IRTF meeting, reflecting the public awareness of the spam problem. John Morris of CDT gave a presentation on CDT's newly released report on the origins of spam.

   The charter of the Anti-Spam Research Group is available at http://www.irtf.org/charters/asrg.html.

   CDT's report on the origins of spam is available at http://www.cdt.org/speech/spam/030319spamreport.shtml.

3. IETF "Intellectual Property Rights" Working Group Has Final Meeting. The "IPR" working group met -- probably for the final time -- at the March IETF meeting, and as expected did not adopt any major changes to the "patent policy" of the IETF. The working group was chartered to clarify the IETF's IPR policy, which addresses whether patented technology can be used in IETF standards. A group of activists supporting "open source" software have urged the IETF to move beyond the clarifications and to undertake a shift in policy to ensure "royalty free" licensing for all IETF standards. The discussion of that possibility will likely continue within the IETF, but the clarifying work of the IPR group will conclude prior to the next meeting of the IETF.

   The issue of patents and standards was discussed in more detail in Standards Bulletin 1.03, http://www.cdt.org/standards/bulletin/1.03.shtml.

   The charter of the Intellectual Property Rights Working Group is available at http://www.ietf.org/html.charters/ipr-charter.html.

4. IETF Location Privacy Working Group Makes Progress. The "geopriv" working group, which is developing technology to protect the privacy of location information, made significant progress at the March IETF meeting. The working group has reached agreement on the basic requirements for the technology to protect the privacy of location information, and is now progressing to make final decisions on the specific elements of privacy that will be protected. The focus of the next meeting of the geopriv working group will be on defining the actual geopriv protocol itself. The work of the GEOPRIV working group was discussed in more detail in Standards Bulletin 1.01, http://www.cdt.org/standards/bulletin/1.01.shtml.

   The most recent submissions by the CDT Standards Project to the GEOPRIV working group are available at http://www.cdt.org/standards/.

CDT Standards Bulletin Subscription Information

To subscribe to CDT's Standards Bulletin list, send mail to standards-request@cdt.org. In the BODY of the message type "subscribe" without the quotes.

To unsubscribe from CDT's Standards Bulletin list, send mail to standards-request@cdt.org. In the BODY of the message type "unsubscribe" without the quotes.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/, and more information about Internet standards and public policy can be found at http://www.cdt.org/standards/.

This document may be redistributed freely in full or linked to http://www.cdt.org/standards/bulletin/2.01.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Standards Bulletin 2.01 Copyright 2003 Center for Democracy and Technology

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy