Commsrisk’s new partnership with the Mobile Ecosystem Forum will see us publish weekly bulletins from now on. This is the first of those bulletins, although it covers a longer period, with a lot happening during that time. It seems hard to believe that just five weeks ago I was planning to take a lengthy break from the communications industry. But after 17 years of people watching me continuously update this website, a global association finally decided it was time to lend a helping hand, prompting a 180° U-turn and the re-creation of Commsrisk as a news round-up to be published each Friday. So much like Sisyphus, I find myself once again pushing eerily similar subjects up the same blasted hill that some would prefer to ignore…
US Experience Proves You Cannot Authenticate Calls Without Authenticating Customers First
It is ironic that many journalists complain about misinformation being spread on the internet when even Reuters writes misleading headlines.
Lingo Telecom agrees to $1 million fine over AI-generated Biden robocalls
This is a bit like saying somebody was imprisoned for 3 years over their admiration for Adolf Hitler when their actual crime was robbing a liquor store at gunpoint. You may not like neo-Nazis, and you may not like deepfaked robocalls. For the record, I do not like neo-Nazis, and I do not like deepfaked robocalls. But if there is no specific law against being a neo-Nazi, or against making a deepfaked robocall, then it would make sense to mention the laws that people are being punished for violating, unless we wish to live in societies where punishment is arbitrarily meted out to whomever is considered unpopular. Despite a slew of misleading headlines, the US Federal Communications Commission (FCC) has definitely not fined Lingo Telecom for making AI-generated robocalls that sound like President Joe Biden. They have not done this because the US comms regulator:
- Lacks the authority to punish people for telling lies;
- Failed to establish any rules on AI-generated calls at the time these calls were made;
- Does not want to draw attention to flaws in rules that they hardly ever enforce anyway; and
- Knows that the news media will repeat the contents of an official FCC press release without checking any facts.
AI deepfakes and election fraud are two exceedingly sexy topics. What is not a sexy topic is that some businesses do not implement basic know-your-customer (KYC) checks before allowing other businesses to make large numbers of automated calls. And now you know the real reason why the FCC threatened a modest USD2mn fine, before they reached an even more modest USD1mn settlement with the lawyers representing Lingo Telecom. What follows is the stuff that the FCC’s lawyers include in the more boring documents that they write, and which does not get neatly summarized for their sexy press releases.
Lingo Telecom submitted evidence to the Bureau that Life Corporation had provided Lingo Telecom with a certification that Life Corporation would identify its customers and had verified that the telephone numbers used for all calls were associated with the customers. Lingo Telecom concluded that Life Corporation could legitimately use the telephone number that appeared as the calling party of the New Hampshire calls based on: (i) Life Corporation’s certification to Lingo Telecom that Life Corporation would identify its customers and had verified that the telephone numbers used for all calls were associated with the customers; (ii) the past Know-Your-Customer research that Lingo Telecom had performed on Life Corporation; and (iii) the 16-year history of Life Corporation’s traffic patterns as a customer of Lingo Telecom. Based on this conclusion, Lingo Telecom provided A-level attestations for the New Hampshire calls. Lingo Telecom took no additional steps beyond those recited above to independently ascertain whether the customers of Life Corporation could legitimately use the telephone number that appeared as the calling party for the New Hampshire presidential primary calls.
The FCC needs to distract attention from the fact that a US telco applied A-grade STIR/SHAKEN signatures to calls that illegally spoofed a phone number. If the public became aware of the glaring omission in the FCC’s robocall reduction strategy it would undermine everything the FCC has previously said about STIR/SHAKEN supposedly proving that a call is trustworthy. So whilst the FCC had to punish Lingo Telecom for facilitating a shameless election fraud, they did not want anyone thinking too clearly about the following:
- Despite all the many claims to the contrary, STIR/SHAKEN does not authenticate calls;
- Human beings are essential to the process of authenticating calls because only human beings can make the often complicated judgments involved in deciding whether a person or an organization is who they say they are;
- Nobody has written any actual rules for what these human beings should be doing when they make these judgments; and
- A lot of businesses just rely on other businesses to perform know-your-customer checks.
The lawyers of Lingo Telecom must have appreciated all of these points, which is why they were able to negotiate a 50 percent reduction in the penalty they paid, despite being partly to blame for the robocall equivalent of a neo-Nazi coup. If you read Lingo Telecom’s press release, they make it plain that their settlement agreement did not involve any admission of any FCC rules being broken at all.
The settlement announced on Wednesday contains no findings of any rule violations, and Lingo Telecom continues to believe that it complied with all FCC rules, including those pertaining to STIR/SHAKEN call attestations.
KYC is an essential precursor to a technology like STIR/SHAKEN. The technology of STIR/SHAKEN is like applying an unremovable, unfakeable label to a box that says the contents of the box have been ‘quality assured’. But as clever as that labeling technology may be, it serves no useful purpose if nobody actually bothered to check what is inside the box. Without KYC, the ‘authentication’ tick displayed when a handset receives a call is as unreliable as a headline written by a journalist who copies from a press release without checking the facts. This gaping black hole in the US strategy for protecting the public for scam calls is apparent to many people in the US industry, although nobody seemingly knows how to close it. Respected US comms lawyer Jonathan Marashlian highlighted the core problem with Lingo Telecom’s settlement.
Despite the settlement, the FCC provided little guidance on what additional steps telecom providers should take to avoid similar penalties, leaving many in the industry uncertain about their compliance obligations.
A Chinese Bid for Cross-Border Call Governance?
The new Chinese call validation standard, CHAKEN, remains a mystery to most of the rest of the world, despite promises that CHAKEN will be live and protecting one billion Chinese phone users by November of this year. Big businesses with global footprints that are involved in the delivery of CHAKEN have been strangely tight-lipped about the technology, even though it is the subject of a published national standard within China. However, there are the first signs that some enterprising folks intend to sell CHAKEN to customers outside of China. East Money reported that a seminar on the international application of CHAKEN was held in Shenzhen during July. A state-owned business called Eastern Communications Company, otherwise known as China Eastcom, has seemingly established a ‘China-ASEAN Cross-Border Trusted Identity Trust Center’, per the way Google translates such things. Given that 300,000 modern-day slaves are forced to work in scam call centers located in Cambodia, Myanmar and Laos, and that these three countries all belong to ASEAN, this could be the beginning of a major upgrade of China’s anti-scam strategy. If so, it will also have significant knock-on benefits for phone users all around the planet because these same scam compounds target victims worldwide. Let us just hope the Chinese authorities learn a lesson from the mistakes made by the FCC in the USA, and they will check if a call center is being run by human trafficking gangsters before they decide whether to apply CHAKEN signatures to their calls.
DLT Will Tackle the A2P SMS URL Smishing Problem In India
Western countries have lost interest in blockchain and other distributed ledger technologies (DLT) in the mad rush to solve every problem with AI, but India continues to build upon a highly successful implementation of DLT that prevents scam and spam calls and messages. The Indian DLT is already used to prevent imposters from hijacking the messaging Sender ID associated with reputable organizations, and all A2P SMS messages have to conform to pre-approved templates saved with the DLT. Now the Telecoms Regulatory Authority of India (TRAI) is taking consumer protection a step further with new anti-smishing constraints implemented via the DLT. Whilst Malaysia has chosen to block the use of any URLs in A2P SMS messages and a growing number of European countries are considering automated scanning of SMS messages to identify and block harmful content including URLs, India is going to use the leverage created by their existing DLT to ensure only safe URLs will be allowed, without the threat to privacy implied by automatically reading every message. URLs will now need to be pre-approved and added to the DLT if an organization wants to include them in an A2P SMS message they send. In addition, the DLT will manage the allow-list when A2P SMS messages include:
- Callback phone numbers;
- Links to OTT communications services; and
- APKs, as used to distribute phone apps.
Blocking of new content which does not match the DLT will begin on 1 September.
Same Sh*t, Different Channels: Arresting the Telegram CEO
The stories told by individuals who escaped from the aforementioned scam compounds in Southeast Asia should make us reconsider how we categorize and compartmentalize our responses to networked crime. Criminals do not divide the world in the same way that comms businesses, regulators and governments do. When making the initial connection in the hopes of duping somebody into handing over their life savings, crooks do not care if the connection is made by robocall, SMS, RCS, Whatsapp, Facebook, Tinder, or hundreds of other online messaging platforms and marketplaces. Their objectives and their modus operandi will be largely the same in each instance. When different business sectors work independently to mitigate scams they may not appreciate and address what these crimes have in common. Inadequate KYC is a common problem, whether it is the KYC performed by a CPaaS before sending bulk SMS messages, or the KYC that a social media platform performs to ensure a new user is a genuine person. There may also be commonalities in potential mitigations. For example, Europe seems to be increasingly oriented towards scanning content across multiple kinds of online platforms and messaging services, despite opposition from privacy activists.
Differences of opinion about when it is appropriate for the authorities to scrutinize the content of private messages will come to the fore as a consequence of France arresting Telegram founder and CEO Pavel Durov. The preliminary charges are that Durov allowed criminal activity to occur through Telegram’s messaging service. This may be true, but it is also true that Telegram is used by journalists and democracy activists to evade the laws imposed by some governments that European democracies consider to be oppressors of human rights. Durov previously left Russia and sold his share of a successful business just to deny the Russian government obtaining similar kinds of oversight to those now being sought by France. Modern communications are global, as is crime. However, moral expectations are not the same everywhere. French prosecutors will argue the state needs to exert control over the messages which can be conveyed using Telegram in order to protect the public. If they succeed, there will still be inconsistencies in what different countries consider morally acceptable to include in messages communicated across borders, even if every nation used the same methods for controlling communication across every different channel.
The globalization of moderation that comes with globalization of networked services means that much of the content of the web is allowed or disallowed based on the prevailing morality within the USA, because of the outsized US influence on the information technology industry. Boosters of AI have so far been blind to what this could potentially mean for national cultures if AI is used for moderation. China stands as a counterexample to US dominion because of its size, language, and the differing priorities of the Chinese Communist Party, and it is inevitable that other countries sometimes feel frustration about the import of foreign standards even when they lack the resources to override them. China also ranks as leaders in the development and export of AI. There is some irony in the fact that France is one of the European nations that most actively defends and promotes its national culture as a bulwark against foreign influence. Supporters of the arrest of Durov by the French authorities should keep in mind the consequences when individual nations try to unilaterally decide what may be communicated through global networks.
Other News
- Privacy Commissioner of Canada and US Federal Communications Commission sign information sharing agreement
- Kenyan police warn that SIM swap fraud is being underreported by the public after arresting yet another swapper in Bomet County
- India begins to accept more telecoms investment from China
- British mountain rescue team complains that their emergency callout SMS messages were wrongly blocked as spam



