This webpage - http://www.numbergroup.com/products-services/ivr/cli - suggests that "a licensed telecommunications carrier supplying over 3000 businesses with telephone numbers" is ready to act in breach of its duties under the PECR.

(Follow the path from the home page through NUMBERS AND SERVICES>CALL FEATURES>CLI FRAUD PREVENTION.)

Numberstore claims Quote:

The suggested rules governing use of this data ("Legal Criteria") are fictitious. They do not exist for the simple reason that there is no provision which allows withheld CLI to be revealed, other than to designated public bodies investigating malicious or nuisance calls received on the line. (A similar provision applies to 999 calls.)

DIY "fraud prevention" is not a valid reason for the setting aside of an individual's right to privacy in this respect.

---

The relevant documents are as follows:

http://stakeholders.ofcom.org.uk/telecoms/policy/calling-line-id/caller-line-id/.
11.3 explains how PECR 13 applies to terminating operators.
8.3 covers the exemption

http://www.legislation.gov.uk/uksi/2003/2426/regulation/13/made
The regulation allegedly being breached by Numberstore.

http://www.legislation.gov.uk/uksi/2003/2426/regulation/15/made
The provision wrongly being used to suggest that there is an exemption to cover "Call Centre Fraud".
(Both the ICO and Ofcom have previously ruled that the person called is not "a person with a legitimate interest".)

http://www.legislation.gov.uk/ukpga/2000/23/section/22
This clarifies the position regarding how "communications data" may be used for the purpose of preventing or detecting crime.

A potential victim is not a "designated person". They are defined (in §25(2))as being "the individuals holding such offices, ranks or positions with relevant public authorities as are prescribed for the purposes of this subsection by an order made by the Secretary of State".

---

I have attempted to get Ofcom and the ICO interested in this matter, by telephone. In both cases representatives viewed the page referred to, expressed concern, but confirmed that despite them having seen this information they would do nothing about it.

In both cases when it comes to investigations and enforcement, they are reluctant to act in the public interest, as they are required to do. They find it more convenient (as it surely is) to operate as a "consumer complaints service", judging the public interest by the weight of complaints received on a particular matter, rather than by a balanced assessment of the issues.

For this sad reason, I must invite all those with concerns about this issue to raise them in written complaints (possibly by email or web-form) to the respective regulators.

I would be delighted if many draw attention to the extent to which public faith in the respective privacy regulations, and those charged with enforcing them, is undermined on reading information such as that quoted above. There is no reason to assume that anyone we call is not a customer of Numberstore, or indeed any other telco which offers the same facility.

It is important to understand that the only legal limitation on use of data revealed by Numberstore is that which may be contained in contracts between Numberstore and its customers. There are no statutory rules (that I am aware of) covering the use of withheld CLI data that has been revealed - for the simple reason that there should be no such data.

---

The ICO has enforcement powers in relation to the provisions of the PECR.
Ofcom is responsible for all general regulation of telecoms providers and has published the relevant Guidelines.

Because there is a high degree of cross-over between the two, they published this (undated) Letter of Understanding a few years ago. Although it was focussed on a slightly different area, I believe that the spirit of co-operation should apply equally to this matter also.

Please nobody ask me which of the two they should complain to - I hope the answer is obvious.

(My nickname may give a clue as to how I have to come to learn quite a bit about these matters.)

There is no 'easy' contact into BT. If normal customer services can't/won't help you you can't do a lot other than raise a complaint over the phone, or in an email to BT.

Openreach/Wholesale/Global Service etc will *not* deal with you if your just a normal domestic customer.

As for the guts of whats being discussed here - SS7 is your friend (and in turn wiki/google is your friend)

141 sets a flag that says 'I'd like you to please ask the final endpoint not to display the CLI to the end user' either way the CLI is sent and its down to the recieving hardware to honour the flag.

With an SS7 connection to the phone network the world is your oyster - there is lots you can do/get - How do you think you can get 'invalid' CLI from some odd endpoints (Like calling card co's still sending 0171 etc)

I don't know anything about the commercial side of address data and phone numbers, but I know its not the same thing as the emergency services use to access subscriber data.