The Irish comms regulator, ComReg, has published the final outcomes from a consultation on how to tackle voice and SMS scams that they instigated in June 2023. As I wrote at the time, the proposed controls represented the best thinking on how nation states can reduce the number of scam voice calls and SMS messages received by ordinary members of the public. It is hence pleasing that Irish telcos are in near perfect agreement with ComReg. The timeline for effecting each new control varies from 6 months to 2 years, but Irish telcos appear keen to progress more rapidly. Torlach Denihan of the Telecommunications Industry Ireland (TII), part of Ireland’s largest business association, commented:
…once we get the green light, we will implement with maximum haste those interventions
The Irish regulator observed that the country’s telcos had stepped up their anti-scam efforts ahead of the plan being finalized. Irish telcos have already been coordinating their work through a Nuisance Communications Industry Taskforce (NCIT) since early 2022.
ComReg wishes to acknowledge the valuable contribution of members of the NCIT to date… The work of the NCIT members has begun to have an impact with the monthly number of scam calls blocked noticeably increasing in recent months…
These are the decisions that ComReg has made.
- Block inbound international calls that present the number of an Irish fixed-line phone.
- Block inbound international calls that present the number of an Irish mobile phone after checking if the phone is currently roaming abroad.
- Block calls that appear to originate from numbers that match a national do-not-originate (DNO) list, reflecting organizations that use well-publicized numbers which are only meant to receive calls from the public.
- Block calls which match a national protected list of numbers that have not been allocated or are otherwise known to not be in service.
- Block A2P SMS messages that use a Sender ID which does not match an entry in a national registry.
- Implement firewalls that identify anomalous patterns of traffic using rules-based analytics and machine learning.
- Reject STIR/SHAKEN and the principle of attaching an ‘authentication’ signature to calls because it is impossible to impose any real authentication on calls that originate outside of Ireland.
- Encourage telcos to give customers the option to have SMS messages scanned for malicious content prior to receiving them.
There will be experts who will disagree with some specific details of this plan, but I encourage them to keep the big picture in mind. For example, some believe the bureaucracy involved in registering SMS senders is too heavy a burden relative to the effectiveness of this control. I would rather argue that there are much worse, more expensive and more obviously flawed controls that regulators have sometimes forced upon telcos in the name of consumer protection. Weak know-your-customer (KYC) processes are the rotten, porous underside of the communications industry, and they allow fraudsters to routinely infiltrate services. Registries create burdens but they also create a KYC barrier that negligent comms providers cannot ignore. It is better for the industry to stick together and to consistently implement common-sense controls that receive wide support worldwide than to quibble about details. Too much deliberation about minor detail leads to a fractured environment with inconsistent practices between countries, and it delays necessary progress. Vague plans that are not supported by any analysis showing how much value they are supposed to deliver should be opposed until the authorities are able to refine them, but specific plans backed by a credible analysis deserve support even if they require some compromise. With that in mind, these are the key takeaways from ComReg’s final plan.
Really Putting a Value on Fraud Prevention
The most unexpected outcome from this consultation is that ComReg did what many other regulators only pretend to do: they calculated the expected benefits of implementing controls to reduce consumer fraud. ComReg hence projected the return on investment.
ComReg estimates that the overall benefit of the current package of interventions once implemented is around €1.2 billion over the next seven years. When combined, ComReg’s package of interventions should bring around €55 euros in economic and social benefit for every €1 spent by operators securing their networks to reduce the rate of scam calls and texts
This level of precision sits in stark contrast to the lackadaisical reasoning offered by some other national regulators. Too many have sought to justify arbitrary decisions by asserting that frauds are so prevalent and have such a profound impact that any new anti-scam control is worthwhile. This is nonsense. Some controls are more effective than others. Some address a wider range of frauds than others. Some controls would duplicate others. There will always be better and worse combinations of controls, especially when automation is making decisions about which communications to block. For example, there are several stages at which a malicious call or message might be blocked, but each message or call can only be blocked once. ComReg’s combination of controls is projected to deliver benefits that are 55 times what they cost; it is not irrational to admit that specific choices have determined this ratio and that many regulators would be incapable of showing a 55-fold return for controls they have previously mandated.
One reason ComReg is able to provide a proper estimate is that they conscientiously considered a wide range of controls before determining which combination to execute. This is important because the extent to which controls interact with each other also influences their effectiveness. It is credible to estimate the impact of new controls if the combination is understood, but near impossible to calculate the impact of separate controls if each is implemented in piecemeal fashion at different times. The lack of a strategy often encourages lazy assumptions about every new control being a step in the right direction. Some controls can be a step in the wrong direction, or they may lack direction.
A two-year plan means ComReg now has an effective window for comparing the prevalence of scams before and after these controls are implemented. Allowing for a period of measurement after the implementation of a control is important. It means their real effectiveness can be assessed. By doing the hard work involved in making a genuine projection, ComReg has created a yardstick which can be used to improve their understanding of how well controls work in practice. The lessons learned will then help them to make better decisions in future, whether that involves seeking further enhancements to address adaptations in the methods used by criminals, or because they are reapplying their understanding of potential weaknesses to new communications services.
Standing Up to Big US Businesses with Ulterior Motives
It is worth reiterating the need to evaluate the economic value of new controls because many technologists bias important decisions by focusing on the technologies they most want to implement, instead of keeping an open mind about the merits of a much wider range of methods that could potentially reduce criminal activity. The USA still refuses to learn from possibly the stupidest misevaluation of the benefit to be generated by expensive new controls in the history of telecoms fraud prevention. The US Federal Communications Commission (FCC) did not produce a genuine calculation when vouching for STIR/SHAKEN, and instead argued the benefits would obviously outweigh the costs because Americans receive so many illegal calls. However, STIR/SHAKEN does nothing but attach additional data to a call; this gets described as ‘authentication’ but if no real authentication of the user occurs prior to the attachment of the data then the contents of the data serve no useful purpose. It was only after STIR/SHAKEN became mandatory that some sections of the US industry admitted the need for improved KYC checks. ComReg is pushing for tougher KYC checks in parallel with the introduction of its new anti-scam controls, whilst the US relies on the private sector to volunteer KYC standards that its authorities will not impose. Instead of looking to fix the KYC foundations of their own comms industry, the FCC quickly pivoted to excusing STIR/SHAKEN’s failures by blaming other countries for not implementing STIR/SHAKEN too. They concluded that STIR/SHAKEN was bound to deliver an unquantified benefit in fraud reduction, but the benefit of additional identity data is zero if the data does not reflect the actual identity of the user.
Thankfully, regulators like ComReg have learned from the mistakes made in the USA. The net cost to Ireland’s economy of STIR/SHAKEN would be negative, because Ireland would definitely have to pay for the additional technology and the bureaucracy surrounding it, but cannot impose KYC controls on calls that originate outside of the country. A sharp focus on the real-world impact for ordinary people is important, because it also explains why ComReg refused to back down to big US corporations that lobbied against the blocking of international calls that falsely present themselves as originating in Ireland. Whilst Irish telcos were hugely supportive of ComReg’s plan, the most outspoken opposition came from two big US businesses, Microsoft and Bandwidth. Both want a world where all calls have a STIR/SHAKEN signature because they also want multinational companies to have complete freedom to use any country’s phone numbers to originate traffic from offshored call centers. This is important to their businesses, but it has nothing to do with consumer protection. Taking orders from a US cartel that profits from cross-border telemarketing is not a good idea for smaller nations, especially as the USA has shown little appetite for imposing reliable KYC controls or collecting fines from the very few fraudsters that have been prosecuted.
I do not think it is a pure coincidence that Microsoft is singled out by the KYC consultation that ComReg recently began. That consultation document observes that Japan has imposed tough KYC rules and the result is that Microsoft applies stricter KYC processes to customers in Japan than they do in Ireland.
In relation to the new requirements in Japan, it is also worth highlighting that Microsoft has updated its advice on the requirements to obtain a Skype number in Japan, noting that users will have to take a live selfie or upload a headshot photograph, and install the Microsoft Authenticator app on their mobile device, in addition to uploading a suitable form of ID (passport, My Number Card14, resident card). ComReg understands that such a process is not currently in place in Ireland, and this lack of verification creates a clear avenue for scammers to obtain Irish numbers which can be used to commit fraud. ComReg strongly recommends that relevant operators should implement a verification process similar to that identified in Japan as part of its process of issuing Skype numbers (or alternatives) to end users.
The STIR/SHAKEN cartel that opposes controls on spoofed international calls says they should not be punished for wanting to ‘legitimately’ manipulate a CLI to make it appear as though it originated in the same country as the recipient. Both Microsoft and Bandwidth made the same identical argument in their submissions to ComReg, on behalf of the cartel of which they are founding members. They are lobbying hard for STIR/SHAKEN to be implemented globally because they expect to oversee the governance of calls with STIR/SHAKEN signatures and hence decide which spoofed calls are considered legitimate. In other words, the cartel will decide who belongs to the cartel, and there will be no blocks on calls made by cartel members. Their arguments would be more persuasive if existing cartel members showed any interest in voluntarily toughening KYC controls to prevent criminals from abusing their services. Weak KYC is a root cause of high levels of scam activity in the USA; the tendency to blame foreigners is designed to distract from fundamentals of fraud prevention that US businesses can control but refuse to control. ComReg is right to stand up to this cartel.
Privacy Laws Obstruct Scanning SMS Messages for Malicious Content
There was only one ComReg intervention touted in their original consultation which failed to survive to the eventual plan, though that was because of factors outside of ComReg’s control. They acknowledged at the outset that a change of law would likely be required so machines could scan all SMS messages for malicious content without first obtaining the user’s consent. ComReg’s enthusiasm for this control was evident from the decision to include it in an infographic created to communicate their plans to the media, despite the risk that it would have to be sidelined. Conversations between ComReg and the political powers obviously failed to deliver any promise of legislation to enable automated scanning of SMS messages in the near future.
It is easy to see why the use of a machine to read all messages would be politically sensitive, even if the stated objective is the prevention of crime. Europe will continue to struggle with defining the boundary between privacy rights and crime prevention because of the profound awareness of the evils conducted by secret police forces in European countries, both during the run-up to World War 2, and in the decades that followed. Many Europeans fear the equivalent of a Gestapo or a Stasi that could also harness the power of computers and AI.
The European Union’s GDPR privacy directive does allow governments to weigh the need to prevent crime against the need to keep communications private, but automated message scanning is on the extreme edge of what GDPR permits, which is why most EU members will first need to change the national laws that brought GDPR into effect. Commsrisk previously reported on Ireland joining Belgium, Poland and Spain in a vanguard of EU nations closely examining the relationship between privacy law and the automated scanning of SMS content. It is hence telling that ComReg chose to cite these other countries when explaining what it would like to do to reduce SMS fraud.
ComReg cannot proceed with the proposed SMS Scam Filter intervention at this time due to a lack of legislative basis. However, it will instead commence a separate consultation during the summer to consider other options that could be used to address SMS scams. Consideration of these options is all the more important as other English-speaking countries have already introduced full SMS Scam Filters while some other EU countries such as Belgium, Poland and Spain have either introduced scam filters or are planning to do so.
An Emerging International Consensus?
The extent to which ComReg has researched the anti-scam methods explored by other nations is impressive. Looking at the experiments of other countries may also have helped ComReg to be objective about the relative merits and weaknesses of each method. It is easier to be impartial if an assessment is based on practical results as well as theories about how to reduce fraud. That is certainly better than being panicked into accepting the solutions that are most aggressively promoted by self-interested businesses. The techniques that appeared to have the greatest chance of success when this consultation began in June 2023 are still those which appear most likely to succeed, with the additional benefit of another 9 months’ experience of how well they have performed in other countries.
Since ComReg first published their proposals, the European Conference of Postal and Telecommunications Administrations has recommended controls on inbound international calls consistent with those proposed by ComReg for calls using Irish fixed-line and mobile numbers. The number of SMS Sender ID registries keeps growing, with Denmark, Hong Kong and Australia each making progress in that direction. Spain’s current anti-scam consultation explores the need to block calls that appear to originate from unassigned numbers, which sounds like a more progressive form of the protected list proposed by ComReg. This article has already commented on the direction of travel for SMS content scanning, which has been more rapid in other parts of the world where privacy activists are less influential. For example, there are now circumstances when Singaporean telcos can be held financially liable for losses if they failed to scan SMS messages and block those which contained malicious URLs.
There are two elephants in the room whose influence on international scam reduction needs to be addressed without just parroting what they say about the topic. Leading fraud expert Tom Walker has observed that China has the greatest soft power influence over the way international scams are tackled. However, China leans heavily on proactive police work and deportations of scammers from foreign countries, and Western countries have neither the stomach nor the budget to engage in such assertive enforcement of the law. That is why decisions made in Singapore and Hong Kong should be followed closely. Both of these administrations offer a template that the Chinese Communist Party will be monitoring closely as they seek to go beyond heavy-handed policing to crack down on a scam problem that is treated as a potential threat to their authority. Hong Kong appears to be watching and reacting to the lead taken by Singapore, and there are very obvious similarities in the thinking of Singapore, Ireland and Australia, creating optimism of an alignment in the anti-scam methods pursued across Europe, China and the Asia-Pacific region.
The other elephant is heard trumpeting its supposed achievements more often, although its big flapping ears are not often used for listening. US multinationals like Microsoft are behaving like a proxy for the FCC by lobbying other regulators and pushing elements of the US legislative and regulatory environment that are also conducive to their business interests. That much was evident in reading Microsoft’s submission to this consultation. Microsoft told ComReg that they and a few other US businesses had already created a transnational governance authority for deciding which calls can be allowed and which should be blocked, and that the policy administrator for this authority would be the same company that the FCC had already appointed to perform that task within the USA. They evidently calculated that describing the formation of a new cartel might generate a positive response from a national regulator within a sovereign country. Perhaps the authors of Microsoft’s submission think they are making 3D moves in a game of hyperintelligent chess, but I rather see this as more evidence of the blundering naivety of the US strategy. Even corrupt regulators resist becoming subservient to multinationals. Regulators exist to oppose cartels, not to transfer power to them.
Microsoft and their kin have revealed their hand by using ComReg’s consultation to openly oppose a highly effective and efficient scam prevention control that already has irresistible momentum behind it: the blocking of inbound international calls that misleadingly present themselves as originating within the country. This just compounds the error of trying to go over the heads of politicians and administrators by aiming misinformation directly at foreign populations. It increasingly looks like North America will struggle to follow the consensus established elsewhere because its authorities have made too many concessions to corporate interests. It will be difficult for the USA to execute a change of direction without its authorities losing face, especially as they have had to boast to the American public about the success of a scam reduction strategy that appears like an expensive failure to the rest of the world.
Smaller countries with international ties, like Ireland with its transatlantic interests, and the similar role played by Singapore in East Asia and the Pacific, have a degree of agility that bigger nations can lack. They also have an acute awareness of what it means to successfully engage in international trade without allowing themselves to become subservient to foreign powers. For these reasons, I consider Ireland’s plan to be amongst the best current models for an emerging consensus in how most countries will tackle voice and SMS scams. Other countries should treat ComReg’s 55:1 ratio as a baseline for properly calculating the benefits of new anti-scam controls they consider, and we should all seek to learn about the effectiveness of these methods after there has been time to observe changes in the patterns of fraud endured by ordinary Irish people.
You can obtain the summary overview of ComReg’s decisions on how to tackle voice and SMS scams here, and their full analysis is available here.
