UK Regulator Delays STIR/SHAKEN Decision; Pretends to Launch an Anti-Scam ‘Crackdown’

It can be difficult to be a national comms regulator. They have to assure consumers that the interests of the public are protected even if nobody knows how to protect them. National regulators also have to deal with the risks created by misuse of comms systems in other countries although those systems lie beyond their jurisdiction. The global increase in CLI spoofing is a natural consequence of the switch to IP networks, the historic lack of integrity in the design of voice communications, and the insatiable desires of career criminals. Ofcom, the UK comms regulator, has just published a new document that tells everybody that something must be done about scams facilitated by CLI spoofing. Their publicity goons even used the word ‘crackdown’ to suggest how much Ofcom is going to do about it. However, reading through the detail of their so-called plan clarifies that the British regulator is still waiting for somebody to tell them what to do.

Ofcom’s new ‘policy positioning statement’ on tackling scam calls and texts clarifies that no decision will be made about whether to mimic the US STIR/SHAKEN protocols until the fourth quarter of this year. There are no useful suggestions about other methods to reduce fraud, except that Ofcom wants to persuade more British telcos to emulate controls already implemented by the best telcos. The paper begins with the usual yada yada about the need to protect customers but soon descends into platitudes about strengthening rules and guidance, begging the question of how strong a guide can be before it becomes a rule.

  • We aim to disrupt scams by making it harder for scammers to use communications services to reach consumers. We propose to strengthen our rules and guidance, while at the same time supporting providers to develop their own technical solutions to detect and prevent scam traffic.
  • Scams are increasingly complex, often involving different companies and sectors. So, a coordinated approach is vital to ensure more scam attempts are blocked or disrupted. We will collaborate and share information more widely, including with Government, regulators, law enforcement and consumer groups.
  • Given the pace at which scammers change their tactics, we understand it will not be possible to stop all scams reaching consumers. We are working to help consumers avoid scams by raising awareness so consumers can more easily spot and report them.

A cynic might re-write this as four steps towards nowhere in particular.

  1. Wait to see which telcos are doing a good job, then write some strongly-worded guidance explaining how other telcos might like to copy them.
  2. Have more committees and larger meetings because there was a shortage of committees and meetings.
  3. Tell customers how to identify the most common scams because all other protections, no matter how expensive, are bound to be inadequate.
  4. Say absolutely nothing about arresting the criminals responsible for scams.

Then Ofcom chose some words which gave the game away.

A significant amount of work is already underway in the telecoms sector to help prevent customers being scammed…

That is true. However, the dolts working for Ofcom’s public relations team have touted this document as containing ‘tough new plans’. For something to be new it has to contain something new. There is a conspicuous lack of anything new in this document, except the news that Ofcom will instigate some new consultations i.e. invite other people to tell Ofcom what to do. All that can be gleaned from this document is that Ofcom would like telcos to travel in the direction they were already moving. A full-page summary of Ofcom’s proposals can be edited to just the following few sentences because everything else they wrote was just dressing.

What we are proposing

…strengthen our rules and guidance so that providers do more to detect and block the most obviously spoofed numbers…

A good practice guide… In this guide we set out what we expect providers to do to ensure they know their business customers and how numbers will be used by them. The guide contains processes that should be in place to check customers are using numbers in compliance with our rules, and for responding to reports of misuse…

We worked with UK Finance on a ‘Do Not Originate’ (DNO) list… We have updated our guidance for using the list and will consider whether it can be expanded to include numbers from a wider range of organisations…

…We are exploring the introduction of technical standards that make it possible for the network originating the call to confirm the caller’s authenticity before passing it to the network of the person receiving the call… We plan to issue a call for inputs in Q4 2022 seeking views on the role of CLI authentication…

Note the strange emphasis on making it possible for the originating network to authenticate the caller. I assume this means the paper was written by somebody with such a poor grasp of the issues that they actually think this is a problem that needs solving. The originating network is not at risk when a scammer places a call; it is the recipient that needs to know if the dialing party is genuine. The originating network already has procedures for ensuring each SIM card is allocated to the right customer, or that holes are drilled in the right person’s wall. Authenticating the CLI is a separate issue to preventing identity-based frauds like SIM swaps. CLI authentication technology is designed to give assurance to the terminating network by passing information which was attached to the call by the originating network. It is not designed to tell the originating network something they are already supposed to know.

If we ignore the author’s confused understanding of CLI authentication, the rest of these plans reflect good common sense. There is no reason to delay obvious improvements like expanding a Do Not Originate list to include hospitals, utilities, and the like. But it is fair to observe that not everybody has common sense. For example, I wonder if it ever occurred to the US regulator that they might provide a guide on how to perform basic Know Your Customer checks. If they had, they might not have discovered that half a billion dollars of CLI authentication technology can be rendered worthless by allowing scumbags to have their CLIs authenticated too.
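The two paragraphs above describe a split that is easy to lose in policy prose: the originating network attaches the attestation, the terminating network verifies it, and a valid signature proves only that a recognised provider vouched for the CLI, not that the provider did its Know Your Customer homework. The sketch below is an added illustration, not code from Ofcom’s paper or this article: it signs a SHAKEN-style PASSporT on the originating side and verifies it on the terminating side using the RFC 8225/8588 claim layout, with the ES256 signature replaced by an HMAC stand-in so it runs on the standard library alone; the provider key store, URLs and telephone numbers are constructed.

```python
"""Constructed STIR/SHAKEN-style sketch: an originating network signs a
PASSporT for a call and a terminating network verifies it (RFC 8225/8588
claim layout). The ES256 signature is replaced by an HMAC stand-in so this
runs offline with only the standard library; keys, URLs and numbers are made up."""
import base64, hashlib, hmac, json, time, uuid

# Stand-in for the certificate repository a terminating network consults
# (in real SHAKEN the x5u header points at the provider's STI certificate).
PROVIDER_KEYS = {"https://sti.example-origin.net/cert.pem": b"origin-network-secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_passport(orig_tn, dest_tn, attest, x5u, key, iat=None):
    """Originating side: attach an attestation level to the call.
    'A' = full (provider knows the customer and its right to the number),
    'B' = partial, 'C' = gateway. The level is the originating provider's
    own claim about its KYC; nothing downstream can check that claim."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]},
              "iat": int(time.time()) if iat is None else iat,
              "orig": {"tn": orig_tn}, "origid": str(uuid.uuid4())}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()  # ES256 stand-in
    return signing_input + "." + _b64url(sig)

def verify_passport(token, presented_cli, dest_tn, now=None, max_age=60):
    """Terminating side. Returns (verified, attest, x5u). verified=True means
    only that a provider we recognise vouched for this CLI, at the stated
    level, recently, for this callee. It does not say the caller is honest."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig, x5u = _b64url_decode(s), header.get("x5u")
    except (ValueError, AttributeError):  # malformed token
        return (False, None, None)
    key = PROVIDER_KEYS.get(x5u)
    if key is None or header.get("ppt") != "shaken":
        return (False, None, x5u)  # unknown provider: nobody we trust vouched
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return (False, None, x5u)  # claims altered after signing
    now = int(time.time()) if now is None else now
    fresh = abs(now - claims.get("iat", 0)) <= max_age  # replay window
    cli_ok = claims.get("orig", {}).get("tn") == presented_cli  # matches SIP From
    dest_ok = dest_tn in claims.get("dest", {}).get("tn", [])  # not re-targeted
    return (fresh and cli_ok and dest_ok, claims.get("attest"), x5u)
```

The verifier can only reject what the originating provider never vouched for; a scammer whose provider signed with attest ‘A’ passes exactly as the text describes.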

When you look beyond the small number of straightforward common sense suggestions, there is not much evidence of the ‘crackdown’ that Ofcom wants the press to report. Any high school English teacher would have fun circling the verbs in this supposedly tough new plan. They include ‘strengthening’ rules and guidance, but you can only strengthen something if it already exists. They include ‘updating’ guidance, which also means the guidance must have already existed. And they involve ‘exploring’ the introduction of new technology, which means you may or may not implement something new at a later date because you have not decided yet. Planning to make a decision is not the same as deciding a plan of action.

And that is basically the only content in this document that really matters. 37 pages can be reduced to just a few sentences. The remainder of the document just exists to give journalists a lot of graphs and statistics they might like to copy whilst they sing the praises of Ofcom for bashing evil telcos. Only the hardest of hard-working journalists will even flick through the document; the remainder will just copy from the much shorter and punchily-worded press releases that Ofcom likes to feed them. I expect at least a dozen ignorant journalists will write headlines saying the “crackdown” has already begun. And then I expect a lot of people who claim to be telecoms experts will uncritically recycle those headlines on social media. Feel free to tell me if I was wrong – this paragraph was written on Wednesday 23rd February, so a whole day will pass before this prediction becomes public.

When it comes to reviewing the content in the rest of Ofcom’s paper, the task is as futile as attempting a firm grip of running water. There are four pages devoted to “Ofcom has been working for a number of years to reduce unwanted calls”, so nothing new will be found there. There are three pages on “the nature of the problem is changing, and new responses are required”, which is really just a bit of rationalization for why Ofcom has been perfectly happy with allowing people to be defrauded so long as the regulator is not required to admit to its own mistakes. There are nine pages about “understanding the problem of scam calls and texts”, which is a hotchpotch of results from surveys of various quality and anecdotal reports from fraud victims. As a consequence, 19 pages of the 37-page document are devoted to preludes and histories, whilst “Ofcom’s approach to reducing the harm from scam calls and texts” only begins on page 20.

When it does begin, the section describing Ofcom’s approach starts with half a page of word-for-word repetition of the three-bullet summary presented at the beginning of the paper, which I have already quoted above. Then there is a page listing things telcos are already doing to prevent scams. Then there are two pages saying guidance should be strengthened, but without saying how it will be strengthened. Then there is a page saying Ofcom will consider the use of CLI authentication – i.e. some variant of the US STIR/SHAKEN protocols – but that all this consideration will “entail a significant amount of work”.

Luckily, Ofcom will not need to work alone because they intend to have lots of meetings with industry stakeholders – salesmen, lobbyists, network engineers, and perhaps a few execs but probably no fraud managers – to hear their views on whether they would like to sell/buy/implement/play with expensive American tech. If Ofcom asks the question the right way, they will almost certainly be told the answer they want to hear, because nobody is opposed to making money, and few people are opposed to spending money on shiny new toys so long as somebody else is paying for them. And who wants to argue against spending money on protecting customers from fraud, even if the shiny toys will be useless at protecting customers from fraud? The more money that telcos waste, the more it proves that they care.

After the flimsy flirtation with new technology the paper presents four pages exalting the old-fashioned business practice of having very many meetings. I would not be surprised if some of these meetings require people to be appointed Chairman, or Secretary, or Chief Liaison to the Other Meeting. Some of these individuals will deserve an increased pay packet to compensate them for the additional burdens they will carry to and from the meetings. This section of the paper lists many recurring meetings that already take place on a regular basis between various people and agencies within the UK but which will not be sufficient for all the collaboration that will be required in future. This is then followed by one-and-a-half pages praising the scam awareness campaign that Ofcom “recently” launched. This campaign refers to scams of a type that were already popular several years ago. Once again, Ofcom’s own choice of words draws attention to the speed with which they are tackling the problem of consumer scams. The document then ends with four pages of copy-and-paste of relevant laws and a glossary.

I will defend Ofcom when they are unfairly criticized by the press, but it is utterly shameless that they used the word “crackdown” in association with 37 pages of hollow waffle that is devoid of new ideas and which makes no guarantees about future action. What is really happening is that Ofcom is hoping to entice industry lobbyists into doing their work for them. If Ofcom really wanted to avoid bad decisions they should seek to learn from the bad decisions made by their peers. However, this is the entire length of the paltry section about Ofcom sharing information with other national comms regulators.

4.33 The problem of unwanted calls and texts reaches beyond the UK and we have benefitted from sharing our approaches for tackling these problems with regulators in other jurisdictions. Experiences in many of these countries have mirrored those in the UK, indicating that the problem of scam calls and texts is a global one.

4.34 Regulators are implementing a variety of solutions and it is useful to learn from these experiences. For example, in the US the Federal Communications Commission (FCC) has recently implemented a CLI authentication standard and the Australian Communications and Media Authority (ACMA) has introduced a code requiring companies to detect, block and trace scam calls. In addition, many scams that we see in the UK originate outside the UK, making international cooperation even more vital.

Is it really so difficult for regulators who each separately tell the public how much they expect to learn from each other to sometimes show some evidence they have learned something valuable from one another? I suspect that most regulators are wary of teaching anything to another regulator because people mostly learn from their mistakes but regulators never admit to making any. Regulators can become divorced from what happens in practice, leaving them only able to repeat what telcos and vendors have told them, although they have no confidence that those telcos and vendors are telling them the truth. The US regulator is currently cracking down on the failure of two big US telcos to comply with its CLI authentication deadline in June 2021, having discovered this deadline was missed by reading some paperwork that was filed in October. Perhaps the FCC might like to reflect on the impossibility of enforcing a deadline when the only check involves asking for paperwork three months later.

Ofcom provides just 127 words about how it shares information with national regulators in other countries even though the subject of this document is a global problem that requires global solutions. Nothing here suggests Ofcom has done anything more arduous than simply reading what was posted to the websites of the US and Australian regulators (or reading Commsrisk on a regular basis). It is no secret that many of the scams that plague UK consumers originate with call centers in India, so has Ofcom made any effort to speak to their counterparts in the Telecom Regulatory Authority of India (TRAI)? If not, then when do they expect international collaboration might finally extend to engaging with law enforcement bodies that could actually arrest some fraudsters for a change?

Nothing in Ofcom’s long and largely pointless statement indicates they have learned anything about the relative successes or failures of the methods already tried by telcos in other countries. Australia has spent little, claims to be blocking an enormous number of calls and text messages, and has not implemented CLI authentication technology. The USA has spent half a billion dollars on CLI authentication technology, is seemingly not blocking much more than it did before, and is ‘authenticating’ so many lousy calls that certain categories of authenticated calls are three times more likely to be nuisance robocalls than calls which have not been authenticated at all. It is impossible to have learned anything by reviewing progress in the US and Australia without also forming an opinion as to which has been more effective so far. That Ofcom is behaving as if no foreign regulators have made mistakes shows they will gladly repeat those mistakes, so long as they can spin a story about having a positive plan.

Not all problems can be easily solved, but regulators always endure attacks from idiot journalists who argue anything can be accomplished so long as large enough punishments are threatened. Oddly, the same journalists never argue that global warming might be solved by torturing climate change scientists or that the pandemic would have ended sooner if guns had been pointed at the heads of vaccine researchers, so even the stupidest journalist must know human ingenuity has some limits. Nevertheless, pressure is rising because CLI spoofing has been made easier by the rise of IP-based voice traffic. When a human being is placed under pressure, they will feel the need to do something, even if it is the wrong thing. What we need is regulators who prioritize the real interests of consumers over the flimflam that sells newspapers or pleases the Twitterati. In other words, we need less empty talk about crackdowns and more focus on the fraud prevention methods that actually work.

You can download Ofcom’s 37-page statement on tackling scam calls and texts by clicking here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.