Mentioned Content
- Number Spoofing
- STIR/SHAKEN
- CNAM
- Brand identity
- Branded Calling
- Call Authentication
- KYC (Know Your Customer)
- Telecom Trust Architecture
Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today's session with Doug Ranalli, Founder and CEO of Gated Networks, a provider of enhanced display settlement services to the branding ecosystem. Prior to Gated Networks, Doug was Founder and Chief Strategy Officer at a little-known company called netnumber. Huge, powerful. You did amazing work there, and I became a big fan. At that time, netnumber was a leading provider of core network signaling control technology to the Global Communications Industry. The thing that you will learn very quickly about Doug is that he is a serial entrepreneur. He's the author of six communications-related patents and the subject of several case studies utilized by MBA programs around the world. He holds a Bachelor of Science in Industrial Engineering from Cornell University with distinction and an MBA from the Harvard Business School where he was a Baker Scholar. Welcome for the first time to the podcast!
Doug Ranalli: Thank you so much, Rebekah. I hope this is the first of many.
Rebekah Johnson: Absolutely. I cannot believe that we had this many Tuesday Talks and you were not a guest. I was thinking about it and I realized that's because we did so many other talking engagements that I probably forgot I need to have you as a guest on my podcast. So, I am very excited to have you here. I know that we will try to cram as much as we can into this short time frame, but I really couldn't think of a better guest to bring on to talk about trust and telecom trust transformation. And it really is a transformation. I'm looking forward to diving into this but as I always do, I love words and I love how they're defined, so I wanted to look at the word "trust" before we really take a deep dive into this concept with telecom. Trust is the belief in the reliability and the truth of something. Very simple. We hear talk that consumers have lost trust in the voice call. We hear it from the FCC, we hear it from the consumers themselves. You can Google it, you'll find it, it's in the news, in the media, and what this means is they do not believe in the reliability or the truth of the information presented to them at the time of a call. They don't trust the location. And that's what I'm referring to, that local area code prefix. We don't trust it anymore if we see it. They don't trust the name presented and they also don't trust who's on the other end of the call. They just don't trust this because the information provided is not reliable. What are your thoughts on that?
Doug Ranalli: I completely agree, Rebekah. When the public switch network was first created, it was actually a physical network. I think a lot of people still have a memory of that. There were wires that ran down the street and a wire literally ran into your house or ran into your business. If you picked up the phone, you were utilizing a dedicated wire that ran all the way through the network and a circuit was established and that was literally just linking together these wires from end to end. And everyone's seen old movies where people tap into the phone network, right? That's what was required to spoof something in the past. You had to climb a pole and actually intercept something on a wire. So, that practically didn't happen. If someone called you, you knew who called you, they couldn't spoof where it came from. But 20 years ago, we started making a transformation from the legacy circuit switch technology to what is today known as Internet technology or packet switch technology. When we did that, we inadvertently broke that trust model. We now no longer have a reliable way of knowing who originates a call. Bad actors worldwide have taken advantage of that and users have now suffered enough that they no longer trust for good reason. Bad actors are spoofing in an uncontrolled fashion trying to take advantage of us. And as an industry, as an economy, we just simply need to fix it. This has to go away completely.
Rebekah Johnson: It's kind of funny, I forgot when you mentioned someone climbing a pole and listening in. I actually used to fear that as a teenager. I thought my parents were going to listen in. I wasn't smart enough to know that all I did was pick up the other line in the house and try to easily lift up the clicker so that you couldn't hear. I did have fears that someone would be listening to the calls. This is what it really comes down to. I think we forget that the reason why we have a trust issue is like you mentioned, it's actually due to the technology. We, consumers, are talking about not trusting the information presented on our phones. We have to look at the delivery of this information and the technology that's used to deliver it. That's actually the root cause of where this trust is broken down. I took a little bit of time to do some research... Telecom goes back before I was born, so I go back to the 1970s and I was quite surprised that that's when the first kind of solutions were being created around delivery of information, around the caller just delivering the phone number that it's coming from. We used to have the operator who would connect you and you knew you had a call coming in from Susie. How such and such number was calling, would you like to accept it? We trusted that it was known information. We knew who was on the other end of the line. It could only be that one. Then, you plug and connect and there you go. Then we automated, and we still always want to know who is it that's calling us. It's a little knock on the door. Who's there before I answer? This technology has been in our minds for decades. When I look back, Doug, at the advancement, it was actually kind of rapid. It seemed like in the late 60s into the 70s, there were all these patents and new technologies, and then we hit the 1990s and then it just kind of stopped. We haven't really seen advancements around the delivery and the presentation size. 
It was like two components of the inventions that I was looking at. How do you deliver the information and then how do you present it? It's changed throughout the years. AT&T and The Bells were definitely some of the leaders in advancing that technology, but it's just stopped. One of those technologies is CNAM, where we are today. We still have CNAM as an option, but the newest technology would be Branded Calling. There are still some trust issues with that. So, why is it that we live in a state today where there is the CNAM solution and this new Branded Calling, yet we're still hearing from consumers that they don't trust who's on the other end of the call? What is broken with these solutions?
Doug Ranalli: The network today is missing, first, a requirement for knowing who's originating the call, typically known as the Know Your Customer requirement. That doesn't exist today. It should. There are Know Your Customer requirements in many industries, banking being the most obvious. You walk into a bank, you're not allowed to open an account and use the banking system without being known. You have to have an ID, and the bank is obligated to check it to make sure it's not fake. You're not allowed to use the banking system if you're not known as an entity. The same requirement should exist in the phone network. Why is it that some Russian hacker should be allowed to call me and pretend to be someone else? Why is that allowed? It's an intrusion on me as a person. It's a threat to me as an individual. And they're using the public network to reach in and attack me. Why? Because there's no requirement to know that customer that originates the call. So, that's really a regulatory matter, and I think there's lots of good work being done on that. Then, there's the technology matter of actually once you know the individual, how do you prove that as the call is originated and terminated. Now, on the technology front, the good news is we actually have all this technology. The Congress and the FCC have done a fantastic job of mandating the implementation of technology called STIR/SHAKEN. We're not going to bore people with the details, but what it allows you to do is with absolute certainty, know that when a call is originated, that the knowledge of that origination is protected and can be verified at the distant end. So, if you did the work to actually know the user, and then you signed it, the technology is called a Cryptographic Signature. You signed it at the time of origination. We could eliminate this problem, but we have to introduce this important concept of Know Your Customer so that we can stop users from being abused.
Rebekah Johnson: Yes, and I think if we go back to the example that I gave about how we trusted when it was a hard line, the call's origination, and the call's termination was across a single line.
Doug Ranalli: It was hardwired.
Rebekah Johnson: It was hardwired. By the way, little known fact, my grandfather ran one of those. He had an AT&T switch. He used to hire and manage those. So, I saw a replica of one of those back in the day. But that's what it was. The delivery was there. That's the delivery mechanism to which it cannot be compromised. The second point that you made was the Know Your Customer. So, it was known when you plugged into that particular port, who the entity was on the other end. It was that particular house, that particular phone. When we move all of this technology to an open space like the Internet, we destroyed the line and we don't know who is there. Anonymity completely destroyed what was the innate trust in communications. We still have not gotten back to that. That's kind of how I view the KYC part of it, with STIR/SHAKEN. STIR/SHAKEN is the line to create that end-to-end delivery but the KYC is that missing element. Who is that on the Origination side, so that the terminating side can trust who that entity is? And that's fundamentally, I think, why the current solutions that our listeners have access to are experiencing these trust issues. CNAM is a database, and there are multiple databases. It's up to the terminating carrier to make the decision on whether or not to dip into a database and pull information. It's detached from the originator. The originator has no way to even influence it because they cannot tell a terminating carrier what database to use. It's their choice. And your information for a single TN can be replicated all over the place, and you do not really know how your identity is being associated with that telephone number. So it's broken. I mean, it worked in the beginning, and I think it had its time, it had its value, and it grew along with the technology, but it's just not trustworthy the way that it's been deployed. Now, I want to look at the other option that our listeners have, and that is Branded Calling. 
And look, I'm not here to say Branded Calling is a bad idea. I love it. I love it. I actually want it to be better, though. I think there is an opportunity for this concept to be improved. What Branded Calling out of band has helped is put the enterprise, the entity that wants to be known, in the driver's seat, to force their identity down to the terminating side. So, they now can at least make sure when their call is delivered, their identity is presented. But they still don't have control over the line because a bad actor could also deliver a call to the terminating carrier using the exact same telephone number. We kind of wrapped identity up into this telephone number and have someone else's identity presented, allowing this bad actor to pretend to be a bank. You could take Bank of America's numbers and say, "Hey if I know they're going to get presented as Bank of America to their subscribers, why not pretend to be that?" What are your thoughts on where we are today? And then we're going to kind of move the conversation into what we think the future will look like.
Doug Ranalli: Whenever you have a really big problem like this, it's going to attract a whole bunch of people that want to enter and validly, want to try and solve it, want to try and fix it. That's what we're experiencing. There are a bunch of efforts underway. We're not going to name all the names, but there are many companies that have built their company-specific solution and they're out trying to address this problem. My personal belief is that's a great first step. It's highlighted the issue, but this is a much bigger issue. This is all about the actual integrity of the public phone network. Think of the national investment that's been made to have this network that allows us to reach out and communicate with anyone in the country. We've lost the value of that. We're not going to fix that with a mixture of maybe company A covers a little bit of it, company B, a little bit. Company C, a little bit, Company D, a little bit. That's just insufficient. We're not thinking big enough. We need a coordinated ecosystem. All those companies that want to participate need to participate, but under some common rules, some common obligations, some common structure, and it has to be audited and there have to be penalties for violating the rules. There are 30 million enterprises of all sizes in the United States that want to reach 300 to 400 million consumers. We need a real ecosystem. I view everything that's out there today as a fantastic first step. Every company that's doing it today will be and should be long-term participants. But we need to think bigger as an industry.
Rebekah Johnson: I think you touched on, to me, the biggest lacking part. It's not so much the technology, but it is that oversight. It's that trust architecture. It's the trust framework that just doesn't exist in telecom today. We have to create that. There are roles, there are processes just like you mentioned in the banking space. Banks would operate independently on their own and that made for money laundering. Very easy, very simple to do. So, there had to be some established processes, there had to be reporting mechanisms, there had to be oversight, and there had to be penalties. I mean, you and I can get caught up in that KYC process even on fund transfers. Just setting up my son's account has been a bit of a challenge and I'm not complaining because I'm like, well, you know what, we do have to have this KYC process on every single individual that wants to open a bank account because it can be used for nefarious activities if we don't have it. We've already accepted Know Your Customer as a consumer, we've accepted this in the banking space. So I think Doug, that's going to be one of the hurdles that we have to get through is the acceptance of it in the telecom industry. Telecom really does not like change at all. While you and I can talk about this very simple next step, it makes logical sense as far as an industry is concerned, including the standards side of it. The regulatory side of it is still a bit confusing on exactly what those next steps are. I think it requires innovators such as yourself. We also have some participants that I would put into that bucket of the innovators with each of us doing our little part to help move this along. Let's talk about the other part when we're looking to the future. We have to do this Doug. We cannot stay in the status quo as AI gets introduced, as the fraudulent actors get more sophisticated for the future of our children to leverage these services. 
This goes down to texting too, any communication channel we have got to implement and introduce the concept of a trust framework, and then we can grow from there. I guarantee the first one out of the gate is not perfect. I guarantee we're going to have to make some changes and we're going to make some people really upset. We'll make enterprises upset, it's going to make carriers upset. But we have to do something and I think we can at least get to the point where everybody would agree that the current state is just not secure enough. There's a future that we need to get to and when you look out to the future on where this is going to go, I know what I think the hurdles are going to be for the industry. Who else or what else would be pushing back on this? Why wouldn't the carriers and enterprises and service providers embrace this?
Doug Ranalli: Well, I think money is actually a big issue.
Rebekah Johnson: Agree.
Doug Ranalli: Back in the day when this network was a secure end-to-end physical network, it was a lot more expensive. I built a business decades ago in international communications, and I was studying a route from calls from New York to Tokyo, and this is back in the late 1980s. The first minute of a call was $3.60 for 1 minute of a call. It was very secure, but, boy, it was very expensive. In the intervening time, when we switched the network from physical infrastructure to packet-switched, we got this huge reduction in cost as a country. You can now call from New York to Tokyo for pennies because it turns out, transmitting those bits of data is very, very cost-effective. That's been great, but we lost trust. One thing that the industry has got to get used to is that trust is more expensive than bits of data. So, yes, you can connect a call for a very tiny little bit of money with no trust. But if you want trust, it costs more. It actually costs a lot more now.
Rebekah Johnson: It's more than $8.99 a month!
Doug Ranalli: The good news is we're not going back. We're not turning this back to the 1980s. $3.60 a minute... We're still talking about tiny amounts of money here. Enterprises have to get used to the fact that if they want to be trusted and they want people to trust them, that costs money and they shouldn't get upset about it. Think about how much money it costs to have someone call someone else. You're talking about many dollars. I'm discussing many cents. Okay? But you have to spend money to support trust. I think that's probably what causes the biggest consternation because people, of course, always want things for less.
Rebekah Johnson: Well, and I think that's just the natural progression of it. I mean, when we move to an IP infrastructure, it becomes much more accessible. The barrier to entry goes all the way down, and it is a race to zero because of the way that we've taken advantage of these technologies. But it also introduced fraud on a massive scale. I think this is just that when we look back on this 20 years from now, we'll just see that that was just part of the natural progression to move to this next level. If we can bring back and keep the fraudulent actors out, my hope is that the voice channel actually does become more valuable, more valuable than just the value you get from the Branded Calling today, that we only have the good actors on the network, and the cost barrier helps keep out the fraudulent actors. I mean, Doug, it's on so many of the enforcements talking about why it was so easy to deliver millions and millions of calls in a month. Because it doesn't cost anything. It's so easy to rob people.
Doug Ranalli: Yes, it's so easy to rob people. And that's just not right.
Rebekah Johnson: Twitter taught us that you can't just charge for it. You actually have to have a KYC process to it. So, we learned from Twitter that the bad actors will pay. They will pay to be able to get their information through. We have to do more than just a credit card swipe. We actually have to put a KYC process in place. It's so critical that it be those two components and not one or the other. I think we'll see a combination of the delivery of this information. It could be in-band, or maybe it could be out-of-band, but it must be in a trustworthy, deliverable way that cannot be compromised or spoofed. Someone cannot mimic the identity. If enterprises are having their identity verified, then they deserve some protection if they're going to pay for it. From what I see in the industry, I think the response is going to be yes. There will be additional protections to ensure that your identity is not used against you because if it's allowed to do that, which is one of the issues with the out-of-band Branded Calling right now, it's a hard pill to swallow to pay for that. You might actually just be exposing yourself to having fraudulent actors take your identity. Final statement, Doug, from you. Before we close out.
Doug Ranalli: I just want to say thank you for doing this. Thank you for continuing to raise awareness. This is going to require, as I said at the start, an ecosystem. I'm very happy to be part of that, and I hope that we can achieve a world where everybody agrees. I just don't want to receive a call. If someone's not willing to do the work to be known, just please don't call me, okay? I don't even want my network to present it to me. This just needs to stop. And I hope we can continue to raise awareness and make progress.
Rebekah Johnson: I agree. We'd like to thank all of you for joining us for another episode of Tuesday Talks. I'll be back live on Tuesday, August 22, to tackle the dynamic relationship between Digital Trust and Zero Trust strategies with Dean Coclin, Senior Director of Business Development at DigiCert. In this episode, we'll challenge existing paradigms and provide actionable solutions that can be applied across all communication channels. It will be so good. We'll see you soon. Bye.
Rebekah Johnson is the industry’s leading expert in establishing trust in omnichannel communications through Numeracle’s Entity Identity Management™ platform. With over ten years of regulatory government and compliance experience, businesses have leaned on Rebekah’s expertise to guide them through the evolving complexities of maintaining successful call delivery and positive brand reputation in a changing ecosystem.
Rebekah is an active member of the FCC Hospital Robocall Protection Group, Chair of the Enterprise Communications Advocacy Coalition, and also represents the voice of the enterprise through her leadership on the ATIS IP-NNI Task Force, co-author of the SHAKEN standards. Prior to founding Numeracle, Rebekah served on the FCC’s Robocall Strike Force on behalf of the Empowering Consumer Choice Working Group.
Douglas Ranalli is the Founder and CEO of Gated Networks, a provider of enhanced display settlement services to the Branded Calling ID ecosystem administered by the CTIA. Prior to Gated Networks, Mr. Ranalli was Founder and Chief Strategy Officer of Net Number, Inc., a leading provider of core-network signaling-control technology to the global communications industry. Mr. Ranalli is a serial entrepreneur, the author of 6 communications related patents, and the subject of several case studies utilized by MBA programs around the world.
Mr. Ranalli holds a BS in Industrial Engineering from Cornell University (with distinction) and an MBA from the Harvard Business School where he was a Baker Scholar.