Robocalls and Call Authentication: Commsrisk Show Episode 12

Risk managers need to be conscious of the ‘attention gap’, the difference between the amount of attention needed for a decision-maker to understand a complex problem and the amount of attention the decision-maker is willing to give to that problem. Some regulators have an especially severe attention gap when it comes to reducing unwanted and illegal robocalls, which is why many solutions promoted by regulators have delivered terrible results so far. However, The Communications Risk Show seeks to fill the gaps by giving the fullest possible examination of the big risks facing the comms industry, and there is no more intractable problem than unwanted calls made by machines, which are commonly referred to as ‘robocalls’. They may be harmful, they may be illegal, or they may just be a nuisance, but despite the billions of robocalls received by phone users in countries like Brazil and the USA, the data used to analyze the problem is usually superficial and promises made on behalf of proposed ‘solutions’ often stray into the realm of fantasy. That is why yesterday’s episode of The Communications Risk Show featured three experts who offered contrasting insights into how to stop bad actors who spam and scam phone users.

  • The research conducted by Sathvik Prasad at North Carolina State University directly addresses a core failing of most robocall reduction strategies: the inability to distinguish between legal and illegal robocalls. The definitions of what makes a call legal or illegal often depend on the content of the call, but telcos cannot be expected to listen in to every call their customers receive. That is why Sathvik has been using automated analysis of calls received by a honeypot to sort calls into various kinds of scams or the several legitimate uses of robocalls. Sathvik’s methodical gathering of data represents the right starting point when developing a strategy to reduce robocalls.
  • Pierce Gorman is the kind of network engineer who can tell you 101 reasons why STIR/SHAKEN was a desirable way to authenticate the origin of calls received by Americans, and 101 reasons it may fall short in practice. Like any good engineer, he is less interested in the politics of making excuses for past projects and is instead focused on learning from mistakes so he can deliver better results in future. Pierce distilled the decades of wisdom he acquired whilst at Sprint and T-Mobile US into an unusually balanced and cogent explanation of what STIR/SHAKEN does well, where it has exceeded expectations, and what are its most severe limitations.
  • Professor Feng Hao of the University of Warwick has an impressive track record for developing cryptographic protocols that involve the exchange of keys without using a public key infrastructure (PKI) of the type that underpins STIR/SHAKEN. As he explained in our show, the most important downside to PKI is that it requires an authority to be trusted to maintain order. Only a painfully naïve person would believe appointing this authority would be straightforward when seeking to govern phone calls that can be made from anyone on the planet to anyone else on the planet. That is why he is developing a radically different authentication mechanism which involves an exchange of information between the A- and B-party to each call, but does not require the appointment of any authority to oversee that call.

My co-presenters, Ed Finegold and Lee Scargall, offered their perspectives too, helping me to link the problems created by robocalls with related issues including artificial inflation of traffic and cross-border regulation. But ultimately it is impossible to usefully summarize the content of our discussions, which is why you should just watch! Next Wednesday’s livestream will be the last in the current series but we will return with a 15-week season of new shows beginning on August 23. In the meantime, you can always replay past episodes from the archive at Yesterday’s show can also be watched below.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.