French Telcos Are Breaking the Law Today, and STIR/SHAKEN Is to Blame

What is the difference between a law you can enforce, because it is possible for people to comply with it, and a law you cannot enforce, because it is not possible for anybody to comply with it? The law is often personified as a stern-faced lady with a confidence in her own abilities that borders on the religious. These ladies leave no room for doubt, and in the strictest legal sense, there is no difference between a law that people can obey and a law that people cannot obey. The law is the law. You can be punished for breaking the law even if it is was impossible for you to do otherwise. The law does not have to be fair. But if we stop acting like lawyers, most sane people would agree that a law which people cannot obey must be a bad law. This mental exercise of how we should treat laws that cannot be obeyed is no mere hypothetical thought experiment. It gets exemplified in practice with increasing frequency, and a common example involves governments mandating the implementation of a new technology that does not currently exist. They may want it to exist. They may have been told it can be developed. But passing the law does not make the technology exist. There is no better illustration of this than laws designed to force the implementation of STIR/SHAKEN, a combination of anti-spoofing technologies and governance protocols which does exist, but which does not deliver the results that its advocates have promised.

All that is needed for the passing of an impossible law is that the government frames a law based upon the results that must be realized, even though there is no actual way to realize them. And that is why France now has a law, which is nominally enforceable today, but which cannot be enforced because nobody in France is capable of complying with it. Here is what French law 2020-901 literally states, followed by my machine-assisted translation into English. The following words have been incorporated into section V of Article 44 of France’s code for postal and electronic communications.

Les opérateurs sont tenus de veiller à l’authenticité des numéros issus du plan de numérotation établi par l’autorité lorsqu’ils sont utilisés comme identifiant d’appelant pour les appels et messages reçus par leurs clients utilisateurs finals.

Operators are required to ensure the authenticity of numbers from the authority’s numbering plan when they are used as the calling line identity (CLI) for calls and messages received by their end-user customers.

Just because an operator receives a call does not mean they know where the call came from. They can no more ensure the authenticity of calls that used a French phone number then I can ensure the authenticity of postage marks on an envelope that was shoved through my letter box. STIR/SHAKEN has been promoted as a method to provide that missing knowledge for voice calls, but one pre-condition of delivering that knowledge is that the comms provider which originated the call must have implemented STIR/SHAKEN. If they have not, perhaps because they are not subject to French law, there is nothing the receiving telco can do about it.

Les opérateurs utilisent un dispositif d’authentification permettant de confirmer l’authenticité des appels et messages utilisant un numéro issu du plan de numérotation établi par l’autorité comme identifiant d’appelant.

Operators use an authentication device to confirm the authenticity of calls and messages that use a CLI from the authority’s numbering plan.

This sentence does not really add anything to the requirement imposed by the previous sentence. All it shows is that French legislators thought the goal of ensuring the authenticity of a call’s origin could only be satisfied by using some kind of dispositif/device. So when they passed this law in July 2020, they were acting under the belief that this dispositif/device would be constructed by the deadline they chose.

Les opérateurs veillent à l’interopérabilité des dispositifs d’authentification mis en œuvre. A cette fin, la mise en œuvre par chaque opérateur du dispositif d’authentification de l’identifiant de l’appelant peut s’appuyer sur des spécifications techniques élaborées de façon commune par les opérateurs.

The operators ensure the interoperability of the authentication devices implemented. To this end, the implementation by each operator of the CLI authentication device can be based on technical specifications drawn up jointly by the operators. The operator interrupts the routing of the call or message when the authentication device is not used or when it does not confirm the authenticity of a call or message intended for one of its end-user customers or passing through its network.

Let us look at the two aspects of this requirement very closely. Suppose it was possible to invent a magic device that could satisfy the previous requirements without being interoperable. Why would we care about interoperability? We would have already achieved the real goal, which is protecting consumers from spoofed calls. Interoperability is only a means to an end. In other words, the writers of this law were already aware of the fact that their intended dispositif/device would only work if it is implemented on a reciprocal basis. A and B telcos would need to have interoperable systems because each will be in situations where they depend on the other to perform authentication of calls that begin with one telco and end with the other telco. It is almost as if somebody told them STIR/SHAKEN only works if interoperable. All of this is logically fine, except that it ignores the obvious problem that there are very many telcos which are not subject to French law.

Now look at the second demand. If a call is not authenticated using the French-approved dispositif/device then the law says the call must be filtered. Here is the essence of why French telcos are now all breaking the law. They cannot possibly authenticate the origin of very many calls they receive. If they followed the law as worded so far, then every single outbound French roamer would be unable to make calls back to France for as long as they remain out of the country because this paragraph says that all of those calls must be filtered.

The next paragraph is very important. It has to be read carefully.

L’autorité définit les conditions dans lesquelles les opérateurs dérogent à l’avant-dernier alinéa du présent V afin de permettre le bon acheminement des appels et messages émis par les utilisateurs finals d’opérateurs mobiles français en situation d’itinérance internationale.

The authority defines the conditions under which operators derogate from the penultimate paragraph of this [section] V in order to allow the proper routing of calls and messages sent by end users of French mobile operators in an international roaming situation.

Put simply, this says the law applies except when this paragraph is used to stipulate that it does not apply. The law does not have to apply to calls made by French outbound roamers. The authors of this law knew there would be problems with creating a dispositif/device that could be forced on foreign telcos in order to provide authentication for international calls, so they constructed a loophole in advance. But the phrasing of their loophole is wrong. It says the loophole can be utilized when there is international roaming. But the loophole is not just required when real customers of French mobile operators are roaming abroad. It is also required to skip the enforcement of these laws when any inbound international call uses a French mobile number.

There is no completely reliable authentication technology that can always tell the difference between a call from an outbound roamer and a call that has been spoofed so that it appears to be from an outbound roamer. The letter of the law says French telcos can be given a derogation for calls made by roamers, but they needed a derogation that could be applied to calls which have been spoofed, and which were not made by roamers. This is the specific place where French legislators screwed up, first by creating a legal obligation that was impossible to satisfy, then by creating a legal loophole which does not correctly match the gap in what the technology can deliver.

Le V de l’article L. 44 du code des postes et des communications électroniques, dans sa rédaction résultant de la présente loi, entre en vigueur trois ans après la promulgation de la présente loi.

[Section] V of article L. 44 of the postal and electronic communications code, in its wording resulting from this law, comes into force three years after the promulgation of this law.

This law is dated July 24, 2020. The three years written into the law have now passed. That is why French telcos have just begun breaking the law, though probably nobody in power has realized that the law is now being broken every single time a call with a CLI that spoofs a French mobile number is connected to a phone user in France.

I imagine the telcos will not be keen to point out the flaw in the law. They already have enough problems because they also needed other exemptions in practice. These exemptions were not written into the law; they have been manifest using the gray process of people in power simply choosing not to use the powers they promised to use. For example, French telcos need an exemption whenever a call is not conveyed over IP networks from end-to-end, because they are trying to use STIR/SHAKEN to comply with the law but STIR/SHAKEN cannot be made to work unless it is implemented across IP networks. French telcos have also received a different form of exemption; they have been told the rules will not be enforced straight away, giving them more time to get their systems working, even though the law specified exactly three years to comply.

Just as happened in the USA and Canada, the deadline that was set by people in power could not be met in practice, not least because the technology that was supposed to satisfy the stated goal is both expensive and fragile. Telcos have been pushed to implement STIR/SHAKEN — an interoperable dispositif/device for authenticating calls — and told to block calls which have not been authenticated using STIR/SHAKEN. But the actual goal should not have been focused on implementing STIR/SHAKEN or an alternative that has the same fundamental design philosophy as STIR/SHAKEN. The focus should have been on protecting consumers from harm, with the understanding this goal can be pursued through controls that are far less complex and which could have been implemented long before today.

If progress in France proceeds in the same fashion as that which occurred in the USA and Canada then we can expect several years of delays and piecemeal fixes to the various broken parts of STIR/SHAKEN whilst the French authorities pretend their law is the reason for slightly more calls being blocked than before. Meanwhile, countries like Ireland, Norway, Finland, Oman, Bahrain and the United Arab Emirates are racing ahead with a far simpler approach that involves blocking spoofed mobile numbers without performing any authentication. Instead of stipulating that authentication is the one and only way to address the problem of spoofed calls, their telcos have been encouraged to perform the inverse of the check that is fundamental to the design of STIR/SHAKEN. Rather than ensuring a call is authentic, those telcos will use a much simpler method to identify if the riskiest calls are inauthentic.

Checking if an inbound international call is inauthentic can be accomplished without the support of any foreign telco. It only requires the exchange of data with other domestic telcos, in the knowledge that they will all be subject to the same national rules. To test an inbound international call that looks like it came from an outbound roamer, all that is needed is to query a source of data that can report if there is a match to the phone number of a user who is actually roaming at present. If the user associated with that number is not roaming, then the call is not authentic and it can be blocked. This process is easier to implement and will protect consumers far sooner as a consequence, but it requires abandoning the core prejudice that has defined STIR/SHAKEN and the strategies pursued by authorities in the USA, Canada and France.

Charles Dickens wrote “the law is a ass — a idiot” in Oliver Twist. The process of making the law has not greatly improved in the 185 years since those words were published. Our current era tries to solve too many problems by passing laws, even when laws are not suited to providing solutions. It is easy for lawyers to write words which insist a problem will be solved in a certain way, even if their chosen solution is not effective. STIR/SHAKEN and laws like those found in France appeal to people who want the appearance of certainty: all calls will be authenticated or they will be blocked. But what happens when the authentication technology cannot really ensure a call is authentic, and suffers from lots of drawbacks, leaving only incomplete protection? The result is the mess we have in three of the world’s richest economies. A proposition that sounded like definitive protection when stated in words will give Americans, Canadians and French far less protection in real life. Nobody would suggest the inverse control being implemented in Ireland, Norway, Finland, Oman, Bahrain and the United Arab Emirates will be perfect, but a practical control that eliminates 99 percent of a problem today is better than a theory about how to get 100 percent perfection at some unknown point in the future. Laws are suited to the language of absolutes; what we can accomplish in the real world is usually a lot messier and imperfect.

The fundamental thesis of STIR/SHAKEN is flawed. The world will never see a uniform agreement on how to authenticate all calls. But we do not need uniform agreement to begin implementing sensible checks that will stop many inauthentic calls. That is why we should prefer methods that would soon deliver measurable reductions in nuisance calls over pie-in-the-sky theorizing about a global authentication framework. Anyone who fails to understand why will be doomed to pick through the flaws in the laws and regulations that have to be passed just to begin the impossible task of building their temple of authentication.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.