Has the UK Regulator Just Ordered the Blocking of Foreign Scam Calls?

No, they have not, but this story is worth telling anyway. This is a story about why you should not trust misinformation spread on social networks, even if it originates from a source like the BBC, and how the motives for spreading misinformation can be disguised as concern for the public good.

On Monday the BBC tweeted that Ofcom, the UK comms regulator, issued a new ‘order’ to British telcos that requires them to block scam calls which originate overseas. BBC News jumped on to this bandwagon in response to an article in this Sunday’s Telegraph that claimed to offer an ‘exclusive’ about ‘landmark’ plans to block calls. Whilst such stories will interest millions of people who receive scam calls, the result is that a lot of people have been misled, and this effect has been amplified by social networks like LinkedIn. It is easier to create misinformation than to correct it, but we can start by identifying an especially poor choice of words by one of the journalists that works for BBC News.

The word ‘order’ is used even though there has been no actual order. Ofcom is not a Mafia don that can call a secret meeting of gangland bosses and then verbally instruct them on how to behave. Ofcom’s orders have to be written, which means they use specific words that people can check and double-check. And that means that any vagueness in the choice of words leads to a lot of pushback from telcos who otherwise cannot tell what they have been ordered to do. The actual BBC article uses much softer language, such as the regulator ‘asking’ for things to be done to reduce spam. However, the BBC used the word ‘order’ in the original headline for the article that was published to the web, before realizing their mistake and correcting it several hours later (but without stating that any correction has occurred). The original misuse of the word ‘order’ can be found here.

That journalists want to turn a request into a demand shows how they maximize sales and eyeballs by portraying telcos as bad actors that need to be controlled by governments and regulators. A more balanced story about businesses working with government to solve common problems would generate less interest, as these journalists fully appreciate. That is why they always use the most divisive choice of words that they believe they can justify. It is also worth remembering that news media continues to suffer a rapid decline because the internet means the world no longer needs thousands of unreliable middlemen distributing information when only one or two good (or bad) news outlets are enough to satisfy most people.

The foundation of this trumped-up story is that conversations occur between regulators and telcos on a regular basis, and some of them relate to the treatment of spam and fraudulent calls and messages. This is not news, even if the Telegraph wrongly pretends they have an ‘exclusive’ story. Any journalist who did a few minutes of background research would find references and mentions of conversations about mitigating spam and fraud in publications by Ofcom and by the other participants in those conversations. And if an actual instruction was issued by Ofcom then it would be impossible for a single newspaper like the Telegraph to run an exclusive story when any such instruction must already have been put into the public domain by Ofcom.

Anybody who reads Commsrisk on a regular basis will already know that Ofcom is considering whether to tackle voice spam through the adoption of STIR/SHAKEN, the US-devised protocol that can identify spoofed CLIs. That story was published in April, and draws upon what has publicly been stated by Richard Shockey, an American consultant who advises the FCC and is known to have met with Ofcom, and by the contents of Ofcom’s plan of work for 2021/22. So instead of being an exclusive, the Telegraph’s ‘milestone’ update reflects nothing more than a continuation of conversations that any real expert would recognize as ongoing. The law in the UK requires Ofcom to engage in a public consultation before making decisions of the type that the Telegraph implies have already been made. I am a cynic about how much respect Ofcom pays to the consultation process, but even I believe decisions are not final until a public consultation has been scheduled and completed!

It is a sign of the poor quality of the research performed by the Telegraph and BBC that they both confused the potential for increased blocking with the potential to implement STIR/SHAKEN. The following quote is taken from the BBC’s article.

The Sunday Telegraph, which first reported the story, cited Whitehall sources that have cast doubt on Ofcom’s plans.

They say blocking traffic from foreign VoIP providers will not work to stop scam texts and calls, because much of the UK still relies on old copper-based networks dating back to the 1970s.

The second sentence is factually incorrect, and probably not because of any mistake made by ‘Whitehall sources’. If the journalists understood what they were writing about they would know that using copper in a network has nothing to do with the general issue of whether it is possible to identify calls that should be blocked. They have latched on to the word ‘copper’ because of a confusion surrounding the specific use of STIR/SHAKEN as a possible way to identify some calls that could be blocked.

Telcos are broadly capable of identifying a mismatch between the use of a UK CLI and the arrival of an inbound call using a foreign route. They can do this irrespective of whether the call has been carried across ‘copper’, which is the journalist’s flawed way of referring to a TDM network, or if the call has only been carried by IP networks. Looking for these mismatches is the basis of the current Australian approach to blocking spam calls. It makes perfect sense for the UK regulator to consider emulating the approach Australia has taken, which appears to be enjoying considerable success. This is entirely separate from a different question, which is whether it is worth implementing some version of STIR/SHAKEN in order to authenticate a call’s CLI. The problem with STIR/SHAKEN is that it will not work unless IP networks are used to handle the call from its origin to its destination, but the UK only has a target of becoming all-IP by 2025. This explains the garbled comment about ‘Whitehall sources’ doubting some aspects of possible plans to tackle scam calls.

There are so many confusions and errors in the way the BBC and Telegraph wrote their stories that it is worth repeating some important distinctions that these journalists lack the experience or understanding to identify and explain to the public.

  • The methods used to determine if a call is spam are distinct from the methods used to block calls. You can have one without the other. Calls from a certain source could be indiscriminately blocked, or they might be selectively blocked according to some rules or analytical principles. Calls can be identified as spam without being blocked, as occurs when a US consumer receives a STIR/SHAKEN warning on their handset that says an incoming call is likely to be spam.
  • Some spam calls have spoofed CLIs, but not all do. It is not known if tackling the issue of spoofed CLIs will reduce the number of calls originated by spammers, or whether they will revert to making spam calls where the CLI is not spoofed. One way to perform the equivalent of neighbor spoofing would involve fraudulently obtaining SIM cards whose associated numbers reflect the country or region whose numbers would otherwise be spoofed.
  • STIR/SHAKEN may accurately identify spoofed CLIs for calls that begin and end within a single country, but nobody has worked out how to apply the method to international calls. To do that requires cross-border agreement about how to implement the technology and who is trusted to manage it.
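The mismatch check described earlier (a UK CLI arriving on a foreign route) and the first distinction in the list above, that identifying a call is separate from deciding how to treat it, can be sketched as follows. This is an added example, not code from Ofcom, the NICC or any operator; the trunk labels, verdict names, the exemption list (for instance for subscribers roaming abroad) and the treatment of bare national-format numbers as UK numbers are all assumptions, and the sample calls are constructed.

```python
import re

UK_CC = "44"

def to_e164_digits(cli):
    """Normalise a presented CLI to country-code-first digits, or None."""
    s = re.sub(r"[^\d+]", "", cli or "")
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    elif s.startswith("0"):
        s = UK_CC + s[1:]  # assumption: bare national format means a UK number
    return s if s.isdigit() and 7 <= len(s) <= 15 else None

def identify(cli, ingress, exempt_prefixes=()):
    """Identification only: return a verdict and take no action.
    ingress is 'international' or 'domestic' (hypothetical trunk labels)."""
    digits = to_e164_digits(cli)
    if digits is None:
        return "invalid_cli"
    if ingress == "international" and digits.startswith(UK_CC):
        if any(digits.startswith(p) for p in exempt_prefixes):
            return "uk_cli_foreign_route_exempt"
        return "uk_cli_foreign_route"
    return "no_mismatch"

def treat(verdict, policy):
    """Treatment is a separate decision: block, label or allow."""
    return policy.get(verdict, "allow")

# Two hypothetical policies applied to the same verdicts.
BLOCKING = {"uk_cli_foreign_route": "block", "invalid_cli": "block"}
LABELLING = {"uk_cli_foreign_route": "label", "invalid_cli": "label"}

SAMPLE_CALLS = [  # constructed records: (presented CLI, ingress route)
    ("+44 20 7946 0123", "international"),
    ("020 7946 0123", "domestic"),
    ("0033 1 99 00 12 34", "international"),
    ("07700 900123", "international"),
    ("", "international"),
]

def run(policy, exempt_prefixes=("447",)):
    """Apply identification, then the chosen treatment, to each sample call."""
    return [treat(identify(c, i, exempt_prefixes), policy) for c, i in SAMPLE_CALLS]
```

Neither function looks at whether the call crossed TDM or IP networks, and removing the exemption turns the fourth call into a blocked one, which is where the overblocking risk sits.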

It is unfortunate that no-one seems to be in a position to tell these journalists how misinformed their articles are. I occasionally speak to journalists, and whilst some are good and make an effort to listen, others only listen to the parts they want to hear. Some of the latter journalists also choose peculiar so-called experts to comment on their stories. It is telling that the original version of the BBC article dwells far longer on the ‘experts’ who provided quotes for the article, only for their contribution to be severely cut just a few hours later. One of these experts discussed quantum encryption, which is as pertinent to the identification of spam voice calls as allowing a doctor to put his finger up your anus because you asked him for a headache pill.

Having spent too long reading articles on the BBC News website, it is clear to me that the BBC’s approach to finding experts in this field is akin to looking for someone to comment on the hunting of polar bears amongst the indigenous tribes of the Amazon rainforest. Some will know something about hunting animals in general, and one of them may have spoken to somebody who spoke to somebody else who once hunted a polar bear, but none are so expert that they can tell the BBC the names of any real experts.

Given the terrible quality of the BBC’s original article, which could only be partially saved by the severe edits it later received, I do not believe this news story was prompted by any of the topics that the story claims to be about. It was not prompted by the NICC, a UK network industry body, developing guidance on the blocking of international calls, because that is not new. It was not prompted by an Ofcom mandarin trying to deflect criticism or secure praise by exaggerating their influence because that is not new either. My guess is that this story is prompted by North American businesses wanting to generate pressure for the adoption of STIR/SHAKEN in the UK.

The roll-out of STIR/SHAKEN in the US has been a massive money generator for its suppliers but that wave has already peaked and is in decline. When a business enjoys such a surge of revenues, it does not want to stop receiving them. The only way to maintain the flow of money is to create new waves of business from other countries, though only at a measured pace. If all countries adopted STIR/SHAKEN at the same time then lots of other vendors would necessarily be sucked into the market, diluting it for the North American vendors who currently have most experience at delivering STIR/SHAKEN.

The ideal strategy for vendors would involve rolling out STIR/SHAKEN to new countries in an orderly sequence. That is why American consultants like Richard Shockey openly talk about the UK and Australia being next in line for STIR/SHAKEN. Why not focus on other countries first, such as the many Caribbean countries whose international dial code is also +1, because they belong to the North American Numbering Plan? Or why not concentrate on Mexico and Latin America, where there is likely to be lots of cross-border voice traffic that seeks to defraud Spanish speakers living in the USA? The reason for that would be those other countries are not as rich as Australia and the UK, and because North American vendors mostly employ people who speak English.

The UK must avoid being rushed into committing to an expensive program like STIR/SHAKEN. The longer the UK waits, the more data it can obtain from the US experience. The USA is the first country to make STIR/SHAKEN mandatory, though only after a long series of delays caused by technical glitches and problems with administration. Independent measures of spam have hardly changed since all the major US networks adopted STIR/SHAKEN, whilst the FCC has again found itself imposing new rules and deadlines, withdrawing them, rewriting them and then proposing completely new rules to reduce spam. The latest data shows that some categories of calls certified using STIR/SHAKEN are more likely to be spam than calls that cannot be certified because they passed over TDM networks. It makes no sense for other countries to rush to copy the US approach if the US regulator is still struggling to work out how to reduce spam several months after the adoption of its flagship anti-spam technology.

It is likely that many STIR/SHAKEN vendors are nervous about the future. Investors may have spent heavily on developing STIR/SHAKEN in the belief it will be adopted worldwide. The longer it takes them to sell STIR/SHAKEN to a new country outside of North America, and the longer those measures of US spam remain stubbornly high, the harder it will be for regulators like Ofcom to argue that the benefits of STIR/SHAKEN outweigh the enormous cost. Perhaps this explains why the public is being targeted by a marketing campaign that presents a deliberately confused picture about the ways spam can be reduced. It might also explain why some ‘Whitehall sources’ are briefing journalists against STIR/SHAKEN.

There are a few reasons to be optimistic about the future use of STIR-style digital certificates to authenticate calls, and so identify spam, whilst simultaneously rejecting much of the SHAKEN-style administration that makes it so difficult to effectively use those digital certificates across borders. Bodies like the GSMA are sniffing around this problem and may find a way to decentralize administration so STIR can be adopted more cheaply and gradually whilst delivering reductions in international spam sooner. Businesses like 1Route take a flexible stance which emphasizes the prospect of making STIR/SHAKEN interoperable with different paradigms for spam identification and prevention, so countries help each other without being forced into the same technological straitjacket.

Given how long it took the USA to turn STIR/SHAKEN from a blueprint into a working reality, and given how much it is now scrabbling to redraft the blueprint because the plans are not working as well as expected, it will take time for bodies like the GSMA, businesses like 1Route, and regulators in multiple countries to come together to agree foolproof ways to block traffic that avoid the serious danger that overblocking will interrupt genuine communications too. Journalists never seem to mention this danger in current articles, but they will not hesitate to write about overblocking if it begins to affect the first and second-generation immigrant communities who are most likely to suffer as a result. And whilst headlines about excess spam hurt telcos now, I dread to think what would happen to the reputation of telcos if they were accused of racial bias in the choice of calls they block.

Everyone should ask themselves a simple question whenever they read a news story about risks, frauds and security for phone and internet services: was the story written by a journalist or analyst with a relevant track record, like Brian Krebs, Edward Finegold or Patrick Donegan? Or was it written by some no-name journalist that churns out new articles on such a wide range of subjects that they never gain more than a superficial understanding of the topic? Risk managers should be conscious that work can be complicated and humans are fallible. It follows that they should anticipate mistakes and simplifications in the reporting of complicated issues like the search for effective ways to reduce spam. Humans are always fallible, but they tend to grow more fallible when somebody stands to generate a profit from mistaken decisions. Commsrisk has a long history of reporting on news stories that have been manipulated by governments and businesses across the world. Just because a story comes from a source like the BBC is no reason for anyone to let their guard down.

Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.