20.5k unique visitors in the last 3 days

Zero Trust: Why Europe Is Beating the USA in the War on Telecoms Scams

The recent CEPT workshop on fraud prevention showed that European comms regulators are on the right track.

I had the honor of being invited to speak at the anti-fraud workshop of the European Conference of Postal and Telecommunications Administrations (CEPT) held two weeks ago in Copenhagen. It has taken me two weeks to sift through all the information absorbed during the event in order to pinpoint the single most important takeaway: Europe will win the war against telecoms scammers because it has adopted a zero trust philosophy. 46 countries belong to CEPT. If they all take the most direct route to reducing telecoms scams then it is likely that the whole world will eventually walk the same path.

There was good reason to be optimistic before I attended. The European Communications Committee (ECC), the policy-making division of CEPT, issued ECC Recommendation 23(03) in November. All countries should follow this recommendation, not just the ones in Europe. There are already other countries, including India and Saudi Arabia, that have independently settled upon the same approach. It is also the approach that I have advocated since 2022, after Australian and British operators had already begun talking about it being stunningly effective. Stated as succinctly as possible, the approach involves blocking inbound international calls that spoof a domestic phone number. Germany only removes the CLI of these calls instead of blocking them, but German telcos also report considerable success in reducing scams. Part of my motivation to attend the workshop was to tell regulators how well this technique is working in the countries that have already implemented it. It is no exaggeration to say it represents the biggest advance in scam call prevention in the history of telephony. There has never been a period in time that was so conducive to international scam calls, so adopting a zero trust method that blocks the vast majority of these calls should be seen as a reset of risk parameters that counters what would otherwise be an explosion in scam traffic.

However, I did not really need to persuade the audience about the merits of ECC Recommendation 23(03). The attendees already included many representatives of different European countries who were fans of the method. By my count, representatives from Belgium, Finland, Ireland, the Netherlands, Norway, Portugal and the UK all spoke approvingly of controls on spoofed inbound international calls. It is possible that my list is incomplete because there was so much support for this method expressed during the event. The mood in the room was obvious. There was also broad support for other zero trust measures to protect the public from scams, including the use of do-not-originate lists and SMS Sender ID registries. Perhaps I should not have been surprised by the inclinations of the regulators who attended. I spoke in favor of a policy that was already advocated by CEPT’s own policy-making division. That I had been invited to speak demonstrates that at least one person knew what I was likely to say and had decided that the rest of the room should hear it too. Even so, it was both reassuring and inspiring to discover many European comms regulators believe the best way to protect the public is to allow no tolerance for suspicious calls or messages. A zero trust, zero tolerance approach will inevitably and sharply reduce the amount of traffic carried by telcos, and hence the amount of revenue they earn. That is a small price to pay to avoid a crisis caused by runaway consumer crime.

Regular readers of Commsrisk have already guessed my other motive for attending the CEPT workshop. Somebody needs to counter American disinformation about scam prevention. I am one of the few people who is sufficiently rude, vain and informed to publicly challenge this disinformation. Americans have many admirable qualities but learning about best practice by listening to the experiences of other countries is not one of their strengths. As a consequence, they lack perspective on how well their anti-scam methods have worked in comparison to the methods used elsewhere. They are trapped in a bubble where they keep telling themselves that the rest of the world will inevitably copy US policies even though they have delivered derisory results so far. An article I published earlier this year cited multiple examples of Americans talking as if every country would implement STIR/SHAKEN. That article was motivated by the realization that some Americans had consciously spread lies about the UK adopting STIR/SHAKEN in order to further their selfish goals.

Despite the waves of disinformation, the UK rejected STIR/SHAKEN. This caused a shockwave across Europe and beyond, obliterating the credibility of the most brazen American liars, who had previously been treated with respect. But that does not mean that everybody in the USA is consciously lying when they express confidence in the current US strategy. Most of them are merely repeating the disinformation they have been told. And they will keep repeating it, even when speaking to foreign audiences, because of idiosyncrasies that are particular to the American psyche. The US Federal Communications Commission (FCC) is so deeply political that its leadership is badly flawed; few countries politicize aspects of government administration to the extent that the USA does. So when there is bipartisan agreement on a course of action within the USA, this is generally treated as a sign that the decision must be good because it is unanimous. That ignores the possibility that two rival groups of politicians may agree on something because neither places the needs of the public above the factors which help politicians to gain and maintain power. Pleasing businesses is one way to gain and maintain power, especially in the USA. The result in the USA is an unhealthy obsession with prioritizing the profit-making goals of private enterprise even when the wealth gained as a consequence is badly outweighed by the costs borne by the rest of society. Or to put it another way, there are many bad actors who behave selfishly within the US telecoms ecosystem, but neither Democrats nor Republicans have the resolve to block large amounts of unwanted traffic because that will hurt the profits of some big corporations. Europeans are much more varied in their attitudes towards the advantages and disadvantages of free markets, and so are more willing to listen to warnings about the inadequacies of the free market when uttered by people like me.

It was after I spoke that I realized the essential difference between STIR/SHAKEN, the subject I had been invited to speak about, and ECC Recommendation 23(03), the method that Europeans were following instead. This epiphany was prompted by a presentation given by another speaker, but I will not name him because I do not want his business to suffer as a consequence! ECC Recommendation 23(03) is based on the concept of zero trust. STIR/SHAKEN is not. US anti-scam tactics are all predicated on the belief that a new bureaucracy can be instituted that will discriminate between who is trustworthy and who is not trustworthy, and that the role of technology is to convey the decisions made by the bureaucracy so that trustworthy actors will automatically gain entry to the community of networks, whilst untrustworthy actors will be progressively excluded. STIR/SHAKEN is a technology that communicates the decisions made by the bureaucracy. But the presupposed bureaucracy is a fantasy. There is no serious intention to make it real. That is partly because there is no clean slate from which the telecoms industry can select only trustworthy actors to institute a new bureaucracy. It may not be the case that every business is rotten, but we have to act as if every business is rotten because rotten businesses often succeed in appearing trustworthy too.

An analogy helps to explain what the US strategy really is, once we strip away a lot of propaganda about technology being able to accomplish miracles by magically making decisions that are independent of any human flaws. Imagine you live in a village. It was the kind of village where everybody left their front door unlocked because everybody trusted each other. That analogy is appropriate given the history of every telecoms network trusting every other network. Now imagine there is a spate of burglaries in the village. What should be done? One approach could involve the entire village coming together to discuss, formulate and institute a new hierarchy of trust, where village elders have copies of the keys of every front door so they can access buildings as and when they need to, and the elders can create copies of keys that are issued to other people they trust, and there are delegated powers to make further copies of keys as needed, so that we recreate the liberty where everybody who is good and decent remains free to enter everybody else’s homes, and only the burglar and other untrustworthy folk are denied copies of keys, even though nobody has yet identified who the burglar is. Or we could just live in a village where everybody has the key to their own door, and they lock it when they go out. Europe is harmonizing on the zero trust strategy. The USA wants to engage the Europeans in a strategy of creating circles of trust, with American decision-makers convinced that they should occupy the highest circle, and very few people in Asia or Africa being given any role beyond subjugating themselves to a new kind of networked colonialism. Europeans will tend to find this hierarchy unappealing, though some of them could hope to gain a seat at the top table with the Americans. However, even this ambition is undermined by the realization that the US is infested with more telecoms crooks than any European nation, and has so far proven woefully unwilling to catch or punish them, especially as the crooks get bigger and bigger, and look more and more like the big mainstream telcos that are routinely accused of violating all sorts of other consumer protection rules.

Some will complain that my narrative is the Hans Christian Andersen version of how to distinguish between US anti-scam tactics and the zero trust philosophy being adopted in Europe. Please indulge me; I began to formulate this perspective whilst walking around Copenhagen and admiring statues of the writer and his characters. If I am reducing this story to the level of a fairy tale it is only to counter the fairy tales that Americans keep reciting. Hardly anybody understands the US approach to scam reduction because it is a salad of words proclaimed through a blizzard of press releases and marketing brochures that lacks any core narrative. Intelligent people claim to understand the US strategy for scam reduction, but artlessly have to pivot away from any examination of how it works in practice. For example, the speaker at the CEPT conference who attended on behalf of Microsoft, a company that had openly chided the Irish regulator for putting the protection of Irish people ahead of the business objectives of US multinationals, explained how Microsoft is represented on the Board of Directors of the STI-GA, an international governance body for call validation. Except the STI-GA is not an international body. Its remit is to govern the implementation of STIR/SHAKEN in the USA. It has no authority anywhere else. Should the misinformation spread by this speaker be dismissed as a simple slip of the tongue? That might have been plausible if the speaker had not formerly worked as a lawyer for the FCC. Lawyers are supposed to understand the meanings of the words that come out of their mouths. A national authority is not an international authority. Confusing the two is a poor mistake if the goal is to convince foreigners that you can be trusted.

Perhaps the speaker from Microsoft mistook the STI-GA for ATIS, the standards-setting body which wrote the SHAKEN standards. The latter often says it is international, even though its membership is dominated by companies headquartered in the USA. One of the justifications that ATIS gives when explaining how it is international is that its members include multinational firms like Microsoft. So that would mean an American from Microsoft said they are helping to govern an international body that says it is international because Microsoft is a member. That seems like pretty circular logic to me. Or perhaps the speaker was referring to a new governance body whose creation was announced by Microsoft and others at a time that was chosen to pressure the Irish regulator about their zero trust anti-scam plan. This new body also described itself as international. It promised to play the same role as the STI-GA, but for the whole world, even though all its members are American, and it immediately decided that global policy should be administered by the same US company as that which administers policy in the USA. So it is easy to see how this new body could be confused with the STI-GA, apart from one crucial difference. This new and so-called international governance body currently has no purpose, because nobody outside of the USA has agreed to submit to its governance. So that would mean Microsoft is telling the audience that it belongs to an international governance body that appointed itself and which currently governs nothing nowhere. Either way, I prefer my Hans Christian Andersen version of how to make the world a better place, because the Microsoft plan involves many words that are devoid of meaning.

The other American speaker on the agenda was a representative of Somos, a company that is clearly on maneuvers having recently signed up with the aforementioned STI-GA and its policy administrator to become a certification authority for STIR/SHAKEN in the USA. Somos hired Chris Wendt, one of the authors of the STIR specification, soon after STIR/SHAKEN became mandatory for US telcos. Wendt is a man who describes himself as a thought leader with a proven ability to foster new products who is heavily involved in using STIR/SHAKEN to combat illegitimate robocalls. So it is safe to assume Somos does not have an open mind about the pros and cons of using STIR/SHAKEN. But they did not send somebody like Wendt to the CEPT event, where he might get challenged about the practical limitations of using his favored technology. Their representative was another person who has spent a career discussing rules with the FCC, and she presented evidence of the FCC’s success at tackling scam calls in the form of an old press release from the FCC. Unfortunately for her, there are only four actual instances of the FCC proposing a fine for robocall violations between the beginning of 2022 and the end of 2023, and she picked a press release about a fine that had nothing to do with protecting the public from scams.

For reasons that defy credulity, the speaker highlighted a press release issued by the FCC concerning the Scammerblaster case. This case, and the publicity surrounding it, was a flagrant attempt to mislead the American public about whose priorities were being served by the FCC. ‘Scammerblaster’ is the pseudonym of a silly person named Thomas Dorsher in real life. Dorsher made a lot of automated calls as part of a traffic pumping fraud; he was ripping off telcos, not the general public. Dorsher thought he was going to get away with it because the content of the recorded messages played by his calls pretended to be warnings about robocalls. This paper-thin ruse was bound to infuriate both the FCC and the telcos that were defrauded, but it hardly took a great deal of skill to track Dorsher down. He repeatedly described his crime on his YouTube channel, and the company he tried to hide behind was registered in his own name, at his home address. It can be debated whether a lunatic like this really deserves a USD116mn fine when the FCC only proposed a fine of USD2mn for a telco that applied A-grade STIR/SHAKEN signatures to calls that tried to trick voters into believing a senior representative of the Democratic Party wanted them not to vote in a primary. But what is beyond debate is that Dorsher’s calls did not target the public, meaning his case cannot be an example of enforcement action leading to a reduction in the number of scam calls received by the public. Dorsher did not target the public and he was fined USD116mn for causing financial losses to telcos. A telco profited by enabling a scam that targeted voters, and the FCC only wants to fine them USD2mn. This tells another story about the FCC’s enforcement priorities, but not the one recited by the speaker from Somos.

On the other hand, there is plenty of evidence suggesting that scammers are fooling the FCC over and over again, not that you will ever read about it in an FCC press release. For example, a source that wishes to remain anonymous reports that he knows of at least 10 occasions when telcos which were registered with the FCC have been listed with named representatives whose identities were stolen and used without the person’s permission. In other words, if the FCC did take enforcement action against one of these legal entities, it would make no difference to the people behind the legal entity, because the FCC has no idea who they really are. This illustrates why the US strategy of creating elaborate trans-national circles of trust is based on an absurdity which cannot be addressed by Americans because it is so politically embarrassing. You cannot sustain a circle of trust if you perform such negligible identity checks that you literally do not know who you have allowed into the circle. That is another reason why European regulators should reject US exaggerations about how effectively they enforce anti-scam controls. US pretensions to lead the fight against scams must be rebuffed until such time as its authorities exhibit a modicum of competence at identifying the many bad actors who still run registered companies in the USA that continue to profit from scam communications. Europe needs to adopt a zero trust philosophy to defend its citizens from American bad actors. This is a message that Americans find hard to process because they prefer bipartisan bluster to a thorough appraisal of how dysfunctional their government agencies and legal system really are.

In researching this article, I went back and double-checked how the STI-GA describes itself, so I could better understand why even an FCC lawyer might be mistaken about its purpose. Re-reading their own material, I was impressed by how well they avoided stating plain facts about who they are and what they do, and instead painted a rosy picture of what they are supposed to accomplish. Per their FAQ, one of these seemingly inevitable accomplishments is going to be their undisputed role as world leaders.

There is general recognition that as SHAKEN begins to reduce unwanted calls in the U.S., it is likely that the focus of the scammers will shift to target countries that haven’t yet deployed SHAKEN.

This made me wonder who had appointed General Recognition, and where is the army he commands? His followers appear to include Major Disappointment and Private Shame, two other soldiers that eagerly anticipate foreign deployments of SHAKEN, despite countless defeats on home soil.

Here we see how the business model for American for-profit corporations was announced well in advance, and they will stick to this marketing pitch because they have no alternative. They must pretend they are winning, and that means everyone else must appear to be losing. But if other countries reduce scam calls more rapidly by following zero trust principles like those enshrined in ECC Recommendation 23(03), then the US corporate model for international expansion is kaput, as the Germans might say. I saw evidence of that at the CEPT workshop; it was telling that the showing from US apologists for STIR/SHAKEN was so weak. Vendors of STIR/SHAKEN will doubtless try to rally by lobbying rich Arab nations but those countries are even less suited to STIR/SHAKEN than the European countries which have rejected it. Most of the Arab nations now being targeted by the STIR/SHAKEN lobby have large populations of expatriate workers relative to small native populations, and consequently have relatively high volumes of cross-border traffic. In other words, Arab countries already have the conditions where blocking inbound international calls is more effective than implementing STIR/SHAKEN, which helps to explain why some Arab countries were amongst the first to adopt blocks on inbound international calls and have been reaping the benefits.

That some Americans have an absolute and unshakeable conviction that STIR/SHAKEN is the universal answer to all telecoms crime was amusingly confirmed during the two weeks since the CEPT conference. AT&T has once again embarrassed itself and put the public at risk with yet another massive leak of personal data. Commentators have rightly observed that this data is another gift to scammers. So is the answer to enforce the kind of data protection regime now considered somewhat passé by Europeans? The Europeans have accumulated decades of experience of obeying tough privacy obligations, culminating with the rules published in 2016 by the General Data Protection Regulation. However, according to some quarters, the correct response to the AT&T breach is to mark any calls that do not have an A-grade STIR/SHAKEN signature as spam. My mind was blown by the utter stupidity of this belief. There are no calls coming into the USA from foreign countries that have A-grade signatures. Not even calls from Canada, which supposedly has harmonized its strategy with the USA, belong to the circle of trust yet. So is the intention to mark every inbound international call as spam? And if not, then how will this proposal do anything to protect all the victims of the AT&T breach who will now receive calls at the numbers which were compromised? Another way to tackle all of the negative consequences of data breaches would be to stop having so many data breaches. But that might involve admitting that Europeans are way ahead with enforcing rules that protect personal data, and that the USA needs to learn from their example.

The problem with General Recognition, Major Disappointment and Private Shame is they only ever seek validation of the direction they have chosen for their march. They never stop to consult a map or to ask the locals for directions. As a result, they never learn of quicker routes to the destination. Other nations are taking a short cut by eliminating the reliance on trust. Sadly, I find too few Americans will listen to individuals like me, although I am trying to help them by shaking them out of their complacency. We can shout at fools to warn them they are going the wrong way. If they ignore the advice and fall off a cliff, then so be it. The more attainable goal is to discourage others from following them over it.

The nadir of debating with US professionals comes when they cite data about US consumers not complaining about scam calls as much as they used to. So what? No scientist would ever assume that the number of consumer complaints has a robust correlation to the frequency of the thing that is complained about. Some Americans complain that Donald Trump will start World War 3, though he failed to do so when he previously had the opportunity. Others complain that Joe Biden is exhibiting such a rapid physical and mental decline that the second term of a Biden presidency would be even shorter than the fourth term of Franklin Roosevelt’s presidency. I pick examples from both sides of the political divide to illustrate how one person’s absolute certainty can be another person’s irresponsible slander. Facts are facts, and the US telecoms industry is incredibly poor at presenting solid facts about how well it tackles scams. Counting consumer complaints is a lousy substitute for a measure of actual scams.

But even if it were supposed that consumer complaints are a good proxy for the number of scam calls, this would still show that the US is lagging, not leading other countries. Take a look at the complaint numbers for countries like Australia and the UK, the two countries that initially prompted me to research the effectiveness of blocks on spoofed inbound international calls. The complaints statistics for those countries show more rapid falls than the equivalent US statistics. But nobody in the USA seems to have noticed, because they do not seek to learn from foreigners. The FAQ for the STI-GA assumed the US approach would be copied by other countries because scammers would migrate from targets in the USA to targets in other countries. It never occurred to them that if other countries adopt a zero trust philosophy which delivers a more rapid reduction in scam calls, then the scammers will be migrating away from those countries, towards the USA and the many gaps in its overly-elaborate, poorly-implemented defenses.

There is a simple message for any European regulators reading this: keep going forward as you are. You are facing the right way, and the only thing that can stop you is a loss of faith in your approach. Do not be distracted. Do not take detours. Do not be bamboozled by disinformation, no matter how confidently it is presented. Zero trust is the right mentality. Telcos and other businesses will huff about the cost to them in terms of reduced traffic, but that just means you are eliminating a lot of bad traffic very quickly. Your success is a further embarrassment to the Americans, but you will do the average American more good by shaming their leaders into executing an about-turn.

I rarely praise regulators, but the views expressed at the CEPT workshop on fraud prevention renewed my faith in regulators as guardians of the public interest. ECC Recommendation 23(03) and other initiatives that are in vogue within Europe will have a profound impact on telecoms scams. They may be so successful that some regulators will not receive the pat on the back that they deserve. But it is better that regulators do great work to protect the public which goes unheralded than to watch a regulator demean itself by manipulating public opinion in order to disguise its failure. The goal is not to massage the egos of individuals who gain power and prestige by climbing a political ladder. Protecting the public by preventing scams should be our overriding priority.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email