Global Titles are an essential part of the modern communications ecosystem, providing the addresses used to route signals for SS7 networks. Without them, different networks would not be able to ‘talk’ to each other. As with other aspects of the telecoms industry, some businesses have chosen to generate revenue by selling on the rights to their underexploited resources, in this case by leasing Global Titles to others. Monetizing the rights to Global Titles makes sense, but it also encourages abuse. There have been numerous documented instances of surveillance businesses offering to track the locations of targets by using signaling to repeatedly enquire about the location of a person’s phone. Robotexters are always looking for unguarded entry-points so they can flood victims with spam and smishing messages. The leasing of Global Titles makes it harder to determine who is really to blame for privacy and spam abuses, though the lessor of a Global Title should always retain some responsibility for the bad behavior of the businesses it leased to. Apart from this straightforward observation, is there more that can be done to reduce the abuse of Global Titles?
A code of conduct for businesses involved in the leasing of Global Titles was published earlier this year by the GSMA. It was edited by a former colleague of mine, Stephen Ornadel, who is commonly regarded as one of the leading experts in the nexus of security and roaming. Stephen knows far more about Global Title leasing than me, but I worry that the code of conduct is more effective at highlighting problems than solving them. The requirements all appear sensible, and they include:
- Lessors should conduct due diligence checks on the businesses they lease to
- Lessors should not object to being named in threat intelligence sharing reports; this reinforces the fact that they remain responsible for their Global Title
- Lessors should store full signaling trace data for at least 10 days
- Lessors should contractually oblige lessees to declare any subletting of addresses
- Lessors should immediately terminate any contract when a lessee has falsified information
- By the end of this year, transit carriers should cease enabling routing via lessee only; such an arrangement means the lessor has no visibility of traffic
- Transit carriers should store full signaling trace data for at least 7 days
The difficulty with requirements like these is that good businesses do not need to be told to comply, whilst bad businesses will not choose to comply. A further limitation is that all the requirements are oriented around lessors and transit carriers because few lessees will be GSMA members. Lessors and transit carriers may declare their compliance with the code of conduct, and if enough of them do this voluntarily then it may lead to some economic pressure being placed on those businesses which do not. However, it is not likely that the GSMA will take a tough stance towards enforcing the code. Organizations that generate revenues from their members have a strong disincentive to punishing or ejecting a business, even if it behaves badly. The GSMA’s weakness is apparent to anyone who has ever questioned why Huawei is able to exercise so much influence over matters relating to security.
My guess is that this code of conduct will become another statement of intent which is let down by the absence of any real enforcement. Voluntary codes can work well if a powerful majority use them to punish the transgressions of a small minority. There is less chance of any real improvement if there is a more even balance between good and bad players in the market. The reason human beings accept the need for governments is because governments can enforce consistent rules for everybody, and the management of Global Titles is another area which should be overseen by an inter-governmental body like the International Telecommunication Union (ITU), instead of falling into the purview of a member’s club like the GSMA, which does not even have the lessees as members. But the problems surrounding Global Titles are not new, and the ITU spends more time serving its own bureaucracy than the rest of humanity, irrespective of the scale of harm caused by robotexts and privacy violations. More needs to be done to rein in the abuse of Global Titles. The chances of it being done appear slight.
Correction 13:35 UTC, July 19, 2023: The article has been amended to state Stephen Ornadel was the editor of the GSMA Global Title Leasing Code of Conduct, not the author as previously stated.