- STIR/SHAKEN
- Global call authentication adoption
- Robocalls
- TRACED Act & Regulatory changes
- Industry Traceback Group
- Perimeter vs. prosecution approach
- Examples of illegal robocalling and lack of punishment
Pierce Gorman: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and the communications industry. I'm Pierce Gorman, member of Numeracle's Technical Staff, here to do a Tuesday Talks takeover as your host for today. The last Tuesday Talks podcast billed me as the 'Industry Legend Pierce Gorman.' I'm not a legend in my own mind, but I am Pierce Gorman, and I worked for more than three decades at Sprint and T-Mobile, with most of the last eight years focused almost entirely on standards, regulation, governance, and implementation of STIR/SHAKEN call authentication technology.
I've been a member of all three of the FCC's Call Authentication Trust Anchor (CATA) Working Groups, as well as a member of the USTelecom Industry Association's Traceback Group and the ATIS SIP Forum Joint Task Force and IP-NNI that wrote the SHAKEN standards and the Secure Telephone Identity Governance Authority Technical Committee, also known as the STI-GA.
Lastly, I was the Lead Network Design Engineer at Sprint, responsible for the design and implementation of Sprint's STIR/SHAKEN call authentication infrastructure, and was privileged to continue work on advanced use cases for call authentication at T-Mobile. Our guest today is Eric Priest Count, the Chief Executive at Risk & Insurance Group and editors of Commsrisk.com. Welcome, Eric. Can I encourage you to describe a little about yourself before we dive into today's topics?
Eric Priezkalns: Thank you, Pierce. I don't know what else you can say since you've given the title as away. Otherwise, I'm just known as generally being a troublemaker in the industry, always flapping my big mouth and saying what I think about things. I started Commsrisk.com back in 2006 and have said a lot of things in the meantime about what I think is going right and what's going wrong in the way we manage risk in the industry.
I'm very grateful that you've invited me to join you on the show today, Pierce. A lot of people wouldn't go near me with a barge pole so I'm very grateful indeed that you are prepared to have these conversations with me and listen to both sides of the argument when it comes to these kinds of things.
Pierce Gorman: We're very happy to have you here, Eric. As I've teased you, I think of you as the Gadfly of Athens, Socrates, the guy that comes and challenges people to understand what is truth and let's not corrupt the youth. You have been outspoken about the STIR/SHAKEN technology, its implementation within the United States, and the challenges that you've seen that you think people should be thinking about. I was wondering if I could ask you to review a few top issues and concerns on your mind about STIR/SHAKEN technology and its implementation, regulation, etc.
Eric Priezkalns: Well, it's fair to say that I've said a lot of things about STIR/SHAKEN so it can be quite hard to condense it down to a few points. But there are three broad themes in terms of areas that I think people need to look at again with STIR/SHAKEN and the US strategy for reducing robocalls in general.
The first of those, we could say, is a theme that has been dominant throughout my entire career, which is that a lot of effort can be put into detecting a problem, detecting the source of a problem, finding the root cause of a problem. Sometimes, in the telecoms industry in particular, we find that people put so much effort into detecting the problem, they don't know what to do after they've detected the problem or they run out of steam, they run out of energy, they run out of resources, they lack the enthusiasm, or they just allow themselves to be distracted by the task continuously looking for the problem, but they never get round to resolving it or taking action in addressing the root cause of the problem.
I think that is an issue with the US strategy for reducing robocalls. I don't want to besmirch STIR/SHAKEN as a technology. I think the technology does what the technology is supposed to do. The question is, how does it fit into a strategy? I think that there is a problem in the extent to which does it actually dovetail into the kind of action that needs to be taken to address the source of robocalls?
One could say there's two ways. I think there's a confusion between two ways that STIR/SHAKEN can be used in practice. One of those ways that STIR/SHAKEN can be used, and I know that you speak highly of the success of STIR/SHAKEN in this particular area, is the extent to which it's used to trace the origins of a bad call.
I think that makes perfect sense that you could implement STIR/SHAKEN to trace the origins of a bad call, but are people in power prepared to actually take action when they've identified where that bad call is coming from? Are they prepared to penalize, punish in some way, or deny that person that business because there's an opportunity to reenter the telecoms ecosystem, perhaps under another name, another front.
The other way in which STIR/SHAKEN may be useful is in helping to modify the accuracy with which bad traffic is identified for use in automated blocking. That's the area where I think the data shows it hasn't been so successful so far, and therefore, unfortunately, that's the area where it's easier in the legal framework in the US to see people taking action. So there's a bit of a mismatch between what can be done versus what the technology is doing well.
That then leads to two more themes where I become critical. One of those is cost versus benefit. I'm not going to talk at length about the cost of but STIR/SHAKEN clearly people can have an opinion about whether it's the, shall we say, the least inexpensive or perhaps one of the more expensive ways of tackling this problem.
Spending money is perfectly fine if you're getting benefits. If it's not dovetailing with the strategy, that begs the question about whether the money is well spent. It might be more appropriate to take more economical approaches to dealing with a problem. Then that lends itself to a third theme that I tend to explore, which is international cooperation, which takes us back again to whether the costs versus the benefits are lining up because if the costs don't line up with the benefits, it's going to be difficult to persuade other people to follow the strategy.
If other countries are not following the same strategy, will that therefore enable the US to take the action that needs to be taken in order to deal with the root cause? That, in a nutshell and as distinctly as I could possibly do it, are the three areas that I think we've got problems will.
I know that you, Pierce, feel very strongly about trying to change the parameters for STIR/SHAKEN and look at different ways to make the technology more useful on an international level, which is why I'm very gratified to hear that are people, like yourself, working on trying to make the solutions more amenable to being operated across the global level.
Pierce Gorman: Yes, that's true. Boy, you've covered a lot of ground. I hope people are taking notes or are willing to listen to the podcast again because there's a lot of material.
Eric Priezkalns: It's only half an hour. I could go on one point for half an hour and just bore everybody solid on that one point. So I'm trying to cover all of the ground.
Pierce Gorman: I don't think it's boring, that's for sure, and if we do as we've done in our previous conversations, we're not going to have trouble eating up 30 minutes. One of the first things that you said was about enforcement. So what's the strategy that the United States has in mind? Well, that strategy largely has to be determined by the FCC, they're the ones in Congress who passed the TRACED Act.
The FCC issued multiple mandates, with more in the way, I'm sure, so the strategy has been to combat illegal robocalling and one of the primary or key things to do that with was STIR/SHAKEN. As you mentioned, STIR/SHAKEN's key value, at least in my mind, is that it provides the identity of the originating service provider. In theory, if you have a critical mass and all of the service providers in the US are using the call authentication technology and unbeknownst to them, bad callers originate calls on SIP networks.
The analytics running on the different downloadable applications on people's, devices or the analytics available from the three major providers in the carrier ecosystem, which are TNS, Hiya, and First Orion, will identify those bad calls. One way or another, the information in the STIR/SHAKEN signatures will be examined, they'll find out who did it and then eventually, hopefully, enough information gets turned in through the Industry Traceback Group (ITG) and gets back to the FCC Enforcement Bureau or the State's Attorneys Generals, which have all been collaborating on trying to combat illegal robocalling. Now, that's the general approach.
The ironic thing about all this with STIR/SHAKEN is that the original idea of developing call authentication technology was to combat number spoofing, which STIR/SHAKEN is actually almost completely hopeless at being able to do in the United States. That's because number spoofing is not illegal and it's used for lots of legitimate purposes and because the signature is applied by the originating service provider, the number spoofing that might have occurred that is of most concern to the Enforcement Bureaus is illegal number spoofing. By the time the originating service provider gets the call, that spoofing will have already been done so then it's on to them to understand if they know enough about that call to think that the originator actually had the authority to use that number or not.
And that comes back to the point about what kind of attestation should be put on a call to warn or inform the terminating service provider about the providence of the calling number and the relative trustworthiness of the caller. That speaks to your comment about how useful or how effective STIR/SHAKEN has been in terms of using that attestation level. Having just skimmed over what the ideas were and what the strategy was, there is a lot of manual interconnections that have to go on between several pieces of that ecosystem.
For instance, many of the call authentication verification servers that the terminating service provider are provided by one vendor, whereas the analytics might be provided by a separate vendor. This will certainly be true of most of the carriers in the United States, the large carriers, in some cases, have reasonably good integration, or I presume they do, I only worked two of them.
But the small service providers who are largely not required to deploy STIR/SHAKEN until June of next year I assume may not even offer an analytic service and they might just leave it to their customers to use Nomorobo or whatever else and all they'll have is a verification server. The ability to tie the identification of bad calls to the origination of the bad calls, there is a step there that's not necessarily a clean step.
Once you have done that and you feed this information back to the Industry Traceback Group or to the Enforcement Bureaus, what are their abilities to sift through all of this, weigh it against all the rest of the stuff that they're already working on, and then bringing some sort of an action? What do you do when the action is overseas? It's a tough not to crack. I know that you are not fond of the phrase, "It's not a silver bullet," but it isn't but I will say that it's still a foundational technology.
The deployment of STIR/SHAKEN is still an experiment in the United States to see if STIR/SHAKEN will do what we want it to do. But just the ability to be able to send cryptographic signatures in call signaling, it's a massive accomplishment in the US industry. And I think that it will reap great benefits both in the United States and internationally. Although, as you say, there are things that I think that need to be looked at that I hope will improve the way trust information is captured, distributed, made available for verification and improving trust in communications.
Eric Priezkalns: The reason I don't like that phrase, "It's not a silver bullet solution," is I think it glosses over a really important question that needs to be answered and we don't have the answer. We can accept that there are multiple possible solutions to any problem. That does not mean that you have a viable strategy if you throw resources at a lot of different possible solutions. You should be clear about where resources are being focused as part of a strategy for dealing with a problem.
I fear that phrase, "No silver bullet," is used as an excuse for a scatter gun approach to spreading resources. While a lot of different things are being done, and one can imagine strategies in which those things fit into the strategy, but because the resources are spread around, you're not really focusing resources on any strategy that will be effective overall. That's my point with that phrase and I want to come back to this notion.
I was thinking about how to explain this to an audience that doesn't know anything about the telecoms industry the other day. I was thinking one way to view, if you're receiving all these phone calls coming in and spamming your phone all the time and causing frustration, one way to view this is as a dystopian future where you and a tiny band of normal human beings survive surrounded by this enormous plague of crazy bandits in the desert who are running around driving in a Mad Max scenario where society has broken down and they're all trying to get at you in your tiny little village that's still got a wall around it and you're trying to maintain some kind of civilization.
Or it could be that there's just five or six big criminals out there. Why are we all hiding behind a wall? Why don't we just go out and get them? Because if we get them and we put them out of business, we will have a lot less problems to deal with. One could view this as a perimeter strategy, building a wall around your community to keep the bad guys out because there's so many bad guys and you don't know how to deal with them.
Or let's go out in, what I call, the prosecution strategy. Let's go out and let's get the bad guys. This links to the idea of whether you're going to take a strategy focused on tracing the bad traffic to find where the origin is and then the question is, what are you going to do when you find the origin? How are you going to punish the person responsible?
Or the strategy can be, let's build up the walls, and I think that lends itself to blocking. If you go down that road of building up the walls, you are saying to yourself while not pursuing the strategy of prosecuting the bad guys as much because in the effort put into building up these walls, you may not fully understand how many bad guys there are out there. If you're building up the walls, what in the end is your criteria for success? Because no blocking algorithm will ever be perfect.
So to what extent are you prepared to accept that either good calls will be blocked or some bad calls will keep on getting through your perimeter? You don't need to talk about technology; the Great Wall of China is a great example of how you can put a lot of effort into putting up a wall, but there's a lot of different ways you can subvert it, whether it's bribing a general to let you in or just ransacking and attacking a particular weak point in the wall.
The danger with the perimeter strategy absorb a lot of resources. I would like to see the US more methodically pursue the prosecution strategy, because I think the data does suggest there's not that many bad guys, but there is plenty of data suggesting the US keeps letting the bad guys come back again and again and again. Here's another phrase people talk about: 'Whack-A-Mole.' I don't think 'Whack-A-Mole' is a good analogy because there could be lots of different moles. I think the analogy that we're dealing with here is 'Cat and Mouse.'
I think the USA has now got another tool in its armory, STIR/SHAKEN, but it was actually catching the mice before, just catching the mice and letting them go so they're coming back again. You shouldn't be surprised, therefore, at the scale of the problem. The problem is the release of the mice back into the environment, not the inability to catch them. We can talk about real life examples where illegal robocallers have been caught already and they're being let off with no real penalty whatsoever.
Earlier this month, Roy Melvin Cox, Jr. was cited as a result of the great work by the Traceback Group and identified as being one of the leaders of this criminal consortium that are said to be responsible for 8 billion illegal robocalls, mostly to do with car warranties since 2018. I did the math and that would be 3.5% of all robocalls suffered by US consumers since 2018. They were saying in the notice with cease and desist letters to a whole bunch of telcos telling them to block the traffic that's basically being created by Roy Melvin Cox, Jr. and his accomplices of which there are front organizations in Panama and in Hungary.
Now, Roy Melvin Cox, Jr. Should be perfectly well on the radar for enforcement bodies because in January 2013, he was banned from all telemarketing activities. He reached a settlement with the Department of Justice where he agreed to admit that he had broken the law, that he had used vague names to mask the caller ID, the origin of telemarketing calls, some of them for car warranty-type calls, he had made calls to those on the Do Not Call list, and that he had used front organizations in Panama and Hungary.
So he's using exactly the same modus operandi back then as he's currently using now that he was banned from using. A monitoring regime was put in place where he was supposed to report on a monthly basis about all his business activities, all the associates he had around the world, and he was given a fine, a $1.1 million fine. He didn't serve any prison time and he didn't have to pay the fine either. He just had to say, "I don't have the money," so therefore they didn't make him pay the fine.
Realistically, in 2013, he had no actual punishment and all he did was walk away and say he would not do this kind of thing again and signed some kind of deal where people were supposed to be monitoring his business activities on a monthly basis for the next 20 years to stop him doing this kind of thing. And yet now we're back, the Traceback Group is having to do a lot of work to find these calls and telcos have been told to block these calls.
Why has Roy Melvin Cox, Jr. not been effectively taken out as a threat?He's clearly using the same modus operandi. There's probably not that many people with the insider savvy and the acumen to build an operation like this. The names of the accomplices are different, have changed the names of his accomplices in Hungary have changed, the names of his accomplices in Panama, have changed, well, who's clearly the mastermind of the operation? It's Roy Melvin Cox Jr. who's the mastermind of the operation with no real penalties. The big question now is, will there be any penalty this time?
In May of this year, Mohammad Usman Khan was found responsible for tens of millions of illegal robocalls promoting bogus cleaning services related to COVID-19, he spoofed caller ID's, and he made calls to the Do Not Call list. This is very similar to what Roy Melvin Cox, Jr. was doing. He was given a nominal $3.2 million fine, he said he couldn't pay it so he doesn't have to pay it, he got no prison time, and he promised not to do anything bad again.
My point here is very simple: we are not learning from the past and our message from the past is we sometimes see the FCC, for example, announce enormous fines, calculating enormous notional funds that we know the criminals can't possibly pay. There's no real punishment, there's no real penalty, and that means there's no real deterrence and no real reason for the criminals to change their behavior. They are going to just be recidivists. Why not? They make good money and they never suffer any real punishment.
So my point about STIR/SHAKEN is you can put an enormous amount of effort into catching the mice, which is what STIR/SHAKEN is doing, but if you're going to release the mice each and every time and there's no punishment, why would you expect it to change? And more crucially, why would you expect other countries to cooperate with the USA if the USA isn't dealing with, in the case of Ride Melvin Cox, Jr., criminals within the USA, people who should be prosecutable?
Pierce Gorman: Those are good arguments and I don't really have any counterarguments because I tend to agree with pretty much everything you've said. I do know from anecdotal remarks made by Richard Shockey that there's a real challenge in the Enforcement Bureau, at the Attorneys Generals, and probably within the industry Traceback Group, which is a small group of pretty hard working and dedicated professionals, to deal with how much information they have coming in. If you look at how many cases get prosecuted and how many make the news, it's not very many. Obviously there's billions of calls and it's not just from two or three guys, it's going to be more than that.
I don't disagree with you but what I would say is there would need to be some lobbying towards either state legislatures or federal legislature or both to try and put some teeth behind putting those criminals in jail. This has come up before in conversations and there seems to be, and maybe it's just my view of things and it's not a correct view, that there seems to be reluctance to add criminal jail penalties associated with fraud in using the telecommunications network.
As you mentioned, there are these multi-million dollar fines, I don't want to say billion or trillion because they could just find whatever size they want, it doesn't matter. If you're not going to make them pay and they can't pay, it's a ridiculous thing and it just makes them look foolish. I wish they would stop that part. A few million dollars would probably be suffice if they would actually collect it, but for sure, they should be looking at jail terms and encouraging other jurisdictions to have the same kinds of penalties. I wonder if other jurisdictions wouldn't be more willing to.
Eric Priezkalns: I want to see telcos pushing back. It's one thing to absorb the cost of STIR/SHAKEN, but then it's necessary to push back and say, "We've got STIR/SHAKEN, we're helping the Traceback Group, we know it's difficult to do the traceback work to find these people, so what are you actually going to do to deter crime?" To be fair to Jessica Rosenworcel, who is now the Chair of the FCC, is that she has spoken in the past about this problem of the FCC issuing large nominal fines, generating headlines, but never collecting. Never collecting because it's the Department of Justice that has to collect and the Department of Justice just never collects.
She's spoken less about it since she's become Chair because obviously it's less politically appealing to talk about the problem when it's her problem as opposed to being her predecessor Ajit Pai's problem. And when it was Ajit Pai's problem she would never shut up talking about this problem but now she doesn't want to talk about prices. But to be fair to her, she wants the lawmakers to change the law so that she's less reliant upon others to collect the fines. She wants the FCC to go out and collect the fines.
So we can see that there's some appetite there, some bites to go out and penalize people, but it does mean the lawmakers have got to stop basking in all this reflected glory of millions being spent. And we do care, and we care deeply about our veterans, we care deeply about our seniors, we care deeply about the billions of dollars of harm being, so then change the law. Change the law so that people can actually be properly prosecuted. Because the problem is we're not learning from these past mistakes where, as I said, we're catching them, we're letting them go. So to be fair to Jessica Rosenworcel, though she has to be more politically subtle about it, she does want to have a change in the environment. We can put more pressure on the politicians is what I'm saying.
Pierce Gorman: Looking at our time, it looks like we're not going to be able to move on to the other aspects that I wanted to cover.
Eric Priezkalns: I'm sorry!
Pierce Gorman: No, that's quite all right.
Eric Priezkalns: We wanted to talk about blockchain and how we could use blockchain to reduce the cost of this technology globally, which I love, by the way. Can you not just do it in two minutes before the end of the show?
Pierce Gorman: Well, what I can say is that I did want to transition the conversation to look at the yin and yang approach to using call authentication technology. We've talked about how we try to use call authentication technology to identify and punish the bad guys, but it can do more than that.
One of the emerging technologies or emerging signature types is called rich call data, which can help promote the good guys so we can try and tamp down the bad guys and try and promote the good guys. But the technology, the key and certificate management technology that's used to support that functionality, I think is going to be challenging to scale, at least internationally, and I think probably domestically as well.
We can have another conversation about that but I'm glad that you did raise the comment about blockchain because one of the things that I know that you've worked on at the Risk and Assurance Group is working on a blockchain solution to help service providers around the world share information that helps combat fraud. I think that we could talk more about international revenue fraud and other kinds of things that call authentication technology can be used for and work that's been done by different folks in the STIR Working Group at the IETF and other places. We didn't have time for any of the questions, so we'll look at the questions and see if we can get some responses back to people.
Eric Priezkalns: There were some great questions, unfortunately I gabbed on for too long. To everybody who had a question, it's my fault. I'm sorry, everybody.
Pierce Gorman: Well, we'd like to thank all of you for joining us today for another episode of Tuesday Talks. It was great to lead the conversation today after being an audience member and see what it's like to host. Eric, it was great to have you as my guest today.
We definitely plan on having more of these Tuesday Talks takeover sessions to continue our conversation from today so be on the lookout for Part II which I'm sure will be coming soon. Our next live session will be on Tuesday, August 2nd and we hope to see you there! Take care.
Pierce Gorman has helped shape the standards, architecture, and deployment of technologies critical to the continuous advancement of the telecommunications industry. He most recently worked at T-Mobile, responsible for voice architecture development for VoIP robocalling protection and STIR/SHAKEN call authentication design and standards development. During his 30-year tenure at Sprint, he drove cooperative development and implementation of next-generation voice and VoIP signaling, routing, and services architecture.
Pierce is a member of four ATIS working groups, all three of the FCC's NANC Call Authentication Trust Anchor (CATA) working groups, the STI Governance Authority Technical Committee, and the CTIA Technical Committee in support of the Registered Caller branded calling initiative. He has also actively participated in the US Telecom Association (USTA) Industry Traceback Group, SIP Interconnection Working Group hosted by NTCA, and the Internet Engineering Task Force (IETF) Secure Telephone Identity Revisited (STIR) working group.
Eric Priezkalns is the Chief Executive of the Risk & Assurance Group, an international association of telecoms professionals concerned with risk management and business assurance. Many people also know him as the Editor of Commsrisk.com, a website that has presented news and opinion about risks faced by communications providers since 2006. Previously, he was a senior manager and business consultant specializing in risk management and business assurance for telcos.