‘Foreign Evil Actors’ vs Network ‘Sanctity’: Fevered Response to Latest US Robocall Consultation

The divide between the USA and the rest of the world on how to tackle nuisance robocalls has been blown wide open by a string of strongly-worded responses to proposals to impose US law on international carriers via a back door. The Federal Communications Commission (FCC), the US regulator, has implied they could punish and cut off telcos that receive traffic from foreign carriers which do not comply with rules like those already imposed within the USA. For example, carriers sending US telcos traffic destined for numbers in the North American Numbering Plan would have to file an anti-robocall plan in an FCC database and implement STIR/SHAKEN, a protocol for authenticating the CLI of phone calls. The development of STIR/SHAKEN fell way behind schedule, its US rollout proved to be more expensive than many had hoped, and it has still not been made to work in practice for calls conveyed by a non-IP network. However, some responses to the latest FCC consultation resorted to language that maligned foreigners and demanded that the USA adopt more aggressive policies in order to protect Americans.

BICS, one of the largest international wholesale carriers, was singled out for criticism by ZipDX, a business which submitted two failed bids for the contract to perform all traceback investigations into the origins of spam calls terminating in the USA. ZipDX never had much prospect of being chosen by the FCC’s Enforcement Bureau because the traceback deal was so obviously created for the Industry Traceback Group (ITG) of USTelecom, a US trade association. However, one way ZipDX can boost their future prospects is to suggest they will protect American consumers more forcefully. This is the subtext to why ZipDX used the name of BICS 14 times during a damning submission to the FCC. The lawyers working for BICS made the tactical mistake of submitting their own filing well in advance of the deadline, with the result that it was published online and gave ZipDX the opportunity to use BICS’ words to portray foreign carriers as complacent about fraud.

The Comments of Belgacom International Carrier Services SA (BICS), already filed in this docket, are an illuminating example. BICS explains:

  • “The nature of such traffic is not always clear and obvious to gateway and intermediate providers as they are not the traffic originators.” (page 1)
  • “[Gateway and intermediate providers] have no details on the traffic origination” (page 1)
  • “[T]he nature of the traffic … is not always known to the gateway and intermediate providers” (page 1)
  • “Gateway providers are not aware of the traffic origination nor the nature of the traffic.” (page 1)
  • “[W]e cannot guarantee though that BICS sending parties will also collaborate with Traceback requests as they will be obliged by their local legislations, regulations and contractual provisions.” (page 2)
  • “[G]ateway providers are unable, in most cases, to determine the origin and nature of each and every calls (as explained above).” (page 2)
  • “[Gateway providers] do not know the origin of the calls and that they do not know the nature of the traffic.” (page 3)

This is at the crux of our problem. BICS’ comments are not extraordinary; they align with what we know from speaking with numerous gateway, intermediate and foreign providers involved in illegal robocalling. They often know very little about their customers and their customers’ traffic.

It is only in recent years that anyone has suggested businesses should know a lot more about customers than the address to send bills and whether those bills were paid. Should postal services check who buys stamps and should social media networks ban anonymous users? Modern concerns about controlling who has access to communications do not reflect traditional expectations for how services should be made universally available. BICS’ comments reflect plain facts but ZipDX adopted a religious tone during their sermon.

With this lack of knowledge, they cannot know if their customer is operating as an originator, an intermediate provider, or an end-user for any given call, and thus they cannot know what role they are serving as the next provider in line. They only know that they are getting paid to funnel traffic into the USA telephone network and profiting from that activity. It should come as no surprise that with this level of disregard for the sanctity of our network, we face a never-ending barrage of unwanted calls.

An informed outsider might reasonably observe that the ‘sanctity’ of US telephony has long been undermined by choices already made by Americans. For example, US politicians and their supporters were responsible for approximately 10 percent of robocalls received by Americans during 2020; the US has chosen to make this behavior legal, even if voters dislike it. Nevertheless, ZipDX went on to further insinuate that BICS may be guilty of breaking US law by failing to provide accurate information to the FCC’s Robocall Mitigation Database (RMD).

BICS has certified in the RMD under penalty of perjury that it has a partial STIR/SHAKEN implementation, and yet it does not appear on the Policy Administrator’s list of authorized providers.

It was telling that ZipDX suggested telcos choose to serve every possible customer, when they might make more enquiries and be more selective about who they deal with. In reality, telcos have often been forced to make their services available to other businesses whether they liked to or not. This is because of concerns that telco behavior may otherwise be monopolistic. A failure to appreciate that other countries also have laws that determine who gains access to telecoms services will fatally undermine US attempts to impose their own rules more widely.

As BICS points out, many providers choose to know very little about their customers. It is easy to ask a new prospect, “You are a telecom provider, aren’t you?” and be satisfied with a “Yes, I guess so” even if they suspect the prospect is really an end-user call-center or outright fraudster.

ZipDX went on to suggest that the current implementation of STIR/SHAKEN is fundamentally flawed because fraudsters are able to attain the highest A-grade of attestation for their calls under a system that is supposed to prevent the misuse of originating telephone numbers.

Rogue callers acquire thousands – or even tens of thousands – of telephone numbers so that they can place calls with A-level attestation. This makes their scam calls appear authentic, which is the exact opposite of the framework’s objective.

Professor A. Michael Noll of the University of Southern California, who describes himself as a former advisor to the White House and a former engineer at Bell Labs, was even more critical of STIR/SHAKEN.

Based on the number of spoofed robo-calls I get each day, STIR-SHAKEN has failed. STIR-SHAKEN seems complex. Complex solutions never work, and certainly are ignored and subverted by evil actors.

Professor Noll went on to characterize robocalls as a national security issue on a par with terrorism.

These robo-telemarketers are terrorizing Americans — particularly elders…

Strong actions are required. More responsibility should be placed on our telecommunication providers to halt this abuse of service from foreign evil actors…

…the FCC should seek the advice and assistance of our national security agencies in stopping the abuse in order to restore the security and trust of our telecommunication network.

A trend becomes apparent whilst sorting through the responses to this consultation.

  • Foreign carriers consistently explained the limits of what they could do to mitigate robocalls.
  • Americans that know little about foreign telcos demanded tougher action.
  • US businesses that serve both the US and foreign markets keep expressing their support for the FCC but play down what can be accomplished in practice.

USTelecom, the association which won the right to trace robocalls, has relatively low expectations of STIR/SHAKEN and wants more foreign telcos to be forced to file robocall mitigation plans with the FCC instead. They argued STIR/SHAKEN will fail to deliver results with foreign carriers because it costs too much and delivers too little.

…any marginal benefit that a gateway provider attestation requirement could bring in mitigating illegal robocalls would in no way cover the substantial costs – up to eight figures for some providers – to deploy the upgrades necessary to do so. The upgrade process is more than just expensive: Replacing and updating existing gateway infrastructure to add capabilities to sign traffic would involve multiple years of complex project management activity. The thousands of person-hours required for the effort would be far better deployed for other projects that could bring far more meaningful protections to consumers.

The viability of STIR/SHAKEN would differ if it was implemented by telcos in a country for the benefit of phone users in the same country. However, the US-led plan for rolling out STIR/SHAKEN failed to anticipate the risk that other countries might not want to spend heavily if the only beneficiaries live somewhere else. That is why USTelecom places more emphasis on the second major aspect of the US robocalling strategy: demanding that telcos devise and implement their own anti-robocall plans.

…the Commission should focus on new measures that will effectively and efficiently enhance the Commission’s existing Robocall Mitigation Database (“RMD”) approach and empower the Commission and industry to police providers. In particular, the Commission should streamline and enhance its approach to the RMD by closing the intermediate provider loophole and requiring that all providers, regardless of their role in the call path and whether or not they have implemented STIR/SHAKEN, implement a robocall mitigation program. In particular, as part of their robocall mitigation programs, intermediate providers should be expected to accept traffic only from other providers in the RMD. Enhancing the Commission’s existing RMD approach – combined with active auditing of deficient database entries and aggressive and rapid enforcement – will help to foment trusted full call paths without causing unnecessary confusion and leaving opportunities for gamesmanship as a focus just on gateway providers would.

USTelecom then draw the correct inference that a plan focused on RMD filings would need to be backed by enforcement. This is perfectly true, but they may not have noticed this kind of initiative would have one major downside for the FCC: they would have to spend a lot of money on enforcement, and all of that cost would be borne by Americans.

…the Commission should – informed by industry traceback results – actively audit the database to ensure that foreign service providers that are indirectly sending traffic to the United States through intermediate foreign providers are adhering to their RMD commitments. It should then actively take appropriate action (including industry notification) to remove any registrant that does not comply with that registrant’s certification. The need to ensure compliance with RMD obligations are administrative and investigative functions the Commission itself must perform.

It was no surprise that iconectiv, the business which effectively oversees the operation of STIR/SHAKEN in the USA, and which would like to play a similar role in other countries, argued there is relatively little foreign carriers can do to stop robocalls unless they have implemented STIR/SHAKEN or a similar protocol. Contrary to USTelecom, iconectiv continues to describe scenarios where the underlying assumption is that STIR/SHAKEN – or a rival authentication technology – will need to be adopted by a majority of countries.

iconectiv understands that traffic paths between a foreign originator and the U.S. are highly dynamic, often multi-hop, and depend on congestion levels, balance of trade requirements, costs, etc. Therefore, a gateway provider is very unlikely to have a contractual or customer relationship covering all calls from foreign service providers or foreign call originators. Absent call authentication, which would clearly identify the originator, it would also be very challenging to know which originator contract applies to any traffic not directly connected to a gateway provider.

This analysis is fair, but does nothing to explain why anyone believes STIR/SHAKEN will be adopted universally, and thus able to provide the coverage needed to authenticate all calls ending in the USA. The need to expand coverage is the reason why the FCC wants to impose STIR/SHAKEN on intermediate carriers. The weakness of US efforts to engage with the rest of the world on a common plan to reduce nuisance calls was central to comments made by the Cellular Telecommunications Industry Association (CTIA), a US association representing mobile operators.

…to help encourage foreign providers to engage in robocall abatement, the Commission should also educate its foreign government counterparts on efforts to protect consumers from robocalls and encourage regulators abroad to promote foreign provider participation in robocall mitigation and the Commission’s RMD. Such education should include the importance of supporting cooperation on traceback requests, consistent with the Commission’s existing robocall framework. The Commission should update the public and industry stakeholders on its efforts to educate foreign stakeholders and the status of their engagement. Given that domestic voice service providers can only rely on the registrations and certifications in the RMD when accepting voice traffic, such outreach by the Commission will be critical to achieving the agency’s goals of increased certifications by foreign providers in the RMD prior to implementing the foreign provider prohibition.

Much can be learned by reading through the detail of all the submissions made to the FCC about applying anti-robocall rules to foreign telcos, but a lot can also be learned by observing who did not respond. The GSMA continues to work on adaptations of the US approach which they hope to market to GSMA members, but once again chose not to publicly engage with an important FCC consultation. The i3forum responded to the FCC on behalf of wholesale carriers that belong to their association, but this contrasts with the GLF, which says it wants international carriers to demonstrate their commitment to fighting fraud but is showing no leadership when it comes to robocalls. The recommendations of the i3forum were consistent with the advice submitted by BICS and iBasis, but some big foreign telcos with substantial wholesale carrier operations did not respond to the FCC’s proposals.

The US is several years and half a billion dollars into a plan that could only ever work if it received widespread international support. Obviously calls can originate within the same country as they terminate, or they may originate abroad. The US government and the FCC chose a path that involved implementing technology that only currently works on IP networks, only works if implemented end-to-end, and which could only be legally forced upon US telcos. They succeeded in persuading Canada to align themselves to the US approach. However, no other country chose to follow the plan.

Even if US methods proved effective at preventing robocalls from originating within the country – which currently does not seem to be the case – the inevitable result would be that more robocalls would be instigated elsewhere to compensate. Yet we have reached the current situation with none of the major players in the US industry or government having articulated any plausible explanation for why foreign telcos would want to follow their lead. There is no diplomatic outreach, no meaningful conversations with associations of telcos based outside of the USA, and no incentives offered. There is a lot of talk about ‘the industry’ and ‘international associations’ but when you scrape the surface you only find evidence of a conversation that exclusively involved inhabitants of North America. It beggars belief that none had the acumen or cultural sensitivity to recognize this was a recipe for failure.

Some of the leaders of the US telecoms industry have left it very late to call for ‘education’ of the rest of the world; soliciting the support of other countries should have occurred at the same time as hundreds of millions of dollars were spent on STIR/SHAKEN. This is why the FCC has increased the amount it talks about punishments for telcos that fail to comply with its rules. Enforcement is crucial, but the US position is far weaker than any of its proponents care to admit. This also explains why some would prefer to pivot towards the easier option of compiling a database of robocall mitigation plans, though nobody has stipulated what these plans should contain as a minimum.

There are almost 200 countries in the world, and calls can be made to the USA from any of those countries. The US has only persuaded one other country to follow its lead so far. There are vague hopes that a few others may still copy the US approach. Yet when the US suggests that staff be employed to respond to their traceback requests within 24 hours, no regard is paid to the total cost for smaller telcos if every country decided to impose the same burden. And how keen would US telcos be to respond to demands from China or Russia or Saudi Arabia to provide information about the source of calls that seemingly originated in the USA? It is fanciful to believe that the US can enforce its rules in an environment like this. Laws can be imposed when most would abide by them anyway. The US has adopted a strategy where the outcome suits the US, but failed to identify any convincing reason why others would also benefit from it.

The history of network fraud and abuse shows why it is so difficult to coordinate effective action between separate companies in separate countries. I found it hard enough when working for international telecoms groups where each operating company supposedly had to answer to the group head office! A good idea can be scuppered by a local law, or by the deliberate misinterpretation of a local law. A plan is only as good as the people who are tasked with implementing it. And woe betide anyone who thinks they can override differences in culture. As somebody who likes Americans without being blind to the clash between their culture and other cultures, I have two pieces of advice. You must first concentrate on making friends before you make threats. And if you cannot think of reasons why people would want to follow your lead, then nobody else will either.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.