
This Jurisdiction Issue Makes International Traceback Useless

If there has to be legal permission to get traceback data from the entire route then traceback can easily be defeated, even if there is blanket permission from the originating and terminating countries.

An average member of the public might question why internet traffic from Los Angeles to Washington DC would ever be routed through China. They might be aghast to learn that this actually occurred for 30 months in a row because of the way routing announcements are propagated. I do not normally write about international routing security because a proper understanding of the topic requires a degree of expertise that I lack and which only a small number of people possess. However, I know enough to appreciate that Border Gateway Protocol (BGP) errors and hijacks are an ongoing threat to the routing of traffic. There are also more mundane reasons why comms providers may not always fully understand which routes are being used for international traffic, or may choose routes that would seem bizarre to a member of the public.

There is a theory that the problem of scam voice calls which cross borders will eventually be solved by some form of international traceback. I find this theory to be implausible for multiple reasons.

  • Just because you can trace a call does not mean you can do anything about the people responsible for the call. Everybody knows there are enormous scam compounds in Cambodia and Myanmar; we do not need to trace calls to locate them because the challenge is to find somebody local to the scam compounds with the power and motivation to shut them down. We also know that scammers are making calls using simboxes and mobile networks located inside the USA. Again, the hype surrounding the US Industry Traceback Group does not explain the lack of any regulatory or law enforcement action against the mobile operators who supplied those SIMs, provided service to those simboxes, and pay for the US Industry Traceback Group.
  • Weak or non-existent know-your-customer (KYC) obligations mean criminals remain free to create business fronts that will simply disappear when illegal traffic is linked to them. Only comms providers will be held liable for criminal traffic when no actual criminals can be brought to justice. The simplistic notion of punishing telcos for scam traffic will appeal to politicians and the public but it elides the practical limitations of KYC controls; they create a burden for genuine customers while a sufficiently motivated criminal will still overcome even the most stringent KYC checks. Setting and enforcing KYC expectations is difficult enough in a domestic context as proven by the failures of the US Federal Communications Commission, but it is impossible to set and enforce KYC expectations in an international context. If one country can punish telcos in other countries for not preventing scam traffic then they effectively gain the right to impose KYC obligations on foreign telcos too. Plenty of national authorities will resist attempts to have rules enforced on domestic businesses by foreign agencies, and we are a long way from any realistic prospect of agreeing harmonized global rules for KYC.

The advocates for international traceback will not give up; they stand to profit from its implementation in ways that are unrelated to whether traceback is useful at reducing crime or not. Lobbyists are pushing for some form of initial traceback alliance between rich Western countries. For this alliance to work, each country will need to first implement a domestic traceback solution, then argue they can and should be connected together. The drawbacks to this plan should be obvious to any impartial observer. As a Brit who likes my privacy, I question the benefit of allowing notoriously untrustworthy American government agencies to invent reasons to trace whichever international calls they fancy. Meanwhile, countries that originate many scam calls will not be part of the traceback alliance. Some of the alliance members have already shown they are incapable of taking action against domestic networks that originate scam traffic. But advocates will push on regardless, arguing that eventually all the obstacles will be overcome until they have delivered a genuinely global mechanism for tracing every international call to its origin. They ignore the jurisdiction problem that will inevitably derail these fantasies.

All the chatter between the rich Western countries that give credence to these aspirations relies upon the assumption that members of the alliance will all agree to share data. The initial groundwork has begun through bilateral agreements, and more recently by a five-way agreement between the countries that belong to the Five Eyes intelligence alliance. The rationale is that tracing depends on governments at the origin and termination of a call agreeing to the transfer of intelligence about calls because they both want crime to be stopped. This ignores a crucial requirement for traceback to succeed in its current proposed form.

Lobbyists want traceback not just between the originating telco and terminating telco, but to trace every hop involving every intermediate carrier too. This is vital to encouraging the spread of international traceback beyond the initial Western members of the alliance. If intermediate carriers can be punished for handling scam traffic even when the traffic cannot be traced to its origin then it creates an opportunity to pressure upstream comms providers and upstream countries who have not joined the alliance. The intermediate carriers will be motivated to identify those upstream comms providers and upstream countries that generate most scam traffic, so diplomatic pressure can then be applied in a way that matches pragmatic priorities. However, this means any data sharing will also need to be supported by the jurisdictions of every intermediate carrier between originating and terminating members of the alliance. If those intermediate jurisdictions do not support the sharing of intelligence then traceback falls into a black hole because of routing, even if the traffic originated and terminated in countries that belong to the alliance.

This is why the example at the beginning of this article is pertinent. The average politician, lawyer or member of the public may not appreciate it, but there has always been lots of zany routing of international traffic. Even traffic between one mainland US city and another mainland US city can be routed via China, never mind the myriad routes that may be used between cities on different continents. Anyone assuming that a UK-US bilateral agreement is sufficient to authorize the exchange of hop-by-hop tracing data for all calls between the UK and US is wrong. They are not only wrong, but they threaten to create an incentive for traffic to be deliberately routed through other countries just to defeat a simplistic approach to traceback. This is an analogous problem to scammers successfully circumventing STIR/SHAKEN in the USA by sending traffic along non-IP routes that cannot support SHAKEN signatures carried in the form of SIP signals, an obvious weakness that policymakers have ignored because it is politically inconvenient.

There are two ways to defuse this jurisdictional issue involving intermediate businesses in intermediate countries.

  1. Abandon the needless obsession with tracing calls through every intermediate hop. It should be obvious that a plan built on a bilateral legal agreement between a country that originates a call and a country that terminates a call would best be served by a technology that only involves the relevant businesses in those two countries, and not by a technology that necessarily involves every business along the route between those two countries. It would be cheap and easy to construct an out-of-band mechanism that directly exchanges verification data between the originating and terminating telcos. The data exchange would be independent of the routing of the call. The only significant challenge involves synchronizing the flow of the verification data with the execution of the call, but this is a minor technological headache compared to the diplomatic challenge of persuading China to submit to the data gathering demands of the USA. However, the lobbyists will oppose such a straightforward remedy for reasons outlined below.
  2. Donald Trump takes over every country that does not want to share data. And if that seems ludicrous, consider the probability that governments hostile to the USA will hand over their data just because some telco nerds asked them for it. The bulk of the US reports about their attempts to perform international tracebacks showed how little success they were getting by asking for data, until the point when they decided not to publish those reports because they were so embarrassing. They struggled to get traceback data from Germany, never mind countries which are hostile to the West.

Sadly, the leading lobbyists for international traceback are low quality American lawyers, which is why they will simply ignore inconvenient truths about the laws of countries they cannot influence. Equally sadly, they will persist with their plan for three reasons.

  1. International traceback is a distraction from anti-scam initiatives they previously supported which failed.
  2. International traceback is a distraction from useful controls, such as enhanced KYC obligations, that would reduce scams but which their paymasters want to avoid.
  3. International traceback is an excuse to engineer revenue-generating opportunities from international telemarketing services that would present data to consumers about the businesses which phone them.

I warned in 2020 that American advocates of STIR/SHAKEN would fail to deliver on their promises because their plan for reducing scam calls was not realistic about international relations. Five years have passed and the zombie plan stumbles onward, now under the guise of international traceback. It continues to suffer from the same facile reasoning about international relations. We might imagine the benefits of living in a world where Donald Trump, Xi Jinping, Narendra Modi, Lula da Silva, Bola Tinubu and Vladimir Putin all joined hands and agreed to work together to stop crime, but that is not the world we live in. The number of ordinary Nigerians who care about implementing intelligence-sharing systems just to appease American policymakers may be even less than the number of American readers of this article who recognized the name of Bola Tinubu, the President of Nigeria, the world’s sixth-most populous country and a place often associated with scam activity.

Our fundamental issue with tackling international scams is that solutions need to be cheap and effective to have any chance of spreading worldwide but most of the lobbying is done by rich Westerners who propose solutions designed to serve corporate interests. I would be pleased to see a Nigerian involved in the design of international traceback but there is no sign of that happening. We are instead stuck with the same small thought processes by the same small group of people. A lack of diversity encourages groupthink. Agreements between countries that consider themselves to be victims of crime will accomplish nothing if the goal is to tackle crime that originates elsewhere. More lateral thinking is required if we are to attain more rapid progress but such thinking also poses a threat to those with an interest in maintaining the status quo. So perhaps another five years will need to be wasted before the comms industry can reach a consensus around the reasons why international traceback also failed to deliver on its promises.

Eric Priezkalns
http://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
