Monday, 11 July 2016

Junk calls, TPS and DPA

If you want to avoid marketing calls, the "right" way to do it is to register the number with the Telephone Preference Service (TPS). They have a web site where you can check the number and register. Simple enough...

There are, however, a few problems. I am looking at this as the new number I recently obtained (my old home phone number from 20 years ago) got another junk call. I checked, and it is no in the TPS.

Now, this should be simple, but it is not.

The TPS web site does not just want the number, which is all they actually require to maintain the register, they also want:-
  • Name
  • Full postal address
  • Email address
  • Agreement to their privacy and cookie policy
Well, half way through the web site filling in a form, it is a tad late to ask for agreement to the cookie policy, but what if I do not wish to agree? I cannot register.

As for the privacy policy - it looks rather iffy to me. Again, what if I don't agree?

First part of the privacy policy that seemed odd was "You should be aware that if you subsequently give any personal information to another company, the uses to the Telephone Preference Service privacy policy will no longer apply." I am not trying to be thick here, but they seem to say that if I give any personal information (at all?) to another company (any company?), then their privacy policy no longer applies. Well, of course I have given some personal information to some other companies! My employer for a start, and, well, loads of companies. Does that really stop the TPS privacy policy applying. Maybe I am misreading it. Seems a pointless policy if it stops applying so easily.

The other issue is they can give my personal information to other parties. They do say the uses are limited to "suppression purposes or to incorporate onto suppression software". So if the software wants email and postal addresses, it can be incorporated in to that software. That is one valid use of the data. The suppression software does not have the restriction on use (note the "or" in that statement). The TPS can also use for "research and statistical analysis".

It seems to me a great way for my phone number and postal address and email address to leak, and be given to the unscrupulous companies involved in direct marketing. That could mean I am actually giving my data to the very people I do not want calling me. Saying "unscrupulous" may seem harsh, and is my opinion, but is an opinion based on the fact we even need laws on this matter in the first place, that I get junk calls to TPS listed numbers all the time, and that the ICO have fined companies, so I feel it is not an unfounded assertion, at least for some of them.

I have now contacted OFCOM to add the number, and advised that they are not to store email or postal addresses or disclose that to third parties. If they want to validate my request they can call the number! We'll see what they say.

Interestingly, OFCOM themselves were promoting (on twitter) a text based TPS listing saying "Calling all mobile users...text ‘TPS’ & your email address to 85095 to reduce #nuisancecalls" so again asking people to provide email address when not needed to maintain the register.

I believe one of the Data Protection principles is you don't collect data you don't need. As my requests on twitter went unanswered, I have asked OFCOM to tell us more (FoI request). We'll see what they say.


  1. Were you aware the Google vs Vidal-Hall appeal has been cancelled? They've settled...

  2. My landline number has been registered with the TPS for at least ten years, and I still get several junk calls a day (most of them silent robo-calls). Totally ineffective.

    1. AIUI the prerecorded message spammers and silent robocallers are operating illegally anyway, and have no reason to comply with the TPS rules while flouting the others.

      What I would like to see is robust enforcement, particularly against "number withheld" abusers (perhaps with 'Brexit' removing the stupid EU requirement for number withheld to be available free, we could even get that fixed in time?) - like a shortcode to dial to report the last caller as an illegal telemarketer. The telco could then report that to ICO in aggregate, complete with the actual source number ("withheld" or not, the telco still has it and could release it for enforcement purposes) every month - hefty fines for the worst offenders each month.

  3. Sure, I'd give them my email address, or at least an alias: It would be almost interesting to see what arrived there.

    If you set up an alias for each organisation you deal with, it soon becomes clear what gets leaked to spammers. And a few dummy aliases act as canaries in case one's own alias file gets compromised. A real benefit is that spam becomes really easy to spot: If gets a request to log in to my bank account, that's one thing, maybe. But if acme.widgets.nonce@my.domain gets the same email, that's another...

    1. I do this anyway - I have a whole domain for such.

  4. The TPS is fairly useless. When it first started there was a form that you could report violations to with a hope that something would be done.

    Now there's this blurb "we are not the body responsible for enforcement and we are unable to take enforcement action against companies complained about. Complaints handled by TPS and CTPS are included in a regular report sent to the Information Commissioner's Office (ICO) who are the body responsible for enforcement. This enables them to identify trends in complaints being made and supports their investigation when taking enforcement action deemed necessary by them."

    Which is a long winded way of saying 'nothing will happen'.

    So you're providing your contact details to the direct marketing association, who maintain the list but can't enforce it - and also want your email/address so they can make sure you get *lots* of marketing which is of course the entire purpose of the DMA.

  5. NOTE:

    If you don't want to provide your e-mail address, you do not have to, as it says:

    "If you are registering a residential number and do not wish to give your e-mail address, please call the registration line on 0845 070 0707."

    So residential numbers eg your home one need not give that information.

  6. When I signed up both my landline and mobile numbers at least ten years ago I don't recall having to provide an email and address. Of course I wasn't privacy aware in those days so it wouldn't have seemed significant if I had. Does anyone know whether it was compulsory back then? If not, how can they justify the need to collect this infornation for 'new customers only', as it were? If they can continue to maintain the database for everyone else's numbers it cannot be essential to have that information.

  7. Have to agree that the TPS as a body is useless. They seem to have made it their mission to write their own brief, such that they're not actually responsible for doing anything effective. With that done, they can sit back and shuffle figures, secure in the knowledge that they can't be held responsible for anything.

    I've started using A&A's incoming call filter for known junk callers. So far it seems to be effective, in that I haven't had such a call since I switched it on.

    Is there any way it could be set up so that, if one does receive a junk call one just hangs up and dials a short code (1472 or whatever) which then causes your systems to log the previous caller as a junk caller? Then when N of your customers have reported the same caller, they get added to your blacklist?

    1. The junk call filter was set up when a particular spate of calls was easily identifiable. But longer term we need a proper system, with global and per-customer database of CLIs consider junk, etc.

    2. If you were to set up facilities for storing lots of phone numbers on VoIP accounts for blocking, would you consider also providing a general purpose telephone directory for your VoIP customers? It would be great if we could store our phone number list in your system, so that numbers could be resolved by your systems in logs and call-recording emails, and you could provide a mechanism to download it in, say, SNOM and Gigaset formats. I guess if you didn't want to host that yourself, you could allow some link to a directory service which the customer hosted, and you queried to resolve numbers.

  8. The TPS is a scam in a way, anyone getting hold of that list can be sure the numbers are genuine so its more a of a list for the cold callers to call rather than avoid.