Comreg, the Irish comms regulator, has issued proposals for how to tackle scam calls and text messages. It identifies a series of cost-effective steps to protect Ireland’s population but dismisses STIR/SHAKEN, the expensive US anti-spoofing technology which has been hyped out of all proportion to its usefulness.
Analysis of the positive recommendations contained in Comreg’s consultation document will be given below, but it is first necessary to concentrate on the reasons Comreg rejected STIR/SHAKEN. There is a deeply misleading industry narrative that insists the worldwide adoption of STIR/SHAKEN is inevitable. However, the following observations from Comreg have cut through deliberate obfuscation about STIR/SHAKEN’s efficacy in an international context.
…given that many of the nuisance calls in Ireland are generated offshore, there would be little value currently in implementing these standards in Ireland on its own unless it became a globally adopted approach or the balance of nuisance communications swung heavily toward onshore generation. Consequently, its effectiveness will depend on its use globally…
Implementing a STIR/SHAKEN type intervention would require the input and cooperation of other countries at least on a quasi-global scale. Such input and cooperation would need to be carried out at least at a European level, most likely by the Conference of Postal and Telecommunications Administrations (“CEPT”), so as to encompass all of Europe and would thus require the commitment of many nation states, European and beyond, and far more than the two that have done so in North America.
Even the phrase ‘quasi-global’ understates the most fundamental flaw with the design of STIR/SHAKEN. We currently live in a world where anybody can call anybody. Unless the US has a plan to stop Chinese and Iranians from calling Americans, Germans and Egyptians, then calls will continue to flow across borders unmolested. Spending billions of dollars on a technology that might stop bad calls which originate in the same country as they terminate will be of little comfort to phone users plagued by scam calls which originated in all the other countries.
The USA has a large population. This has allowed its authorities to disguise the fundamental weakness of STIR/SHAKEN by conflating descriptions of how it works within a single country with vague assertions about other countries also wanting (or being forced) to implement the same technology. Sadly, the US Federal Communications Commission (FCC) is not alone in trying to misdirect the public; my own response to the UK regulator’s consultation on STIR/SHAKEN focuses on how they are trying to rig the cost-benefit analysis by comparing the harm caused by all bad calls with the cost of a system that can only reduce the number of bad calls that originate within the UK.
It is possible to see why authorities in larger countries may hope to dupe the public by obscuring the critical weakness of a method which can only be successful if it is first applied where a call originates. The USA has a population of over 330 million and a woeful track record when it comes to prosecuting spammers and scammers it identified in the past. Many bad calls originate within the USA, making it easier to argue that a single-country method like STIR/SHAKEN can deliver significant benefits. This also allows the authorities to stall for time as they pursue unrealistic plans of semi-mandating international carriers and semi-begging foreign regulators to implement STIR/SHAKEN in a way that complements their domestic set-up. But when you apply the same thought process to a smaller country, like Ireland, it soon becomes apparent that a single-country method of tackling bad calls will deliver no measurable benefit. This also explains why the USA keeps lobbying big countries to follow their lead, whilst ignoring the many small countries covered by the North American Numbering Plan.
Perhaps there would be some reason to indulge the utopian fantasy of the entire planet agreeing upon a common approach to blocking bad calls if the STIR/SHAKEN technology could be universally implemented today. But it cannot. A lot of the planet’s calls are carried on networks that cannot support that fantasy. Ireland serves as an example, as Comreg points out.
Given the substantial use of non-IP networks in Ireland currently – the use of STIRSHAKEN (sic) absent a solution for non-IP based networks would mean that STIRSHAKEN may be technically feasible but it is not viable at this point given the extent of legacy non-IP technologies in Irish networks…
The wheels are falling off the STIR/SHAKEN bandwagon. Ireland’s rejection of STIR/SHAKEN is just the latest in a series of knock-backs that the advocates of STIR/SHAKEN do not want regulators and telco professionals to know about.
The usual argument for STIR/SHAKEN is that everyone will adopt it because it has already been adopted by the USA, Canada, France, the UK… The ellipsis at the end of the argument is important because it is assumed the listener will fill in the gaps. This is because the proponents of STIR/SHAKEN do not want to provide the full truth. I have personally heard many telecoms professionals from other countries state that the UK has ‘decided’ to adopt STIR/SHAKEN. The UK consultation on STIR/SHAKEN only ended on Friday, so they were repeating falsehoods spread by US lobbyists who were impatient to list more examples of countries following the USA’s lead. They seek to create the illusion of an emerging ‘club’ of countries which will deploy STIR/SHAKEN in a way suited to cross-border interoperability between its members. However, the insider news from France is that their so-called STIR/SHAKEN implementation is not actually compliant with the standards for SHAKEN, as written by ATIS, a US-dominated association. So whilst France has also been described as one of the countries to join the cross-border STIR/SHAKEN club, the full truth is that the authentication signatures they will apply to calls originating in France will be incompatible with the versions used in the USA and Canada, making it even less likely that STIR/SHAKEN will ever be made to work on a ‘quasi-global’ basis.
Commsrisk will soon publish an analysis of the call authentication methods to be deployed in Brazil, the country that suffers from more spam calls than any other. Brazil will also serve as a fascinating counterexample to the belief that STIR/SHAKEN will be used across international borders. The Brazilian approach will exploit the same underlying technology of applying a digital signature to authenticated calls, but their philosophy is radically different because they are focused on improving controls on telemarketing businesses within Brazil, and do not have a significant problem with scam calls from overseas. Brazil, like Ireland, does not have the comprehensive IP networks needed to make the US approach to STIR/SHAKEN viable, so they rejected the IP-based approach put to them by the original authors of STIR/SHAKEN. They will instead convey the authentication signatures out of band, begging further questions about why the USA is infatuated with an expensive and fragile method of consumer protection that only works if IP-based SIP signaling is able to support in-band conveyance of signatures from end to end, across international borders.
A more realistic approach for international cooperation in consumer protection would see national regulators choosing from a variety of different methods for validating calls within their own country, then later agreeing on the development of ‘clearing houses’ for validation of traffic between countries. A federated approach would allow national regulators the freedom to focus right now on methods that immediately address the actual problems faced by phone users within their country. Clearing houses would later become responsible for translating the validation applied in one country into a format which is compatible with the controls on inbound international traffic implemented by gateway providers or terminating operators that serve a different country. A clearing house that is already tasked with managing multiple protocols will far more readily maintain continuity of protection whilst adapting to future changes than would be possible if the world really did adopt a global one-size-fits-all architecture in the style advocated by STIR/SHAKEN’s supporters.
Instead of subordinating themselves to a globalist dream, the Irish regulator has identified a series of sensible steps to mitigate scam calls and messages. I believe Comreg’s list of proposed anti-scam controls will soon become standard for other national regulators.
- Blocking inbound international calls that present a CLI associated with an Irish fixed-line number.
- Blocking inbound international calls that present a CLI associated with an Irish mobile number after checking if the number belongs to an outbound roamer. The new infrastructure required to exchange data on outbound roamers will be implemented in two phases, with the initial phase using the Mobile Application Part (MAP) SS7 protocol, and a later phase using proxy servers that will integrate mobile number portability data and provide support for VoLTE roamers.
- Blocking calls which match a national protected list of numbers that have not been allocated or are otherwise not in service.
- Blocking calls which match a national do-not-originate (DNO) list of numbers belonging to key organizations. Both the protected list and the DNO list have already been trialled successfully.
- Anticipating how fraudsters will adapt to the improved controls by implementing a voice call firewall over a period of 18 months. The firewall will identify anomalous traffic patterns using analytics based on both rules and machine learning.
- Blocking A2P SMS messages that use a Sender ID which does not correspond to an entry in the national ID registry.
Comreg is also keen to implement a filter that will scan the content of SMS messages and block those which match patterns associated with scams. However, they are legally inhibited from pursuing this option at present because of European laws concerning the interception of messages and data protection. They will instead await anticipated changes to the law which will create an exemption from the ePrivacy Directive and GDPR for automated message scanning.
The Irish regulator is to be commended for the authoritative way they have conducted research into the anti-scam methods used by other countries, and the transparent way they discuss their findings and explain their reasoning. They have made simple but accurate observations about the various methods they considered, such as the fact that SMS Sender ID registries have led to significant reductions in SMS spam elsewhere, or that STIR/SHAKEN is ‘relatively expensive’. As a consequence, the rationale for their decisions can be appreciated by non-professionals, which also makes it easier to scrutinize or challenge any flaws in their thinking. This stands in stark contrast to the way some other national regulators have chosen to behave. It also means that I was unable to find any reason to object to anything Comreg wrote. Their consultation document is a model that others should read and follow.
Comreg’s common sense will be a bitter blow to US businesses that insist STIR/SHAKEN is a global inevitability. Many big US corporations maintain their European headquarters in Ireland. They seek to influence Irish affairs in ways that suit their transatlantic objectives. The deleterious consequences of US influence over technology decisions have been especially apparent in Ireland. It has caused Ireland’s data protection authority to be meek with respect to enforcing European-wide rules, and lenient with their interpretation of what those rules permit, often leading to clashes with their counterparts around the European Union. Some of those US businesses are amongst the members that ATIS cites when describing themselves as an international standards-setter; the business may be multinational but ultimately run from the USA by executives who care more about appeasing American expectations than any other. That those multinationals will not have Ireland as a bridgehead for implementing STIR/SHAKEN in the European Union will greatly diminish the chances of STIR/SHAKEN being adopted elsewhere in Europe.
By focusing on STIR/SHAKEN, I may have placed insufficient emphasis on the merits of each anti-scam and anti-spam control that Comreg argues for. I believe every country should adopt all of their recommended controls, as bulleted above. The evidence weighs heavily in favor of these controls. They are cost-effective to implement within realistic timeframes that will lead to measurable benefits for consumers in the immediate future. But there is also a need to be negative about STIR/SHAKEN because it has become an enormous distraction from the work that regulators and telcos should be prioritizing to protect phone users from harm. Other mitigations of scam calls can protect consumers much sooner than STIR/SHAKEN ever will. Those controls should be implemented without delay, and arguments about the costs and benefits of STIR/SHAKEN can resume after we have witnessed the impact those other controls have had.
US consumer advocacy groups should stop echoing what the FCC has told them about STIR/SHAKEN and should start questioning why so little progress has been made towards realizing the same kinds of consumer protection measures as identified by Comreg. US progress towards implementing a national registry for A2P SMS has been woeful. US progress towards adopting a national DNO list has been woeful. US progress towards blocking inbound international calls that spoof domestic US phone numbers has been woeful. But instead of addressing these deficits, the FCC and its cronies keep using weasel language about ‘whac a mole’ and ‘no silver bullets’ whilst continuing to insist that consumer protection must revolve around STIR/SHAKEN.
If you work for a national regulator then be like Comreg. And if you work for a comms provider, then tell your regulator to be like Comreg. The Irish comms regulator, and the businesses which assisted their research, have done a superb job of identifying how to protect the Irish population from scam calls and messages. They have written a roadmap we can all follow. There may not be any silver bullets, but there is a gold standard, and Comreg has just written it.
The full Comreg consultation document on “Combatting scam calls and texts” can be found here and a short summary is here.



