Review: Tech Refactored Ep. 27 - Robocalls: SHAKEN or STIRed?

Wed, 07/14/2021

This post is a summary of Episode 27 of The Nebraska Governance & Technology Center’s (NGTC) Podcast Series, Tech Refactored. In this TR/DT (just in time) episode, host Gus Hurwitz, Director of the NGTC, was joined by Richard Shockey, Chairman of the Board of the Session Initiation Protocol Forum and Principal of Shockey Consulting.

Over the course of the last several years, most people with a phone have become acquainted with two parallel realities: 1) a user can effortlessly call anywhere in the world (a real marvel when you think about it), and 2) for each of us, somewhere out in the ether, there would seem to exist a fountainhead from which flows a stream of robocalls, ranging from a steady flow to a virtual torrent. While we might assume that modern innovations like Zoom, social media, and the somewhat-older text message have displaced phone calls, that isn’t so, according to Shockey. And because some of our most urgent communications, from speaking with our banks to receiving information from our health care providers, take place over phone networks, the problem of robocalls and the resulting loss of public trust in the integrity of the phone system are problems that urgently need to be addressed.

As Shockey explained, the acute robocall phenomenon has its roots in the 1996 Telecommunications Act, which introduced competitive markets into voice communications. In many ways that act was an extraordinary success in that it pushed the cost of international calls down to near-zero. But as in the case of email messages, which are also virtually free, that lack of cost creates a situation where the cost of communication for unwanted callers (“spammers,” in internet parlance) also approaches zero, meaning they can reach out to a vast number of random numbers. Even if a relatively small number of call recipients take the bait, the overhead costs to spammers are so low that even a low-probability scam presents a viable business model.

In terms of the methodology of robocalls, it's important to note that, as presently constituted, caller ID is totally unreliable, in that it is the caller that sends the information about the number from which a call originates into the network. “You can display whatever you want with very little control, which is why robocallers (are able to) forge their numbers,” Shockey explains. Recent action by the FCC has attempted to address this in part by creating a regulatory framework whereby, if a network hasn’t filed a “robocall remediation plan” with the FCC, then other networks will block their calls. Shockey calls this the “excommunication” model of robocall mitigation.

Will the FCC’s recent action solve the problem of robocalls entirely? According to Shockey, the FCC action won’t eliminate the robocall, but it will “suppress the problem to a point where you are restoring trust in the phone network itself. And because of the absolutely critical nature of the phone network to public safety” (...) other governments will undertake “every conceivable task” to restore the integrity of phone networks to the point where public trust is restored. One incremental solution would be a system similar to what is utilized on the internet in the form of HTTPS, where public-key cryptography is used to demonstrate to an internet user that a website has been properly authenticated. Similarly, a person receiving a phone call under the STIR/SHAKEN protocols might see a check mark next to the number that is displayed when they receive a phone call, demonstrating that it has been authenticated by their phone network.

As Shockey explains, public trust in the phone network is important because, without it, the odds that an individual will pick up a phone call drop off significantly. Banks, for instance, are very concerned about the robocall problem because, when they detect potential fraud in a user’s account, they need to be able to contact the user by phone to be able to confirm that their account has not been compromised. Similarly, healthcare providers need to be confident that they can get a hold of a patient in the event that, for example, their test results have come back and they need to schedule an appointment with a patient as soon as possible.

While automated call screening might seem like an unmitigated good, it does present the question of how you notify users that a call that was addressed to them has been blocked. In the case of email, we all have a spam folder that shows messages that have been filtered out by our email systems, and we have all had the experience of having to go to our spam folders to locate an email that has been screened by our email provider in error. No such obvious solution exists in the phone context.

Lastly, it’s worth noting that, as is the case with changing any complex hybrid system, a substantial change to the phone network will almost certainly present challenges that haven’t been anticipated. Hurwitz notes the example of IBM, which recently rolled out a change to its internal network on which it had been working for the last 18 months. After the change was implemented, employees were unable to receive internal emails for days; this happened at a company that maintains a very high level of sophistication with regard to computer systems. Not all international phone networks can be anticipated to have the same high level of competence, so problems with implementation of STIR/SHAKEN in an international context (as has already begun between the US and Canada, and is anticipated to take place with other international phone networks) are bound to appear.

One final note: in facing the problem of robocalls, the United States is not alone. The number one complaint addressed to telecommunications regulators in Canada, the UK, France, and Germany is the same - robocalls. So while every hope exists that STIR/SHAKEN will be an effective response to the scourge of robocalls - and allowing for differences in the regulatory frameworks of different countries - at least we in the United States will potentially have other tested solutions to turn to should the approach articulated in STIR/SHAKEN prove insufficient to address the challenge.

Tags: Tech Refactored Review
