There are few things I hate more than seeing taxpayers’ money wasted. The sad truth is that nobody wants to spend money on consumer protection unless a big company is lobbying for lots of money to be spent on their consumer protection solution. This leads to anachronistic decisions; relatively cheap and effective ways of protecting the public are not pursued because nobody champions them. So when a whole bunch of US companies descends on a country and starts lobbying the regulator to mandate the purchase of an ultra-expensive consumer protection ‘tool’ then you should instinctively know they are not doing it because they care about protecting that country’s consumers. And when the regulator in that country chooses to ignore an alternative solution developed using GBP1mn (USD1.3mn) of taxpayers’ money then you know they are rigging the outcome of their decision-making process to justify the huge amounts that will go to the US companies doing all the lobbying. This is the scenario we face with the consultation currently being run by Ofcom, the UK comms regulator, on whether to adopt STIR/SHAKEN, the expensive US method of authenticating CLIs by attaching digital signatures to calls and conveying them via SIP signals.
- STIR/SHAKEN is the brainchild of Henning Schulzrinne, former CTO at the US Federal Communications Commission (FCC), and several other US technologists whose primary interests lay in finding ways to exploit the potential of the SIP signaling protocol. Their work in the field of consumer protection is hence a straightforward example of the bias known as Maslow’s Hammer: “If the only tool you have is a hammer, it is tempting to treat everything as if it were a nail”. They chose an approach that is completely reliant upon SIP in full knowledge that many US telephone calls and most of the world’s telephone calls will be carried on non-SIP networks for the foreseeable future.
- Under the influence of this group, the FCC conducted a vague cost-benefit analysis which decided the harm caused by CLI spoofing was so great that it did not really matter if the total cost of implementing STIR/SHAKEN in the USA would be billions of dollars or just hundreds of millions of dollars. In other words, it was the kind of cost-benefit analysis that no rational investor would respect if they were staking their own money. Immediately following the imposition of STIR/SHAKEN, a series of tendentious claims, backed by inadequate data, were made by the FCC and advocates of the technology about how STIR/SHAKEN had immediately reduced undesirable phone calls, and thus was delivering the promised benefits to the public. But in the two years that have passed since then, the goalposts used to determine the benefits of STIR/SHAKEN have repeatedly been changed, or become subject to ever more sophisticated ‘interpretation’, not least because the most basic and objective measure says the number of US robocalls keeps rising. This outcome is the opposite of the result promised by advocates of STIR/SHAKEN.
- Advocates of STIR/SHAKEN insist on making excuses for its failures by asserting it is just one tool amongst many. This is misleading. It is the most expensive tool by far, and the decision to purchase this tool has serious implications for other decisions that will subsequently be made. Purchasing the tool equates to making a strategic choice, though few are honest or clear-sighted enough to clarify this publicly. Choosing STIR/SHAKEN for CLI authentication is like choosing to upgrade transportation options by spending hundreds of millions of dollars on laying new train tracks. The tracks are ‘just a tool’ in the sense that they are useless unless you also intend to spend money on trains, stations, ticketing systems, ticket inspectors and the like. Future investment will have to be directed towards exploiting the existing investment in the ‘tool’ and will not be spent on alternatives like cycle lanes or road bridges or airport runways. Referring to STIR/SHAKEN as ‘just a tool’ is to ignore that the enormous cost of the tool will result in a country’s consumer protection strategy being defined by how it uses the expensive tool it has purchased and which then requires complementary tools to also be purchased as part of an ongoing strategy for reducing the number of undesirable phone calls.
- Two years ago, Ofcom commissioned a report from the Chairman of the Board at the SIP Forum, one of the leading lobbying groups for STIR/SHAKEN, as funded by businesses which supply STIR/SHAKEN. He unsurprisingly recommended that the UK regulator make STIR/SHAKEN mandatory in the UK. In exactly the same way that lobbying was conducted in the USA, he simply paid no attention to the possibility of solutions that do not depend on SIP. He then publicly boasted that Ofcom would mandate STIR/SHAKEN in the UK.
- There are alternatives to using signatures conveyed by SIP for authentication. Hardly any money is being spent on developing these alternatives because they are each likely to be much cheaper to implement, thus leading to far less opportunity to generate profit for suppliers. None of them would lead to enormous follow-on sales of complementary ‘tools’.
- One of those alternatives is to develop a method that works independently of SIP by authenticating the CLI using a callback procedure between the A and B party. Various academics around the world have independently proposed this approach. The most advanced version of this method comes from a team of researchers at a British university, the University of Warwick, whose work has been supported by a GBP1mn (USD1.3mn) public grant.
- When Ofcom announced this year a consultation on how to authenticate CLIs, they only proposed the two year old plan they purchased from the American lobbyist. They ignored the poor results delivered in the USA in the interim, and they ignored all the work done in Britain to construct a superior alternative. By ignoring all alternatives, Ofcom is showing it is willing to gerrymander its own cost-benefit analysis. This will allow them to avoid a situation where they have to publicly explain why they prefer the most expensive ‘tool’ available, even though there is no evidence that it will deliver better results than cheaper alternatives. The deadline for responses to this public consultation is June 23.
It is a genuine shame that so few professionals are going to examine the merits of the University of Warwick authentication method, which they refer to as Caller ID Verification, or CIV. One reason to like cheaper methods is to think of the cost of living, and whether it is sensible to mandate enormous expenditure on STIR/SHAKEN at a time when phone bills have already been rising much faster than inflation. Another reason is to look at the job cuts being made in telcos. C-level executives will eat the cost of STIR/SHAKEN for the sake of public relations if they calculate they will receive less grief from government when they next impose mass redundancies.
British fraud managers have been frozen out of conversations about STIR/SHAKEN, which have been dominated by engineers obsessed with SIP. These fraud managers should ask themselves if this anti-fraud ‘tool’ is one they will get to use, or which will instead be used to justify cuts to their team. Not having any influence over the single most expensive anti-fraud initiative in the history of this industry only suggests they will have no influence when arguing against cuts to their department. The quality of information used to manage communications fraud is so low that, contrary to allied fields like cybersecurity, it never occurs to most fraud managers that their work might be improved by methods developed by academics. But if you are interested in the method that Ofcom’s full-time employees simply do not want to consider as an option for reducing the fraudulent misrepresentation of the origin of calls, keep reading for a short synopsis of CIV, excerpted from the most recent paper written by its developers.
CIV avoids two of the most serious flaws of STIR/SHAKEN
…STIR/SHAKEN suffers from two inherent limitations in the system design. First, it critically relies on trusted certificate authorities (CAs) to certify signing keys in a public-key infrastructure (PKI). VoIP networks normally involve a PKI when using SSL/TLS to protect the data transmission in certain paths, but the PKI we discuss here in STIR/SHAKEN is a new infrastructure. To spur the deployment of STIR/SHAKEN, the FCC has appointed several telecom companies in the US as the CAs. To comply with STIR/SHAKEN under the FCC rule, telecom providers in the US shall pay these CAs subscription fees for the issuance of certificates, normally based on the company’s annual revenue (subject to a minimum fee). Although the FCC has been urging a global adoption of STIR/SHAKEN, it is extremely unlikely that the FCC-appointed CAs will be trusted by all other countries. (Similarly, if China appoints its own CAs, it is equally unlikely that they will be trusted by the FCC.)
Second, STIR/SHAKEN involves the transmission of digital signatures and a chain of certificates (several kilobytes) as part of the signaling data. The original design is to support only the SIP (VoIP) system, which leaves the traditional SS7 (landline and cellular) systems unprotected. Although there are retrospective proposals to support STIR/SHAKEN in SS7 systems, e.g., by transmitting signature data out-of-band through a trusted third party, such a trusted third party is difficult to find in reality. The FCC acknowledges that “the STIR/SHAKEN framework is only operational on IP networks”, but requires that “providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks”. However, the “caller ID authentication solution” for non-IP networks has not been specified, which leaves a gap in the regulatory rules.
The essential idea behind CIV is much simpler than STIR/SHAKEN and could be implemented anywhere without network upgrades
CIV authenticates caller ID based on a challenge-response protocol. As we will explain, it does not require a PKI and works with existing heterogeneous networks (SS7/SIP), hence addressing the two major limitations of STIR/SHAKEN. Our solution does not require any trusted third party and can be deployed by updating the software on the user’s phone (or switches in the telecom cloud). This follows a bottom-up approach as opposed to STIR/SHAKEN’s top-down approach.
CIV has been shown to work in practice
- We present concrete prototypes of CIV for landline, cellular and VoIP phones and show how they work across heterogeneous telecom networks (SS7/SIP).
- We systematically evaluate the performance of CIV in PSTN, cellular, and SIP networks to show the feasibility. This is the first demonstration of a caller ID authentication solution that works on all three types of phone systems across heterogeneous networks.
CIV would easily defeat STIR/SHAKEN in an unbiased competition based on costs and benefits
Cost. We consider two types of costs: one-time setup cost and ongoing cost… For the stage 3 deployment of CIV, the challenge-response process is performed between the switches of the two communicating carriers in the telecom cloud. This should only require a software update in the telecom cloud. The software update on the user’s phone is optional. We may update the phone display showing the verification outcome of CIV, but it is also possible to inform the user via pe-recorded audio (i.e., whether the caller ID is verified or not) when she answers the phone. The latter can work with existing phones without modification as we have done with the trueCall prototype. By comparison, different levels of attestation (A, B, C) in STIR/SHAKEN cannot be communicated succinctly via audio; a STIR/SHAKEN compatible phone is required to display this complex information. The more significant cost in STIR/SHAKEN involves certificate registration and the private key management by each carrier. We note that it is unsafe to manage private keys in software. The best practice requires private keys to be managed in hardware security modules (HSMs), which are costly. Furthermore, each carrier must pay ongoing costs to CAs for certificate maintenance (e.g., possible revocation and replacement) and annual renewal. These certificate-related costs do not occur in CIV.
Benefit. The primary goal of STIR/SHAKEN and CIV is to prevent caller ID spoofing attacks by scammers. Hence, we evaluate the benefit in terms of how effectively the solution can achieve its goal. We focus on analyzing the main mode of operation by scammers: they call from an overseas VoIP provider but use a spoofed local number which they do not own in order to deceive the receiver. The digital signature in STIR/SHAKEN does not address this problem per se. A C-level attestation only states that the call is routed via an international gateway but says nothing about the authenticity of the caller ID. (Usually, the gateway lacks the knowledge to tell whether an overseas caller is authorized to use a local number or not.) CIV addresses this problem by sending a verification call to the local number, hence preventing spoofing attacks without requiring the cooperation of the overseas VoIP provider or the gateway. This shows that, to address caller ID spoofing as an international problem, it is actually sufficient to deploy CIV domestically.
The commercial angle for CIV that the researchers did not talk about
An academic paper is not the right place to discuss how telcos could monetize call authentication. However, CIV also has one potential commercial benefit that telcos should consider, if they are not too busy saving money by cutting staff. The main downside to CIV relative to STIR/SHAKEN is the time required for the challenge-response protocol that occurs at the beginning of each call. This increases the duration of the call from the perspective of the originator, though not from the recipient’s perspective, as time spent performing authentication occurs before the recipient’s phone starts ringing. However, this downside is a relative positive compared to the cost of purchasing yet more ‘tools’, of the type being implemented in the USA to help American businesses convince customers to pick up their calls again. A business that is worried that its calls will be ignored should tolerate waiting several seconds before the recipient’s phone starts ringing if it means the recipient will have the confidence to pick up. But those additional seconds do represent potential additional revenue for telcos, or they can be avoided by offering an alternative value-add service.
The beauty of CIV is that the challenge-response sequence can occur without making any network modifications, but that does not mean telcos cannot choose to implement tech which would speed up the authentication sequence. A telco like BT could easily implement a more rapid challenge-response sequence between two gateways in the cloud, and then charge enterprise customers for the reduction in time before the recipient’s phone starts ringing. So whilst STIR/SHAKEN can only add to the costs of telcos, with all of the expenditure going to the suppliers of STIR/SHAKEN and the bureaucracy required to govern it, CIV would not just be cheaper but could also potentially generate new revenue for telcos.
I have seen some biased regulatory consultations in my time, and the lesson I have learned is that regulators can get away with anything if the public is not paying attention and business executives are not willing to fight. That is why I expect STIR/SHAKEN will be forced upon UK comms providers. The current UK government wants to be able to say it is cracking down on fraud, and is so far removed from the detail that they do not care if enormous amounts are wasted on ineffective technology. They just want their regulator to help them win the next election.
Executives will rightly calculate that the better deal for their shareholders is to play nice when asked to spend money on boondoggles like STIR/SHAKEN, in exchange for getting an easier ride when they pursue mergers and mass redundancies. Most fraud managers simply cannot identify the sequence of events where they lose their jobs because industry ‘collaboration’ resulted in a centralized bureaucracy that took important decision-making away from individual comms providers, allowing most anti-fraud staff to be replaced with AI-powered bots.
But if you want to imagine this industry can occasionally make good decisions based on the best interests of the public, then the new paper that explains how CIV works is available here.