La
st month I discovered I’d lost my EHIC – European Health Insurance Card – whilst travelling through Manchester airport.
I don’t know what happened – I think it left behind whilst I was I replacing my belt, shoes, jacket, wallet, mobile phone and other pretty pathetic stuff the public have to endure in the name of security whilst traversing the third-world security system that UK airports employ instead of using x-ray and electronic sniffer technology like the rest of Europe.
Can you tell I write about security matters?
The EHIC, in case you were wondering, is a card identifier that `proves’ the owner is entitled to emergency and other (limited) healthcare treatment in European Union and EEA countries, as well as Switzerland.
The treatment can be free, but is usually allowed at a reduced cost, and – perhaps more importantly – covers the excess (aka deductible) that most travel insurance policies impose on the clients who have the temerity to actually claim on their policies.
So, armed with my UK credentials I called up the EHIC renewal/enquiry line on 0300-330-1350 – the 0300 code replaces the complex mix of 0845/0870 national codes for those organisations that have a national presence, but want to route calls to geographic centres.
0300 calls are – generally speaking – charged at standard national rates, so come out of your landline or mobile bucket of minutes, if you pay for such a service.
Like the 0330 national code, the 0300 code replaces the old 0845/0870 national non-geographic dialling codes here in the UK, which are being phased out by Ofcom, the UK communications regulator, because some cheeky monkeys were taking a rake-off/commission when people called the 0845/0870 numbers.
Can you tell I write about communications (as well?)
Being the security-conscious sort of guy I am, and mindful of the fact that the EHIC enquiry number warns punters calling it that their details will be shared with other government departments, I prefixed the call with 141 – the UK caller ID withheld request prefix.
This means that the recipient – or so I thought – did not receive my home ex-directory phone number.
After stepping through various IVR (interactive voice request) comments, the UK’s Department of Health computers identified me from the other many millions of people and read my details back. It then asked me if I wanted to allow the DoH to call me back on the number I called on, if `they’ had a query.
Hold on a minute – I did dial 141 in prefix to the call, didn’t I? Yes I did…
So I said `yes,’ at which stage the EHIC IVR system read back my ex-directory home phone number.
How is this possible?
I quickly wrote down a few notes and repeated the exercise for my better half on the second phone line into the house, which is with a different telephony carrier.
Despite dialling 141 – called ID withheld – before the 0300-330-1350 number, the same thing happened. My telcos were/are releasing my caller line identity data to the destination switch, despite the fact that I had explicitly requested my telco to withhold the number!
Incensed, I started making a few calls with seriously tech-head pals to discuss the issue. It transpires that, on modern telecoms systems the caller ID withheld flag no longer blocks the originator identifier at the source switch on the Caller ID 1 and II systems used in the UK and most of Europe since the 1990s.
What actually happens is that that the CLID Withhold flag (as it is known) traverses the telecoms network along with the other call data, to allow the network – and the distant switch, where appropriate – to tariff the call correctly.
In the case of the DoH’s telecoms supplier, this data is being interpreted and fed into the DoH’s computer network.
At first I thought this had to be wrong, so I made a journalist enquiry to Ofcom, the UK telecoms regulator, asking for its comments on the matter, and routed my request via the Ofcom press office.
Here’s what I received back about a month later:
“In some situations, callers, like yourself, will want to withhold their CLI when making calls. Communications providers must respect the privacy rights of consumers and adhere to the rules (General Condition 16.1 and Regulation 10-13 of the Privacy and Electronic Communications Regulations) subject to the exemptions that exist. Under PECR, the communications provider may override anything done to prevent the presentation of the identity of a calling line where necessary to investigate and trace malicious or nuisance calls and where calls are made to emergency services (calls to 999 or 112) allowing the emergency operator to see the caller’s number should the caller be unable to communicate with the operator. An important point to appreciate therefore, is that even if the caller does choose to withhold their CLI, it prevents the called party from seeing or finding out the CLI, but it doesn’t stop the phone company from having access to this information.”
“We have identified the communications provider who supply the EHIC service to the NHS. They have advised us that the automated system they have developed allows information to be captured over the phone. At the end of the process the caller is asked whether the number they are calling from may be used to contact them should further clarification be required (as a communications provider they have access to this information).”
“If the consumer says yes, they are deemed to have consented to their CLI being shared and therefore the number, along with the rest of the information captured, is sent to the NHS. If the consumer says no, then they are not considered to have given their consent and the CLI is not submitted to the NHS with the form. The service is applied regardless of whether the call terminates on a PSTN or a VoIP network.”
So there you have it – confirmation that CLID Withhold – which was designed to protect vulnerable people (maybe in a battered spouse’s home) and who do not want to give out their phone number – is about as much use a chocolate fireguard.
To say I am astonished is an understatement. I’ve been researching and writing about telecoms systems for more than three decades.
Yes, the UK telecoms network is a much more complex animal than it was back in the 1980s, with calls originating and terminating on non-circuit switched systems, most notably VoIP and cellular connections, but the fundamental rules of caller ID controls – which were enshrined to protect users against a Big Brother mentality – are clearly being flouted by the UK’s telephony providers.
+SG