InterCage, Inc. (NOT Atrivo)

Justin Shore justin at justinshore.com
Tue Sep 23 09:17:53 CDT 2008


Valdis.Kletnieks at vt.edu wrote:
> On Mon, 22 Sep 2008 17:00:35 CDT, Justin Shore said:
> 
>> There may not be a law preventing you from asking him for proof of 
>> legitimate customers, but there is a law preventing him from answering 
>> you.  Google for CPNI and "red flag".
> 
> Hmm... I'm not sure how "Yes, XYZ is a customer of mine" qualifies as
> a "red flag" question for identity theft.  I'm also not sure how "XYZ is
> a customer" qualifies as CPNI, which (according to the first few pages of
> Google hits) comprises things like calling/billing records.
> 
> Nope. Doesn't seem like "xyz is a customer" qualifies there...
> 
> Hmm... "xyz is a customer" doesn't seem to run afoul of that either.
> 
> Feel free to enlighten me about what I missed here?

Given the unfortunate vagueness of the FCC on their directive, 
consultants have interpreted CPNI differently and have given their 
customers (SP and CS organizations) wildly varying instructions. 
However every interpretation that I've been privy to extends far beyond 
call records like many people believe CPNI is limited to.  Our CPNI 
consultants instructed us to not even reveal that Company X is a 
customer (which is laughable given the size of the communities we serve, 
but I digress).  They did however tell us that we can trust all phone 
numbers listed on an account both for instant information providing and 
for callbacks.  Cox's interpretation is that only the primary number 
listed on the account is valid for callbacks and that the PIN is 
required regardless (something our consultants told us was only required 
if the caller couldn't be reached on a valid callback number). 
Everybody has different instructions to work with.

To answer the question the list is asking, the SP isn't simply stating 
that Company X is a customer of SP ABC.  They are stating that Company X 
is a customer and that they believe Company X is a valid, not malicious 
customer in good standing.  While that's not a call record that implies 
certain things about Company X's relationship with the SP.  They 
essentially stating that they haven't received spam or other abuse 
complaints regarding the customer.  They're implying that they are a 
customer in good standing.  That could even be construed to imply that 
their account is in good standing.  That's more than just saying that 
Company X is a customer of SP ABC.  Our consultants advised us against 
saying anything of the sort.  Think of it like HIPAA for SPs.

It's splitting hairs but that's the unfortunate situation that CPNI has 
put all of us in.  Instead of a common sense response we get to deal 
with the knee-jerk response from the FCC thanks chiefly to the Patty 
Dunn scandal.

Justin




More information about the NANOG mailing list