Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today's session with Anis Jaffer, Chief Product Officer at Numeracle. Anis, it's great to get the two of us back together again for the season 3 kick-off. It's been a while. I'm looking forward to discussing trends and predictions in the first episode of season 3, and you may have noticed there are some changes with our live recording, and we hope that you enjoy these changes. We have also added an anonymous Q&A feature should you have any questions during our talk. So, Anis, welcome, and let's kick it off.
Anis Jaffer: It’s great to be back, Rebekah. A lot of things have happened. Things are evolving and changing in the robocall space, but still, it seems like the status quo remains. We have a lot of things to cover today-- we'll be discussing branded calling, standards, 10DLC, and identity, and you also mentioned the entrance of AI to voice scams, so I'm looking forward to hearing what that is.
Before we deep dive into these topics, I would like you to give an update on regulatory and enforcement.
Rebekah Johnson: Yes, on the enforcement side there's definitely been an increase, which I think was part of the prediction that we made last year that would occur towards the end of the year. We're seeing this both from the FCC and the FTC. So, the FCC-- one of the biggest ones was the shutdown of a mortgage robocall scam campaign. This is where we have State AGs working with Traceback Groups, working with the FCC; they're all working together to try to stop bad business practices that leverage the voice channel to exploit its victims, essentially. The FCC’s Enforcement Bureau ordered telecommunications companies to block traffic from a company called PhoneBurner, which was sending calls from its customer that was a real estate brokerage firm, MV Realty.
What was interesting about this is that that letter went to Twilio. So, here we have what kind of sounds like a KYC situation to me, where Twilio needs to know its customer, and needs to know its customers’ customers. That created a lot of conversation just from that particular one.
Then, the FTC embarked on its effort to prevent illegal calls from entering the United States from overseas, and of course, no project can go without a name. This project is called Point of No Entry Project or PoNE. [POHN], I guess, is how you say it. They have targeted 24 service providers, marking them responsible for routing and transmitting illegal robocalls between 2021 and 2023 in connection with, get this, 307 telemarketing campaigns, including government and business impostors. We have the COVID-19 relief payment scam, student loans debt relief-- it just went on and on. The traceback data showed that after being contacted by Project PoNE staff, 22 of the 24 targets significantly curbed or altogether stopped the flow of illegal robocalls entering the country over their networks. I think what the enforcement is showing is that when your hand gets slapped, somehow you can magically find a way to comply. It's quite interesting. Before I go into FCC deadlines, any thoughts on the enforcement side and what that means for this year?
Anis Jaffer: I did look at some statistics and I saw that the trend for illegal scam calls is trending down. It makes sense that some of these things are taking effect, especially calls that are coming from overseas. However, I also saw that– and I think everybody has experienced this– the actual number of calls that we're getting still going up. It could be that enterprises are now calling and those calls may not be wanted by consumers or may not be illegal, but the true spam calls are still going on. That's what I notice across trends.
Rebekah Johnson: I think we're definitely going to see more of that this year, and maybe we can get a definition for “unwanted,” or maybe we need to rethink how we collect this information from consumers. Consumers definitely have spoken up that they want control over the types of calls that are being delivered, even if they’re ones that they've signed up for and they no longer want to receive. They want to deem those as unwanted. It's still an area that we have to explore, and I think on an enforcement side, even on a rule-making side, that's a really hard one to weigh in on. I think the market has to figure that one out. When we look at deadlines that occur, there are quite a few since our last season and the kick-off of this season.
We have the DNO list blocking that, by December 19th, gateway providers were supposed to block based on reasonable Do Not Originate lists. Where those reasonable lists exist is somewhat of a challenge…
We had January 11th—gateway providers had to submit certification and mitigation plans to the RMD. So we saw that occurring and an influx in the RMD.
The Know Your Upstream Provider requirements also, began January 2023. Again, this is on the gateway providers to follow Know Your Upstream Provider rules, which require them to take (here are those very defined words) “reasonable and effective steps to ensure that their upstream foreign providers are not providing, you know, illegal traffic. It looked like, from the enforcement on the FTC side, a good bit of them figured out how to do that whole Know Your Upstream Provider. I hope we can get some information from them in the future.
We have upcoming deadlines as well. Implementing STIR/SHAKEN for gateway providers is June 30, 2023. It seems to be June is the deadline for STIR/SHAKEN implementation, but this year it will be on the gateway provider, so I’m sure we'll have talks about it.
My expectations for this year: more enforcement, more rulemaking, and maybe-- just maybe-- an actual reduction in illegal traffic across voice and messaging. Although sadly, I highly doubt it. And I say this, Anis, because telecom gets organized around the cons. It needs to get organized around the concept of identity for both consumers and businesses and if they do not get organized around that, we will not move the needle forward. The bad actors are more sophisticated, agile, innovative, and creative than the carriers whose networks they exploit. Speaking about actor ingenuity. This year they launched a new product, Anis. It's called voice simulation scam calls. It's horrible! Have you heard about it?
Anis Jaffer: I have not. Tell me more about it.
Rebekah Johnson: This is a recent one where a mother received a phone call and it sounded like her daughter screaming, yelling, who had been kidnapped. And the kidnapper got on the phone, and obviously, the mom was panicking and said, you have to transfer certain money. While this conversation is going on, the teenage daughter, whose voice she heard on the call, comes walking on the stairs and basically asks, “Mom, what are you doing? Who are you talking to? And why are you freaking out?” It's frustrating.
This is where the mom in me really comes out. It's egregious that the telecom space is still not talking about identity. We're still trying to figure out what to do with STIR/SHAKEN. STIR/SHAKEN, you know what, we deployed it, it's an avenue for identity. We have got to move the conversation over to verified identities in order to restore trust in communications because the entrance of AI and these bits will just erode this entire infrastructure, rendering it useless. We cannot trust what's on the other end of the line.
Anis Jaffer: Yeah, that's crazy, I mean, but everybody has heard about ChatGPT and the development in AI, but this is going to be really difficult if voices are being impersonated, right? And as you said I think identity is the key. How do you make sure that the calls are being initiated by the right person or entity? So, identity is the key. For far too long the telecom industry has been depending on telephone numbers’ identity which is completely wrong. You have to shift the mindset here and build processes that will truly get to the real identity of an individual or an enterprise to solve this problem.
Rebekah Johnson: Yup! And the closest thing that makes an attempt to display an identity to a consumer is “branded calling,” but this is not built on identity standards of any kind. And the current branded calling doesn't even leverage STIR/SHAKEN. It's completely out of band, over the top. So, I'd like to make a plug for NIST Standard 800-63 for just a moment, because that actually is a standard for identity. If you don't know the standard, then I think we need certain actors to stop talking about trust and secure communications. We cannot use these words if we're not implementing the proper standard around identity and then injecting it into the voice call. Everything else is going to fall short. So, I think that's our job, Anis, part of this year too, is to bring the subject matter experts-- I want the standards writers in the space of identity, who are fighting this on a global scale, to educate and bring awareness into the telecom space, so we can innovate around it.
Anis Jaffer: I 100% agree. I think we have some sessions identified to talk about identity, so we'll get the right people on. We’ll probably have a session on it and go through the standards that you just mentioned. So, more to come later this season. Now, talking about branded calling that’s currently being positioned as a way for identity-- again, those solutions are not assets available today and are not structured to identify who's calling. Anybody who has access to that branded provider can get enabled. However, there is no check on who's actually originating the call, so you could have an enterprise sign up for branded calling, but then you could have another person or individual use the same number and get branded calling. It's broken as it is available today.
I think these solutions that are available are mostly name-only assets available and it's a rebatch CNAM solution, and we all know that that's broken. The way the carriers have decided to implement branded calling today is very broken. They do not have the operational procedures to identify who the enterprises are and the entities that are behind making those calls, especially when you have enterprises and BPOs supporting them in originating calls. I personally don't think the current brand of calling solution that's available is not the solution to have a secure calling experience.
Rebekah Johnson: I like what branded calling offers and I appreciate the innovators in that space, but it is not the solution for secure delivery of calls. It is not the solution that restores trust. If anything, it is the avenue through which a bad actor can hide. We're just giving them another place to slow down and put someone else's name in front of them. I personally had my Citi card– got a call, it's a Citi card number, and it says that it's from the bank because it presents the name, because it's CNAM, it's not secure, you can spoof it. I get on the call and this gentleman is talking the right stuff, tells me that my card has been compromised, he's here to help me, and wants to make sure that we shut it off. Oddly enough, my card had been compromised months prior, so the false transactions sounded really familiar. That seems about right. He lost me when he asked for the credit card number. He got very upset and he got angry and got mad, And he's like, “No, no, I'm trying to help you.” The scary part is that he says, “Hold on a second, I'll prove it to you.” Time goes by a small amount, comes back, and gives me the balance of the card to a T. That's terrifying. That is terrifying. And that is exactly what I was afraid of with branded calling– that once the bad actors knew that this feature was available and it knows what TNS belong to what bank, they can call and pretend to be them. Then all your analytics and analysis would not work because that number was an accurate number. The message reflected the name on the call. How would you know? So we've got to shift. For the sake of consumers, we've got to shift.
Anis Jaffer: I agree. On the standards side, delegate certs were expected to at least have some layer of additional information as RCDs were added as passports to this base certificate. It should have helped with having an accurate way of attaching to the RCD asset, but it has its own flaws. It is cumbersome for enterprises to get their own delegate certs and have them sign those calls because calls are getting signed at the OSP level. That was one issue. The subordination involved multiple entities. Then, you have enterprises behind BPOs and it was just way too complicated. Even after, let's say, somebody is able to get it in and they're able to sign the call, it still has to go through multiple nodes and there is no guarantee that the RCD passport will even make it to the terminating service port. Let's say it makes it there and then the terminating carrier has to trust that they got this in a secure way and render it on the device. I think the model is okay, especially on the server that was proposed, there’s a good thought process behind it as an idea, but the implementation of the execution is not viable at this point. That's another area that we are watching. There are some models that are being proposed in the next few months; we may get to know more about what else can be done so that we can have trusted players with specific roles in a secure ecosystem so that when calls are made, a terminating carrier can render the outside information by trusting all the players. Essentially, I'm looking forward to seeing if there is a Zero Trust Model where every player can be verified along the different nodes before it actually gets to the terminating carrier. So, something to watch for as we go through this year.
Rebekah Johnson: If nobody else is going to bring the conversation to the table, we're going to do it– we need to talk about Zero Trust Architecture, yet again. Yet again, telecom is a wonderful location to deploy some of these security concepts. So, I would like to see that folded in under what we are doing holistically as an industry and everybody's role, whether you're a CPAs provider, you're the enterprise gateway provider, terminating service provider, or originating service provider. Guess what? You can participate in a Zero Trust Framework. I think we need to start shifting our conversation to that as well. So, it's already out there, it's published, there are experts right here in DC and I would love to have some of them join on a Tuesday Talk, but that will help move us down that direction because we definitely just don't need more products on the market. We need security within the telecom infrastructure.
Anis Jaffer: Right.
Rebekah Johnson: Speaking of more products…
Anis Jaffer: Yeah, let's move to the messaging world. We talked about voice quite a bit. So, as expected, robotexts and scamming on the messaging channel have increased. The 10DLC campaign registry process seems to have its own issues. We're getting several inquiries from clients who are trying to navigate this space. Any updates that you have that you can share with the audience on the messaging side?
Rebekah Johnson: So, 10DLC is the soap opera that never ends. The characters die, and then they come back through some miraculous surgery, and then people dating the same people, and the storyline just never seems to progress. That's your update for 10DLC. That's it. But in all seriousness, this is a solution that doesn't seem to be taken seriously anymore due to the ever-moving goalpost deadline for registration. So, this stick does not have a carrot, my friend. Simply put, terminating carriers such as AT&T continue to threaten increased rates for unregistered traffic, which is quickly becoming more problematic. I think 10DLC could use a redo, perhaps. Step back, maybe. Let's see why this isn't progressing forward. Is it structured properly? What are the challenges, and how do we get over those challenges? I think its deployment into the messaging ecosystem and the carrier's dependency upon service providers and aggregators to play a role, in my opinion, is where the whole thing went wrong. And I can say that because it's not successful and this deadline keeps moving. If it was successful, we wouldn't be at this point.
I would like people to stop defending what 10DLC is and where it's at. I'm not saying anybody's a bad actor, but it's broken and it's got some problems. So, I would really like for this year, if we could move to actually solving it. The carriers need this to work. I don't put the blame on the AT&T's and the T-Mobile’s. They had every right to throw their hands up in the air and say, “For the love of all things mighty, all that traffic that keeps coming into our network– we're doing everything we can to protect our subscribers, but we've got to up the game.” Do you know what's interesting about 10DLC? It's just identity. It's identity and how you deliver it across the messaging framework. Looks like another opportunity for a Zero Trust Architecture to be applied to end-to-end for messaging. I might have some ideas on that. So, I would like to see that be a topic and bring some people into the Tuesday Talks podcast that can speak to that– tell us what needs to be changed and also hear from enterprises on the challenges that they have with it.
The reason why that switch is not going to get flipped where all traffic that's not registered is going to get blocked immediately is that it's not fully deployed. We stand the risk of shutting off hospitals, schools– that's too risky. That's too risky. We’ve got to make some changes. What's been your experience? I know you talk to people about it as well.
Anis Jaffer: Most enterprises are frustrated that there is no clear direction on how to get their messages through the rates and the tariffs that seem to be changing. I also saw that the deadline got pushed out. That's another moving goalpost. We don't know if it’s going to continue to happen or if this is the final deadline. Nobody knows. It's something that from a product perspective, yes, I want to see if I can figure out a solution that would be available for enterprises. But that's something that we have to look at and evaluate as we go through this year. I agree with you, it has to come down to identity. How do we make sure that the organizations who are leveraging messaging platforms are identified and have a way to transfer that identity so that it can be trusted all the way through? Talking about identity, I know you spent some time looking at identity, especially in terms of how individual identity plays on the internet, and attended some conferences. Give us an update. What did you see, what did you learn? How do you think it can be applicable to us in the telecom world?
Rebekah Johnson: Well, this East Coaster went to the West Coast and dropped myself in Silicon Valley with a bunch of identity people. It was refreshing. It was kind of nice to be surrounded by people who think about identity and are eager to solve problems with identity. There's a lot of really nice, genuine thought that's been applied, even from the standards. I met some of the standards writers, phenomenal human beings, very brilliant, very smart, and passionate. Anis, the almost desperation of these identity experts for the industries to adopt it was overwhelming at times and they are extremely alarmed, especially around AI, which I said, we're going to have some of those guests, this is what they live and breathe. I returned back from that event really motivated that we're on the right path, here. Even though Numeracle is somewhat alone in the conversation of identity for telecom at this level within STIR/SHAKEN, it's the right path for the industry and there are a lot of experts who would agree. So, I'm really looking forward to bridging that expertise that's out there on the West Coast– we got to bring it over here into the DC area– and I actually led a session about how we get these experts into the lawmakers and the regulators. and I think I'll be participating in some of those activities because it's needed. It was refreshing to see that but I think that's the conversation we have to have that on a regular basis. Innovators in Telecom should be thinking about how do I bring identity into this, into what we are doing, which is what our team focuses on all the time. So I was energized. I think it's the absolute right thing to do and I'm looking forward to how that can change and actually restore trust in communications.
Anis Jaffer: Awesome. So, more to come on that, I guess. We'll have to get some of those folks on the Tuesday Talks as well. Yes, I think we are about four minutes. Maybe we should take some questions.
Sarah Blantz: Yes. The first question we have for the both of you is what is the single most impactful recent move by the FCC that enterprises should keep an eye on?
Rebekah Johnson: I'll address that one. The FCC is really focused on the service provider. So, this is a good question because you have to tie what the FCC is doing with regard to who it has the authority to regulate and then bring that down to the enterprise impact. From that, I think the most important thing that the FCC is doing from the enterprise perspective is whittling away the exemptions for STIR/SHAKEN. Far too many calls, now, are still not being signed. They're still not being signed. So the only ones that are signed regularly are mobile-to-mobile. I know when I call my children or my children call me, those calls are getting signed. That's not my problem area. Until all call routes are signed, the value of STIR/SHAKEN is diminished dramatically and that's the negative impact on enterprises, and what enterprises should be looking for is the FCC removing all those hurdles and connecting all the pipes.
Sarah Blantz: Alright, the next question we have for you is how do we trust our calls to answer them?
Rebekah Johnson: The answer: you don't.
Anis Jaffer: Sadly, I don't trust, especially when I don’t recognize the numbers. I let it go to voicemail. I guess I’m still against– along the same answer as before– until all carriers adopt end-to-end verification of trust, it's going to be difficult to trust who's calling. If it's a contact that you already have and it's closer to a person, it's a little better off, but otherwise, it's challenging as we have it today.
Rebekah Johnson: Until we start talking trust and identities, it's not going to happen. You don't just fall into this. Someone has to actually build it and put effort into it. Anis, from this perspective, I think it'd be good to get feedback from enterprises on what hurdle they’re not willing to cross over in order to have their identity verified and delivered as trustworthy to the consumer. I don't think there is one. So, everyone's here to support it. We just need the carriers to deliver it and the FCC to require it. That's it. So simple. So simple.
We'd like to thank all of you for joining us today to kick off our first episode of Tuesday Talks, season 3. We'll be continuing the conversation of identity at our next live Tuesday Talk session on Tuesday, May 9th, where we'll be updating you on the FTC enforcement actions we predicted in season two, our discussions on KYC, and then flipping the conversation to introduce the concept of Know Your Vetter. It's a term that we're introducing and defining for the industry. So, we hope you'll come and join us with plenty of questions for us. Thank you and we hope to see you again!
