HomeTrust Frameworks › The Telcom Data Trust Framework

The Telcom Data Trust Framework

Background

The growth of electronic commerce is increasing the demand for reliable and high-quality identity verification as well as for solutions that help prevention of on-line fraud.   While telecom carriers individually already manage a great quantity of data that could be used for these purposes there has, to date, been no cross-carrier, industry-wide agreement on the standards or specifications of such services.  There is also great variation from country to country of the regulatory control over the telecom data necessary to implement such services.  Specifically, the regulatory limitation on telecom carriers within the U.S. is greater than that placed on even the financial service industry.

This lack of open standards, industry-certified best practices and industry-wide participation combined with out-of-date or ineffective regulation has created an environment in which only data brokers and aggregators can provide a modicum of services using older or poorer quality information that most parties agree is less than ideally suited for the purpose.    This situation results in poorer quality solutions that are insufficient for both the demands of current technology as well as for the protection of consumers.

The Working Group Charter is available for viewing (.pdf file).

An overview presentation of the Telecom Data Working Group and status is available for viewing (.pdf file).

Intent

The intent of the Telecom Data Trust Framework is to specify a consistent, provider-agnostic set of information exchange protocols and policies for the purpose of facilitating identity verification, digital identity management and fraud prevention.   Such information exchange protocols and policies, or “rules and tools”, would allow for access to necessary subscriber information without interfering in, risking, or devaluing the primary relationship between the subscriber and the Telecom Service Provider who is holding private subscriber data “in trust”.

At a minimum the Telecom Data Framework should:

  • Provide for an audit and certification process that ensures any entity with access to the specified services uses it only for the purposes allowed and accepts and follows the limitations placed on the data and services by either the carrier, the subscriber or the appropriate regulatory authority;
  • Provide a common, cross-carrier definition of key solutions that allow carriers and other telecom service providers to provide ID verification and fraud prevention services to support, encourage and protect legitimate commerce;
  • Provide for protection and control of subscriber information;

High-Level Overview

As noted in Diagram 1 below, parties who use this information to obtain or verify identity may include telecom data aggregators and identity service providers who are willing to comply with the rules, limitations and data protections specified in the Telecom Data Trust Framework.   Members of the Telecom DataWorking Group will supply these rules to the Open Identity Exchange (OIX) which can facilitate audits of members, utilizing independent “Trust Assessors” to ensure Working Group members and parties who rely on their services are abiding by the rules that are established. 


Diagram 1 – Telecom Data Trust Framework with contractual interactions among entities.

The components of such a framework must include:

  • A description of one or more service definitions that specify a means and protocol for communication, the data necessary to initiate the communication (the “question”) and the information returned (the “answer”)
  • Documentation of the “Levels of Protection” a given service must afford the identity provider
  • Documentation of the “Levels of Assurance” a given service provides the entity relying upon the service
  • Documentation of the “Levels of Control” afforded the party or entity about whom the communication references.

Telecom Data Trust Framework Components

Specifically, the trust framework related to telecom data should provide for the following components:

Policy Components or Interopts (Rules)

  • Definitions (subscriber, telecom service or data provider, assessors, ID reference providers, relying parties, etc.)
  • Permissible uses of subscriber or line data (for example, for fraud prevention and ID verification) and possible indexing to existing regulation sets
  • Data retention rules and policies
  • Audit elements and procedures
  • Certification requirements and service marketing restrictions
  • Stratification of information exchange protocols into appropriate NIST levels of  Assurance

Technical Components or Interopts (Tools)

  • Supported transactions and transaction standards including specification and definition of both a minimum “query” and “result”
  • Supported information exchange protocols (for example SS7 or XML)
  • Subscriber permissions and categories of permissions (for example, the framework might provide the means for a subscriber to opt-in to allow commercial transaction to be authorized, but perhaps not allow subscribers to opt-out of fraud prevention)