I am not a fan of the way the US Industry Traceback Group (ITG) promotes its work. They talk a lot more about how they interpret their results than about the raw data they have compiled, even though the publication of this data is mandated by law. Either a call was a scam call, or it was not. Either it was legal, or not. Either it was traced to its origin, or not. So it should be a simple matter for ITG to publicly report on whether it is tracing more scam calls than before, whether it found the origin of those calls, and who is originating the calls that are traced to their source. As the supposed purpose is to support the enforcement of the law, it should then be straightforward to explain whether the work done to trace calls is leading to more prosecutions. I defy any advocate for the ITG to show where this information can be found, even though the ITG is legally obliged to produce its ‘transparency’ report each quarter.
To illustrate my observation that misdirection can occur in plain sight, the last paragraph also contains a misdirection. It is logically true that a call is either legal or not, but that does not mean the legality of a call is currently known. Legal systems do not work at the speed of computers and networks. They can take a long time to reach a conclusion on whether something was legal or not. This is a fundamental problem that few like to acknowledge; how should data scientists and engineers choose which traffic to block when politicians and lawyers expect us all to be subject to a process that cannot determine the legality of that traffic before the public has already been harmed? The application of ‘public policy’ to the domain of scam communications tends to involve a lot of slipperiness. This should lead us to be extra careful about the conclusions we draw from data.
The most interesting statistic derived from the most recent quarterly report of the ITG is a number that you will never find by reading the report itself. Uncritical fans of the ITG’s work often say it is responsible for a reduction in the number of illegal calls received by Americans, even despite the observation in the previous paragraph about our not always being sure whether a call is legal or not. However, there is one circumstance where we can be sure that a traceback will never reduce illegality: when the call that was traced was legal. The lawyers surrounding the ITG are savvy; each quarterly report of traces conducted is caveated:
This report does not constitute a finding of illegal activity… This report in itself is not determinative as to whether the calls identified in Attachment 1 are illegal, or as to whether the parties identified in Attachment 1 have violated federal statutes or the Commission’s rules or engaged in any unlawful conduct.
So let us be clear. Per the quantum superposition required by a process that was created to trace scam calls to their source, in concert with another process that may later decide if those calls were legal, then all the calls that were traced and listed in the ITG’s quarterly report are illegal and legal at the same time. We know they are illegal because the authorities want telcos to block calls like these, although neither the authorities nor businesses are entitled to block legal communications. But we also know they are legal because their legality has not yet been determined in law, and the presumption in criminal law is innocence until proven guilty. This latter point helps to illustrate why the authorities in the USA prefer to treat phone scams as a civil matter, even though the victims of scams are the victims of crime.
But whilst we were distracted by looking at all the calls listed in the ITG’s report, some of you may not have noticed all the other calls that were traced by the ITG and which were not listed in their report. The ITG creates a sequential reference for each call it traces, but you will not find every sequence number in their quarterly transparency reports. They simply omit the traces where they are sure the call that was traced is legal. The latest quarterly report, covering April to June 2024, was made public a few weeks ago. The sequence in the report begins with trace 17499 and ends with trace 18538. So we can deduce there were 1,040 traces performed by the ITG during those three months, although there are just 570 unique reference numbers in the transparency report. 470 traces, over 45 percent of the total, have been omitted because the calls were deemed legal.
That 45 percent of traces were conducted on legal calls does not solely represent wasted effort by the ITG. It also represents wasted effort by the comms providers who assisted with tracing those calls. This should be kept in mind when assessing whether collaborative efforts are yielding the desired results. The level of wasted effort has been getting worse. It was 21 percent for the last quarter of 2023, and 28 percent for the first quarter of 2024. The ITG is on course to waste more time tracing legal calls than it spends on illegal calls.
It has become a commonplace to assert that we need more collaboration to protect the public from scams. Transparently reporting on the results of collaboration should be considered a minimal reward for teamwork. It is also a minimal control over the objectivity of the work being done. The ITG is lobbying for non-US telcos to devote more resources to satisfying requests for traces from US institutions even though many of the calls currently being traced are not illegal. A simple metric could be published to discourage time-wasting by institutions who seek the investigation of legal communications traffic. That metric is not being transparently reported.
Objective metrics also counter the danger that some telcos will receive preferential treatment. Scams occur because seemingly legitimate businesses enable them. The problem persists because it is not against the law for a telco to do very little to identify and stop scams. When others prattle about wanting more collaboration, I hear the absence of an equally important word: ‘consistency’. The motivation for collaboration is denuded if there is not a matching commitment to consistency. This must ultimately be backed by penalties for telcos that profit from crime, whether they directly benefit by aiding criminals, or indirectly benefit by failing to weed out criminal activity.
Twilio was threatened with summary disconnection from the US telecoms ecosystem in January 2023 on the strength of tracebacks conducted by the ITG. The US Federal Communications Commission (FCC) was unlikely to follow through on the threat to cripple a comms provider with a stock market valuation exceeding USD10bn. Such dramatic action would have hurt too many investors. But the threat illustrated fundamental issues with the US legal system. It can be arbitrary, and it is influenced by politics. The Commissioners who lead the FCC are nakedly political appointments, chosen because of their party affiliations. Prosecutors also have to be politicians in the US system. One of the individuals currently vying to be President of the USA has climbed to the top of American politics via becoming the chief prosecutor of the city of San Francisco, then the chief prosecutor of the state of California.
As somebody who actually reads the ITG’s transparency reports, I am struck by how many calls are traced to US entities, and how this has not resulted in a surge of prosecutions for US comms providers. The preponderance of scam calls that terminate in the USA were originated by American firms per the data contained in the transparency report; it is safe to assume that many of the traces excluded from the report were also traced to a US origin. Meanwhile, a rather unsubtle illustration on the ITG website depicts a scam call being traced from a victim in the USA to a hypothetical origin in South Asia. It is understandable that Americans want to blame foreign influences for scams, and would hence like foreign help to tackle those influences. But it would also be naive for a foreign company to expect to receive the same treatment as a US business. AT&T has spent over USD4mn on political donations this year. Verizon’s donations total over USD3mn. Those figures sit within the context of even larger amounts spent on lobbying, part of which occurs through industry associations that also receive millions of dollars from US comms providers. Spending on this scale is designed to buy a lot of influence. The ITG sits alongside other associations that expect to be bankrolled by the big US telcos. Four companies fund ITG at its highest tier: AT&T, Comcast, T‑Mobile US and Verizon.
It is not hard to see why the ITG wants to blame scams on foreign telcos even whilst its own transparency reports show that it is tracing many more calls to member companies than to any comms provider based abroad. Per the most recent quarterly report, 353 calls were flagged as ‘ORG’ i.e. they were traced to an originating provider inside the USA. Three of ITG’s top financial backers appeared amongst the top six sources of calls they traced:
- 34 calls were traced to T‑Mobile US, placing them #1 in the quarterly charts
- 18 calls were traced to Verizon (#5)
- 13 calls were traced to AT&T (#6)
So over 18 percent of scam calls that had a domestic origin were traced to the three leading MNOs in the USA. This compares with 11 calls traced to Deutsche Telekom, the top foreign origin for traced calls during the quarter. Just 37 calls were traced to an origin outside of the USA, barely over one-tenth of the number of listed calls that the ITG traced to US entities.
Some will leap to the defense of the US industry by arguing more calls would be traced to foreign comms providers if there were more foreign comms providers willing to assist the tracing of calls. That claim is not supported by the data in the ITG’s transparency report. Their report says 180 calls could not be traced because a telco failed to respond to the ITG’s query. So the total of calls that were traced to a foreign originating entity or which were not traced to an originating entity is 217 calls, compared to 353 calls that were traced to an originating US entity. If the majority of bad calls received by Americans really did originate outside of the USA then the tracebacks should indicate a much higher proportion of incomplete traces and traces to foreign telcos. However, the data instead shows that the majority of traces originated within the USA.
There are some American professionals who will insist there are other facts which demonstrate that more of the scam calls received by Americans have originated abroad. My response to them is simple: show your data. I trust myself to be impartial; that is why I bother to check details like sequence numbers, and why Commsrisk republishes data in a format that makes it easy for others to check our workings. I keep finding plenty of reasons to question the findings preached by American institutions. If there is data that substantiates the demand for more effort from foreign telcos then the correct starting point is to show that data. It would be convenient for the US industry if most of the illegal calls received by Americans could be blamed on foreigners. The very convenience of the proposition is why impartial risk professionals should remain circumspect until there is hard evidence to support or disprove the theory.
There is hard data that shows Americans are being hit from scam calls from abroad. It comes from the stories of modern-day slaves being liberated from scam compounds in Cambodia, Laos and Myanmar. But that shows we do not always need to trace bad calls to know where they originate. All the fuss made about needing collaboration to trace calls just obfuscates a more important question: what does the USA intend to do about the scam compounds we already know about? The authorities in the USA have ducked this question. The US government has repeatedly refused to impose sanctions on Cambodians responsible for trafficking the people forced to work in scam compounds, despite US legislators already passing a law and already obtaining sufficient evidence to justify sanctions. If they will not seek to punish the organized scam gangsters who represent the very worst threat to phone users everywhere then repeated demands for more international traceback collaboration can only serve as another form of misdirection.
The interpretation that the ITG applies to its own work receives less criticism than it should. This is an example of a more general failure to demand rigorous statistical analysis when somebody offers an easily-understood and highly convenient explanation of the world that is rooted in words, but not in numbers. That we fail to apply statistical rigor to the analysis of communications data is especially damning. We know that fraudsters will always seek to hide their activities in the noise created by genuine phone users. Machine learning and clever algorithms are unlikely to save us from fraud if decision-makers insist on applying slapdash short cuts to their reasoning just to arrive at convenient answers. Nassim Taleb made a relevant point in his best-selling book about understanding the difference between causal relationships and coincidences, Fooled by Randomness:
Why do I want everybody to learn some statistics? The answer is that too many people read explanations. We cannot instinctively understand the nonlinear aspect of probability.
Taleb might as well have observed that no amount of collaboration will enable people to solve a problem if none of the collaborators have correctly interpreted the raw data, or if key collaborators do not actually want to solve the problem because enforcing existing laws can sometimes be politically inconvenient. But as I still retain some small faith in humanity, see below for the ITG transparency report data for the quarter ending June 2024, reformatted so you can perform your own analysis, and also available for download from here. Feel free to contrast the convenience of sharing data as a spreadsheet that anyone can download from the cloud with the unhelpful PDF report created by the people who keep saying they really want to collaborate with you.



