If you are tired of reading my views on STIR/SHAKEN then I do not blame you; I am thoroughly tired of writing them. But the problem with STIR/SHAKEN is that it continues to make advances in the same manner as a shambling zombie dressed in a business suit; at one time it went to college and aspired to raise a family whilst making the world a better place, but now its only realistic ambition is to consume your brains and the brains of any other creature that does not outrun it. Nothing can make STIR/SHAKEN effective at reducing harmful calls, but that will not discourage the originators of the zombie plague from sacrificing more people in the hope that something good will come of it eventually. So, much to my chagrin, I felt obliged to respond to Ofcom’s consultation on whether to implement STIR/SHAKEN in the UK before the June 23 deadline. This submission elaborated the most important reason why so many professionals privately tell me they despise STIR/SHAKEN, although they choose not to sabotage their careers by publicly opposing the zombie apocalypse. If I can endure the pain of writing to bureaucrats that never listen then you can share a little of my suffering.
The relative good news for you is that I minimized the duration of the pain by writing the shortest and most pointed criticism of Ofcom’s plans that I possibly could, whilst still seeking to highlight the lies and dissembling that encourages full-time regulators to pretend shills for American business-zombies might actually be motivated to protect foreign consumers from harm. Here are the answers I gave to the most important questions Ofcom asked, and you are welcome to repeat them, lambast them or ignore them, because I no longer care who wins the argument either way. I am satisfied that I did my duty, whilst acknowledging that it is difficult to make progress by entering into rational debate with undead monsters that begin with a ‘z’ and end with a ‘why?’
Question 5.1: Is the approach to CLI authentication we have outlined feasible and workable?
No, your proposed approach is not feasible for the majority of harmful calls because they originate outside of the UK, and outside of your jurisdiction. Even if you could extend your influence to other countries, the majority of calls will originate on networks or be conveyed by networks that have not implemented SIP signalling, a technological prerequisite for your proposal. These calls will not be authenticated per the conventional meaning of the word, which means proving the call is true, genuine or valid. Applying a C-grade attestation to inbound international calls means no meaningful authentication has been applied to the call at all, as you must surely be aware although you misleadingly included this aspect of your proposal in a chapter entitled ‘how CLI authentication would work’.
Throughout your proposal you compare the harm done by all calls that have a spoofed CLI with the potential benefits of a method that can only be usefully applied to calls that originate within the UK. You provide no analysis of the segment of harmful calls that will not be addressed by your proposed method because they originated in another country. Asking the public about how many of them have been harmed by calls or the amount of harm they have suffered is irrelevant to determining the protection they might receive from your proposal; they cannot tell if the origin of a harmful call was inside or outside of the country. On the contrary, most independent sources of data indicate the vast majority of the most harmful calls originate outside of the UK. These calls may be greatly reduced by some of the other methods outlined in your consultation document, but the feasibility of those other methods only serves to illustrate why your proposal is not feasible for calls that originate outside of the UK. A harmful call that has already been stopped using one of those other methods cannot be stopped a second time using your proposed method, even if your proposal could be adapted to work across borders.
The way you describe your proposal and the decision to engage Richard Shockey of the SIP Forum as a consultant indicates that your proposal is essentially a copy of the way that STIR/SHAKEN has been implemented in the USA, minus some of the bureaucratic overhead created by their desire to separate the roles of governance authority, policy administrator and multiple certification authorities. It is hence informative that you list the USA and Canada as examples of STIR/SHAKEN being implemented to reduce harmful calls but make no mention of how you would reduce harm by blocking inbound international calls that have been authenticated in the USA and Canada, but which would not be blocked by any entities in those countries because their interest only lies with calls that terminate within those countries. The Federal Communications Commission and the Canadian Radio-television and Telecommunications Commission have grossly exaggerated the benefits of STIR/SHAKEN to the US and Canadian public but have manifestly failed to usefully apply the method to the very many calls that pass between the two countries. If considerable effort and expenditure by those two countries has yielded no credible plan for implementing STIR/SHAKEN at an international level, even between two countries that are both committed to using STIR/SHAKEN, then you must not have a feasible plan for using STIR/SHAKEN to authenticate international calls either.
Question 5.2: To what extent could adopting this approach to CLI authentication have a material impact on reducing scams and other unwanted calls? If you consider an alternative approach would be better, please outline this and your reasons why.
Your consultation document uses skewed measures throughout, presumably to exaggerate the projected benefits of your proposal. For example, it would not matter if CLI authentication was applied to a great many calls passing between BT customers and Vodafone customers in the UK because it is highly unlikely that criminals would choose to originate large volumes of illegal calls on either network. What matters is whether CLI authentication will be meaningfully adopted by the communications providers that currently profit by originating most scam calls. The majority of respondents can hence be expected to follow your lead, telling you that the benefits will be material because there are many harmful calls, but they will all be in the same position as a member of the public as they cannot distinguish between harmful calls which might be stopped using your proposed method and a harmful call which cannot be stopped that way.
If there is a genuine desire to reduce harm in a cost-effective manner then it should be straightforward to separately analyse the costs and benefits of each of the methods described in your proposal, so there is no double-counting of benefits, and each individual method is given the credit it is due. Anyone who produces data about the number and severity of harmful calls, but who then cannot show if a material proportion of harmful calls actually originated within the UK, and who cannot usefully estimate how many scam calls will be eliminated by methods that do not rely on CLI authentication, has no sound basis to estimate what the impact of CLI authentication would be. The majority of respondents to this consultation will likely fall into this category.
Question 8.1: Do you agree with the proposed framework for impact assessment and the potential categories of costs and benefits? Please identify any other factors that we should take into account in our assessment.
No. The most important factors in assessing the beneficial impact of your proposal are the extent to which harmful calls originate inside or outside of the UK, and the extent to which harmful calls that originate outside of the UK are already being reduced or will soon be reduced by other methods that do not rely on CLI authentication. Both of these factors are noticeably absent from your proposed framework for assessing the impact of CLI authentication.



