
Global STIR/SHAKEN Is Dead; What Comes Next?

The UK regulator has killed any prospect of US anti-spoofing protocols gaining universal traction. We need international anti-scam strategies that focus on the basics.

We tend to read in the news about things that have happened. Sometimes the most important decisions are those which determine something will not happen. The following is not going to happen.

STIR is spreading internationally

While the U.S. and Canada have taken the lead in introducing call authentication standards… As more and more regulators join the global effort, the industry’s ability to combat robocalls and call spoofing will continue to improve. [emphasis added]

And the following is not going to happen.

Q. Will SHAKEN work for international calls?

A. Not initially… However, ATIS has published a Technical Report (TR) that describes how the SHAKEN protocol can be extended to international calls once other countries adopt SHAKEN. [emphasis added]

And the following is not going to happen.

The initial SHAKEN specification was limited to a single country, but additional documents are now available outlining how SHAKEN can be extended to include other countries in a global ecosystem. [emphasis added]

A recent decision by Ofcom, the UK comms regulator, has effectively killed the prospect of STIR/SHAKEN, the twin American standards for validating the origin of phone calls, being imposed upon all telcos worldwide. Ofcom’s decision was made after a public consultation that was ostensibly about the general concept of validating calling line identification (CLI), otherwise known as caller ID, but which proposed a specific plan that was copied from the implementation of STIR/SHAKEN in the USA and which was written for Ofcom by a well-known American lobbyist. The fact that Ofcom minimized references to STIR/SHAKEN in their consultation shows they were conscious that compliance with STIR/SHAKEN requires de facto submission to decisions made in the USA. However, pushback from telcos forced Ofcom to reject the use of STIR/SHAKEN in the UK. This was chiefly because STIR/SHAKEN would be ineffective unless every other country also made it mandatory and harmonized its use in actual practice. Per Ofcom’s formal decision:

…it is now clear that widespread international adoption of CLI authentication is unlikely to happen in the near-term.

Ofcom’s decision is a blow to advocates of STIR/SHAKEN who convinced themselves — and tried to persuade others — that the universal roll-out of STIR/SHAKEN was inevitable. The quotes at the top of this article evidence their overconfidence. The first two quotes come from an article written by Neustar, an American vendor that co-authored the STIR protocols and previously employed the author of Ofcom’s STIR/SHAKEN plan, the third comes from public advice issued by the governance authority for STIR/SHAKEN in the USA, and the final quote is from Jim McEachern of ATIS, the US-dominated association that controls the SHAKEN standards, as stated in an article that Jim wrote for Commsrisk in 2020. The assumption that the rest of the world would accept American leadership was mistaken. The rejection of STIR/SHAKEN by the UK, one of the USA’s key allies in network security, brings the debate about the merits of STIR/SHAKEN to an end. STIR/SHAKEN cannot work unless everybody uses it, and not everybody is going to use it, so STIR/SHAKEN cannot work.

I have no desire to rub salt into the wounds of the Americans who lobbied so aggressively for STIR/SHAKEN, but it is necessary to draw attention to the significance of Ofcom’s decision. Press releases from vendors and regulators tend to get amplified. In contrast, Ofcom buried the news that STIR/SHAKEN was rejected. That makes good political sense for Ofcom but is less helpful to regulators and telcos elsewhere. Supporters of STIR/SHAKEN have repeatedly debased themselves by spreading disinformation, so they will not be sharing the news of Ofcom’s decision. Fans and vendors of STIR/SHAKEN are unlikely to admit defeat. STIR/SHAKEN remains mandatory in the USA and Canada, even if it is ineffective, and the regulators in those countries will not want to lose face. But the world needs to move on. Every year we continue to waste on pipe dreams of a universal call validation system sold and controlled by US businesses is a year we delay reaching the international agreements needed to stem the flow of harmful calls across borders. Global STIR/SHAKEN is dead. Let us appreciate why it failed, learn the lessons that can be gleaned from failure, and then collectively devise a new international plan that has a chance of success.

Why Has STIR/SHAKEN Failed?

Competent risk managers understand there are several ways to analyze the roots of an erroneous prediction. In this instance, I will begin with an arena that engineers, bureaucrats, lawyers and politicians are rarely keen to examine publicly: the realm of human psychology. There were plenty of engineering, administrative, legal and political problems with STIR/SHAKEN but the most fundamental mistake was psychological in nature. Put simply, supporters of STIR/SHAKEN indulged in groupthink. They did not invite the opinions of outsiders. They did not listen to outsiders. They formed a self-aggrandizing clique whilst lacking a forum and the disposition to accept and learn from criticism. In modern parlance, they formed an echo chamber where their beliefs and assumptions kept being repeated back to them.

I am not an engineer but I can tell when an engineering solution is expensive by comparing its cost to alternatives. I am not a foreign affairs expert but I know the USA has enemies. I am not a bureaucrat but I can tell when a room full of people is spending a lot of time talking around a subject because nobody wants to be responsible for making an actual decision. These were the issues with STIR/SHAKEN that were not just apparent to me, but to many professionals, of many nations, who have spoken to me since I began sharing my criticisms of STIR/SHAKEN via Commsrisk. Instead of addressing these issues, advocates of STIR/SHAKEN chose to ignore them. Some may not have cared if STIR/SHAKEN could ever be made to work; there have been plenty of people who made a lot of money by selling dud technology. But whatever their goals, the reasons why STIR/SHAKEN was bound to fail are so obvious that it beggars belief that well-paid US professionals thought they could succeed by simply ignoring them. To reiterate those serious weaknesses:

  • STIR/SHAKEN costs an enormous amount of money compared to better alternatives. It costs so much that the groupthinkers steadfastly refuse to deliver an estimate of its cost, whilst insisting the benefits must outweigh the costs. And then they refuse to produce an estimate of the benefits either, with the excuse that there is ‘no silver bullet’, and that the real benefits will only start to flow after some other money is spent on some follow-on endeavor. As a consequence, the advocates of STIR/SHAKEN concentrated on lobbying rich countries like the UK because they had no idea of how to make it seem affordable to poorer countries. But a waste of money is still a waste of money, even in a rich country.
  • China is the enemy of the USA. The USA also has other enemies, and there are non-aligned countries. The notion that all international calls would be subjected to a form of governance dominated by the USA was fanciful. However, advocates of STIR/SHAKEN could offer no other explanation of how global coordination would be effected in practice. They embarrassed themselves by treating the support of the Canadian regulator as sufficient proof of an international mandate for their program, and they boasted of the support of multinational tech companies like Google and Microsoft as if nobody would notice where those companies are headquartered.
  • The only way to stop a harmful call is to stop the harmful call. You can do all the detection and analysis that you like, but none of that matters unless something is stopped. An algorithm can automatically decide which specific call is blocked. A government agency can prohibit a crooked company from doing business. The police can decide to arrest the people who make harmful calls and lawyers can decide to prosecute them and a jury can decide to imprison them. However it is done, somebody has to decide to stop something from happening, where the power to make that decision comes from a legal code, a regulatory code, software code, or a combination of codes. But for all the bloviating about STIR/SHAKEN, not a single advocate for its use could offer a convincing explanation for how STIR/SHAKEN would lead to reliable decisions to stop bad calls in the USA, never mind anywhere else.

I am sorry to use harsh language. I really am. Nobody likes to be publicly belittled. But groupthink cannot be ended by negotiating with it. Groupthink has to be disrupted. Thousands of people suffer harm every day because the communications industry wasted time on fantasies concerning STIR/SHAKEN. The lessons to be learned from the failure of STIR/SHAKEN are so simple that they should hardly need to be stated. But the groupthink surrounding STIR/SHAKEN was so thick and impenetrable that those lessons do need to be stated, so here they are.

  1. Prefer methods to reduce harmful calls that are so cheap that every telco and every country will want to implement them. Dismiss methods that are so expensive that a tiny number of US corporations will spend a lot of time and money on lobbying regulators for them. If you desire, there will be plenty of time to argue about the need for untested and unproven miracle technologies after all the cheap and simple protections have been put into effect.
  2. Listen to a wide range of opinion and not just those which reflect your own nationality, culture, or domain of expertise. If your goal is to reduce crime, it would be helpful to solicit the opinions of people who are experts in crime, as well as people whose expertise lies only in narrow technological fields that may or may not yield effective solutions. Invite critics to challenge any proposal before you tell regulators that it is sure to work. Seek to encourage international consensus from the outset by engaging with people who may oppose your plans as well as the people who are most likely to support them. Any plan that just assumes China or India will submit to US authority is not worth considering.
  3. Be clear about outcomes. Explain what will be stopped. Explain who will decide to stop it. Explain how they will decide to stop it. If you cannot explain these things then go away and only return when you are able to explain these things. Anything you might say in the meantime would only be a distraction.

What Comes Next?

I will avoid the temptation to discuss specific technologies. Following on from the psychological assessment of why STIR/SHAKEN failed, any plan to tackle scam calls can only succeed if it aligns with human motivations. STIR/SHAKEN was a poor technological proposition that was marketed heavily to professionals outside of the USA who could readily see its flaws, and who do not share the narrow and specific motives of a highly politicized entity like the Federal Communications Commission (FCC), the comms regulator in the USA. I can identify four outline mechanisms to tackle scam calls that are worth pursuing because each might receive sufficient support from the people who would need to support it.

Police the Telecoms Borders

The easiest way to overcome the headaches involved in international coordination is to avoid any need for coordination. STIR/SHAKEN had to be pan-national because the technology can only serve a useful purpose if it is applied from the origin of a call, to its destination, and by all the intermediary carriers between. A string of countries have since realized that trying to influence the application of STIR/SHAKEN in foreign countries is futile. So instead of doing that, they recognized that the quickest, simplest way to stop spoofed calls from overseas is to look at the phone number presented for each inbound international call and to block the call if that number pretends to have a domestic origin. There will be some elaboration of this essential method to cover calls presenting a number which could belong to an outbound roamer, but the principle remains the same: apply checks to calls coming into the country and refuse to connect the calls that are obviously dodgy.

This strategy has rapidly gained popularity. This is because different national regulators can see how well it has worked for their peers, but they also benefit from the simplicity of controlling execution within their own country. To give a good example, Germany has benefited from a method of policing inbound international traffic that is quite like that used by other European countries, but which also differs in the specifics because of the need to accommodate German cultural sensibilities. Just like a physical border, a country does not need the permission or help of its neighbor to erect a fence or institute checks on telecoms traffic that approaches its network borders. And because most scam calls originate overseas, the majority of scam calls can be prevented using this cheap and effective method.

The approach of policing the border is set to become the dominant approach in Europe. Several European countries have already begun implementing border controls that will become progressively more comprehensive as they are extended from landline to mobile numbers. The coup de grâce occurred when the Electronic Communications Committee of the European Conference of Postal and Telecommunications Administrations (CEPT) recommended in November 2023 that its 46 member countries should all adopt either a block of inbound international phone calls that spoof a domestic number, or a German-style removal of the CLI so that no apparent A-number is presented to the recipient.
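To make the mechanism concrete, here is an added example in Python of the check a gateway could apply to each inbound international call, covering both options in the CEPT recommendation. It is not code from Commsrisk, Ofcom, CEPT or any operator: the +44 home country code, the +447 mobile range, the roaming lookup (modelled as a set of numbers the home network knows to be registered abroad) and the two policy modes are assumptions chosen to illustrate the options the text describes, and the sample traffic is constructed from Ofcom’s reserved drama number ranges rather than taken from any real call records.

```python
"""Inbound international gateway check: an added illustration of policing the
telecoms border. Number ranges, the roaming lookup and the policy modes are
assumptions for this example, not the rules of any real regulator or operator."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

HOME_CC = "44"               # assumption: the gateway belongs to a UK operator
HOME_MOBILE_PREFIX = "+447"  # UK mobile (07xx national) numbers in E.164 form
E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # '+' then 7 to 15 digits


class Policy(Enum):
    """The two options the CEPT recommendation offers a country."""
    BLOCK = "block"   # refuse to connect calls presenting a spoofed home number
    STRIP = "strip"   # German-style: connect, but withhold the CLI from the callee


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    STRIP_CLI = "strip_cli"


@dataclass(frozen=True)
class InboundCall:
    cli: str     # A-number exactly as presented by the foreign carrier
    called: str  # B-number, kept for logging only


def normalise(cli: str) -> Optional[str]:
    """Return the CLI in E.164 form, or None if it is not a usable number."""
    digits = re.sub(r"[\s\-().]", "", cli or "")
    if digits.startswith("00"):            # common international dialling prefix
        digits = "+" + digits[2:]
    return digits if E164.match(digits) else None


def decide(call: InboundCall, policy: Policy, roaming: FrozenSet[str]) -> Action:
    """Check one call arriving over an international interconnect.

    `roaming` is the set of home mobile numbers that the home network (HLR/HSS)
    currently knows to be registered abroad; assumption: the gateway can consult
    it. A call from such a subscriber legitimately comes home over the
    international interconnect carrying a +44 CLI, so it must not be blocked.
    """
    number = normalise(call.cli)
    if number is None:
        # Unusable CLI: never show it, but do not drop possibly legitimate traffic
        # (design choice for this example; a stricter gateway could block instead).
        return Action.STRIP_CLI
    if not number.startswith("+" + HOME_CC):
        return Action.ALLOW                   # genuinely foreign A-number
    if number.startswith(HOME_MOBILE_PREFIX) and number in roaming:
        return Action.ALLOW                   # outbound roamer calling home
    # A home number arriving from abroad with no roaming explanation is spoofed.
    return Action.BLOCK if policy is Policy.BLOCK else Action.STRIP_CLI


# Constructed sample traffic using Ofcom's reserved drama ranges; not real records.
ROAMING = frozenset({"+447700900123"})
SAMPLE = [
    InboundCall("+1 202 555 0123", "+442079460000"),   # US number: plausible origin
    InboundCall("+44 20 7946 0000", "+442079460001"),  # UK landline from abroad: spoofed
    InboundCall("+447700900123", "+442079460002"),     # UK mobile known to be roaming
    InboundCall("+447700900124", "+442079460003"),     # UK mobile not roaming: spoofed
    InboundCall("0044 20 7946 0004", "+442079460005"), # same spoof written with '00'
    InboundCall("020 7946 0006", "+442079460007"),     # national format: unusable
    InboundCall("", "+442079460008"),                  # no CLI at all
]


def run_batch(policy: Policy) -> List[Tuple[str, str]]:
    """Apply the policy to the sample and return (presented CLI, action) pairs."""
    return [(c.cli, decide(c, policy, ROAMING).value) for c in SAMPLE]


if __name__ == "__main__":
    for mode in Policy:
        print(f"--- policy: {mode.value}")
        for cli, action in run_batch(mode):
            print(f"{cli or '<no CLI>':>20}  ->  {action}")
```

The roaming exemption is the one part of the check that needs data the gateway does not already hold, which is why the basic rule needs some elaboration for outbound roamers; every other decision is made from the presented number alone, with no dependence on anything the originating carrier or its intermediaries did. A CLI the gateway cannot parse is withheld rather than blocked in this example; a country that has chosen the blocking option might reasonably block those calls too.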

It is worth noting why the relatively simple mechanisms required to police the border do not appeal to decision-makers in the USA despite a profound tendency for Americans to blame foreigners for scam calls. Neither the FCC nor the companies that have most heavily invested in the development of STIR/SHAKEN care as much about protecting ordinary people from crime as they care about continuing to enable telesales calls that originate in call centers located in foreign countries where staff are cheaper. If there were no telesales calls from call centers working on behalf of US businesses but located outside of the USA then policing the border would be much easier. If you want ordinary members of the public to be deceived by the presentation of a domestic phone number for a phone call that originated in a foreign call center then you need an elaborate mechanism to distinguish between ‘legitimate’ spoofed calls and all the other spoofed calls. This elaborate mechanism will always be prone to abuse because criminals are adept at pretending to run legitimate businesses. The elaborate mechanism has a name — STIR/SHAKEN — and the real motive for preferring it to simple border controls is to prioritize the objectives of big business over the protection of ordinary people.

Empower the Big Telcos to Make Decisions about Crime

As noted above, any system will ultimately succeed or fail depending on whether there are decisions that stop bad traffic. This is an essential truth, but it becomes harder to fathom as a legal and regulatory environment becomes more convoluted. There are times when poor countries are much more effective at tackling telecoms crimes than rich countries, despite the lack of investment in the technology of crime detection. Poor countries tend to have simpler decision-making procedures because they cannot afford the wasteful overheads that come with complexity. That is why the majority of African countries made simboxes illegal decades ago, whilst the UK only concluded that simboxes were illegal after its Supreme Court ruled in 2023 about the legality of a business which had been liquidated in 2005.

Dictatorships and other authoritarian regimes have their downsides, but an inability to make decisions is not one of them. There are also disadvantages in giving businesses like telcos the freedom to act like dictators. Either way, somebody needs to make decisions that will result in the blocking of bad traffic by bad actors, whether that somebody works for the government, for the telcos, or for some quasi-governmental body that sits between them. The danger with giving people power is that they may abuse it. The risk with not giving people power is that a necessary decision cannot be made.

One of the most striking aspects of STIR/SHAKEN is that American lawyers and vendors would give lectures about how it was supposed to operate in the USA that demonstrated a profound inability to see the wood for the trees. Here is one of the diagrams used to explain the relationships between the various entities that execute STIR/SHAKEN in the USA, as drawn by iconectiv, the business which secured the monopoly on administering STIR/SHAKEN policy.

Now here is a process diagram that explains how telcos worldwide have historically dealt with fraudulent traffic.

Telcos are more capable of identifying crime that occurs on their networks than anyone else. So you could just trust them to act in the best interests of the public. A country could simplify by giving telcos more freedom to block calls, or by giving them the right to refuse to interconnect with other telcos, on the basis that this is necessary to protect the public from harm. There is no technological obstacle to doing this. It could be done overnight. The obstacles are political in nature. Telecoms fraud managers spend half of their professional lives bemoaning the fact that they are not free to act to tackle crimes and criminals they have identified.

Telcos have more relevant information than anyone else, so intuition tells us they are best able to identify and stop crime. And they could further empower each other by sharing information between themselves. However, the more complicated regulatory environments, like that in the USA, will not let them act in this manner because of the fear that such power will be abused for anti-competitive purposes.

Criminals have the advantage in a complex regulatory environment because they move faster than bureaucrats. This is acknowledged by the FCC whenever they talk about ‘playing whac-a-mole’ with scammers, but they reach the wrong conclusions about how to remedy the situation. Criminals are faster than bureaucrats because bureaucrats make everything so very slow, not because criminals are inherently fast. STIR/SHAKEN, and the FCC’s subsequent fascination with using artificial intelligence, are attempts to try to increase the speed of law enforcement through the use of technology, but without removing any bureaucracy. This misses the point — decisions effected through algorithms still involve human beings making decisions before the software is executed in practice.

The bureaucracy of decision-making will remain in overcomplicated regulatory environments even if it means many committees arguing about which algorithms are acceptable before they are used in practice. And that is why it is so rare to hear anyone explain how STIR/SHAKEN has changed decision-making in the USA, because they still have not worked out those details. They have started turning the handle on a lot of data whilst hoping to later discover the correct recipe for automated decision-making. But bureaucrats will still not be competent to inspect that data. The people who are most competent to do that are the people who work for telcos. Which brings us back to the same circular problem of whether telcos will be trusted to make decisions or not.

So however this problem is couched, and however it is confused with questions about technology, each country has to decide how much it relies on telcos to decide which calls it should block, how much these decisions will be made by bureaucrats instead, and how often crime is allowed to persist because nobody is empowered to make a decision. One way of handing more power to telcos without prompting a backlash is to embed decisions in algorithms and to be vague about the significance of this transformation. It would be better if governments and regulators consciously chose to hand power to telcos rather than assuming algorithms will somehow perfect themselves, or that the businesses which supply technology will not be tempted to bias algorithms in ways that profit them at the expense of public safety.

Create and Use Call Validation Clearing Houses

The USA and Canada will continue to use STIR/SHAKEN. After many years of striving, Canada and the USA have finally progressed to the point where they are running a pilot on how to collaboratively apply STIR/SHAKEN to calls that pass between them. Meanwhile, France will likely persist with an incompatible version of STIR/SHAKEN. But other countries will never exchange STIR/SHAKEN signatures with the USA, Canada, or France. This creates an impasse, but it also creates a straightforward business opportunity. If countries like the USA will legally oblige gateway carriers to add a completely meaningless signature to inbound international calls rather than admit that the calls have not been authenticated, why not simply give intermediaries the option to add a meaningful signature instead? The signature need not reflect the adherence to STIR/SHAKEN at the call’s origin, but it could reflect other useful information. For example, if a UK telco blocks all inbound international traffic that spoofs the UK’s +44 country code, then it follows that any outbound traffic passing from a UK telco to the USA that is prefaced with +44 must have originated in the UK.

I must necessarily be succinct about how to implement the translation of validation performed by a telco in one country into a stream of data that fits the needs of a different telco in another country because there is a limitless theoretical number of combinations. Businesses like 1Route have only researched methods to implement a few such translations so far. However, the principle of translating validation data and exchanging it using automation is sound. Instead of expecting expensive one-size-fits-all protocols to be universally applied to all telcos, it is more sensible to let intermediaries enable the bilateral transfer of useful data by translating between the different protocols adopted by different telcos from different countries. This does not eliminate the issue of whether a telco can be trusted, but that problem still existed in STIR/SHAKEN and was only submerged by a refusal to admit that the ‘universal’ approach actually meant US authorities would have to vet and approve all traffic from all telcos everywhere. At least the open formation of bilateral relations using multiple protocols allows some much-needed flexibility in the ways different countries choose to help each other.

Cooperative Policing

INTERPOL did something very important and very unusual recently. They coordinated an anti-scam law enforcement operation across 27 different countries. The central goal was to dismantle the human trafficking rings that abduct people who are used as slave labor in scam call centers, but cutting off the supply of workers for scam compounds also affects the number of scams that can occur. Rather than spending billions on technology to merely detect and block bad traffic, countries should be spending millions on arresting the organized criminals who were responsible for that bad traffic, and who will keep generating more bad traffic if they remain at large.

The reason why cooperative policing does not occur is because politicians and police have little incentive to reduce crimes suffered by victims in foreign countries, and because it is politically expedient to transfer the cost of law enforcement to private companies rather than to increase the burden on the public purse. STIR/SHAKEN is an example of transferring the cost of law enforcement to the private sector. US telco insiders estimate they collectively spent half a billion dollars on implementing STIR/SHAKEN. That is equivalent to a 4 percent rise in the annual budget of the US Federal Bureau of Investigation (FBI). But the actual budget rise for the FBI in 2024 will be a measly 0.4 percent, despite plenty of rhetoric from authorities that say Americans are suffering an avalanche of fraud. Put simply, rich countries tend to spend too much on technology and too little on law enforcement because it is possible to force the private sector to pay for the former, whilst the latter cost has to be borne by taxpayers.

Some industry insiders have advised me that the USA is now spending money on law enforcement agents based in India and tasked with working with the Indian police to secure the arrest of scammers. This may also explain a recent uptick in the number of reported raids and arrests of Indian scammers. I would say that however much is being spent on aiding foreign law enforcement, the USA should choose to spend a lot more. Billions spent on technology to block calls will only lead scammers to generate many more calls that will also need to be blocked. Put the scammer in prison, take away their phone and their internet connection, and the need to block calls will diminish. And every crime boss in prison serves as a deterrent for anyone thinking of taking their place.

Conclusions

I have no doubt that there are self-professed experts who will find flaws in the alternatives I have outlined. I do not care because anybody who thought global STIR/SHAKEN was going to succeed has already demonstrated poor judgment. Fighting scams requires a multi-disciplinary as well as a multinational approach. The USA doomed its anti-robocall strategy by only asking for input from a narrow band of technologists and lawyers, and then trusting that the rest of the world would purchase the technology they wanted to sell and comply with the rules they expected to impose. I find it incredible that a group of intelligent individuals were so seduced by groupthink that they devised a strategy which depended on the compliance of the whole planet but without making the slightest effort to canvass outside opinion.

The devil is in the detail when it comes to devising cooperative ways of reducing scam calls that cross borders. Many contrasting needs must be acknowledged and accommodated. That is why we must always strive to avoid unnecessary complexity. The simpler our methods, the more likely they will succeed and will be replicated. Straightforward principles like punishing criminals, exchanging information about crime, giving telcos the freedom to take instant action to block dangerous traffic, and monitoring the nature of traffic that comes inbound from other nations will deliver superior results to grand schemes for the universal implementation of expensive technologies and a bureaucracy that would hold sway over all telephony everywhere. The global communications industry can do better. The time and effort already wasted on STIR/SHAKEN shows why we must.

Eric Priezkalns
http://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
