What If China Created a Rival to the US STIR/SHAKEN Program?

The enormous US problem with nuisance and fraudulent robocalls is not improving; Americans received an average of 4bn robocalls per month since the beginning of 2022 according to statistics from the YouMail call blocking app. The problem persists despite the US government introducing new obligations for telcos and tougher penalties for offenders by passing the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act at the end of 2019. The most expensive of the TRACED mitigations is STIR/SHAKEN, a combination of technologies and governance protocols that are meant to prevent the spoofing of the originating phone number. STIR/SHAKEN has several weaknesses but the most obvious is that it only works if the technology is adopted by every telco involved in handling a call from end-to-end. It seems to have occurred to none of the architects of the US strategy that there is little or no incentive for other countries to follow their lead. This means they have left open an opportunity for a rival power to usurp their leadership.

US politicians routinely express the one-sided thinking behind STIR/SHAKEN. They talk a lot about the extent to which robocalls harm US consumers and the US economy, but are reduced to parroting platitudes about robocalls being a global issue. The scale of this issue will vary from country to country. Forgive me for being blunt, but criminals usually prefer to steal from people who are richer than them, which is why scam call centers in India are staffed with people using fake American names and not vice versa. However, let us indulge the conceit that robocalls are a truly global problem. If we suppose other countries can decide there is a need to prevent the spoofing of CLIs, then why would they wait for the US to tell them how to do it? China began its scam call crackdown in 2016. The Chinese strategy has involved extraditions of scammers from foreign countries and harsh prison sentences for fraudsters whilst the US seems incapable of either. So what would happen if China devised a separate technological program for the detection and prevention of CLI spoofing that openly competes with US technology?

Proponents of STIR/SHAKEN are often so absorbed by technical details that they cannot give a plain explanation of what STIR/SHAKEN does. These are the bare essentials:

  • Attach information to a phone call so centralized authorities can enable a comparison of that information to the CLI which would be presented to recipients
  • The same information can be used to identify where a call came from in order to impose a punishment, or to ensure the blocking of future calls from that source

Chinese technology companies are clearly capable of devising technologies that would satisfy these requirements. STIR/SHAKEN encountered numerous delays but most of them stem from design decisions unrelated to the minimal specification given above. In particular, a more complicated design is necessary if you suppose there is a free market where multiple suppliers compete for the right to provide essential aspects of STIR/SHAKEN to telcos and other businesses. There is no reason to believe a country like China would see that as necessary, especially as STIR/SHAKEN’s competitive framework must overlay a governance process where somebody ultimately has to decide if a telco has behaved so badly that it loses its right to carry calls, somebody ultimately has to decide when it is appropriate to block calls, and somebody needs to build the legal case to punish the individuals behind criminal conspiracies. STIR/SHAKEN is mired by a political malaise which acknowledges the need to make these decisions but tries to obscure who is responsible so nobody can be blamed if a bad decision is made. A government regime like that found in China could simply set aside these obstacles by imposing unified control over networks, allowing them to stamp out spoofing within their own borders.

If the Chinese solve the problem of spoofing within their own country, and can demonstrate its success, then they could seek to export the approach to its neighbors. Neighboring countries have already shown a willingness to work with Chinese law enforcement, not least because scams that target the Chinese mainland can also be repurposed to target large Chinese-speaking populations in other countries too. There might be some negotiation about who gets to make final decisions over the banning of companies and blocking of calls, but it would not be hard to imagine the development of bilateral agreements and governing bodies. China’s Belt and Road Initiative (BRI) has already seen the Chinese government obtaining considerable influence over client countries, and China is also working with Asian partners on cross-border banking arrangements designed to facilitate the exchange of digital currencies issued by central banks. A scheme to reduce cross-border phone scams and cybercrime could be pursued alongside such developments.

China’s diplomatic approach to common verification of CLIs could see them improving upon the piecemeal progress emanating from the USA. Canadian authorities have been mirroring the US adoption of STIR/SHAKEN, although the two countries only recently signed a memorandum of understanding (MOU) on robocall prevention, begging a question about what the Canadians hoped to achieve if they might have used STIR/SHAKEN without agreeing to further cooperation with the USA. A bilateral MOU on robocall prevention was signed by the USA and Australia in May 2021, though Australia has not committed to STIR/SHAKEN yet. When you consider that Australia signed an MOU with New Zealand in April then you get a clear sense of a pattern forming amongst an elite club of former British colonies. The UK has not yet signed any similar bilateral agreement, but influential US consultant and STIR/SHAKEN advocate Richard Shockey publicly stated the UK will be the next country to adopt STIR/SHAKEN and has also expressed his belief that Australia would follow soon after. The inclusion of the UK would mean all of the countries in the Five Eyes intelligence alliance belonged to a common technology and protocol for checking the origin of phone calls, although the purpose would presumably be focused on stopping unwanted calls that originated outside of those countries. If such an anti-robocall alliance makes sense for the anglosphere, it could just as well be emulated by Asian countries that have good reason to work together but which would likely be treated as second-class members of any group headed by the Five Eyes.

China would have every reason to disrupt any attempt by a ‘white man’s club’ to impose increased control over who may convey phone calls. They have already seen their telcos banned in the USA and their network manufacturers banned from other Western countries too. China has nothing to gain by giving increased power over phone calls to the USA and its closest allies, especially as China is currently embroiled in political fights over the extent to which national authorities can control the internet within their borders. If China constructed a rival international nexus of countries and telcos that collectively prevented the spoofing of CLIs then this would dilute US influence whilst helping the Chinese authorities to secure the important goal of protecting their citizens from crime. And by framing themselves as an alternative to the ‘white man’s club’, China would be able to appeal to some countries who may not trust the motivations of former colonial powers that seem to be threatening to block international phone calls whilst simultaneously refusing to prosecute robocallers based within their own countries.

Suppliers like Huawei and ZTE could provide Chinese authentication technology as part of the overhaul of networks. This would likely make them cheaper providers of CLI verification technology than US firms that sell STIR/SHAKEN. This is because Huawei and ZTE would be able to include the sale as part of a much bigger deal, whilst US vendors of STIR/SHAKEN have smaller product ranges and will need to generate a clear margin on each STIR/SHAKEN sale they make. Huawei’s long-term thinking could also see them wanting to further subsidize the cost of their rival CLI authentication product and its associated services. The network vendor’s motivation would be to deepen ties between them and their telco customers, whilst simultaneously supporting the strategic goals of the Chinese government. Deals like these could be especially attractive in Asian and African countries where BRI has already secured increased Chinese influence and there is a hunger for investment in networks, but where there will also be political concerns if the abuse of phone services causes widespread harm amongst the populous.

The US has a problem with robocalls and it is not going away. Politicians and regulators would like to shift blame to foreigners, partly to disguise their failure to punish fraudsters living in the USA. In response, a foreign nation could turn the tables by questioning the benefits of joining a US-led coalition whilst the US authorities fail to impose penalties on the criminal enterprises that originate billions of robocalls from within the borders of the USA. There is a hint of white supremacy to a scheme which would see the winners from the era of colonialism trying to dictate which calls may come into their networks, whilst failing to take responsibility for crime that originates within the country and which might target victims elsewhere.

This article is a speculation about how the Chinese government could use the verification of CLIs to further its goals within the context of Cold War 2. They might not take such approach. But anyone who thinks it is inevitable that China and other countries will accept the roles being assigned to them by the architects of STIR/SHAKEN should stop and consider why they believe that.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.