The battle to reduce illegal robocalls is going poorly in the USA. It makes uncomfortable reading for some American professionals, but they will find it difficult to argue with the following.
- Insiders estimate that the US telecoms industry has collectively spent around half a billion dollars on measures designed to reduce robocalls.
- The latest data from the YouMail Robocall Index shows that the number of robocalls received in the USA during March has risen back to the levels experienced before the FCC made STIR/SHAKEN a mandatory component of the anti-robocall operations of every large US telco.
- Half a billion dollars for a negligible reduction in the number of robocalls represents a terrible use of money, though supporters of the current approach are blinding themselves to reality by arguing critics of the US strategy want perfection to be the enemy of the good.
The chief problem with the US approach is so fundamental that it is almost impossible to address. The architects of the strategy are listening to the wrong people. If the US comms regulator, the Federal Communications Commission (FCC), keeps relying upon the advice of the wrong people then they will keep making bad decisions based upon that advice. Or to put it another way, if the waste of half a billion dollars does not motivate them to seek new advisors, then nothing will. The FCC passively relies on businesses and other organizations to tell them how to solve the issue of robocalling, which effectively means they spend most of their time listening to those who can afford to put most effort into lobbying.
I like data as much as any sane person should like data. However, the most widespread and damaging mistake in telecoms risk management is to become so obsessed with creating, collating and analyzing data that you ignore your inability to effect any meaningful change as a consequence of playing with all that data. Unlike China, which aggressively goes after telecoms fraudsters wherever they are located, the US government lacks the political will to arrest and imprison even those scammers who live in the USA. They hence favor lobbyists who insist robocalls would be reduced if more data was gathered to identify robocalls. They demand a growing number of telcos gather and act upon this data. They want punishment for telcos who fail to collect and act upon this data. However, the failure to reduce robocalls has very little to do with gathering data. Those fraudsters caught using the methods already available to US authorities typically receive huge fines that are never paid because the fraudsters will shut down the businesses held liable and pretend to be bankrupt. They remain out of prison, and so they are free to set up another business that repeats the same scams. Is it not obvious that the lack of any meaningful punishment or deterrent for those criminals that create robocalls should be addressed before seeking to find ways to criminalize intermediary telcos that carry their traffic?
If you follow the debate closely enough, you can see a grouping of lobbyists who all want to focus blame on legitimate carriers in the belief they are not doing enough to block robocalls. This argument has some merit. However, the lobbyists go too far, and they ignore other failings that lie elsewhere. The merit of their argument is undermined by the refusal to address the root cause of crime. If a drunk driver kills a pedestrian we punish the driver, not the car manufacturer for failing to make a car that is drunk-proof. When a burglar smashes a window to gain entry into a house we punish the burglar, not the manufacturers of the glass because they did not make stronger windows. A cabal of US lobbyists want to place all the emphasis on forcing intermediary carriers to block more traffic, with no regard for the dangers that some carriers may respond by blocking legitimate traffic, or will raise prices to compensate for the increased risk and burden whenever they carry traffic that is destined for the USA.
Meanwhile, nothing is said by this group about imposing meaningful penalties on the criminals who are the root cause of robocalls, even though this issue was repeatedly raised by Jessica Rosenworcel prior to her appointment as the Chairwoman of the FCC. It was easy for Rosenworcel to talk about necessary change when her political opponents were in the ascendency. There has been no mention of delivering more effective punishment of robocallers since Rosenworcel obtained the top job. Talk is cheap, and US politicians lack the resolution to change a legal system that treats multi-million-dollar fraudsters as a trifling nuisance instead of handling them like the economic terrorists they really are.
One of the lobbyists driving this unhealthy crusade against intermediary telcos is ZipDX, a peculiar company that repeatedly insists it knows how to end robocalls even though their entire business model is based on selling conference call solutions. You may remember ZipDX as the company that accused international wholesale carrier BICS of showing “disregard for the sanctity” of US phone networks. ZipDX compensates for a lack of diplomatic skills with a surfeit of amateurish enthusiasm for their cause. That cause is sadly shared by many other lobbyists in this arena. Their collective goal is to find new ways to bash intermediary telcos to distract from the lack of punishment for the criminals that make the illegal robocalls in the first place. A recent presentation that was given by ZipDX to a large number of FCC lawyers helps to illustrate how misguided this lobbying can be.
ZipDX’s most recent presentation to the FCC is entitled “What Must We Do to Prevent Illegal Robocalling?”, though it has literally nothing to say about most of the methods that might be used to mitigate illegal robocalling. It focuses blame on intermediate carriers, which might be convenient if the FCC chooses to ignore the half billion dollars already spent on mitigating robocalls.
The presentation opens with a slide that lists some of the worst robocall scammers identified in recent years. That slide does not list the amount of prison time served by these fraudsters. Can you guess why? The presentation then goes on to argue that the reason the problem persists is because carriers generate annual revenues of USD75mn from illegal robocalls. To maintain perspective, let me reiterate that the US industry collectively spent half a billion dollars on tackling robocalls. It has been repeatedly stated that an individual telco might spend upwards of ten million dollars on implementing anti-robocall technology mandated by the FCC. But after all that money was spent, apparently nobody anticipated the need to make a lot of other telcos spend more on call blocking whilst turning away customers. Perhaps if the US legal system was capable of putting robocallers behind bars then it would protect consumers and save some money at the same time.
ZipDX then argues it is necessary to make illegal robocalling less financially attractive to comms providers. But fraudsters work inside a system where the disreputable businessmen who originate illegal robocalls can just shut down, create a new business front, and open up again. If disreputable businessmen who are the source of illegal robocalls can clone their criminal schemes then so could the disreputable businessmen offering to carry those illegal robocalls. Such weak enforcement only leads to change amongst fundamentally honest businesses, not the real crooks who are to blame for the majority of robocalls. An effective legal system does not find it so hard to punish wrongdoing. My main argument with ZipDX and the other fantasists in their camp is they seek to ingratiate themselves with failing public authorities by pretending it will always be easy for the private sector to discriminate between good traffic and bad traffic, and that telcos are simply choosing not to do so. They might as well argue that the US legal system simply chooses not to deal with determined organized criminals, but that argument will curry less favor with the politicians running the FCC.
Whatever arguments are put forward by ZipDX and their ilk, they all ignore how criminals become very good at disguising bad traffic as soon as somebody gives them a motive to do so. That much should already be obvious from one of the most telling failures of the existing US robocall strategy. Within months of its adoption, the three-tier attestation system for STIR/SHAKEN was corrupted by scammers who achieved B- and C-grade attestations for their bad traffic. They were so successful at getting STIR/SHAKEN authentication for bad traffic that calls which receive a B-grade or C-grade attestation are three times more likely to be robocalls than calls which receive no attestation whatsoever.
The frequency with which fraud managers say they play ‘cat and mouse’ or ‘whac-a-mole’ with fraudsters leads me to sometimes grow tired of these clichés. However, if we accept the fundamental truth that organized criminals change their methods to avoid detection, why would we ever endorse some trite argument about the ease with which fraud can be detected based on the data currently available? The whole point of the cat-and-mouse/whac-a-mole metaphor is to explain how it can be easy to identify the criminal until you try to catch them. Nevertheless, ZipDX are not alone in presenting stupidly simplistic arguments about identifying patterns in fraudulent traffic. According to them, illegal robocall traffic is characterized by:
- Low Average Call Duration (under 60 seconds, vs. 3+ minutes for conversational calling)
- > 95% of calls shorter than a minute (vs. 50% for conversational calling)
That makes it sound simple to identify fraudulent traffic and to do something about it. It sounds so simple that I wonder why ZipDX contradicted a statment they made in a different FCC submission, dated just a few weeks earlier, that “typical conversational call traffic has more than 40% of the calls lasting more than a minute”. This makes me believe these round number estimates are not derived from any real data seen by ZipDX, but are the kinds of figures that people bandy around when they want to sound important but are not taking any real responsibility for anything.
I have never seen much corporate data from US telcos, but I was surprised at seeing an estimate which says the average call duration is over 3 minutes. Perhaps this is true for most US telcos, but it is dangerous to assume it always holds true. For many years I worked in finance departments and needed to be able to quickly estimate the financial impact of even small changes to the duration of calls, such as changing the way the duration was rounded. This meant I needed to apply rules of thumb to perform the calculations in my head. After looking at the data, the rule of thumb I adopted earlier in my career was that an average call lasted 90 seconds, though later in my career the weight of subsequent data led me to change my rule of thumb to 2 minutes. I would be very surprised if ZipDX has methodically determined that there are no telcos where the average call duration falls between 60 seconds and 3 minutes, even though they present this as a fact derived from empirical observation.
When it comes to calculating the mean average of durations, it is apparent that some calls will go on for hours, though showing the true length may require some effort if several partial CDRs are created for a single call. But there are also many short calls, as exemplified by the high proportion of calls which are forwarded to voicemail. There will be fraudsters whose traffic profile is so heavily skewed towards short calls that it becomes obvious that the traffic is illegal but I do not believe the world can be so simply divided between legal and illegal traffic profiles in the way ZipDX is pretending. I struggle to understand any of the lobbyists who claim all robocalls are incredibly short when presumably robocalls are at least as likely to be redirected to voicemail as other calls, and so will not always be ended by the intervention of a phone user.
However, let us indulge ZipDX’s conceit by assuming we can currently discriminate between wholly legitimate and wholly illegitimate traffic profiles. ZipDX’s argument hinges on the belief that it is impossible for the fraudster to close the gap between these profiles, perhaps by blurring the two kinds of traffic together. For example, they say conversational traffic must have an average duration of more than 2 minutes. Obviously I find this stipulation impossible to reconcile with my experience of working for big telcos during an era when there were no robocalls but the average duration of real traffic was often less than 2 minutes.
ZipDX then demand that carriers should know if they are carrying any traffic originated by a machine, and if they are, they must vet all their traffic. This is the realm of pure fantasy. First, I look forward to illustrating how this cannot be policed in practice by programming a computer to make a few calls on my behalf, using a regular phone line, and then waiting to see how any telco involved in handling those calls can claim to know that all my calls must be ‘conversational’ in nature just because they checked their duration. If I can do this at a small scale then criminals will test how far they can scale up this approach without being detected. Second, if I can bleed automated traffic into a stream that also includes real traffic, then so can any carrier. And if any carrier can do that, then how is the next carrier in the custodial chain supposed to identify the naughtiness of the carrier that came before them? ZipDX only offers crude tolerances to distinguish between good and bad traffic, which means any carrier is placed in an impossible position if they received traffic from a carrier that has already blended good with bad.
Though they only present the flimsiest maths to back their conceits, ZipDX say carriers should adopt a ‘zero tolerance’ approach to fraud, which is essentially an insult to every carrier that already does their best to stop fraud. I can imagine fraud would be a lot easier to detect and prevent if fraudsters always behaved in the conveniently stupid way that ZipDX says they do. Even so, ZipDX insist their crude methods could never be gamed in practice.
- Example Robocaller makes 500,000 calls daily
- Average call duration of 12 seconds
- Total connect time = 100K minutes
- Concerned about ACD [Average Call Duration] metric
- He tries to hold calls up longer, but recipients still hang up
- ACD goes to 30 seconds; connect time = 250K minutes
- He hunts for other traffic to blend with his robocalls
- 100,000 calls @ 9.5 minutes each adds 950K minutes (VERY difficult)
- Now his ACD is (950K+250K minutes) / (500K+100K calls) = 2 minutes
- His costs have gone from $200/day to $2,400/day (@ $0.002/min)
This is like a red rag to a bull, when it comes to distinguishing between people who have a genuine security mindset and nincompoops who think they have found a foolproof way to always win at whac-a-mole. Let us see if you and I can come up with a few ways of winning a game where ZipDX says they cannot possibly be beaten.
- The first and most essential mistake is ZipDX believe fraudsters want people to hang up quickly to keep the cost of the average call down. This is nonsense. Fraudsters do not make calls because they want people to hang up as soon as possible (unless they are wangiri fraudsters, and they are irrelevant because they always hang up first). Scammers actually want people to listen to the recorded message. Some of them use robocalls as a preface to connecting the victim to a person working in their call center. Some of those frauds then involve keeping victims on the line for many hours whilst the scammer harangues them into transferring money.
- Suppose the fraudster cannot keep people on the line for fraudulent traffic for more than 12 seconds but he works inside a corrupt or negligent carrier that allows the fraudster to blend those calls with real traffic. If the average conversational call really does have a duration of 3 minutes then just 900,000 real calls would need to be added to the mix to satisfy the 2-minute threshold. This has not increased anyone’s cost because the traffic is real and has been paid for by legitimate customers.
- Suppose the fraudster wants to increase the average but has no access to real calls to blend with their own. There are still plenty of other frauds that permit criminals to make calls without paying for them. A fraudster willing to commit one kind of fraud will be open to committing other types of fraud as well. Then the fraudster just needs to make 7,628 calls that each have a two-hour duration to raise his 12-second average duration to a 2-minute average duration. Somebody with the equipment to make 50,000 automated calls a day is not going to struggle to make another 7,628 calls a day. They will not pay for these calls, and may set up equipment so the calls are terminated on numbers they control, meaning they decide the duration from both ends.
- Does it make a difference if a victim listens to a recorded message when the robocall is placed, or listens to the recording via their voicemail at a later time? If the fraudster does not care either way, then there are tricks to force calls to go straight to voicemail. The maximum length of a voicemail varies, but most permit messages that last longer than 2 minutes.
I am sure an experienced fraud manager can think of a dozen other ways to game the laughably crude methods proposed by ZipDX. But mostly their method is hokum because it assumes fraudsters are not trying to communicate with their victims, and the main issue is to keep operating costs down. The whole point of making the call is to communicate something to the victim, and this represents a direct contradiction of ZipDX’s assumption that fraudsters will never succeed in keeping victims on the line for longer.
What should really upset competent risk professionals is that ZipDX was given not one but two separate opportunities to present this same ridiculous technique to the FCC. Were the FCC lawyers who saw the presentation on the first occasion so weak at their job that they could not tell the presentation was garbage? Are FCC employees given so little real work that more than a dozen of them ultimately chose to devote time to listening to this low-data flatulence?
And then there is the other reason this ZipDX analysis must fall apart. Everything about the US approach is predicated on telcos blocking bad traffic. The consultation that ZipDX was nominally responding to was about intermediary carriers being forced to block traffic. As soon as one carrier blocks any traffic, then the profile of the traffic received by the next carrier changes. The next telco does not receive any calls blocked by the previous telco. So why are all these examples written as if a telco must see all the illegitimate traffic created by each source? That could only be true if the traffic originated on the telco’s network, or if no other telco before them has done any blocking whatsoever. In real life there is a potential overlay of one blocking algorithm over another blocking algorithm over a third blocking algorithm and so on, where all these blocking algorithms could potentially halt the same call. Lobbyists offering purely theoretical examples may insist it is easy to identify fraud by examining all the calls that fraudsters make, but fraudsters also have tolerances, and they will accept some calls being blocked so long as others get through.
If it was so easy to spot fraudulent traffic patterns in practice then there would be no reason to compel intermediate telcos to do anything. The terminating network in the USA would also be able to identify each batch of fraudulent calls. They fail to do so because they lack sufficient data to reliably distinguish the bad from the good. But the mathematical complexity of the challenge faced by the terminating network could be replicated for any intermediate carrier, because there is no upper limit on the number of telcos that might have carried that traffic beforehand. So when it comes to the lobbyists insisting intermediaries should find it easy to block bad traffic, whilst acceding that the same task is impossibly hard for terminating networks, they only reveal their own poor understanding of the maths of complexity. Perhaps this explains why they only offer simplistic mathematical examples that assume fraudsters are too stupid to work around the crude controls these lobbyists propose.
Contrary to what some people say, I believe there is a silver bullet for fraud: severe punishments for fraudsters. I am not proposing more multi-million dollar fines that nobody expects the fraudsters to pay anyway. It would be better to put some fraudsters into a stinking prison for thirty years and then observe how much this will deter others. It is often said these people cause billions of dollars of economic damage, and they typically cause hurt and distress to the most vulnerable members of society. If that is really true, then why be squeamish about giving them long prison sentences? The same fraudsters would not be treated so kindly if they were caught ripping off Chinese phone users instead of ripping off US phone users. Some may argue I am wrong; the deterrence effect may not be as great as I suppose. Perhaps so, but we will not know until we collect some real-life data. It would make a refreshing change if a country that spent half a billion dollars on failing to solve a $75mn crime experimented with punishing the actual criminals it catches.