ARCHIVED - Telecom Decision CRTC 2002-42

This page has been archived on the Web

Information identified as archived on the Web is for reference, research or recordkeeping purposes. Archived Decisions, Notices and Orders (DNOs) remain in effect except to the extent they are amended or reversed by the Commission, a court, or the government. The text of archived information has not been altered or updated after the date of archiving. Changes to DNOs are published as “dashes” to the original DNO number. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us.

Telecom Decision CRTC 2002-42

Ottawa, 26 July 2002

Password-protected account transfers

Reference: 8698-C12-14/01

The Business Process Working Group of the CRTC Interconnection Steering Committee submitted a non-consensus report to the Commission seeking a decision on issues related to the transfer of password-protected accounts between local exchange carriers.

In this decision, the Commission finds that the unavailability of a password should not prevent the transfer where the customer has provided a signed letter of authorization or letter of agency (LOA). Accordingly, the Commission directs all local exchange carriers, in cases of invalid or missing passwords, to accept an LOA as proof of a customer's consent to transfer service.

The application

1.

The Commission received a non-consensus report on 18 January 2002 from the Business Process Working Group (BPWG) of the CRTC Interconnection Steering Committee seeking direction on the appropriate approach for transferring password-protected accounts between local exchange carriers (LECs), where passwords are invalid or missing.

Background

2.

Customers who subscribe to a telecommunications service are assigned an account number for identification, administration and billing purposes. The account contains such information as the subscriber's name, address, type of service provided, contact number(s) and the installation date. Account passwords are assigned upon request by a customer or when a customer contacts the serving LEC's business office to make a complaint arising from unauthorized access to account information or unauthorized changes to the customer's services. A password prevents unauthorized persons from accessing or making changes to a customer's account.

3.

Local competition for telecommunications services has resulted in the transfer of a large number of customers between LECs. The transfer process begins when the acquiring LEC sends a local service request (LSR) to the serving LEC. However, an LSR relating to a password-protected account is often rejected by the serving LEC due to a missing or invalid password. In light of the increasing number of rejections of LSRs by serving LECs due to missing or invalid passwords, the matter was put before the BPWG by Bell Canada for discussion at the group meeting on 15 September 1999.

4.

The participants in the BPWG (the parties) included Aliant Telecom Inc., AT&T Canada Telecom Services Company, Bell Canada, Bell Intrigna Inc. (now Bell West Inc.), Call-Net Enterprises Inc. (Call-Net), EastLink Telephone, E&O Consulting, Futureway Communications Inc., GT Group Telecom Services Corp. and TELUS Communications Inc.

5.

At the September meeting, the parties agreed on a Bell Canada proposal to address the issue on an interim basis in order to protect the customer's interests. Under the interim arrangement, the serving LEC would call the acquiring LEC to provide a password where it was missing from an LSR. The parties also agreed that the absence of a password would not be used as a reason to reject or delay an LSR.

6.

At the BPWG meeting of 18 January 2001, Bell Canada noted concerns with respect to the interim arrangement. Bell Canada noted that the interim arrangement had been documented only in the minutes of a BPWG meeting. Bell Canada urged the BPWG to document an industry policy with respect to account passwords in the Canadian Local Ordering Guidelines (C-LOG).

7.

Bell Canada also noted that it was impractical for a serving LEC to contact the acquiring LEC in cases where a password was missing or invalid due to short service intervals and the increasing reliance on electronic interfaces to handle large volumes of orders. As a result, Bell Canada submitted that it had unilaterally reverted to the practice of rejecting LSRs if a password was missing or invalid. Acquiring LECs were then required to resubmit an LSR that included the correct account password. The parties observed that this practice required extra time on the part of acquiring LECs to process customer requests to transfer service from a serving LEC, and that the process often had to be repeated before the customer could provide a valid password.

8.

In July 2001, Call-Net raised a concern with Bell Canada regarding the number of LSRs that Bell Canada rejected due to missing or invalid passwords. Call-Net noted that, by November 2001, with the increased volume of residential orders, the number of password-related LSR rejections had more than doubled in a relatively short period of time and represented approximately 20 percent of all LSR rejections. In addition, Call-Net noted its concern regarding the lack of a solution in situations where a customer forgets the password. Following discussions between Call-Net and Bell Canada and an industry review, the parties agreed, at the group meeting of 16 October 2001, to develop industry guidelines with respect to this issue.

9.

Bell Canada agreed to find a more acceptable solution regarding its business practices to deal with forgotten passwords while continuing to provide reasonable consumer safeguards. Bell Canada subsequently revised its LSR process for cases involving missing or invalid passwords, such that Bell Canada would accept as a substitute for a password, information such as a driver's licence number or credit card number that could be verified against information found in the customer's account.

10.

The parties representing competitive local exchange carriers argued that a letter of agency or letter of authorization (LOA), signed by the customer, should be sufficient to authorize the transfer of a customer's password-protected account, and further submitted that LOAs would obviate the need for a password. The parties representing incumbent local exchange carriers (ILECs) argued, however, that the industry needs to retain reasonable consumer safeguards to protect against serious incidents of unauthorized service changes.

11.

At the BPWG meeting of 18 January 2002, the parties were unable to reach consensus on an approach to transfer password-protected accounts from serving LECs to acquiring LECs. The parties approved a non-consensus report and referred this report to the Commission for consideration and a decision that would enable the BPWG to develop explicit guidelines and to implement work process changes.

12.

According to the BPWG non-consensus report, dated 18 January 2002, all BPWG participants agreed that an industry guideline on account passwords was required. However, some participants were of the view that an LSR should not be rejected on the basis of a missing or incorrect password.

13.

In an effort to provide as complete a record as possible to ensure a quick resolution of the issue, the parties solicited comments from the Public Interest Advocacy Centre (PIAC). PIAC's views were:

· Password account protection is an important feature for some customers, and should therefore be available upon request. Such protection should cover any changes to an account, including transfers to other service providers.

· An efficient process needs to be put in place to substitute for passwords where invalid or missing. PIAC objected to Bell Canada's approach of using credit card numbers, drivers licence numbers, or social insurance numbers, both because of privacy implications and because it would not necessarily stop unauthorized activity. The serving LEC should use a customer-defined question and answer, which is a common practice in electronic commerce to deal with the challenge of forgotten passwords.

· Password account protection should continue to be available only upon request by the customer, and should not become the norm. It is important that the process for authenticating LSRs be as streamlined as possible so as to minimize costs to the acquiring LEC.

Commission determination

14.

The Commission recognizes that password account protection is an important feature for customers who want to protect their accounts from unauthorized access or changes to the features of their existing service. Password protection also represents an effective tool against unauthorized transfers.

15.

At the same time, the unavailability of such a password should not prevent the transfer of a customer's password-protected account where an alternative means of authorization can be found. In this regard, the Commission does not find that it is in the public interest to adopt an alternative means of authorization that would rely on the customer to provide one or more details from his or her account. However, the Commission finds that a signed LOA is an effective alternative to the customer's provision of the account password. The Commission accordingly directs all ILECs, in cases of missing or invalid passwords, to accept a signed LOA as proof of customer consent for the transfer of password-protected accounts.

Secretary General

This document is available in alternative format upon request and may also be examined at the following Internet site: www.crtc.gc.ca

Date Modified: 2002-07-26

Date modified: