InterCage, Inc. (NOT Atrivo)
justin at justinshore.com
Tue Sep 23 09:17:53 CDT 2008
Valdis.Kletnieks at vt.edu wrote:
> On Mon, 22 Sep 2008 17:00:35 CDT, Justin Shore said:
>> There may not be a law preventing you from asking him for proof of
>> legitimate customers, but there is a law preventing him from answering
>> you. Google for CPNI and "red flag".
> Hmm... I'm not sure how "Yes, XYZ is a customer of mine" qualifies as
> a "red flag" question for identity theft. I'm also not sure how "XYZ is
> a customer" qualifies as CPNI, which (according to the first few pages of
> Google hits) comprises things like calling/billing records.
> Nope. Doesn't seem like "xyz is a customer" qualifies there...
> Hmm... "xyz is a customer" doesn't seem to run afoul of that either.
> Feel free to enlighten me about what I missed here?
Given the unfortunate vagueness of the FCC on their directive,
consultants have interpreted CPNI differently and have given their
customers (SP and CS organizations) wildly varying instructions.
However every interpretation that I've been privy to extends far beyond
call records like many people believe CPNI is limited to. Our CPNI
consultants instructed us to not even reveal that Company X is a
customer (which is laughable given the size of the communities we serve,
but I digress). They did however tell us that we can trust all phone
numbers listed on an account both for instant information providing and
for callbacks. Cox's interpretation is that only the primary number
listed on the account is valid for callbacks and that the PIN is
required regardless (something our consultants told us was only required
if the caller couldn't be reached on a valid callback number).
Everybody has different instructions to work with.
To answer the question the list is asking, the SP isn't simply stating
that Company X is a customer of SP ABC. They are stating that Company X
is a customer and that they believe Company X is a valid, not malicious
customer in good standing. While that's not a call record that implies
certain things about Company X's relationship with the SP. They
essentially stating that they haven't received spam or other abuse
complaints regarding the customer. They're implying that they are a
customer in good standing. That could even be construed to imply that
their account is in good standing. That's more than just saying that
Company X is a customer of SP ABC. Our consultants advised us against
saying anything of the sort. Think of it like HIPAA for SPs.
It's splitting hairs but that's the unfortunate situation that CPNI has
put all of us in. Instead of a common sense response we get to deal
with the knee-jerk response from the FCC thanks chiefly to the Patty
More information about the NANOG