If you are reading this, you probably work for a telco, but that telco might be anywhere in the world. You are unlikely to know anything about Arkansas, a US state with a population of 3 million situated toward the south of mainland USA. You may mispronounce the name of this state; say Arr-can-saw not Arr-cans-ASS. Inhabitants refer to Arkansas as ‘the natural state’ because of the extent and beauty of its wilderness, as pictured above, but Arkansas is not home to many important technology businesses, so you may be surprised to be reading about Arkansas’ contribution to global telecoms law. The reason you need to know about Arkansas is because they passed a law to reduce robocalling in 2019, and it is likely that your telco, irrespective of where it is in the world, has been breaking that law ever since.
Senate Bill 514 amended Arkansas Code Title 5, Chapter 63, Subchapter 2, to add section 5-63-205, which includes the following clause:
It is unlawful for a person, in connection with a telecommunications service, to cause a caller identification service to transmit misleading or inaccurate caller identification information unless the person has verified that the caller has a right to use the name and the phone number displayed.
You may be tempted to assume this law only applies to businesses in Arkansas. If you do that, you are wrong. However ridiculous it may seem to you, Arkansas has passed a law which applies to businesses everywhere. Their state prosecutors could potentially seek punishment for anyone that violates their law, with no restriction based on location. All that matters is whether the phone calls were destined for Arkansas. Any telephony provider could potentially violate this law, unless they have decided not to handle any calls made to Arkansas numbers.
If you look at the detail of this law, it is apparent that it was written by politicians who have no idea about how telecoms providers should meet their obligations. They made it unlawful to transmit misleading or inaccurate information unless you know the caller has the right to use the number.
- If the caller has the right to use a number, then how could it ever be misleading or inaccurate for them to use it? The twisted wording of this law makes it seem to be about bad people attempting to mislead people, when really the law is about telcos being forced to check who has the ‘right’ to make every call.
- Why does the law refer to misleading or inaccurate information? Is it possible to mislead people with accurate information? Misleading information is a subset of inaccurate information, so if you prohibit inaccurate information you have already prohibited misleading information. Politicians keep referring to deception to avoid focus on the real result, which is to force telcos to authenticate every call.
- The transmission of the information is unlawful unless the CLI has been checked and it has been shown the person using it also has the right to use it. But taken as a whole, only a tiny fraction of all global calls could be said to meet this requirement. Telcos, in actual practice, routinely pass on the CLI they receive without doing any check about who has the right to use that CLI. Most of the time they are not even capable of performing a check.
- The vast majority of US telephone calls violate this requirement to check who has the right to use a CLI. You will have heard that US federal regulations have made STIR/SHAKEN mandatory for IP networks operated by larger US telcos, but this Arkansas law was passed a full two years before STIR/SHAKEN was made to work in practice. STIR/SHAKEN means a kind of certificate may be attached to a call to show where it has come from, but it is not mandatory for non-IP networks, largely because of the difficulty of making it work. Approximately three-quarters of all phone calls originating in the USA are still not checked using STIR/SHAKEN, or any other method.
It is possible that my interpretation of this law is completely wrong. I am not a lawyer; are you? Even if you are a lawyer, how much do you know about Arkansas law? Lawyers know not to make assumptions. Arkansas can pass laws about robocalls, California can pass laws about privacy, and Portland can pass laws about facial recognition, and all of them can have implications for businesses anywhere in the world, if those businesses infringe the new rights created for Arkansians, Californians and Portlandians. The risk lies not in the specifics of each separate law, but in the impossibility of knowing every law you may be breaking.
In this world there are people who are honest and realistic, and there are people who will say they honestly believe total nonsense because the law/their bosses/the government/their friends and family want them to say they believe in nonsense. We can also split the world between people who only have experience of the country and culture into which they were born, and people who have travelled widely and appreciate the different cultures found in different places. My next few assertions are written for realists who appreciate that cultures vary. I have no interest in debating with people who choose to ignore reality or who know so little about the world that they assume there is only one global mono-culture.
People within the USA generally treat laws like this Arkansas law as being a serious attempt to protect consumers. They expect these laws will be widely respected.
People outside of the USA, in most other countries in this world, treat laws like this Arkansas law as a joke. They will ignore them. In fact, an unusually high number of Commsrisk readers will have ignored this article because the title refers to the ‘Arkansas Anti-Robocall Law’.
It should not be hard to explain to an American why other cultures laugh at laws like this. Imagine if we interviewed the average Arkansan and asked them if they spend any time ensuring they respect the laws of Lesotho (population 2 million), Mongolia (population 3 million) or Croatia (population 4 million). But those are actual countries, with passports and armies and seats at the United Nations. Many US businesses do not even respect the laws of the European Union (population 447 million), as confirmed by news about new privacy violations almost every week and my own battles with the champions of the US telecoms industry. Businesses in the USA have been systematically ignoring European data protection laws for the last 20 years, despite generating enormous revenues by selling products and services to residents of the European Union.
Proponents of STIR/SHAKEN will argue it is in the interest of foreign telcos to comply with US federal law and regulations because following these rules will reduce the risk they will be punished. However, competent and impartial lawyers for these foreign telcos – the kinds of people I have worked with in the past – will privately warn that the opposite may be true. If you start to acknowledge a need to comply with US federal requirements, but then fail to satisfy all of them in practice, you have opened the door to more punishment than if you ignored US law completely. For example, adding your telco’s details to the Robocall Mitigation Database maintained by the FCC, the US comms regulator, may mean they can no longer punish your telco for not being listed in the database, but only at the risk that your telco is much more likely to be punished for other non-compliances with obligations imposed at both federal and state level.
The attorneys working for Arkansas and other states almost certainly lack the competence to build a case about a foreign telco failing to perform adequate checks of the accuracy of a CLI, but they would be able to capitalize on any work done at a federal level, such as reusing information your business has volunteered to the FCC about your efforts to reduce robocalls. States attorneys would capitalize by imposing their own additional penalties. As much as you may be tempted to laugh off the fact that Arkansas passed this law, and as much as you may think you can ignore its requirements, the real danger is that you do not know the size of the penalties Arkansas has written into law. The penalties imposed by states could be much worse than penalties imposed at a federal level. Perhaps you should get your telco’s lawyers to check the detail of Arkansas law because breaking their anti-robocall laws is considered a ‘class D felony’, a category that can result in prison sentences of up to 6 years.
Some of you have spent a lot of 2021 speaking to your lawyers about whether your telco needs to comply with US federal laws and regulations, and what specifically needs to be done in order to comply. You will have undoubtedly expressed some frustration that these rules are vague, or impossible to follow in practice, or unrealistic, or keep being changed, or all of the above. But I would be surprised if any lawyer in any non-US telco has bothered to check Arkansas law. All the talk about US federal law and regulation may mislead you into believing you know more about complying with US law than you really do. The truth is that trying to comply with rules written at a federal level makes businesses more likely to be targeted for failing to comply with separate laws created by each state – and there are 50 states in total. If you feel that learning about federal anti-robocall rules is a burden, consider the need to research the rules imposed by 50 individual US states, with none of them needing to be consistent with federal rules. After all, Arkansas passed their laws two years in advance of when any US telco had worked out how to implement technology that might satisfy their law.
The worst part about needing to check the laws of 50 states is that nobody maintains a list of states that do not have laws. You might think I exaggerate the legal minefield because not every state will have passed an anti-robocall law. But do you know how many have? I do not. My guess is that nobody actually knows, because nobody has ever reviewed the laws of all 50 states. Arkansas has an anti-robocall law, as does New Jersey, but suppose you cannot find an anti-robocall law when checking the statutes for a third state. Does that mean they have no law, and your business is not at risk? Or does it mean your search was incomplete and you failed to identify the relevant in that state? To put it another way, how much is your business prepared to spend on engaging American lawyers just to learn which state laws you need to comply with?
The truest sign that the US has a serious problem with inconsistent enforcement of the law comes from an FCC press release that praises efforts to reduce inconsistency and increase cooperation between state and federal agencies. No such press release would be needed if state and federal law were aligned to begin with. The progress boasted about is troubling meager: ‘partnership agreements’ have been signed by just 16 states in total.
FCC Chairwoman Jessica Rosenworcel today welcomed the newest state law enforcement leaders to the agency’s ever-growing list of robocalling partnerships, and applauded the State Attorneys General of Colorado, North Carolina, and Tennessee for their ongoing efforts to help facilitate more states and territories to build similar robocalling partnerships with the FCC. The FCC today announced it had also signed new robocall enforcement MOUs with Colorado and Vermont, which brings the total of state-federal partnerships to 16 with the goal of extending this level of collaboration to every state and territory…
“Protecting consumers from robocall and spoofing scams is an everyday challenge for local, state, and federal law enforcement. By sharing information and closely cooperating on investigations, we can better protect consumers everywhere,” said Chairwoman Rosenworcel.
For a country that spends a lot of time blaming foreigners for robocalls, it is remarkable that the federal comms regular considers itself proactive because it has signed outline agreements to coordinate robocall law enforcement with one-third of the states within the country’s borders.
The European Union has many flaws, but the basis of their approach to data protection illustrates why the US constitution makes the USA fundamentally unfit to impose rules over international communication when many businesses will be motivated to break those rules. Even with a population of 447 million, the EU knows that businesses located elsewhere may feel entitled to violate the personal data of EU residents. The EU has minimized the burden on foreign businesses, and hence minimized the excuses for non-compliance, by harmonizing data protection law across their 27 member countries. Harmonization is not easy, nor has it been quick. The biggest story in data protection is that Ireland’s data protection regulator, which oversees the majority of big US businesses providing internet-based services in the EU, keeps taking a radically different interpretation of those rules than other European regulators. But at least the EU is trying to be fair to everyone. They have presented to businesses around the world a consistent set of rules to follow. They have a mechanism to deliver consistency in their application. This is in sharp contrast to way the US functions as a country of 50 states.
Even if the US federal government had the will to pass a single set of anti-robocall laws and prevent states from passing contradictory laws, the attempt could easily lead to years of fighting about whether the federal government can curtail the rights of those individual states. This is not just an academic theory. Individual states can fight federal control on topics as fundamental as whether a woman may have an abortion, or as banal as whether car drivers must obtain insurance, or as divisive as restrictions on who may use which public toilet.
The USA also suffers from long legal battles about nationwide laws that may or may not conflict with other nationwide laws. The United States Supreme Court had to rule about the constitutionality of a federal anti-robocall law as recently as 2020, and there was a 7-to-2 split in the decision by the judges. The majority concluded that a 2015 law about robocalls was unconstitutional… though presumably businesses in 2015 thought they could rely upon that law. Protracted legal wrangling between states and federal government, and between various courts tasked with reviewing various laws, is not a bug in the US constitution. Prolonged wrangling over inconsistent laws and inconsistent interpretations of laws is a feature of how the US constitution operates.
The US model of government, with its many laws, many states, many courts, and time-consuming way of handling disagreements between them, is unsuited to the task of coordinating the consistent application of rules for modern networked activities that occur across all borders. Nobody urging the rapid worldwide adoption of the US approach to robocalling – whether they work for the Federal Communications Commission, a vendor that supplied STIR/SHAKEN, or a US telco – is willing to discuss these critical problems with the way the USA is governed. They may prefer to talk about technology, but human beings will remain ultimately responsible for every call that is blocked. Proponents of STIR/SHAKEN keep skirting around this topic but you cannot set up technology to identify calls that deserve to be blocked without some human being deciding the difference between a call that deserves to be blocked and a call that does not deserve to be blocked. Much of the approach taken to STIR/SHAKEN seems to be designed to obfuscate which human beings are responsible for making those decisions and who they answer to.
The biggest of the big data businesses are American, but it is the Europeans that have taken the lead with defining good practice for data protection worldwide. Those Europeans are still struggling with this burden 20 years after they began their work. There is no reason to believe the governance of a system that allows literally anybody to call literally anyone else will be resolved more rapidly. Abuses of telephone calls have previously been reined in by the cost of making those calls, but the cost of a phone call has fallen precipitously.
Honest Americans will acknowledge why the US will struggle to lead the world in the arena of protecting consumers from bad business practices. A country that is widely derided for its poor record on data privacy cannot realistically expect to foster international consensus on the operation of the global phone system and rules to prevent its systematic abuse. The passing of different laws in different states shows that the US is not capable of enforcing consensus on how to handle problems of this type even within its borders. Or if you think my analysis is flawed, then I wish you good luck with your hunt for a resource that will reliably inform you of the next time the Arkansas State Legislature decides to amend Subchapter 2 of Chapter 63 of Code Title 5.