38.4k unique visitors in the last 3 days

Why Is the USA Trying to Disconnect Saudi Arabia’s Second Mobile Operator?

The FCC says Mobily needs a better anti-spam plan despite flawed plans from other telcos including Deutsche Telekom and Etisalat.

If you do not understand bureaucracy then you are doomed to relying upon descriptions of how bureaucracies work that come from the bureaucrats who run them. This is especially problematic when bureaucrats are incompetent. These observations spring to mind upon learning that Mobily, an operator with 40 percent market share in Saudi Arabia, is one of 20 businesses that the Federal Communications Commission (FCC), the US comms regulator, has threatened with imminent disconnection. Per an FCC press release which named Mobily amongst others:

Today’s Enforcement Bureau orders demanded that the following 20 non-compliant companies show cause within 14 days as to why the FCC should not remove them from the [robocall mitigation] database for deficient filings…

…Removal from the database would require all intermediate providers and terminating voice service providers to cease carrying the companies’ traffic, these companies’ customers would be blocked, and no traffic originated by these companies would reach the called party.

The FCC is almost exclusively run by lawyers, so their choice of words tends to be scrupulous with respect to factual accuracy, and unscrupulous with respect to misleading any layperson who listens to them. However, you will have already surmised that the FCC has no power to interfere with things that Saudi Arabian telcos do in Saudi Arabia. The FCC is guilty of overreach when they give American voters the impression they could police the entirety of global telecoms traffic just to stop some bad people making some bad calls to American phones. The idea that the FCC will disconnect Saudi Arabia’s second largest telco is absurd. The exaggerated wording of the announcement is partly explained by a simple though annoying confusion between the the United States of America and the entire planet. The formal demand issued to Mobily somewhat corrects the defect:

Removal of Mobily’s certification from the Robocall Mitigation Database will require any intermediate providers and terminating voice service providers to cease accepting calls from Mobily sent to residential or business subscribers in the United States using U.S. NANP numbers.

Note the words at the end of the sentence: ‘using U.S. NANP numbers’. The thing about most telecoms operators around the world is that they do not ‘use’ the numbers in the North American Numbering Plan (NANP) that correspond to the USA in the sense intended here, i.e. as the originating number for phone calls. The main exception to that rule is that outbound roamers from US networks will inevitably ‘use’ numbers of that type. So does every mobile operator in the world need to comply with US regulations on reducing spam if they accept roamers from the USA? That would appear to be an extreme stretch.

I suspect the FCC is guilty of hyperbole because they make no effort to distinguish between every one-person VoIP outfit run from Nebraska, Wyoming or Arkansas and the enormous telecoms companies found in other countries that have their own legal system and which do not need to obey US law. If you think this distinction is unimportant then consider how little the FCC actually checks what is happening inside genuine US telcos, and then multiply that by the silliness of supposing they went and checked every telco everywhere. Or maybe I am wrong, and in a few days there will be a highly embarrassing international incident when some of the 2,733 US military personnel based in Saudi Arabia suddenly lose service to the US mobile phones they carry with them.

Mobily is a big and serious telco. It is partly owned by Etisalat, one of the largest telecoms groups in the world. In some respects, it can be argued that Mobily’s entry in the FCC’s Robocall Mitigation Database (RMD) is deficient. The plan they attached to their RMD entry consists of a single piece of paper which is completely blank, apart from a poorly printed line that crosses the paper approximately one-third of the way down. This looks to me like the way somebody who does not speak good English, and does not understand what is required of them, would satisfy an online interface that forces them to upload a PDF file in order to save their submission, even though the person had no idea of what was supposed to be written on the piece of paper they scanned and turned into a PDF file.

To put Mobily’s entry into context we might review the submission of another company which is not on the list of the 20 companies threatened with disconnection. Etisalat also has an entry in the RMD. This is the entire wording of Etisalat’s robocall mitigation plan.

As of now, the suspected numbers are being blocked based on the various alerts configured

Currently looking at the feasibility to test and activate STIR/SHAKEN policy for the calls, wherever possible. It is still under testing.

That is the whole of the robocall mitigation plan provided by an even bigger Arab telco which partly owns Mobily. If the FCC’s complaint is that a blank piece of paper is insufficient then I can somewhat understand their point of view, but that does not make the FCC’s approach any more realistic. Threatening major telcos around the world with disconnection will not lead to useful and systematic raising of standards worldwide if Etisalat’s submission remains an example of a compliant submission to the RMD.

I doubt whether Mobily or Etisalat ever needed to submit to the RMD in the first place. Even if their lawyers decided there was a need to submit then this will have been motivated by a ‘safety first’ attitude rather than a clear understanding of what rules they might otherwise be breaking. Telcos do not need to submit if they do not make ‘use’ of US numbers. But the definition of the ‘use’ of US numbers has not been sufficiently articulated to help foreign telcos determine if the rules apply to them. This counts double for telcos where English is not the first language and there is no wing of the company focused on serving American enterprises. The need for foreign telcos to submit to the RMD mostly stems from the American corporate obsession with cutting costs by employing people in foreign call centers whilst pretending they are making calls that originated within the USA. The FCC knows this, but instead of concentrating enforcement attention on the big call center providers they cast their net as wide as possible and hoped every telco in the world would voluntarily swim into it. This largely defeats the point of the exercise; the very many telcos who willingly submit to FCC overreach are not the few crooked businesses that the FCC most needs to scrutinize.

Instead of wasting time trawling through ‘deficient’ RMD submissions, it is much more likely that many submissions from foreign companies were never required in the first place, and hence will be of a low quality. Professionals who do not speak English as a first language inevitably felt some fear when reading about the big threats emanating from the FCC. Some people even contacted me directly to ask for advice. The FCC’s threats were ominous but their requirements were vague. They gave zero advice about their expectations. An exercise like this is performed by a regulator if they want to grab a lot of information, then rank the quality of the information they receive, then punish the telcos at the very bottom of the ranking. This may seem like a sensible way to deliver progress until you recognize that the FCC has now ranked over 8,000 plans and that the 20 plans at the very bottom included blank pieces of paper whilst those above the bottom included plans which consist of three ungrammatical sentences centered on a vague promise to do something in future ‘wherever possible’. And it has been two full years since telcos submitted their plans to the RMD, meaning it has taken two full years just to get to the point where the completely blank plans are now being challenged.

It is easy for members of the public to get animated about the need to ‘do something’ about spammy and scammy robocalls. They may imagine the RMD is a vital step in ensuring all telcos do their utmost to reduce robocalls, just like the lawyers at the top of the FCC say it is. But imagine giving a member of the public 8,000 PDF files to read without any guide as to what those files should contain. Imagine trying to rank those 8,000 PDF files according to the quality of the contents. Imagine not even knowing if a PDF file was submitted by a company that actually needed to submit. Now imagine the pay grade of the lowly FCC clerk who has been given this task in reality. Not many members of the public would do this job well. Most would quit before they had read through half of the submissions. Now imagine how well this job will be done when the FCC attempts to get these PDF files updated more frequently by many more companies worldwide. If you think this is a job that bureaucracies can perform well then you know nothing about the human beings who work for bureaucracies.

Remember that we were just talking about words on digital pieces of paper. Not a single person has been employed to check if any of the words are true.

Readers of Commsrisk are unusually well informed, so they may forget that there is no global newswire telling every telco employee about everything they may need to know because somebody in another country thinks they should know it. Or to put it another way, telcos around the world are not staffed by dozens of people continuously monitoring any nonsense spouted by the FCC. Nor should they. Companies like AT&T and Verizon do not employ dozens of people to monitor the regulatory diktats issued by the regulators in Mongolia, Bulgaria and Surinam. I doubt US telcos even monitor regulations imposed by big countries like China, India and Nigeria. Not caring about regulators in other countries is entirely normal. It is abnormal that the US regulator thinks everybody should care about every inane diktat they issue.

If the FCC’s demands had been more specific then most regulators would have already told the FCC to shut up and stick to their own affairs. Regulators work for governments, and governments do not like being told what to do by anybody, including other governments. So part of the reason the FCC has made even this tiny amount of progress with compiling a database listing what international telcos are doing about robocalls is because nobody had any clear idea of when the FCC might dare to punish any major foreign telco for a perceived transgression. And that means the quality of each foreign telco’s submission depends more on whether they have somebody with the requisite skills to explain any spam mitigation efforts in English, and the time to waste on submitting this idiotic document to some unknown bureaucrat who lacks the skills required to judge if those efforts are adequate.

I performed a simple test to determine if submissions to the RMD were dependent more on the chance awareness and beliefs of telco personnel then any systematic application of policy. Vodafone Group says they have operations in 17 distinct countries. There are even more partner operations using the Vodafone brand. This means they have one of the world’s largest and most diverse mobile groups. If every mobile operator ‘uses’ US numbers by virtue of accepting outbound US roamers then every Vodafone mobile operator should be listed in the RMD. Inspection of the RMD showed the overwhelming majority of Vodafone-branded companies have not submitted to the RMD, though a few have, such as Vodafone French Polynesia. Does anybody really believe that Vodafone French Polynesia is under a greater obligation to block bad robocalls than Vodafone UK or Vodafone Spain? There are no entries in the RMD for the latter two opcos. And whilst Vodafone French Polynesia is listed in the RMD, they found a way to save their entry to the RMD even though there is no robocall mitigation plan attached to it.

Perhaps Vodafone French Polynesia is one of the minority of telcos who chose to submit their RMD plan as confidential, thus preventing them being included in the public database. Perhaps they worry that scammers will read about their robocall mitigation plans and then find ways to work around them. That would seem to be overkill given the quality of the RMD plans made public by much bigger telcos. And it differs from the various telcos who allowed their documents to be shared publicly but who redacted details relating to specific controls. But irrespective of the details that were submitted by Vodafone French Polynesia, the reality is that the whole of French Polynesia would have already been cut off by US networks if it was the source of lots of fraudulent traffic. US telcos have long demonstrated their willingness to cut off whole countries which produce abnormally large amounts of traffic. The population of French Polynesia is just a quarter of a million people. Nobody is confusing this remote island chain with a potentially cheap location for a call center that serves US consumers. Vodafone French Polynesia is about as pointless an addition to the Robocall Mitigation Database as it is possible to imagine. Guilhem Bessie, Interconnect Manager at Vodafone French Polynesia can be called at +68989199XXX by anyone who wants to find out why he made more effort to comply with FCC stipulations than countless people working in similar jobs at other telcos. But I do not intend to call Guilhem because I also think it is a bad idea to publish names, job titles and telephone numbers to an open database that any idiot can download from the internet.

In contrast, Vodafone New Zeland distinguished themselves amongst Vodafone-branded businesses by uploading an unusually long document to the RMD and allowing it to be publicly visible to all. The document is 13 pages long and well-written compared to other submissions I reviewed for this article. The only problem is that it is not the robocall mitigation plan of Vodafone New Zealand. They uploaded the country’s code of conduct for dealing with scam calls. This code of conduct supposedly applies to every telco in New Zealand. So I compared it to the plan uploaded by Spark, a New Zealand-based carrier. Spark submitted an identical copy of the same document. Meanwhile, New Zealand mobile operator 2degrees did not get the memo about sharing the same homework, so they actually wrote their own one-page submission. This states they also participate in the forum which produces the country’s code of conduct for dealing with scam calls. Why did nobody tell the representatives of 2degrees at a forum meeting that it is sufficient to just upload the country’s code of conduct and leave it at that? And which does the FCC consider more valuable when determining if a telco’s robocall mitigation plan is adequate: 13 well-written pages that were simply copy-pasted from an existing document, or one solitary page of notes that was uniquely written for the FCC’s benefit?

Regular Commsrisk readers will remember that the US traceback group has been tracing more scam calls to Deutsche Telekom than to any other major international operator. I decided to look at their robocall mitigation plan to get some perspective on how a foreign telco can comply with FCC expectations despite being the demonstrable source of illegal robocalls. Deutsche Telekom’s robocall mitigation plan consists of one-and-a-half pages of spiel, which makes it longer than many others. It follows a pattern that I would expect of a big Western European telco that wants to maintain a good reputation but does not really know what the FCC expects to hear from them. Included in the plan is a vital caveat which should really be included in the plans of most national operators based outside of the USA. If you work for such a telco then I recommend you copy the wording when submitting RMD plans to the FCC. Deutsche Telekom’s plan clarifies that it does not…

…in its usual course, utilize North American Numbering Plan (NANP) numbers or resources; the main exception thereto being roaming use cases. TDG’s traffic to the US otherwise includes traffic from its own subscribers, other Deutsche Telekom group entities, and traffic from other international providers — the vast majority of all of which is not originated using NANP numbers or resources.

But they still submitted, just to keep the FCC happy. That plan was submitted in June 2021, and the facts have changed in the meantime. Per their robocall mitigation plan, the company takes an ‘active’ role in tackling robocalls by…

…defin[ing] the best approach and guidelines for the international wholesale carrier community to fight against fraud in general and robocalls and CLI Spoofing in particular by joining the i3Forum Fight Fraud workgroup and the i3Forum Technical Workgroup.

That sounds like a good idea. International carriers would be wise to work together to solve the problem of reducing bad international traffic through the One Consortium, the new non-profit initiative recently established by the i3Forum. But this statement in Deutsche Telekom’s RMD plan has not been accurate for a long while. Deutsche Telekom left i3Forum over a year ago in order to cut costs. Nobody updated Deutsche Telekom’s entry to the RMD to reflect the change in the facts. And nobody in the FCC is in a position to check the accuracy of statements like these.

As you might expect, the US tech press who reported on the FCC’s threat to disconnect 20 telcos (see examples here and here) just repeated the FCC’s nonsense because they know too little about the rest of the world to offer any criticism. But anybody who understands the global telecoms sector would draw the same conclusions as me after 20 minutes of randomly surveying the RMD plans submitted by various big-name international telcos. The RMD is a farce. Its contents are junk. The only purpose it serves is to give the FCC a list of companies to harangue about compliance because otherwise they would not even know who needs to be compliant. And they still do not know who needs to comply, or what the compliance standards really are, except that a blank piece of paper is not good enough, whilst a two year old statement with factual inaccuracies is considered satisfactory.

The contents of the FCC’s Robocall Mitigation Database can be accessed here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email