Why Ireland’s New Nuisance Communications Industry Taskforce Should Have Included Fraud Managers

ComReg, the Irish communications regulator, has announced the formation of an industry taskforce that will advise on methods of reducing nuisance calls and messages. The taskforce will include representatives of the electronic communications industry. There is only one problem: they repeat the mistake of other countries by excluding the people who most need to be involved.

The new Nuisance Communications Industry Taskforce (NCIT) will meet on a monthly basis. It is tasked to…

…identify and recommend practical interventions that can be taken in the short, medium and long-term to combat nuisance communications by operators, in line with the objectives of the taskforce, setting out an intervention strategy and plan for same

This will involve the production of two reports at half-yearly intervals.

At six months, a report should include:

  • an update on interventions under development or already in-place, and
  • a set of recommendations and actions to combat nuisance communications on a long-term and durable basis.

As part of the report at 12 months, this should include a review of whether the taskforce could continue beyond the initial 12 months and if so an intervention strategy and plan for same. The report should also provide an update on interventions under development, and an update and effectiveness (sic) of interventions already in-place.

It is suggested that redacted versions of the reports will be created but it is unclear if these will be circulated to the public. Perhaps ComReg will wait to see the contents before they make that decision. However, NCIT has very little time to decide what it is going to do.

By the third meeting of the taskforce [it will] provide a copy of its agreed implementation roadmap to ComReg. This should clearly set out the intervention strategy and plan that the industry has agreed to tackle the problem of nuisance communications.

The objectives set for the NCIT are laudable. The problem is with its composition. Members must work for telcos and they must also be:

…network specialists within their organisation, with specialist knowledge of:

  • the operation of electronic communications networks and services,
  • mitigation measures/interventions to mitigate nuisance communications on electronic communications networks and services.

There are many nuisances in life, but not all of them are illegal. There are times when it is legal for a salesman to call my phone number, even if I would prefer the salesman leaves me alone. If the goal was to stop illegality, then the terms of reference should have asked for specialists in fighting illegality as well as specialists in network operation. In other words, they should have explicitly asked for fraud managers to be involved, because they have more experience of fighting the crime that occurs across communications networks than anyone else.

The problem with most of these taskforces is that they ignore one of the best ways of reducing nuisance calls: arrest the people who make them. The concept of arresting bad people is not unworkable, even when crime occurs across borders. The Chinese authorities have effectively pursued a strategy that involves arresting and extraditing scammers working from call centers in all sorts of countries. Fraud managers appreciate the problems with pursuing such a strategy, but also know how to overcome them. Network engineers, in contrast, only seek to put barriers in the way of criminals. If you put a fence in the way of a criminal he will just dedicate himself to finding ways to climb over, or walk around, or tunnel under. Sometimes the fraudster just bribes a member of the defending forces to leave the gate open. Engineers know how to build fences and that is a legitimate component of a defensive strategy, but no fence and no wall is ever mighty enough to block every invader. The Chinese know this from their history, and Americans are coming to this realization too.

Asking network engineers to solve the problem of nuisance calls without the input of fraud managers is like appointing military advisors who know everything about manufacturing warships and jet fighters and tanks and guns and ammunition whilst refusing to appoint any generals or admirals. Technology and machinery are vital to success in a war, but you also need people who know how to fight and how to win. Engineers can build protective fortifications but you need generals to defeat the enemy. This is because the actions taken by human beings also influence the outcome of a war, and there are human beings fighting on both sides. A good general should understand both the machinery of war and the way their opponent thinks. The criminals who are responsible for the vast majority of nuisance calls have a keen understanding of how telcos work, just as they have a keen understanding of how to manipulate their victims. They are hardened veterans who have won many battles already. Fraudsters do not win because they have superior technology but because they understand and exploit their enemy’s weaknesses, many of which are rooted in human nature.

I have no reason to be rude about the competence of anyone working in Ireland, but the USA has already shown why a strategy devised by network engineers will be prone to failure. Half a billion dollars has been spent on reducing robocalls received by US consumers with negligible effect. Now the USA faces a crisis as they desperately seek to force other countries to follow their strategy in order to make it workable. If a country with a population of 330 million lacks the engineers to reduce nuisance calls because it cannot force other countries to follow its lead then I think it unlikely that a country with a population of 5 million will find engineers that can do much better. US engineers were ‘amazed’ to discover a flaw in their approach that should have been predicted and which has since grown worse. I believe any senior fraud manager would have correctly identified the weakness in the current US strategy for reducing nuisance calls, but no fraud managers were apparently involved in the formulation of that strategy.

It is unlikely that anyone will change their position because of my predictions of failure. I am interested in the reasons why people keep making mistakes; if most other people shared my interest then they would not keep making mistakes. Back in the early 00’s I tried to explain to the UK’s regulator why its audits were too superficial to guarantee accurate bills and that real errors would hence remain hidden for years instead of being uncovered. These days the same regulator busies itself pretending it was effective at rooting out the kinds of errors that hurt more than a quarter of a million customers over a period of 15 years. If a quarter of a million overcharged customers cannot get a business to notice it is failing, how many spam calls and messages will need to be received by subscribers in order to draw sufficient attention to failure? Some will argue the problem of nuisance calling is fundamentally different. But if it is so different, then why did nobody act before the problem of nuisance calling had already grown out of hand? ComReg set up this taskforce because “fraud in the form of nuisance communications rise (sic) substantially in Ireland”. It is good that they care about fraud even if they are so careless that nobody proofread their document before it was published. Engineers should have known that cheaper calls and IP networks would encourage a surge in crime, but anticipating and fighting crime is not central to their mission. If we want to reduce fraud, we should let the big decisions be made by people who know most about fighting fraud.

The good news is that Ireland is unlikely to emulate some of the worst failings of the US strategy because they simply cannot afford to waste that much money. That is not to suggest Ireland is poor. On the contrary, Ireland’s GDP has rocketed upwards in recent decades, not least because it has become the European home of many big US tech businesses. A lot of these companies will push the Irish authorities to follow the lead of the USA when it comes to nuisance calls. These are also the same US businesses that have so successfully manipulated Ireland’s approach to data protection that other European data protection agencies have to overrule decisions made by Ireland’s Data Protection Commission. So it is possible that Irish phone companies will be forced to take on huge costs just because of the political pressure to meet American expectations. However, I expect Ireland’s telcos will resist by observing they have no more influence over foreign countries than the US has, and that a far larger proportion of the calls received in Ireland will have originated overseas. And this brings us back to the most fundamental challenge faced by every country that wants to reduce nuisance calls: as long as criminals can freely wander around your perimeter, they only need to find one gap to make your entire fence worthless.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.