Why Do So Many People Say the UK Needs Traceback When the UK Already Has Traceback?

If something is broken, you should understand why it broke before you start constructing its replacement.

There has recently been a lot of publicity for the UK’s second fraud charter for the telecommunications sector. I did not bother to comment on the publication because:

  1. Pieces of paper come and pieces of paper go (much like the UK’s first fraud charter for the telecommunications sector). I am more interested in things people have done before and things they will do next than words which sound much like other words as said by people who have also said other things.
  2. If lots of people jump on a bandwagon then I usually pause and consider the caliber of the people already on the bandwagon before forming an opinion about the direction taken by the bandwagon.
  3. Anything said by a politician should be treated with skepticism. Every politician says they are a good politician who is doing good stuff now, unlike those bad politicians who were not doing good stuff before. Hence we can logically conclude that not everything politicians say will be true.
  4. Everybody always says they are doing everything possible to tackle crime. And yet we find ourselves in the world we actually live in, not the utopia we would expect if every promise was kept.

But now I feel the need to comment on one thing that strikes me as peculiar about the new charter.

Signatories will:

  • Commit to actively engage with the development of a UK Traceback solution, allowing providers to trace the origin of suspicious or fraudulent calls across interconnected networks. By doing so, operators will be able to more quickly identify the source network, and, where possible, the origin of scam calls, helping to disrupt fraud at its origin.

Traceback seems like a good idea. Nobody ever seems opposed to it. These factors may explain why the process for tracing calls in the UK was documented in 2014. NICC is an association of Britain’s technical eggheads (and related businessfolk) who have an interest in telco interoperability. ND 1437 is the NICC document entitled “Guidelines for the Tracing of Calls Across and Between Networks”. The following extract is taken from version 2.1.1, published in 2014.

Introduction

Customers report nuisance or unwanted calls (such as unwanted marketing calls or silent calls) to Communication Providers (CPs), Ofcom or other regulators. Such calls can be the cause of considerable annoyance and concern for consumers who are expecting action to be taken to protect them from these calls. In order to trace a suspect call a consistent approach is needed between Ofcom/ICO and the CPs whose networks are involved in the call in terms of the process and information flow that is used between them. The aim of this document is to describe an approach that will help to identify the source of nuisance/unwanted calls so that further appropriate action can be taken — the action to be taken to prevent or reduce such calls is outside the scope of this document.

1 Scope

The present document describes the information required and available to trace nuisance or unwanted calls between networks, and the information that is expected and available in the tracing response. It describes types of call tracing, and processes for requesting such call tracing. The process described is not intended to replace the processes currently agreed for tracing malicious calls.

The process described in issue 1 of this document was trialled by Ofcom and CPs to ensure that it met its objectives and to identify any improvements or additions that were required. This 2nd issue has been produced to reflect changes/improvements identified during the trial.

Is there something wrong with methods currently used to trace calls in the UK? That would seem to be implied by the near unanimous support for what is now being called a ‘UK Traceback solution’. The 2014 guidance was written in a kinder time when everybody was more concerned with ‘nuisance’ calling than repetitive and systematic fraud, but otherwise there appears to be no difference between the goals of the 2014 traceback guidance and the goals of whichever new solution is demanded by the fraud charter.

NICC is one of the many bodies in favor of having this new UK Traceback solution. Earlier this year NICC wrote a letter to Lord Hanson of Flint, a career politician now tasked with spearheading the UK government’s drive to maximize the reduction of fraud at minimum cost to taxpayers. The relevant part of NICC’s letter said:

Traceback

Traceback refers to the process of identifying the origin of a call, particularly when dealing with illegal or suspicious calls, such as robocalls or scams.

Traceback is a potential tool for tackling fraud which is currently under discussion in the UK. It would significantly help identify and provide evidence of fraudulent activity and then to identify the fraudulent actor for law enforcement.

NICC is working with Ofcom to investigate technical options for a traceback solution and encourages the regulator to consider examples from other jurisdictions.

NICC believes that traceback should be mandated in the UK and is willing to contribute to the discussions to define that legislation. In the United States, voice service providers today are required by law to cooperate with traceback requests from the registered traceback consortium.

It was interesting that the word ‘potential’ was used. This implies the potential for traceback has not yet been realized, despite a decade of experience of tracing calls. Why not? And when was this realization reached? Did people know the UK had inadequate traceback capabilities ten years ago, or has something changed more recently?

I am not going to argue against considering examples of traceback from other jurisdictions, so long as some consideration is also given to the example of traceback from the same jurisdiction. If the traceback methods that already exist are not fit for purpose, it would be appropriate to learn why they are not fit for purpose and when they stopped being fit for purpose.

Here are some relevant questions that would be asked of any genuine appraisal of the current way UK telcos perform traceback:

  1. How many traceback requests are there currently? Are current methods incapable of coping with demand? If so, when did it become apparent that current methods were inadequate? What caused demand to change around that time, and how should this be factored into projections of the demand for traceback in future?
  2. What limitations on systems and processes cause bottlenecks when attempting to satisfy traceback requests? Are the causes of bottlenecks due to limitations on automated systems or human resources? If the limitations are due to a lack of human resources then what was done to engage additional human resource to reduce bottlenecks?
  3. Do any attempted tracebacks currently fail? How many fail? Why do they fail? If the number of failures is too many to tolerate, then what is the tolerance?
  4. How long does a current traceback take to complete? Does the time to complete a traceback need to be reduced? If so, why?
  5. What actions are currently taken as a consequence of the information obtained through traceback? If tracebacks were completed in less time, would those other actions also be taken more promptly? If tracebacks were to double in number, would the number of subsequent actions also double in number? What other investments and solutions would be needed to take full advantage of any enhancements to traceback?

There are going to be people who dislike me making these perfectly reasonable observations about designing a national method to trace calls. They will claim they were made angry by the following paragraphs when they were already angry because I dared to ask the preceding questions.

Some of the people who will seek to influence the implementation of traceback in the UK are going to dislike me because they do not give a flying fuck about protecting the public from crime. They just grabbed a new opportunity to rebadge a money-making exercise they have already been unsuccessfully touting for years. They know they need the support of government to enforce the use of their preferred technology because otherwise their gambit would make less money. They also know that the more expensive a decision to invest in an information technology project becomes, the less likely anyone senior will criticize wasted expenditure.

Britain often loses sight of the supposed purpose when investing in projects that are meant to serve a public benefit. GBP13.5bn (USD17.7bn) will be spent on rolling out smart meters when the chief reason Brits suffer from sky-high electricity prices is a lack of investment in domestic energy production. Two giant aircraft carriers that cost GBP6bn (USD7.8bn) will be obsolete by the time they enter service because enemies will have hypersonic missiles and swarms of drones. The cost of one high-speed rail line could exceed GBP80bn (USD105bn) despite being shorter than originally promised and at least 7 years behind schedule. But when people like me ask sharp questions about both the effectiveness and the cost-effectiveness of consumer protection methods we get rebuffed by newly-emerged experts whose interest in the subject oddly coincided with the prospect of influencing how money will be spent. Where were these experts during the years when nobody wanted to spend money on protecting phone users from scams?

They correctly trust politicians to agree to anything if there is no direct cost to the public purse but the politician gets to make speeches claiming they were responsible for a fall in crime. It is conveniently forgotten that customers always have to pay in the end. I have no objection to businesses making money; I only object to businesses manipulating the design of systems and processes to the detriment of satisfying the ostensible purpose of those systems and processes, which in this case would be protecting the public from harm. So if this new mandatory ‘traceback solution’ proves to be a new ‘traceback and putting the logos of corporations on the screens of ordinary people’s smartphones solution’ then we will know it was hijacked by people who were full of shit. But it will be too late by then, and we might need to wait another decade before another redesign of traceback actually concentrates on the goal of reducing crime.

The main problem with traceback is not with traceback. The main problem with traceback is that people are reluctant to do anything as a result of traceback. Suppose there is a string of tracebacks to simboxes containing SIMs from a major mobile operator. Will the operator be fined? How much? What conclusion will be drawn about the mobile operator failing to identify simbox use on its own network, or the extent to which it supplied SIMs to criminals? A new traceback solution is not a prerequisite for the government badgering telcos to do more about the ways criminals gain access to the communications ecosystem, such as they do through SIMs and simboxes. The UK has wisely decided to make simboxes illegal. Both sides of the political divide get credit for that decision; the work on the legislation began under a Conservative government and was completed under a Labour government. But I hope we do not have to wait for a new improved traceback solution to be implemented just to motivate the elimination of all simboxes. The signatories to the fraud charter could eradicate simboxes now.

The astute and regular readers of Commsrisk will be aware of the sensitivities around this topic, and how the public can easily be misled. They already know that the USA has a ‘traceback and putting the logos of corporations on the screens of ordinary people’s smartphones solution’. It is telling that the USA was singled out as an example in NICC’s letter to Lord Hanson. Readers will also be aware that claims of several years of unbridled success for the US traceback solution did not prevent the installation in New York of enough simboxes to send a scam message to every American within the space of 12 minutes. Will any American corporations be fined as a consequence? Will anyone in the USA be prosecuted? No arrests have been announced yet, two months after the simboxes were discovered by the US Secret Service, despite repeated claims about the need for traceback to be speedy. The only outcome has been the placing of blame with unspecified foreigners. No country needs an expensive method of tracing domestic traffic at scale just to conclude there is no corporation inside their country that has ever done anything wrong.

Nobody would be happier than me to see the implementation of a fast, efficient process to trace bad traffic at scale if it results in punishment for businesses that fail to block bad traffic, or fail to prevent bad traffic being originated. But that is not what has happened in the USA. So if the UK is to have a whizzy new traceback solution, and will make it mandatory for all telcos to support it, let us also ensure that politicians, regulators and law enforcement change the rules, commit enough resources, and demonstrate an intention to act upon the information obtained through traceback.

The UK’s second fraud charter for telecommunications can be found here.

Eric Priezkalns

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.
