For many years the USA has had a 'CNAM' service (or Caller ID Name), allowing telecoms operators to show the name of the caller rather than a number.
There are obvious advantages to this: having "BT" show when they phone rather than 0800 800 150 would be much more useful. But it is also open to abuse. After all, would you trust a call appearing to be from your bank if the name appeared?
The method of powering this is known as a Reverse Lookup.
Today I stumbled upon a service called OpenCNAM which claims to offer this across the globe and, surprisingly, matched my mobile number to my name.
Now, since no-one else in the UK does this, I naturally wondered how they were doing so.
OpenCNAM are very cagey on where they get this data from, but I can guarantee that it is not as a result of specific consent, as I've never given it.
I ran around 100 numbers from my phone book through OpenCNAM and obtained 64 matches or partial matches (e.g. first name or surname only). Some of these were misspelled, which further supports the suggestion that this data is coming from 'grey' sources.
It is my view that providing this service in the UK would be unlawful, as confirmed by the ICO in their guide to the PECR and in a phone call with them earlier today:
Directory information should only be made available in line with subscribers’ wishes and expectations. Generating a name or address (or both) from a phone or fax number (reverse searching) has not traditionally been offered in the UK and is not what subscribers generally expect. So the Regulations prohibit reverse searching unless the subscriber has given their prior informed consent. This requirement was originally set out in the 1998 Code of Practice on Telecommunications Directory Information Covering the Fair Processing of Personal Data.
The idea of reverse searching may not be fully and generally understood, so additional specific consent must be obtained from subscribers agreeing to allow their information to be made available on this basis. It will not be enough for this consent to be combined with various other terms and conditions, which someone might agree to without fully appreciating the consequences.
I would also expect that legitimately using this data in the UK would be tricky, as you cannot verify the source of it, and my suspicion is that this data would not have been obtained in accordance with the 'specific consent' outlined above.
Ofcom and the ICO
Can, predictably, do nothing... This service is based in New York, USA, and offering Reverse DQ services there is legal and commonplace.
There is almost no way to find out how they're getting this data, but I have some ideas...
Should the UK have CNAM?
This raises another question: perhaps the UK should have an official CNAM service. I'd support this as long as it was appropriately run; however, with CLI so easily spoofed and abused as it is, it could easily be misused to give scammers more apparent credibility.
I always considered a phone number fairly public information; indeed, since about 1995 I've happily given numbers to anyone who asked for them (before the paranoia that seems to encompass online communities these days).
Most people do not consider that others could find them from just their number, but services such as OpenCNAM open up this possibility.
It seems now it's worth paying attention to who you give your number to.