Suppose you registered to watch a webinar about voice spam. Would you be happy if you learned that your email address had been made easily available to any spammers that wanted it?
SIP Forum, the organizers of the SIPNOC 2020 series of webinars, added the email address of every registrant for those webinars to a single mailing list maintained via a web interface. These webinars were held in early December, and the subject was STIR/SHAKEN, the US technical protocols for preventing the spoofing of caller IDs, and hence for reducing voice call spam. As a consequence, the SIPNOC 2020 webinars attracted registrations from a large number of network and security specialists working for telcos, vendors and regulators. They may have appreciated that they would likely receive marketing emails from the sponsors of the event, including Diamond sponsors Bandwidth, iconectiv, Neustar and Somos. What they probably did not realize is that anyone who has been added to that email list can visit a URL where they can see their email listed alongside every other participant’s email.
A considerable number registered for the webinars using non-corporate email addresses, such as Gmail or Yahoo. This illustrates why it is easy for spammers to grab the email address of everybody who registered. They merely needed to create any email address, perhaps with a misleading name, and then use it to register for the webinars, whilst knowing that nobody scrutinizes the list to see if registrants have a genuine interest in the topic. Having gained access to the list, that person could then copy it and sell it, or add it to a larger list, or use it to spam their victims as they please.
I learned about this list because I received a spammy marketing email that was nominally from Marc Robins, Managing Director of SIP Forum, but which was actually an advert for another company. Having become aware of the existence of the list used to send the email, which is managed online with GNU free software, it required no special knowledge to gain access as a user. Each email address is also a username for that user’s account. Within a few clicks I used my privileges as a user to locate the page showing all other emails on the list. It then took a few more minutes to copy-paste the entire list to my computer, parse the information, and hence create a file that could be fed into any mass-email marketing system. To illustrate my point, the following table shows the ten most common domains amongst those email addresses.
| Domain | Count | Notes |
|---|---|---|
| gmail.com | 91 | personal email addresses |
| bandwidth.com | 54 | Diamond sponsor |
| cable.comcast.com | 34 | |
| team.neustar | 34 | Diamond sponsor |
| iconectiv.com | 31 | Diamond sponsor |
| somos.com | 30 | Diamond sponsor |
| verizon.com | 29 | Platinum sponsor |
| firstorion.com | 28 | Silver sponsor |
| att.com | 25 | AT&T; Gold sponsor | rbbn.com | 23 | Ribbon; Platinum sponsor |
As you can see, most of the biggest contingents came from the businesses sponsoring this event. Vendors looking to sell STIR/SHAKEN comfortably outnumbered those which might consider buying it, but some other interesting and surprising organizations also listened in. These included: 15 registrations from the FCC, who made STIR/SHAKEN mandatory in the USA; three from the US Department of Homeland Security; two from the FBI; three from Russian operator Megafon; two from the New York Department of State; two from the GSMA; one from the bankers at Wells Fargo; one from Salesforce; four from Canadian regulator CRTC; two from UK regulator Ofcom; and 12 from BT, who must currently lead the betting for which telco from outside North America will be first to buy STIR/SHAKEN. There were very few registrations from telcos to the South of the US border, but more than enough to violate GDPR privacy laws across Europe, as European privacy law applies whenever an organization provides services to residents of most European countries, even if the organization is based elsewhere and the services are free.
These lax privacy controls means it would be easy for me to contact all 1,693 participants directly, but then I might be breaking the same GDPR laws that the SIP Forum has almost certainly broken. I wrote to Marc Robins, Managing Director of the SIP Forum instead; you can see the letter at the bottom of this article. In that letter I outlined why it is likely that the SIP Forum has broken European laws by failing to implement appropriate measures to safeguard the personal data of residents of relevant European countries. I also gave Robins time to respond before publishing this but there has been no reply.
There is a better way of running the telecoms industry, that does not tolerate every cheap and tacky way of making a quick buck. It speaks to the dysfunction of the electronic communications industry that so much money should be spent on managing a glorified conference call, without a penny being spent on securing the privacy of those taking part. In my association, the Risk & Assurance Group, we have run online conferences seen all around the planet, and we are currently running the third season of our weekly live streaming interview shows, but we reach massive audiences without taking a single email address.
Our community suffers from a woefully lax attitude to privacy, and I believe this influences the poor performance of telcos who then disrespect the privacy of their customers. There is no good reason why telecoms professionals must be plagued by email spam from faceless salesmen just because they want to hear an employee of a regulator explain how they will enforce their rules, or hear a lawyer from a telco say they do not know how to interpret those rules, or hear yet another salesman claim that everything they sell is really, really good. Any idiot can broadcast a Zoom call to the whole world for free, and I am one of the idiots who has proven that is true. We do not need to line the pockets of abusive and wasteful middlemen who pretend they are essential gatekeepers of information, only to allow them to treat our personal data like dirt.
