20.5k unique visitors in the last 3 days

When Fighting Scams, Why Do We Trust US Multinationals More than Impartial Academics?

US firms control the global governance of STIR/SHAKEN. We should pursue a UK alternative that prioritizes the public good over profits.

There have been many dispiriting aspects to the UK consultation on the adoption of STIR/SHAKEN, the technology that was supposed to reduce scam calls by preventing CLI spoofing in the USA but which proved to be an expensive flop. Ofcom, the UK comms regulator, has barely tried to hide its preference for STIR/SHAKEN instead of objectively reviewing all the possible mitigations of phone scams like Irish regulator ComReg did, leading to ComReg rejecting STIR/SHAKEN because it is useless when scam calls originate overseas. Ofcom rigged its consultation by creating multiple phases so STIR/SHAKEN can be selected without comparing its enormous cost to the significantly lower cost of other methods. It has gathered no data about how many scam calls originate outside of the country, and so cannot be tackled using STIR/SHAKEN. They hired an outspoken American lobbyist for STIR/SHAKEN to write a plan for its adoption in the UK that does not address the reasons it failed in the USA. But perhaps the most dispiriting aspect is the way huge US multinationals have now jumped at an opportunity to create new revenue streams for themselves by imposing a stealth tax on British phone users. Meanwhile, the UK taxpayer has already paid for academic research into a cheaper, better way of reducing CLI spoofing. The academics who developed this method are not seeking to make money by patenting it. We need more help from academia to fight fraud, so why does the communications industry and its regulators ignore academics when they do?

Huge US multinationals like Microsoft want STIR/SHAKEN to become a universal standard because it will be profitable for them. I believe in capitalism, but even the most ardent capitalist cannot seriously believe that Microsoft prioritizes what is good for the public over what is good for Microsoft’s shareholders. They were one of four US giants who responded to the UK consultation by stating they have taken control of the global governance of STIR/SHAKEN as if that was an obviously good thing. Only one percent of the world’s countries have chosen to adopt STIR/SHAKEN and the results so far have been abysmal, but big US corporations act as if every other country — including enemies like China — will inevitably follow their lead, whilst only occasionally acknowledging STIR/SHAKEN will fail to stop scam calls unless it is deployed everywhere without exception. Professor Feng Hao of the University of Warwick (pictured) politely explained the absurdity of the US strategy when he joined us for an episode of The Communications Risk Show. None of the businesses who have assumed control of STIR/SHAKEN globally would ever subject themselves to that kind of public scrutiny, even though control of STIR/SHAKEN means control of whose calls are allowed and whose calls are blocked. The big businesses behind STIR/SHAKEN just seek to ram it through by focusing their marketing and lobbying budgets at the biggest targets: the communications regulators in rich Western countries. They believe that regulators are like dominos. If they can topple the first few, then the rest will also fall. Their belief is correct. Regulators like to play safe by copying each other. But this just shows why it is so disappointing that the UK regulator ran such a slanted consultation that the big US multinationals did not hesitate to publicly affirm they will govern the international management of STIR/SHAKEN.

The British alternative to STIR/SHAKEN is named Caller ID Verification (CIV) and it contrasts with STIR/SHAKEN because it is supported by peer-reviewed research whilst the argument for STIR/SHAKEN has only ever been based on corporate revenue projections and marketing plans. CIV can be rolled out from phone to phone and telco to telco, so does not need to become universal before it delivers positive benefits. Its creators explain the clear choice between the two approaches:

STIR/SHAKEN relies on a public key infrastructure (PKI) to manage digital certificates, but scaling up this PKI for the global telecom industry is extremely difficult, if not impossible…

…we propose a PKI-free solution, called Caller ID Verification (CIV). CIV authenticates the caller ID based on a challenge-response process instead of digital signatures, hence requiring no PKI. It supports both IP and non-IP systems… We implement CIV for VoIP, cellular, and landline phones across heterogeneous networks (SS7/SIP) by only updating the software on the user’s phone. This is the first caller ID authentication solution with working prototypes for all three types of telephone systems in the current telecom architecture.

The academics behind CIV want to work with telcos to deliver a solution that works, not because they are trying to make money:

Our research is funded by public resources… We do not apply for any patent for this research output. To the best of our knowledge, our solution is not encumbered by any existing patents. So a telecom provider should feel free to use it as long as they see it useful. However, for anyone who is interested in implementing CIV, we welcome you to contact us first, so we can work together to ensure the protocol is implemented properly.

It is not unusual to see academics and businesses working side-by-side to improve cybersecurity. It is not unusual to see the communications industry linking the challenge of fraud prevention to the challenge of delivering robust security. But it is unusual to see the communications industry take advice on fraud prevention from academia. This is partly due to the small number of academics that conduct research into fraud reduction and consumer protection within the domain of traditional comms services like voice calls. But most of the blame lies with telcos and regulators who are not listening to academics when they have something constructive to offer. We need academics to help us fight scams. Let us start accepting their help, beginning with a fair evaluation of the merits of CIV.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email