There is no more basic form of collaboration than publishing data so others can use it. Scientists publish so other scientists can reproduce the findings — or to discover reasons why the previous conclusions may be flawed. This contrasts sharply with how the communications industry collaborates on the management of risk. What we describe as collaboration tends to remain superficial because the concentration of information is either exploited to generate revenue or treated as a potential threat to those in authority. Executives do not want outsiders to see evidence that their businesses have been poorly run; governments do not like the public to discover that laws have not been meaningfully enforced. Commercial confidentiality and crime prevention are genuine reasons to keep some information secret, but they also serve as excuses to disguise incompetence and hide corruption.
Conclusions based on unsound reasoning might be challenged if collaborators derived policy decisions from objective raw data rather than the say-so of a few individuals with privileged access to information. Quis custodiet ipsos custodes? The few individuals capable of scrutinizing the work done by the biggest comms businesses are discouraged from openly expressing their opinions. We are all encouraged to recite four legs good, two legs bad instead of asking to see the raw data which supposedly justifies the maxims we are expected to repeat. This week’s bulletin begins with an analysis of the latest data which the US traceback consortium is obliged to publish by law, but which hardly anyone is paying attention to, perhaps because we are so used to being told what to think that we have lost the habit of weighing up the evidence for ourselves.
Accepting somebody else’s conclusions about criminality in the communications ecosystem without examining the underlying data is not just bad science. It is bad business and bad ethics. Telcos compete with each other; they should be wary of competitors gaining an advantage by abetting crime. Criminality cannot be neatly divided between bad people on the outside and good people on the inside. Systems to fight crime can be corrupted too. Trusting individuals solely on the basis of their position inside the current hierarchy is a recipe for increased corruption, not for increased collaboration against crime.
- T‑Mobile US Tops Charts for Latest US Scam Call Traces
- Ugandan Tax Authority Paid USD4mn to Dodgy Kenyan Telco Auditor
- Huge Increase in Filipinos Repatriated from Scam Compounds in Laos
- Other News
T‑Mobile US Tops Charts for Latest US Scam Call Traces
I am not a fan of the way the US Industry Traceback Group (ITG) promotes its work. They talk a lot more about how they interpret their results than about the raw data they have compiled, even though the publication of this data is mandated by law. Either a call was a scam call, or it was not. Either it was legal, or not. Either it was traced to its origin, or not. So it should be a simple matter for ITG to publicly report on whether it is tracing more scam calls than before, whether it found the origin of those calls, and who is originating the calls that are traced to their source. As the supposed purpose is to support the enforcement of the law, it should then be straightforward to explain whether the work done to trace calls is leading to more prosecutions. I defy any advocate for the ITG to show where this information can be found, even though the ITG is legally obliged to produce its ‘transparency’ report each quarter.
To illustrate my observation that misdirection can occur in plain sight, the last paragraph also contains a misdirection. It is logically true that a call is either legal or not, but that does not mean the legality of a call is currently known. Legal systems do not work at the speed of computers and networks. They can take a long time to reach a conclusion on whether something was legal or not. This is a fundamental problem that few like to acknowledge; how should data scientists and engineers choose which traffic to block when politicians and lawyers expect us all to be subject to a process that cannot determine the legality of that traffic before the public has already been harmed? The application of ‘public policy’ to the domain of scam communications tends to involve a lot of slipperiness. This should lead us to be extra careful about the conclusions we draw from data.
The most interesting statistic derived from the most recent quarterly report of the ITG is a number that you will never find by reading the report itself. Uncritical fans of the ITG’s work often say it is responsible for a reduction in the number of illegal calls received by Americans, even despite the observation in the previous paragraph about our not always being sure whether a call is legal or not. However, there is one circumstance where we can be sure that a traceback will never reduce illegality: when the call that was traced was legal. The lawyers surrounding the ITG are savvy; each quarterly report of traces conducted is caveated:
This report does not constitute a finding of illegal activity… This report in itself is not determinative as to whether the calls identified in Attachment 1 are illegal, or as to whether the parties identified in Attachment 1 have violated federal statutes or the Commission’s rules or engaged in any unlawful conduct.
So let us be clear. Per the quantum superposition required by a process that was created to trace scam calls to their source, in concert with another process that may later decide if those calls were legal, then all the calls that were traced and listed in the ITG’s quarterly report are illegal and legal at the same time. We know they are illegal because the authorities want telcos to block calls like these, although neither the authorities nor businesses are entitled to block legal communications. But we also know they are legal because their legality has not yet been determined in law, and the presumption in criminal law is innocence until proven guilty. This latter point helps to illustrate why the authorities in the USA prefer to treat phone scams as a civil matter, even though the victims of scams are the victims of crime.
But whilst we were distracted by looking at all the calls listed in the ITG’s report, some of you may not have noticed all the other calls that were traced by the ITG and which were not listed in their report. The ITG creates a sequential reference for each call it traces, but you will not find every sequence number in their quarterly transparency reports. They simply omit the traces where they are sure the call that was traced is legal. The latest quarterly report, covering April to June 2024, was made public a few weeks ago. The sequence in the report begins with trace 17499 and ends with trace 18538. So we can deduce there were 1,040 traces performed by the ITG during those three months, although there are just 570 unique reference numbers in the transparency report. 470 traces, over 45 percent of the total, have been omitted because the calls were deemed legal.
That 45 percent of traces were conducted on legal calls does not solely represent wasted effort by the ITG. It also represents wasted effort by the comms providers who assisted with tracing those calls. This should be kept in mind when assessing whether collaborative efforts are yielding the desired results. The level of wasted effort has been getting worse. It was 21 percent for the last quarter of 2023, and 28 percent for the first quarter of 2024. The ITG is on course to waste more time tracing legal calls than it spends on illegal calls.
It has become a commonplace to assert that we need more collaboration to protect the public from scams. Transparently reporting on the results of collaboration should be considered a minimal reward for teamwork. It is also a minimal control over the objectivity of the work being done. The ITG is lobbying for non-US telcos to devote more resources to satisfying requests for traces from US institutions even though many of the calls currently being traced are not illegal. A simple metric could be published to discourage time-wasting by institutions who seek the investigation of legal communications traffic. That metric is not being transparently reported.
Objective metrics also counter the danger that some telcos will receive preferential treatment. Scams occur because seemingly legitimate businesses enable them. The problem persists because it is not against the law for a telco to do very little to identify and stop scams. When others prattle about wanting more collaboration, I hear the absence of an equally important word: ‘consistency’. The motivation for collaboration is denuded if there is not a matching commitment to consistency. This must ultimately be backed by penalties for telcos that profit from crime, whether they directly benefit by aiding criminals, or indirectly benefit by failing to weed out criminal activity.
Twilio was threatened with summary disconnection from the US telecoms ecosystem in January 2023 on the strength of tracebacks conducted by the ITG. The US Federal Communications Commission (FCC) was unlikely to follow through on the threat to cripple a comms provider with a stock market valuation exceeding USD10bn. Such dramatic action would have hurt too many investors. But the threat illustrated fundamental issues with the US legal system. It can be arbitrary, and it is influenced by politics. The Commissioners who lead the FCC are nakedly political appointments, chosen because of their party affiliations. Prosecutors also have to be politicians in the US system. One of the individuals currently vying to be President of the USA has climbed to the top of American politics via becoming the chief prosecutor of the city of San Francisco, then the chief prosecutor of the state of California.
As somebody who actually reads the ITG’s transparency reports, I am struck by how many calls are traced to US entities, and how this has not resulted in a surge of prosecutions for US comms providers. The preponderance of scam calls that terminate in the USA were originated by American firms per the data contained in the transparency report; it is safe to assume that many of the traces excluded from the report were also traced to a US origin. Meanwhile, a rather unsubtle illustration on the ITG website depicts a scam call being traced from a victim in the USA to a hypothetical origin in South Asia. It is understandable that Americans want to blame foreign influences for scams, and would hence like foreign help to tackle those influences. But it would also be naive for a foreign company to expect to receive the same treatment as a US business. AT&T has spent over USD4mn on political donations this year. Verizon’s donations total over USD3mn. Those figures sit within the context of even larger amounts spent on lobbying, part of which occurs through industry associations that also receive millions of dollars from US comms providers. Spending on this scale is designed to buy a lot of influence. The ITG sits alongside other associations that expect to be bankrolled by the big US telcos. Four companies fund ITG at its highest tier: AT&T, Comcast, T‑Mobile US and Verizon.
It is not hard to see why the ITG wants to blame scams on foreign telcos even whilst its own transparency reports show that it is tracing many more calls to member companies than to any comms provider based abroad. Per the most recent quarterly report, 353 calls were flagged as ‘ORG’ i.e. they were traced to an originating provider inside the USA. Three of ITG’s top financial backers appeared amongst the top six sources of calls they traced:
- 34 calls were traced to T‑Mobile US, placing them #1 in the quarterly charts
- 18 calls were traced to Verizon (#5)
- 13 calls were traced to AT&T (#6)
So over 18 percent of scam calls that had a domestic origin were traced to the three leading MNOs in the USA. This compares with 11 calls traced to Deutsche Telekom, the top foreign origin for traced calls during the quarter. Just 37 calls were traced to an origin outside of the USA, barely over one-tenth of the number of listed calls that the ITG traced to US entities.
Some will leap to the defense of the US industry by arguing more calls would be traced to foreign comms providers if there were more foreign comms providers willing to assist the tracing of calls. That claim is not supported by the data in the ITG’s transparency report. Their report says 180 calls could not be traced because a telco failed to respond to the ITG’s query. So the total of calls that were traced to a foreign originating entity or which were not traced to an originating entity is 217 calls, compared to 353 calls that were traced to an originating US entity. If the majority of bad calls received by Americans really did originate outside of the USA then the tracebacks should indicate a much higher proportion of incomplete traces and traces to foreign telcos. However, the data instead shows that the majority of traces originated within the USA.
There are some American professionals who will insist there are other facts which demonstrate that more of the scam calls received by Americans have originated abroad. My response to them is simple: show your data. I trust myself to be impartial; that is why I bother to check details like sequence numbers, and why Commsrisk republishes data in a format that makes it easy for others to check our workings. I keep finding plenty of reasons to question the findings preached by American institutions. If there is data that substantiates the demand for more effort from foreign telcos then the correct starting point is to show that data. It would be convenient for the US industry if most of the illegal calls received by Americans could be blamed on foreigners. The very convenience of the proposition is why impartial risk professionals should remain circumspect until there is hard evidence to support or disprove the theory.
There is hard data that shows Americans are being hit from scam calls from abroad. It comes from the stories of modern-day slaves being liberated from scam compounds in Cambodia, Laos and Myanmar. But that shows we do not always need to trace bad calls to know where they originate. All the fuss made about needing collaboration to trace calls just obfuscates a more important question: what does the USA intend to do about the scam compounds we already know about? The authorities in the USA have ducked this question. The US government has repeatedly refused to impose sanctions on Cambodians responsible for trafficking the people forced to work in scam compounds, despite US legislators already passing a law and already obtaining sufficient evidence to justify sanctions. If they will not seek to punish the organized scam gangsters who represent the very worst threat to phone users everywhere then repeated demands for more international traceback collaboration can only serve as another form of misdirection.
The interpretation that the ITG applies to its own work receives less criticism than it should. This is an example of a more general failure to demand rigorous statistical analysis when somebody offers an easily-understood and highly convenient explanation of the world that is rooted in words, but not in numbers. That we fail to apply statistical rigor to the analysis of communications data is especially damning. We know that fraudsters will always seek to hide their activities in the noise created by genuine phone users. Machine learning and clever algorithms are unlikely to save us from fraud if decision-makers insist on applying slapdash short cuts to their reasoning just to arrive at convenient answers. Nassim Taleb made a relevant point in his best-selling book about understanding the difference between causal relationships and coincidences, Fooled by Randomness:
Why do I want everybody to learn some statistics? The answer is that too many people read explanations. We cannot instinctively understand the nonlinear aspect of probability.
Taleb might as well have observed that no amount of collaboration will enable people to solve a problem if none of the collaborators have correctly interpreted the raw data, or if key collaborators do not actually want to solve the problem because enforcing existing laws can sometimes be politically inconvenient. But as I still retain some small faith in humanity, see below for the ITG transparency report data for the quarter ending June 2024, reformatted so you can perform your own analysis, and also available for download from here. Feel free to contrast the convenience of sharing data as a spreadsheet that anyone can download from the cloud with the unhelpful PDF report created by the people who keep saying they really want to collaborate with you.
Uganda Tax Authorities Paid USD4mn to Dodgy Kenyan Telco Auditor
Regular readers of Commsrisk will be aware that African telcos have been plagued by ‘tax audits’ conducted by incompetent clowns who promise to deliver enormous returns to the authorities in exchange for a quick rummage around telco CDRs and a percentage of any money they find. Instead of finding any tax evasion, these so-called auditors usually provide evidence of the gullibility or venality of the civil servants working for the tax authorities. Thankfully, some African journalists are holding government agencies to account. An investigation by TV10 Ganomazima has found that a dodgy Kenyan business called Safaritech was paid UGX15.7bn (USD4.28mn) in addition to the promise of 5 percent of any additional taxes levied on the country’s telcos, despite the company having no registered address and a track record of making dubious audit findings that were later withdrawn.
An earlier investigative report by TechFocus24 highlighted how Safaritech was behind a claim that MTN Ghana had underpaid its taxes by USD730mn. The claim was quickly withdrawn by Ghana’s tax authorities when it became apparent that Safaritech’s analysis was flawed. Safaritech immediately tore down their own website to discourage further scrutiny from the press. They have since refused to answer questions about the location of their offices in any African country, or the location of servers they were obliged to purchase per their contract with Uganda Revenue Agency (URA).
In August, TechFocus24 reported that URA had withdrawn a bill issued to MTN Uganda for UGX280bn (USD76.3mn) in back taxes because it had been based on Safaritech’s frivolous approach to auditing. The Ugandan Head of Revenue Intelligence, Brendan Adiru Wadri, was said to have warned Ugandan President Yoweri Museveni not to engage the services of Safaritech. Now the TV10 Ganomazima is going one step further, accusing the authorities of signing a deal with Safaritech that was “deliberately designed to facilitate fraud”.
Huge Increase in Filipinos Repatriated from Scam Compounds in Laos
A television interview given last week by the Philippine Ambassador to Laos has further highlighted the methods used by organized crime to staff the scam compounds that they run. Deena Joy Amatong told RTVM that approximately 160 Filipinos have been helped to return home from scam compounds in Laos since the beginning of this year. That figure contrasts with just 80 Filipinos repatriated from scam compounds between 2021 and 2023. Click here to watch the interview on YouTube.
Other News
- Chinese hackers penetrated wiretap systems of big US telcos
- Ukraine arrests man behind VPN service that accessed sanctioned Russian sites
- US telco pleads guilty to fraudulently claiming over USD100mn of government ‘lifeline’ subsidies for low-income households between 2012 and 2021
- UK to restrict which number ranges can be used for revenue sharing



