The real problem is the lack of security and authentication on telephone networks, which enables number spoofing with virtually no chance of reprisal -- foreign callers (realistically out of the FCC's jurisdiction) use VoIP services to create calls that originate from an IP address from the telephone network's perspective, and the phone network makes no attempt to authenticate the metadata (like the phone number that is calling) before forwarding it on.
The 'neighborhood scam' is one which I am frequently subject to, and there is virtually nothing I can do about it (except block all the numbers with the same prefix as my own, but even this only covers the cases where they restrict their spoofed numbers to that small range).
Domestic callers like the one described in this article seem like a very small part of the problem, since they can be tracked and prosecuted. Foreign callers never pay the penalty with our current system, and I suspect they are more numerous based on the accents of most robocall operators I've gotten on the line.
What I don’t understand is why no major mobile carrier is offering a solution to this. It’s a pretty competitive market and this could be a big selling point.
When the isp wars were going strong, before broadband put everyone under the thumb of monopolists and also before gmail, spam filtering was a serious competative advantage.
Why can’t phone companies take an RBL like approach? If your VoIP service garners too many complaints because you are selling to robocallers then you don’t get to have calls delivered to e.g. ATT mobile customers anymore?
Are there legal or technical interconnection requirements that would make such a thing impossible?
2% monthly churn is not low. That annualizes to ~25% which is significant. The cost per acquisition of getting a new customer is actually quite high so their churn numbers definitely hurt them.
When there are only 4 carriers in the US, it doesn't really matter. AT&T will lose a customer to Sprint, Sprint loses one to T-Mobile, T-Mobile loses one to Verizon, and Verizon loses one to AT&T. No one is getting rid of their cell phones.
T-Mobile offers it as a free option with two levels: labeling the call as Scam Likely and blocking it outright. The latter is quite effective - I was getting 5+ calls per day and it’s now 1-2 per week.
The “Spam Likely” determination is fairly unreliable, IMO. They have labeled my doctors office “Scam Likely”, while many “Scam definitely” calls have not been labeled.
T-Mobile's handling of "Scam Likely" seems to be spotty at best, with quite a few false positives. Additionally, their 3rd party vendor seems to be wanting to audit businesses that are mis-identified: https://feedback.fosrvt.com/
I haven’t had a single false positive. I get 1-2 false negatives per week but haven’t found an iOS call blocker which had comparable or better accuracy.
That’ll probably require fixing the broken design of the telephone system.
Only for postpaid accounts. T-mobile treats its prepaid customers like garbage. They even refuse to register correct callerID info for numbers they assigned in violation of E911 requirements.
Blocking calls from certain VoIP services is almost certainly going to be a violation of common-carrier rules (which still apply to phone service no matter what happens with broadband).
At a technical level, spam filtering relies heavily on analyzing email text. Doing similar analysis on voice calls is way harder. Also, there's UI issues. You can redirect suspected spam emails to a folder the user can inspect for false positives. What do you do with a call that hits the robocall filter?
It's worth reading Pai's actual dissent: https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-72A5.pd.... Among his reasons for dissenting is that the Commission was unwilling to "establish[] a safe harbor so that carriers could block spoofed calls from overseas without fear of liability."
All this occurs against the background of the Communications Act's common-carrier obligations, and the FCC's call-completion rules, which generally prohibit blocking calls. What the FCC did in the order you linked is to simply say "nothing in the Communications Act or our rules or orders prohibits carriers or VoIP providers from implementing call-blocking technology that can help consumers who choose to use such technology to stop unwanted robocalls."
Is that a safe harbor? No, as the next sentence clarifies, what can be blocked depends on the nature of the call: "Additionally, in the interests of public safety, we strongly encourage carriers, VoIP providers, and independent call-blocking service providers to avoid blocking autodialed or prerecorded
calls from public safety entities, including PSAPs, emergency operations centers, or law enforcement
agencies; blocking these calls may compromise the effectiveness of local and state emergency alerting
and communications programs."
As explained in other posts here, it's hard for a carrier to tell what is a robocall. What is an "unwanted" robocall is even harder--it's a heavily-litigated issue in the TCPA context. (In fact, the rest of the order was about expanding what counts as an unwanted robocall in violation of the TCPA).
That leaves carriers between a rock and a hard place--it they block over-inclusively, businesses who think they fall into a TCPA exception could sue them for violating their common-carrier obligations. Then they get to litigate whether that business falls within the scope of the "unwanted robocalls" the FCC referred to (but did not define). Carriers have a huge incentive to not wander into that morass by offering call-blocking features.
> so that carriers could block spoofed calls from overseas without fear of liability
I don't really want my carrier deciding what calls to block. I just want them to ensure the veracity of caller ID data so that I can perform useful blocking at my end. There shouldn't be anything stopping them from removing fraudulent and unverifiable caller ID info from the calls they route my way. That leaves me free to block calls that lack caller ID info, and I'm assuming all the risks that entails.
Later on spam filtering relied on analyzing email text, but before that was available there was the blunt instrument of blackholing ISPs that refused to police their users.
I remember Bayesian spam filters being the first widely used ones. But it was a long time ago.
It’s not clear to me that carriers would be allowed to do that, especially accounting for situations where VoIP traffic is laundered through a legitimate service (so the entity at the exchange boundary with the end-user carrier is a legitimate one).
Could they get around common carrier restrictions by offering that service as opt in? I’m not so sure about that either.
Should be technically possible to have ”these numbers can originate from this operator”. I’ve learned that if a phone looks to be from my area code, it’s actually from China. No idea what the robocaller is saying.
My operator should be able to have a short list of teleoperators in this zip code, and drop other calls.
I've had the same phone number for over 20 years now, since LNP became a thing I've moved it a couple of times to different providers. Most recently I've parked it with a non-local voip provider which gives me a great deal of flexibility. It sounds like under your proposal no one would receive my calls?
No matter what solution is proposed, there's always a subset of people who depend on that very behavior (see https://xkcd.com/1172/ ).
I think no-one receiving calls from parked non-local voip numbers would be an acceptable price to pay for the elimination of voip spam. You are free to disagree, tech is all about making compromises.
Incidentally, this quickly follows the path we took with SMTP. I can no longer telnet into a random SMTP server and dump incoming mail, which no doubt ruined the carefully honed scripts of many sysadmins.
Something that helps is having an "undesirable" area code.
Telemarketers have learned that certain area codes convert at much higher rates than others. 202, 203, 212, 213 are prime targets. 242, 246, 406 and 701? Notsomuch.
If your NPA isn't important to you, get a number in those areas. (Some carriers will let you choose your area code as long as you're within the same billing center.)
I'm feeling very grateful for sticking with the same phone number I've had since high school in rural Minnesota. 100% of numbers I receive from "my" area code that aren't my mother, are spam. :)
I get almost no spam calls now, Google has call spam blocking built into Pixel phones and I went from a few spam calls a week to maybe 1 or 2 a month. And those 1 or 2 calls ring with a red warning that they're potential spam calls.
For reference, I've had the same New Jersey mobile number since 2001.
Thanks, looking into it now. iOS and Android app. I'm curious to see how this works. Probably can't get in the way of the calls on the device itself; pushes changes to the network maybe?
Some of it is just a matter of associating the name “Telemarketer” with a phone number. I still see those calls, but can immediately identify them.
Stuff it’s more confident about gets blocked outright. I think they’re automating what they’d do if you went into your account and manually blocked a number.
I already have a /dev/null contact with a silent ringer but the telemarketers (especially the neighbor dialing) almost never uses the same number twice. Still hopeful the ATT app helps though.
Their list automatically updates based on whatever mysterious processes happen in their end, so it should be an improvement over manually blocking numbers after you get a spam call. Hopefully it will help a little bit. It's definitely not a cure, but we have to take what we can.
> What I don’t understand is why no major mobile carrier is offering a solution to this.
Carriers have no economic incentive to do this. Most people on AT&T aren't going to jump to Verizon because of the number of robocalls they get on AT&T. It's not worth the hassle of changing.
>What I don’t understand is why no major mobile carrier is offering a solution to this.
I remember at one of the WWDC keynotes, Tim Cook announced this as a new iPhone feature. But he also noted that it was only available in China. I wonder if whatever the Chinese carriers have done can be imported to the United States.
My wife's iPhone will occasionally get an incoming call with small text below reading "Possible spam." She never uses her phone for voice, so she never answers the phone anyway.
I've suggested in the past that every instance of provable spoofing where they did not control the claimed number should result in a fixed fine. $100 sounds about right.
Every phone network will then quickly begin passing on that cost to anyone they "peer" with and it will be a non-issue soon enough.
Is there a compelling reason to allow such spoofs?
>Is there a compelling reason to allow such spoofs?
A few use cases to spoof the number:
* Appointment reminder systems - if I see the caller ID is from my doctor's office, I'm going to pick it up and hear the reminder. When the calls come from some other number, people think it's spam. People still expect reminder calls even if you/HN crowd would prefer an email/text.
* Outbound call centers on behalf of others companies (same reason as above)
* People who work from home but want to make business calls from a personal phone
If no one could spoof, it probably result in a huge uptick of people claiming spam calls since they would be getting tons of calls from numbers they didn't know.
There really needs to be an SPF, DKIM, DMARC for VOIP. I don't think a no spoofing policy would go over well for businesses or consumers.
The question wasn't about why spoofing exists at all. It was about spoofing where they did not control the claimed number.
If you want to place a call with spoofed caller ID info, your provider should require you to prove that the spoofed information is legitimate, not fraudulent. Otherwise, the telco should be obligated to strip the suspect caller ID information from the call so that the recipient can properly identify the call as fishy.
There's no need for any complicated cryptographic solution. Telcos should just be required to know their customer, much like banks, before allowing them to do certain things.
Yeah. I'm perfectly fine with e.g. Twilio being able to tell Verizon "oh, we have authorization to send from $x", Verizon going "uh huh, go ahead" because they trust Twilio not to mess around. But then, if there does turn out to be an issue, Verizon is on the hook, and they'll turn around and charge that to Twilio. So, they'll be fine with letting large companies like Twilio spoof on their network, but they're not going to let RandomCo spoof.
So forcing the fine on the last step in the chain forces everyone to carefully consider who they trust, which is as it should be. Nothing wrong with trust between trusted parties, but clearly the current system has untrustworthy parties given too much power.
That's the thing though, a lot of times they don't control the spoofed number, but there's a legitimate use case for spoofing it. Authorization to spoof is not the same as having control of a number.
A cryptographic solution is absolutely necessary. Most reputable telcos already restrict spoofing or require tons of paperwork to prove you own the number before allowing you to use it as caller ID (like Twilio for example).
The issue is that the PSTN is essentially a huge, worldwide message queue to which pretty much any telco can connect around the world, including shady ones - even if US law actually does fight spoofing, how do you prevent telcos from other countries from continuing the abuse?
Cryptography is needed - when a carrier leases you a number, they give you a certificate with which you can sign other carrier’s certificates if you want to let them use that number as caller ID. Every carrier on the call chain should verify call’s signatures against that and discard any calls with missing or invalid signatures. That will stop malicious spoofing while allowing its legitimate use, just like email where you can use SPF and DKIM to nominate any email provider to be able to send on your domain’s behalf.
A certificate system could work, but really all that's needed is traceability.
If I complain about a call, that should be trackable to the origination carrier and account, and if either one gets too many complaints, it gets thrown off the network (and other penalties).
Actually there is some standardization activity trying to do this. It does not solve the main problem: if you let the originating carrier sign the caller id, you still have to trust that carrier to really check if the caller is authorized to use it. Number portability prevents you from using certificates older than 24h.
In all of those scenarios, one could prove they controlled or had authorization for the spoofed number, hence it would not be eligible for my proposed fine.
I'm not suggesting no spoofing, I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.
You didn't make this clarification in your first post. In the first two examples, they don't control the claimed number, which is what I was responding to.
>I'm suggesting a fine on the carrier for unauthorized spoofing, which will force them to actually verify that there is authorization.
This makes sense. Legitimate companies will get authorization agreements signed etc.
> Is there a compelling reason to allow such spoofs?
It makes telcos money. That's reason enough, since there are no economic downsides to the network operators that enable these crimes. If companies like AT&T and Verizon were also being subject to this $120M fine, we might see them decide to make caller ID trustworthy so that it could be used to block robocalls.
No, this occurs at the telco level. When a call is placed, only the number is sent. The receiving exchange must look up that number to get the name, and that lookup costs some fraction of a cent. This is why Caller ID with name costs extra money.
I'm afraid I didn't read TFA, so apologies if I'm getting the wrong end of the stick. Also it's been 20 years since I worked in PSTN stuff. But at least at that time, the security in the protocol was ridiculously lax. IIRC, with PRI there was literally a bit that you set to say that the originating number was checked and was legitimate. Every other switch on the way through would accept it blindly.
In most areas it was illegal to set that bit unless you were a telco. It was also illegal to sell equipment that set that bit unless you were selling it to a telco. But... it's not that hard to hack.
Someone who's more current can probably give you better information. As to why nobody does anything about it... well.. why should they? They literally don't care. The equipment manufacturers aren't going to change the specs (because it's pretty darn hard to change specs and they are all trying to screw each other over in the specs anyway). The telcos aren't going to demand that the specs are changed because people are making telephone calls -- exactly what they want. It's only if the governments demand the change -- and it will take laws to do that (even then, I imagine that it's cheaper to lobby against the law than to change the equipment -- you have absolutely no idea how crappy those systems are).
There are legitimate reasons for spoofing to work given how fucked up the PSTN is.
Mobile roaming is one for example - when you roam on another carrier and place a call, that carrier directly originates the call and “spoofs” your caller ID to make it look like the call originated from you.
Some companies may use different carriers for either load balancing or least-cost routing and so both of these carriers are required to “spoof” the company’s caller ID.
This can definitely be fixed with a CA system and “delegation” where the main carrier who owns the number can issue certificates for any other carrier you’d like to use to temporarily allow them to use a particular caller ID, and each call request should be signed with that certificate and the signature should be verified by call intermediate carriers down the chain, and the call dropped if the signature is missing or invalid.
I think the correct approach is economic, not technical. Make a rule that, if you get a spoofed call, then your telco owes you $100, not subject to any arbitration clause or other contractual waiver. Give a way out to avoid actually killing the telcos: annual penalties are limited to a few percent of annual gross revenues.
The telcos will find a technical solution real fast.
Or just let telephone users set a price, for someone not in there contact list, to call them. Set it at 5 cents by default. Problem solved for the most part. People that don't know you can still call you (like the person who you left your curtains at for repair) but most robo call campaigns won't be worth it. If you really hate spam, set your price to $10.
If an incoming call is saying it's coming from 555-1234 and telco owns 555-1234 and it's not one of their authorized income points then the call should get dropped.
Or if they don't own it then it's on who's inserting the call into the system.
Telco systems are fun. And by fun I mean it's a complete mess. ISDN is hard and full of caveats (look at SIP for a taste of what it involves).
How? Even in the same city, cellular and land lines aren't always serviced by the same company. In most places I'm pretty sure it's illegal for phone companies to be swapping call data. Or are you suggesting I call back all the numbers that call me to compare bills with the owner on the other end? This plan is not going to work out.
The reason I would agree with a fine is not because a caller's identity cannot be unmasked, but because phone numbers are so closely connected with identity that robocallers are essentially engaging in identity theft and slander when they use people's legitimate numbers to spoof their calls.
I had someone call me once, claiming I had just called them. I hadn't of course, so the only thing I could think of was that someone had used my phone number for spoofing.
The FCC at some point considered requiring authentication numbers or attaching names to numbers. They ultimately rejected the idea. There were multiple reasons why they rejected it, but from talking to someone at the FCC one of the reasons they rejected connecting numbers to identities too strongly is that victims of domestic abuse may need to call their abuser (eg about child support), but do so without giving away too much information (like address).
Doesn't ANI work? When I worked at a business with a phone system used for time tracking we relied wholly on ANI as caller id is what is spoofed. However I am not sure if the ANI information is a paid for service or is it being spoofed as well? Caller ID data was always malleable and never to be trusted
ANI does not typically come with end-user lines, and is (sadly) also spoofable. There are already some systems for fraud analytics, but thye have their own issues.
A user can request a "trace" (usually by dialing a feature code), but not only does this hit the user with a ~$20 fee each time, but the information gathered can only be released to law enforcement, and since local law enforcement would need to make the request, it rarely happens.
The telephone system, in the US at least, could charge people extra for calling a number with the extra charge going to the person/company that was called (those famous 900 numbers, now gone, that kids would call and rack up $10000 phone bills.) It seems to me that it would be pretty easy to set up a system where, if a person is not in my contact list, they get charged some amount of money to call me. Setting it at 5 or 10 cents would be enough to kill almost all of these spam calls and not deter a real person from calling you.
We (Nomorobo) protect you from both neighbor spoofing as well as "standard" robocalls. We add over 1,300+ new robocaller numbers every day. It's pretty crazy out there.
I used Nomorobo for 6 months and it was NOT useful, i have a phone number from a area code + prefix that i dont live at, yet I get about 5-10calls/day from similar looking numbers. Nomorobo would mark them as ‘unblockable’ because of the areacode+prefix match, so i would have to manually block each one.
I switched to ATT Call Protect which works much better. Now i get 1-2 calls/week. I would go back to nomorobo if it worked better.
We used to show "unblockable" because there was a problem with false positives. Lots of families had sequential numbers that were accidentally getting blocked.
Now, if you give us access to your contacts (local processing only, never transmitted to our servers) we can completely block them.
The 'neighborhood scam' is one which I am frequently subject to, and there is virtually nothing I can do about it (except block all the numbers with the same prefix as my own, but even this only covers the cases where they restrict their spoofed numbers to that small range).
Domestic callers like the one described in this article seem like a very small part of the problem, since they can be tracked and prosecuted. Foreign callers never pay the penalty with our current system, and I suspect they are more numerous based on the accents of most robocall operators I've gotten on the line.