The Commsrisk Review of 2015

Father time is holding up his mirror, reminding us that another year has passed, and most of us are not looking any prettier. If readers are concerned by the bags under their eyes, or a sag around their waist, or a few more gray hairs on their head, at least they have a good excuse: they deal with risk and assurance in the comms sector. 2015 had it all: hacks, fights, scandals, buy-outs, bust-ups and crackdowns. Risk management never seemed more vital, but never has it faced such a struggle to remain relevant as old business models come under sustained attack, and governments take matters into their own hands. 2015 was the year when many thought the answer was Big Data, only to wonder if they were still asking the right questions. If you can say you predicted the events that unfolded in 2015, then you must be a liar. Here is a reminder of what happened during a topsy-turvy year for assurance and risk.

January to March

The year began with an extraordinary row in Ghana about how to tackle simbox fraud. Ghana’s government promised to save millions by implementing a national interconnect clearing house, whilst the opposition described the plans as ‘dishonest’. The public was so confused that the best-dressed man in business assurance, Nixon Wampamba, appeared on television to explain what everybody should do. Nixon told Ghana that the only real solution is to reduce the difference between national and international rates. Sadly, Ghana’s government did not listen.

Whilst the authorities in Ghana and Malawi were accused of using revenue assurance as an excuse to spy on the public, American and British intelligence agencies went one step further and hacked the world’s largest supplier of SIM cards. Despite this, the Brits pretended to be transparent by issuing a heavily redacted parliamentary report about GCHQ, the UK’s premier electronic eavesdroppers. The report said nobody need worry, because although GCHQ has access to lots of routes used by lots of people in lots of countries, they only have enough ears to listen to a tiny fraction of all the calls they are capable of intercepting. Not wanting to feel left behind in the competition for bragging rights amongst spy agencies, China’s government finally admitted they possess network attack forces. Literally nobody found this surprising.

Security and privacy were hot topics at the Mobile World Congress, and Visa unveiled its plans to use the location of a customer’s phone to verify credit card payments. In a taste of things to come, data taken from UK telco TalkTalk was used for phishing attacks, whilst the FBI arrested hackers who infiltrated eight email service providers and stole one billion email addresses, using them to spread spam. Meanwhile, customers who inserted smileys into ‘free’ text messages were left frowning by handsets that automatically converted their SMS into an MMS, resulting in unexpectedly big bills.

There were some interesting developments amongst specialist risk vendors, with LATRO offering a new technology for detecting simboxes and recruitment taking place at Cartesian and cVidya. Meanwhile, new comms risks became evident following Apple’s entry into the watch market, and by observing the wide array of networked but lightly-regulated medical sensors touted at events like Wearable Tech 2015.

April to June

Verizon’s data breach report told us there was a significant rise in the number of personal records which had been compromised, but no great leap forward in the techniques used by hackers. AT&T learned how much breaches can cost, agreeing a record USD25mn settlement after information was sold by workers in their call centers. On the other side of the world, Huawei CEO Xu Zhijun openly criticized the Chinese government’s approach to cybersecurity.

The fashion for hands-on assurance by African regulators was confirmed when Nigeria budgeted half a million dollars for a national RA system and Zimbabwe tendered for an RA system so advanced that it makes your tea and collects your dry cleaning. However, nosey governments did not save Vodacom Tanzania from being embroiled in a scandal after a blogger published internal corporate documents that suggested Vodacom had covered-up “enormous business losses” caused by a dealer pirating electronic recharge vouchers.

In comparison to all the action in Africa, UK comms regulator Ofcom talked a lot about the need for accurate billing, but failed to do anything useful. For example, Ofcom promised to make bills more accurate by ‘reducing’ the extent of bill accuracy regulation. Soon afterwards, a slew of complaints prompted Ofcom to investigate the accuracy of Vodafone UK charges. By year’s end, that investigation had still not resulted in any action or public announcement, despite Vodafone’s postpaid mobile service generating twice as many complaints as the industry average.

European Commissioner Andrus Ansip tried to get ahead of technology change with a vague new strategy for a European ‘Digital Single Market’, though like everything to do with electronic communications, an earlier and more radical draft was leaked. Ansip’s strategy promised to help network providers, not by reducing their regulatory obligations but by creating new burdens for their OTT rivals. One of the few concrete proposals promised an end to geo-blocking of content within the EU, and this was supported by the EU Parliament.

Mass CDR collection briefly became the biggest news story in the USA, after a federal court decided the NSA had collected bulk phone data without proper authority, and Presidential hopeful Senator Rand Paul followed that by speaking for 10 hours about the evils of excessive data gathering. Paul’s Herculean effort resulted in a very brief interruption to the US government’s collection of phone records, but normal service was resumed soon after, except telcos were told to retain data in case the NSA needed it later, instead of handing it over immediately. One of the issues raised by Senator Paul was how surveillance damaged American business, and this was later confirmed when an American founder of Silent Circle, suppliers of encrypted comms products and services, explained why they chose to base their company in Switzerland.

Market research reiterated that Portuguese vendors WeDo were leaders in the RAFM space, whilst the FY15 financial results for Indian rivals Subex showed modest improvement compared to the previous year. Neural were also on the front foot, with a revamped strategy and marketing; they later announced a USD1mn contract with Singapore’s StarHub. In contrast, results from a survey by the TM Forum prompted cVidya’s CTO to take a drastic and untried approach to charming potential customers, by describing some RA managers as ‘deluded’.

New and under-appreciated sources of risk were identified everywhere, including messages of death for iPhones and Skype, IMSI-catchers located all around London, and security weaknesses in the most common protocol for smart meter communications. Meanwhile, Commsrisk research highlighted the suspicious way that Google funds a network neutrality lobbying initiative that collects lots of data about internet users.

Commsrisk also showed itself ahead of the curve by noticing the threat to the EU-US Safe Harbor agreement for personal data, when Austrian privacy activist Max Schrems succeeded in appealing his dispute with Facebook to the European Court of Justice (ECJ). We celebrated a major milestone just a few days later, with the publication of our 1000th article.

July to September

OTT bypass emerged as the biggest talking point of the year, generating more hits than any other recurring topic on Commsrisk. The general fear of OTT was vindicated when one OTT service provider admitted they were a ‘threat’ to operators.

Many minds were concentrated on risks posed by the Internet of Things (IoT), with hackers showing how to remotely disable a moving car, and Ofcom commissioning a very useful report that highlighted the huge challenges when seeking informed consent for IoT data gathering and processing. The most ubiquitous smart device was the subject of surprising new research by the Wall Street Journal, questioning if smartphone kill switches reduce crime.

The importance of security was reiterated when users of the Ashley Madison dating service found their marriages at risk after blackmailers obtained their data. A separate data breach by Carphone Warehouse affected 2.4 million customers. However, anyone wanting help from the United Nations should think again, after its new privacy chief tried to explain why the internet needs its own version of the Geneva Convention. Bizarrely, he linked the genuine and pressing issue of internet privacy to the alleged problem of too many CCTV cameras being used to spy on remote parts of the English countryside. Repressive governments worldwide must have enjoyed the revelation that the UN’s top priority is protecting the privacy of English hikers and English sheep.

There was an acceleration in the transformation of business models, as more retail telcos engaged with the business of distributing content. This was underlined by Cartesian’s acquisition of a specialist digital TV consultancy. Neural were also keen to grow their business, but their approach involved recruiting 30 percent more staff.

Another important industry trend was confirmed when attendees of the summer meeting of the Revenue Assurance Group unanimously decided to change their name to the Risk & Assurance Group.

October to December

The snowball of data breaches ran out of control in the final quarter of the year. 15mn customers of T-Mobile USA were affected by a breach at credit bureau Experian whilst TalkTalk’s CEO went into public relations overdrive to claw back some of the 30 percent drop in her company’s share price following yet another hack attack. But the combined corporate failures on either side of the Atlantic were insignificant compared to the devastation caused to US and EU data protection law by Max Schrems’ day in court. Schrems persuaded the ECJ to unceremoniously dump the EU-US Safe Harbor, successfully arguing that the agreement was invalid because the US government gathers data in ways that conflict with the rights of EU citizens.

The relationship between technology and the law was tested all over the world. In Kenya, Safaricom found themselves in a legal battle relating to whether anti-money laundering requirements should be applied to businesses that transfer money using bitcoins. Spain’s Supreme Court reached some important conclusions on the extent to which the ‘right to be forgotten’ can be used to edit a person’s history. An Australian court reached the crazy conclusion that publishing a hyperlink means creating a legal liability for the content which is being linked to. Meanwhile, YouTube said it will go to court and fight for selected customers’ right to ‘fair use’ of copyrighted content.

MTN Nigeria faced an eye-watering USD5bn fine for not disconnecting SIMs when ordered to for security reasons. As a result, parent MTN Group lost 20 percent of its value on the Johannesburg stock exchange. Ironically, MTN South Africa were then ordered to reconnect SIMs known to be used for the gray routing of traffic, after a judge decided the telco had not established any crime or contract violation had taken place.

In a sign of changing priorities, President Obama bowed to pressure from Google and Apple and dropped proposals to compel tech companies to provide ‘back doors’ for surveillance. However, tax always remains a priority for every government, and Sprint were hounded by the New York Attorney General for USD300mn damages after they decided not to add sales taxes to customer bills. But even the US authorities must be impressed by the zeal of Ghana’s tax collectors, which publicly argued with Ghana’s comms regulator about who has the right to test for simbox fraud, and hence to assure termination revenues. Unperturbed, Ghana’s comms regulator signed a contract which means SIGOS will execute at least 400,000 simbox test calls per month.

Lycamobile, a cut-rate international comms group, found themselves suffering unwanted publicity when a newszine published evidence of alleged money laundering. The evidence was circumstantial in nature, and the original source was an investigation by private detectives hired by Lebara, the main competitor to Lycamobile. Lycamobile and Lebara are run by two Sri Lankans with a bitter personal rivalry, leading many to conclude that Lycamobile were the victims of a smear story.

The long-anticipated sale of cVidya finally appeared to inch closer, with the Israeli press reporting rumors of a USD30mn acquisition by Amdocs. Meanwhile, Neural announced the purchase of Enterest, a business that specializes in data integration.

After a lot of talk about the importance of Big Data, then a lot of talk about how Big Data had been overhyped, a survey commissioned by Guavus reported that most telcos already have a Big Data strategy. Emphasizing the importance of technology and data suited the mood at the TM Forum, which revised its RA maturity model to judge the quality of measurement data as more than twice as important as the quality of human staff employed to analyze and respond to that data. However, the reasons we should all want comprehensive data were illustrated by Google’s research into how many emergency service calls are caused by ‘butt dialing’.

And Beyond…?

One sure prediction is that the future will be increasingly hard to predict, because everything is getting more complex. Even if we possess a lot more data, human minds still make the ultimate decisions, and human beings still suffer the same old biases and frailties. The expansion of Commsrisk’s remit to cover a wider range of topics has illustrated the blurring of the boundaries between telecoms and other kinds of business, and also the tendency for new technology to pose questions that only receive a proper answer after we have experienced what can go wrong. Just as governments were wrong to try to deal with the mismatch between EU and US data protection law through the flawed Safe Harbor agreement, game-changing technologies like wearable medical sensors and cryptocurrencies will further test how societies cope with the upsides and downsides of new networked technology. The hottest topic of 2015 was OTT bypass, which has the potential to cause havoc to voice termination. However, neither governments nor the public have observed the likely relationship between an undesirable OTT customer experience and the way network neutrality is imposed. Serious questions can only be answered by serious people; assurance and risk professionals need to supply not only the answers, but also the data that supports those answers.

Thanks to you, we can be confident about something else: Commsrisk serves a useful purpose. Our readership numbers reached unexpected new heights in 2015. As Editor, my aim is to weave together seemingly disparate stories, showing them side-by-side, and then highlighting the links between them. This way, we can observe the main trends relating to change and risk, and so separate the key drivers of business success from the surrounding cacophony of complexity. Commsrisk will continue to be here in 2016, presenting the stories that matter to anyone working in communications risk and assurance. With your help, we intend to rise to the many challenges that lie ahead.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.