The recent “incident” at the ARRL in which it disclosed that it was the “victim of a sophisticated network attack by a malicious international cyber group” brings into focus some serious questions around our community in relation to identity and privacy.
Let’s start with your callsign. Right now in Australia you can use the official register to look for VK6FLAB. When you do, you’ll discover that it’s “Assigned to Foundation”. That’s it. No mention of who holds it, where it’s registered or how to contact the holder, none of that.
In the case of my callsign, because I haven’t surrendered my apparently now legally useless license, you can still search the previous system, the Register of Radiocommunications Licenses and discover that it’s held by me, but as soon as it expires, that record will vanish and the relationship between me and my callsign will be lost to the public.
Also, there are no dates associated with any of this. You cannot use the current or previous system to discover if I held my callsign in November 2010 or not. In case you’re wondering, no, I didn’t, I was licensed a month later. Right now if you look for VK6EEN on QRZ.com, you’ll see that it’s linked to CT1EEN, but when was that information last updated? I know for a fact that I became the holder in November 2020. It appears that Sam CT1EEN used it around the turn of the century, about 24 years ago, but precisely when and for how long, is unclear.
So, from a public disclosure perspective, the links between me and my callsigns are tenuous at best.
Before I continue, I will point out that this is not unusual. For example, you can see the number plate on my car as I drive down the street, but most people don’t have the ability to link it to me.
Similarly, Ofcom in the United Kingdom released a list of allocated amateur callsigns after a freedom of information request. It’s unclear if this information is updated, or if it requires a new request each time. Like Australia, the dataset contains the callsign, the type of license and when the record was last updated. Nothing else.
In contrast, the United States has a full license search that returns name, address, issue and expiry dates. Japan offers both a search tool and downloads. Interestingly you can see if a callsign was previously licensed and when, but not by whom.
No doubt each country has their own interpretation in relation to how this is handled and as was the case in Australia, this is ever changing.
This leaves us with an interesting phenomenon.
We use callsigns on-air to identify ourselves, but the relationship between the callsign and our identity, let alone when, is not guaranteed for a significant proportion of the amateur community.
So, how does this relate to the ARRL incident?
Radio amateurs like to make contacts with each other and collect those contacts like you might collect stickers or postage stamps. For decades we’ve used QSL cards, essentially a postcard sent from one amateur to another to confirm a contact. When you collect enough cards, you can apply for an award, like the DXCC, showing that you made contact with one hundred different so-called DX entities.
In the era of computing, some organisations, like the ARRL, came up with the idea of using the internet to exchange these contacts instead of using a postcard. This reduced delays and was presented as a system to make the process more secure by requiring that people electronically sign their contacts, but could only do so after identifying themselves using traditional means, like providing copies of their license, their passport, etc. The ARRL called it Logbook of the World, or LoTW, and it was adopted by the amateur community around the globe.
While the ARRL continues to state that it only holds public information on its member database, it has made no such assurances about the LoTW system. There is personal and private information that the ARRL has and there is no indication at all what happened to it.
Other systems such as QRZ, eQSL, Clublog and Hamlog offer similar systems with various levels of authentication and verification. A new player, HQSL, is confusing the issue by offering cryptographically signed QSL cards, boasting that their system is decentralised and not restricted to any single service, but immediately requires that you sign-up with Hamlog to get going.
So, we have several organisations offering electronic logging, contact confirmation and security which claim to guarantee that this callsign contacted that callsign at a time and date, on a band, using a mode.
One problem.
None of this is real.
For starters, there is no guarantee that the station operating VK6FLAB was me. There is also no record guaranteeing that I’m the holder of VK6FLAB, or any proof that I am who I say I am. There is also no guarantee that the person confirming a contact between VK6FLAB and you is me. So, we’re creating a phantom secure system that’s attempting to fix the wrong problem.
In golf, when you start playing for rankings, rather than a round at the 19th hole, the process used to verify your score is dependent on peer review. You cannot mark your own score-card, someone else does.
In amateur radio we’ve built this electronic house of cards to track whom we’ve talked to and when, but it’s a mirage when looked at closely.
While a DXCC award is worth nothing more than a personal achievement, we cannot go on pretending that identity verification services like LoTW are real, nor can we continue to accept that organisations like the ARRL should demand and store valuable identity information.
I’m Onno VK6FLAB
I’m in and having my callsign permanently linked to my name and address makes me quite uncomfortable in the era of the internet tbh
It’s likely why many regulators are moving away from publishing that data.