‘The US and UK are using a technology called SHAKEN-STIRRED that would dramatically reduce scam calls. Why aren’t we using it?’
These words preface an opinion piece by Hugh Bradlow that was published in Australia’s Brisbane Times on December 19. It seems peculiar that the good people of Brisbane (population 2.5 million) need to be told about one highly-specific and little-understood combination of telecoms technologies and governance rules by an Emeritus Professor from the University of Wollongong (1,000km south of Brisbane). Brisbanites might instead have appreciated a more general and nuanced review of all the methods Australia has already adopted to reduce scam calls, and of other methods still being considered. But even if you think the general public really needs to know more about STIR/SHAKEN, I hope every reader of Commsrisk can agree on one specific point about this article: the claim that the UK has implemented STIR/SHAKEN is an inexcusable lie.
To recap, the UK has not even completed part one of a supposed two-part public consultation on whether STIR/SHAKEN might be adopted in future. The UK regulator, Ofcom, first mooted the adoption of STIR/SHAKEN in 2021 but the chances of that happening have steadily fallen over time because other countries — including Australia — are massively reducing the number of scam calls without STIR/SHAKEN. This means there is very little prospect that the method will ever be used to address the majority of scam calls that are transmitted across international borders. But even if the UK regulator’s plan was adopted in the form it was originally written, by an unashamed American lobbyist who was previously employed by one of the leading vendors of STIR/SHAKEN, there would still be no intention to have it operational in the UK before 2025. This is because of the rate at which the UK is transitioning to the IP networks that are a prerequisite for transmitting the digital signatures which are essential to STIR/SHAKEN.
Bradlow also used to be the Chief Technology Officer of Telstra. He spent 6 years as President of the Australian Academy of Technology and Engineering. He should understand how networks function by now. He can read what regulators publish, especially when their output is published in his native language. So what possible excuse can there be for linking his name to a barefaced lie about the implementation of STIR/SHAKEN in the UK, other than Bradlow and his publishers expect that nobody in Brisbane knows enough to challenge them?
This falsehood rankles because I have heard it so often, even though it is easy to disprove. I have heard it spoken at conferences for experts within the telecoms industry. I have seen it repeated on email threads exchanged by such people. I have felt the need to interrupt presentations that reiterated this claim. Each time the lie was stated as fact without any evidence to support it, because there is no evidence to support it, by people who do not even live or work in Britain. This is the first time I have seen the lie so brazenly repeated in print, but I struggle to believe that so many people from disparate countries each independently formed a false impression about the UK. Nobody in the UK is under the illusion that STIR/SHAKEN has been implemented already, so somebody must be responsible for spreading this lie. But when confronted, nobody will admit where they first heard it.
Regular readers will know how often I criticize journalists who lazily repeat press releases from comms providers, regulators and vendors without the slightest attempt to verify the accuracy of their contents. But this misinformation from the Brisbane Times is much worse. A quick search of the UK regulator’s website would have revealed the claim to be false. Moreover, this assertion is not some mere error caused by being too trusting of a press release. This statement is a pure fabrication not supported by any document that has any claim to authority in this domain. Whatever Bradlow’s motives for exaggerating the benefits that STIR/SHAKEN has delivered in other countries, the Brisbane Times has shamed itself by repeating a lie.
We should expect high standards from Bradlow. He is on the board of various companies. He is feted as an industry thought leader. His most recent post on LinkedIn was about curbing misinformation. His final job title at Telstra described him as a ‘scientist’. Put simply, when he says things then others will believe him. But his article for the Brisbane Times presents all the usual canards beloved by STIR/SHAKEN salesmen and fanboys. For example, Bradlow refers to the problem of scam calls originating in overseas call centers, but neglects to mention that Australia is a world leader in blocking spoofed calls from outside the country, and that STIR/SHAKEN is useless if it has not been implemented at the origin of a call.
Blocking bad international calls is central to the strategy of the Australian Communications and Media Authority (ACMA). They deserve credit for signs of a dramatic reduction in scam calls and text messages, especially over the last two years. But this is how Bradlow chooses to twist the facts to make it seem like the ACMA’s strategy is failing:
‘ACMA and Australian telcos have been quick to claim how successful this plan has been, noting millions of calls have been blocked before reaching Australian customers. But from a user perspective, the number of blocked calls is of little interest if it is dwarfed by the number of calls that get through, which according to ACMA data is in the billions.’
Bradlow has no data to support the claim that the number of calls being blocked is ‘dwarfed’ by the number of bad calls that are still being connected. I know this because if such data existed then I would have seen it and would be writing articles about it. The ACMA’s data suggests the opposite: far more scam calls are being blocked than are being connected. But Bradlow has to hype up the problem in Australia to justify the second element of the STIR/SHAKEN myth: that the USA is now a paradise because of how few illegal calls remain.
‘Contrasting the Australian government’s approach to that of the United States, a stark difference can be found.’
I give Bradlow some credit for the deviousness of this sentence, because his words are misleading without being untrue. The approach being taken in the USA is different to that in Australia. The USA has STIR/SHAKEN, Australia does not. Australia blocks inbound international calls that spoof a domestic number, the USA does not. But saying the USA has a different approach is not the same as saying the USA has a better approach. The preface of the article promises STIR/SHAKEN would ‘dramatically reduce scam calls’ but Bradlow hedges his bets when it comes to justifying the enormous expenditure that would be required to implement STIR/SHAKEN in Australia.
‘Of course, this technology is not a silver bullet. Scammers will always find a way around measures, even sophisticated ones.’
Note the telltale words that always seem to be on the lips of everyone demanding enormous amounts of money be spent on STIR/SHAKEN: ‘not a silver bullet’. Regular readers of Commsrisk appreciate how often these words get repeated, also by people in vastly different countries, who are all supposedly independent experts, and all thinking for themselves. It was over a year ago that I charted how US businesses keep repeating this phrase in their international marketing of STIR/SHAKEN. If these so-called experts have independently formed their opinions, why do they always copy the language of marketeers verbatim? Did Bradlow pen this article, or is he just acting as the front for a ghostwriter?
If Bradlow was impartial he would have examined the data from the USA and concluded that they are doing a far worse job of reducing scam calls than Australia is. It is the USA which has a problem with the number of blocked calls being ‘dwarfed’ by the number of bad calls still being connected. But Bradlow can get away with perpetuating the urban legends surrounding STIR/SHAKEN because public debate in the USA is stuck in a rut. All of the leading US experts supported the adoption of STIR/SHAKEN so they are now all compelled to find contrived justifications for the dismal results delivered since. They have to find excuses because they cannot admit they were complicit in making excessive promises to the US public in order to bolster support for half a billion US dollars spent on implementing STIR/SHAKEN. This money has been very much wasted because it distracted from more important improvements that were needed first, and which could have reduced the number of scam calls prior to the implementation of STIR/SHAKEN, such as the enforcement of rigorous know-your-customer checks.
In November 2018, the architects of STIR/SHAKEN predicted a ‘progressive drop in robocalls’ in USA Today. In July 2019, the editors of The Washington Post told readers worried about the robocall epidemic that ‘an end may be in sight’. If you go back and read old press coverage you will see there has been no change in the names of the people who advise the US authorities about how to reduce scam calls. But if you read their more recent contributions, they have to shift the focus away from STIR/SHAKEN, probably because they would otherwise need to apologize for overoptimistic projections for how much difference STIR/SHAKEN was going to make.
The USA has STIR/SHAKEN, and they have made paltry progress with reducing scam calls. Germany, Britain, Australia and other countries do not have STIR/SHAKEN and they have reported much more significant reductions in scam calls. Draw your own conclusions about who should be copying whom, but not before you ask yourself one vital question: if the US strategy is so successful, why does the US comms regulator, the Federal Communications Commission, never compare the results it has attained with the results reported by numerous other national regulators it has signed bilateral information-sharing agreements with?
‘But this kind of technology would make it all the harder and, importantly, costlier, for the scammers to reach Australians. Surely, that’s a sound investment.’
Australians can be grateful that Bradlow is no longer working at Australia’s biggest telco if this is how he performs a cost-benefit analysis. He says nothing about the cost of STIR/SHAKEN, which would likely be several hundred million dollars for a country like Australia. Nothing is said about the benefits to be delivered, apart from that unsubstantiated promise of ‘dramatic’ improvements per the preface to the article. The entire article flies by without a single mention of the much cheaper methods the ACMA has used to reduce scam calls or the other cheaper methods they might also adopt. But somehow the public is told that STIR/SHAKEN, the most expensive method of all, must be a sound investment. If you have invested in a company which has Bradlow as a board member then you may want to sell your stake now.
Life does not have to be like this. There are honest people who can provide the public with a reliable, balanced account of whether STIR/SHAKEN may be a cost-effective way to reduce scam calls. I coincidentally stumbled across a Hungarian example just a few days after Bradlow’s article. On December 21, HWSW, an information technology magazine, published a lengthy and thoughtful article about bank frauds and phone numbers. The article quotes Domonkos Tomcsányi, an ITC Security Consultant at umlaut company, a German-headquartered consultancy business which became part of Accenture in 2021. Tomcsányi succinctly explained the widely-acknowledged weakness with using STIR/SHAKEN unless all other countries have also implemented STIR/SHAKEN:
‘A helyzet pont olyan, mint minden biztonsági intézkedésnél amelyiket egy globálisan elosztott rendszerben megpróbálnak bevezetni: amíg van szereplő aki nem használja és tőle muszáj forgalmat elfogadni, addig a rés továbbra is ott van.’
‘The situation is exactly the same as with every security measure that people try to introduce in a globally distributed system: as long as there is an actor who does not use it, and from whom traffic has to be accepted, the gap remains.’
This then leads the author of the article to draw a perfectly sensible inference about STIR/SHAKEN.
‘Az operátorok ettől függetlenül külföldi mintára hazánkban is alkalmazhatnának hasonló megoldást, ám mivel viszonylag könnyen megkerülhető ez a védvonal is, alighanem a rendszer implementálásának költségeire tekintettel elvetették a lehetőségét, hogy legalább egymás között használják ezt a fajta hívószám-hitelesítést.’
‘Regardless, the operators could follow foreign examples and apply a similar solution in our country too, but since this line of defense can also be bypassed relatively easily, they probably rejected, in view of the costs of implementing the system, the possibility of using this type of phone number authentication at least among themselves.’
It is often said that the global communications industry would do a better job of reducing fraud and protecting the public if more intelligence was shared by comms providers and countries. Hucksters do not want accurate information to be shared because it undermines their marketing flimflam. We should feel ashamed that liars can seek to secure enormous budgets for boondoggle projects by perpetuating lies about matters of public record, such as the status of STIR/SHAKEN in the UK. They keep doing it because they believe that nobody in this industry knows enough or cares enough to call out their lies. If we cannot even rely upon professionals to tell the truth about easily-verified facts, we should not be surprised if our plans to reduce crime continue to disappoint.



