UK Adopts New Rules to Stop CLI Spoofing but Not STIR/SHAKEN

The UK comms regulator, Ofcom, has revised its rules with the intention to reduce the number of spoofed calls received by consumers and thus protect them from scammers. However, Ofcom has confusingly changed only the high-level wording of what is mandatory for all comms providers whilst simultaneously extending the non-mandatory guidance on detailed controls that comms providers should execute. This tactic could be meant to give Ofcom leeway to subsequently strong-arm some larger telcos into trying new techniques they are not strictly required to implement, if the methods listed in the current guidance prove insufficient. Ofcom will be keen to avoid the mistake made by the US government, which passed a law imposing the use of the expensive STIR/SHAKEN technology but has since watched it fail to deliver the promised reduction in scam and nuisance calls.

General Condition 6 was the specific rule amended by Ofcom; this condition now includes the following wording:

6.4 When providing Calling Line Identification Facilities, Regulated Providers must: a) ensure, so far as technically feasible, that any CLI Data provided with and/or associated with a call includes a valid, dialable Telephone Number which uniquely identifies the caller; and b) respect the privacy choices of End-Users.

6.6 Where technically feasible, Regulated Providers must: a) take all reasonable steps to identify calls, other than calls to Emergency Organisations, in relation to which invalid or non-dialable CLI Data is provided; and b) prevent those calls from being connected to the called party, where such calls are identified.

The notion of technical feasibility leaves room for requirements to evolve as technology changes. US vendors of STIR/SHAKEN will be especially focused on the UK plan to transition to all-IP networks before the end of 2025 as SIP signaling is conducive to the exchange of digital signatures. However, the potential for technological progress must be balanced against the qualification that only ‘reasonable’ steps need to be taken to identify and block bogus CLIs. In other words, it is fine to use more advanced technology but not at any cost.

It appears Britain’s authorities want a more low-key compromise with telcos compared to the high-profile and demanding laws passed in the USA and France. Ofcom will neither prescribe mitigations implemented by telcos in the way the US has, nor will they stipulate that calls must be blocked if they have not been authenticated, as is required by French law. The British regulator will instead engage in an ongoing dialogue about which mitigations have proven effective in practice and which will unofficially become mandatory for all comms providers over time. The rationale for this approach is that it keeps the regulator’s options open, letting them take advantage of evidence that shows which methods are succeeding or failing, whether in the UK or elsewhere. Ofcom could still seek to mandate particular controls and technologies if the majority of telcos have adopted them but others are taking too long to act.

One area where Ofcom has seemingly learned from mistakes made in other countries is the attention they have given to know your customer (KYC) controls on business customers. Organized criminal gangs are also businesses, operating behind fronts that appear to be legitimate companies. The enormous US investment in STIR/SHAKEN has been fatally undermined by inadequate KYC, leading to huge numbers of bad calls being authenticated. Placing greater onus on UK telcos to implement KYC controls will deliver far greater benefit than a misplaced desire to use digital means to ‘authenticate’ calls when nobody has examined the businesses that placed those calls.

The guidance on how to tackle spoofing looks like it could have been copied from Australia’s anti-scam strategy and now represents the mainstream philosophy of most regulators who are acting to reduce nuisance calls. The main features are that telcos should block calls:

  • which are routed inbound from overseas but which present a domestic CLI for the A-number;
  • which present a CLI that matches any number listed in Ofcom’s national Do Not Originate list;
  • which have a malformed CLI that is inconsistent with the UK’s dial string formats.
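
The three blocking rules above can be sketched as a single screening function. This is an added example, not code from Ofcom's guidance or from the original article. The number-format check is a simplified assumption (+44 followed by a 9- or 10-digit national number), the Do Not Originate entry is constructed, and the emergency-call exemption follows the General Condition 6.6 wording quoted earlier.

```python
import re
from dataclasses import dataclass

# Simplified assumption: a UK CLI in E.164 form is +44 followed by a 9- or
# 10-digit national number. Production screening would check allocated ranges.
UK_CLI = re.compile(r"^\+44[1-9]\d{8,9}$")
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
EMERGENCY = {"999", "112"}          # exempt from blocking under GC 6.6
DNO_LIST = {"+443001234567"}        # constructed stand-in for the Do Not Originate list


@dataclass
class Call:
    cli: str                        # presented A-number
    called: str                     # dialled B-number
    international_ingress: bool     # arrived over an international gateway


def normalise(cli: str) -> str:
    """Remove punctuation; 00 becomes +, a bare 0 is assumed UK national format."""
    digits = re.sub(r"[\s\-().]", "", cli or "")
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("0"):
        return "+44" + digits[1:]
    return digits


def screen(call: Call) -> tuple[str, str]:
    """Apply the three blocking rules; returns (decision, reason)."""
    if call.called in EMERGENCY:
        return ("connect", "emergency")
    cli = normalise(call.cli)
    pattern = UK_CLI if cli.startswith("+44") else E164
    if not pattern.match(cli):
        return ("block", "malformed-cli")
    if cli in DNO_LIST:
        return ("block", "do-not-originate")
    if call.international_ingress and cli.startswith("+44"):
        return ("block", "uk-cli-from-abroad")
    return ("connect", "ok")


# Constructed sample calls.
if __name__ == "__main__":
    for c in [Call("020 7946 0123", "01614960000", False),
              Call("+442079460123", "01614960000", True),
              Call("+4412", "01614960000", False)]:
        print(c.cli, screen(c))
```

The format check runs first so that a malformed CLI is rejected before it is compared against the list or the ingress rule.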

Evidence from other countries already suggests that blocking foreign calls that present a domestic number is a highly effective means of reducing the volume of scam and nuisance calls. Ofcom has obviously listened to UK operators who have made the same argument. For example, Ofcom’s press release highlighted the results TalkTalk obtained by voluntarily introducing this control.

Our guidance to telecoms firms to identify and block calls from abroad that falsely use UK numbers is based on an industry initiative, which some providers have already implemented voluntarily. One of these – TalkTalk – previously stated it had seen a 65% reduction in complaints about scam calls since it introduced this measure.

Vested interests in the USA will be disappointed by the results of this consultation after repeatedly hyping the likelihood that STIR/SHAKEN would soon be implemented in the UK. An influential advisor to the US authorities publicly stated the expectation that Britain would be the third country to adopt STIR/SHAKEN after the USA and Canada. Ofcom seemed to be leaning in that direction for a while, but the outcome of this consultation shows they were not as convinced of the merits of STIR/SHAKEN as its advocates have often tried to pretend. The new rules mean the UK regulator has not followed the approach desired by the US government but there is enough ambiguity about the future for this not to be seen as an outright snub.

Vendors of STIR/SHAKEN still have some comfort because Ofcom’s approach leaves the door open to implementing STIR/SHAKEN as the UK completes its transition to all-IP networks. However, these vendors will also fear that the cost-benefit argument for STIR/SHAKEN will no longer be tenable if the number of spoofed and scam calls has been greatly reduced in the meantime. This is the main reason they are always in a rush to persuade regulators to adopt STIR/SHAKEN. These vendors will now have to rely more on the political pressure that the US government will apply to other countries. Having failed to reduce unwanted calls in the USA, the US government and regulator have shown themselves keen to blame foreigners. They repeatedly state that STIR/SHAKEN must be implemented by other countries.

American marketeers have exploited a fog of uncertainty because STIR/SHAKEN has been central to the anti-robocall strategy communicated to the public by US politicians and regulators, even though it has been implemented alongside a confused hotchpotch of other techniques that are also meant to reduce nuisance and scam calls. Whilst they appear desperate to ensure STIR/SHAKEN gets most credit, it is likely that many of the cheaper methods are actually doing more to protect consumers. Trialing the more affordable methods first, as is happening in the UK, will give a clearer indication of whether the high cost of technologies like STIR/SHAKEN that rely on the creation and propagation of digital signatures can be justified relative to the expected benefits.

Ofcom’s press release about tackling spoofing can be found here, their consultation report explaining the change to General Condition 6 is here, and Ofcom’s advice on preventing the misuse of numbers, which includes KYC requirements, is here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.