
Washington’s new anti-robocall law won’t stop the calls - grzm
https://www.wsj.com/articles/washingtons-new-anti-robocall-law-wont-stop-the-calls-heres-why-11577367931
======
nahikoa
The technology behind STIR/SHAKEN is relatively interesting, integrating
certificate authorities into the SIP protocol:

[https://www.atis.org/sti-ga/resources/docs/shaken-faqs.pdf](https://www.atis.org/sti-ga/resources/docs/shaken-faqs.pdf)

As the article mentions, there are some shortcomings. Caller ID spoofing is
necessary for some services, as in the VOIP world calls are broken up into
termination (dialout) and origination (dialin). If STIR/SHAKEN takes hold, the
CID phone number for termination will have to be signed by the origination
carrier. It should be fun to watch the carriers handle it. (There are 3 levels
of attestation, but that's the gist.)

Bandwidth.com also has a good overview:

[https://www.bandwidth.com/glossary/stir-shaken/](https://www.bandwidth.com/glossary/stir-shaken/)

~~~
yellow_lead
I just implemented this at a telecom. To expand a bit, the three levels are A,
B, and C. There is also of course empty (no attestation). Three levels of
attestation are roughly:

A = I know the customer, they own this number.

B = I know the customer, can't confirm they own this number.

C = I'm sending this call out, but I know nothing of the customer or this
number.

Carriers sometimes don't want to receive anything other than A, because it's
probably useless to them. By that I mean, if it's not A, they don't want to be
sent the attestation level or identity header at all.
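
Added example, not part of the original comment or any carrier's code: a Python sketch that reads the attestation level out of a SIP `Identity` header carrying a SHAKEN PASSporT (RFC 8224/8225/8588) and applies the "only pass A downstream" policy described above. Function names, hosts, phone numbers and the sample header are constructed for illustration; the signature is not verified here, so the level is only a claim until it is checked against the certificate named in `x5u`.

```python
import base64
import json

LEVELS = ("A", "B", "C")  # attestation levels described in the comment above

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return json.loads(raw)

def parse_identity(value):
    """Split an Identity header value into (JOSE header, claims, parameters)."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT needs header.payload.signature")
    pairs = dict(p.split("=", 1) for p in params if "=" in p)
    return _b64url_json(parts[0]), _b64url_json(parts[1]), pairs

def attestation(value):
    """Return 'A', 'B' or 'C'; None for a missing or malformed header.
    The signature is NOT verified here, so the result is only a claim."""
    if not value:
        return None
    try:
        jose, claims, _ = parse_identity(value)
        level = claims.get("attest") if jose.get("ppt") == "shaken" else None
    except (ValueError, AttributeError):  # bad base64/JSON, wrong shape, non-object
        return None
    return level if level in LEVELS else None

def forward_identity(value, accepted=("A",)):
    """Keep the header only when the downstream carrier accepts its level."""
    return value if attestation(value) in accepted else None

def sample_identity(attest):
    """Constructed, unsigned sample; hosts, numbers and signature are dummies."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    jose = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["15555550100"]}, "iat": 1600000000,
              "orig": {"tn": "15555550123"}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(jose)}.{enc(claims)}.c2ln;info=<https://cert.example/sp.pem>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    for lvl in ("A", "B", "C"):
        print(lvl, "forwarded" if forward_identity(sample_identity(lvl)) else "stripped")
```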

~~~
nahikoa
Do you see any/some/most/all carriers implementing STIR/SHAKEN for termination
soon?

~~~
mehhh
As someone who works with multiple carriers, I doubt anyone outside of the
wireless carriers and Inteliquent will implement STIR/SHAKEN soon in the USA.

Inteliquent (aka Neutral Tandem, Onvoy, Exiant, Vitelity, plus 20 other
sub-brands) is the only provider implementing this protocol outside the cellular
industry, and most of the CLECs they work with are not capable of maintaining
SIP with a TLS certificate, let alone their own PKI as STIR/SHAKEN would
entail.

~~~
yellow_lead
Yeah, it's mostly wireless carriers at least for now. Already T-Mobile and I
think ATT are rolling this out to consumers, called Certified Caller ID I
think. However, the FCC is coming down hard on all carriers for this. I don't
know if there are any fines for not having it implemented, but I know Chairman
Pai said he expected it to be implemented this year. Obviously, telecom moves
slow and it's not possible for all carriers. Even some SBCs I'm sure don't
support it (specialized call handling hardware). It will be interesting what
kind of legal requirements they put in place with regards to this. I think
they will try to strong arm all carriers soon.

------
Jaygles
I've just stopped answering my phone altogether. If something is important
enough the person calling should leave a voicemail.

~~~
exhilaration
I always answer the call and then joyfully "block/report spam" the number in
the Android dialer. Being able to do something to fight back is satisfying
enough that I don't ignore the call.

I did just switch to T-Mobile and they pass "SCAM LIKELY" as the caller name
so I may start declining those.

~~~
unlinked_dll
The block button doesn’t do anything since most of the phone numbers are
spoofed (someone pretending to be someone else).

Filtering out any number that shares my area code and first three digits and
not in my phone book would go a long way to getting rid of spam.

~~~
tartoran
I agree, this only blocks legit numbers since they're spoofed anyway and next
spam call will be an auto-generated number anyway (from a similar area code).
My solution is to simply not pick up calls that are not in my phone's address
book. I still get a lot of annoying calls, from a few a day to dozens. It's
frustrating but I refuse to get annoyed, to keep my sanity. Most of the calls
that I get are making an announcement in Chinese. I am not Asian and I do not
understand Chinese. I've read somewhere that it's a scam meant to swindle
Chinese citizens in the US for money.

My wife received a call from a person who was angry at some phone scammer and
started cursing her and telling her not to call anymore. My wife tried to
explain that she did not make the call, that the number was spoofed, but to no
avail, the curses continued until they hung up. I find this kind of breach
quite problematic and don't really understand how it can proliferate to this
extent.

------
Aardwolf
This problem doesn't appear to exist at that scale (there exist some spammy
call centers of course, and apps to block them...) in Europe.

Not sure if that is legislation, technology or culture/economy related, and
whether it's an active solution or it just passively works out.

But what stops the US from doing whatever Europe is doing to not have tons
of robocalls?

For one, making calls costs money. How can robocallers actually do multiple
calls at the same time at a reasonable price in the first place? And then this
spoofing: isn't the solution against that technological rather than
legislation?

EDIT: A thing that gave me the impression the problem is much bigger in the US
than Europe, is that the first time I heard about robocalling was in a
Simpsons episode from 1996. So autodialers seem to exist for a very long time
already in the US, but in Europe they're not really being used (that I know
of. If they were used at large scale, I'd have noticed I guess?)

~~~
viraptor
> For one, making calls costs money.

It gets a lot cheaper at scale.

> And then this spoofing: isn't the solution against that technological rather
> than legislation?

"Spoofing" is just a name for using caller ID you shouldn't. There's no tech
solution for it... unless we create a global federated registry that can be
queried online, a new phone network which cares about it, and migrate every
phone in the world to it. POTS will be alive longer than us.

~~~
Aardwolf
I never noticed this spoofing ability in Europe though. Can someone make a
phone call and appear to have a different number (and is this about mobile or
landline numbers)? If so, why isn't it being done at large scale in Europe to
get around apps that block known call centers?

Why would there be no tech solution around fake caller ID? The phone company
knows who it's billing for this call, doesn't it?

~~~
y4mi
iirc, the calling number is reported from the calling device, not the service
provider.

I remember playing around with that on my rooted Android phone years ago
(around Android 2.0-2.2) in Germany.

It would probably be possible to discard this information from the client and
overwrite it as the service provider, but they weren't doing that at least
back then. It would also be costly (like a MitM proxy overwriting headers).

That was around 10yrs ago though. Might have changed by now.

~~~
viraptor
It's not costly. There's a lot of similar processing already happening, the
proxies you mention are not mitm - they're part of the system. Most providers
do ignore what you send them about your external caller id - in many cases you
don't even know the correct one. Blind forwarding the cid is a bug rather than
something people decided to do for cost or other reasons.

------
mkaic
I’m one of those people who thoroughly enjoys scam baiting. I answer every
robocall I can, and connect to a live scanner whenever possible. Every minute
of theirs I waste is a minute they’re not successfully scamming someone else.

~~~
D-Coder
"My credit card verification number? Hold on a sec, my card is in the other
room, I'll go get it." Place phone on desk.

------
advisedwang
I find it amazing to see STIR/SHAKEN[1] mentioned in an act of congress.
Rarely does congress mandate specific technology, usually it just grants
authority to make rules to agencies or imposes some kind of duty. I wonder why
this law goes this route.

[1] [https://www.fcc.gov/call-authentication](https://www.fcc.gov/call-authentication)

~~~
slaymaker1907
I think it is because the current FCC is proving itself to be too incompetent
to solve the problem of robocalls among other things.

~~~
imglorp
*beholden

------
daemonk
I wonder if it is possible to forward robocalls to another service that will
attempt to keep the robocaller busy as long as possible. It would be great if
everyone can just answer the robocalls and press a button to forward to a
time-waster service. Hopefully, every busy robocall is one less call to
another person.

~~~
QUFB
I have a pretty stupid bot set up with Asterisk. I think the record is 17
minutes, and the bot even repeated the script. When I get bored I put up some
calls:

[https://www.youtube.com/channel/UCYyYngFvpbNqsAhpAI6DoeA](https://www.youtube.com/channel/UCYyYngFvpbNqsAhpAI6DoeA)

~~~
heavyset_go
I love this. You wouldn't happen to have a blog post that details your setup?

~~~
jffry
I wonder if it's based on the same thing as
[https://old.reddit.com/r/itslenny/top?t=all](https://old.reddit.com/r/itslenny/top?t=all)

~~~
QUFB
Yeah. Lenny wasn't so effective for the vacation, Google Listing, or insurance
scams so I re-recorded it.

------
e2le
Perhaps allowing people to call via a static IPv6 address routed to their
phone would resolve the issue with spoofing. A single range would be reserved
for VOIP services such as 2002::/16 and subscribers would be allocated
addresses that could be shortened and made to look like traditional phone
numbers.

I feel like any other solution adds yet more complexity and I would argue the
only thing that should be necessary to make calls is an internet connection.

Some VOIP applications already accept calling via IPv4/IPv6 addresses.

------
swsieber
My recommendation is to get a phone number with an area code out of state.
It'll be pretty easy to avoid spam calls because they'll use your area code.

------
awinter-py
having a phone number will go the way of the landline

same with email addresses -- this is some combination of your identity and a
license to spam you

spam protection is the main feature of gmail because email wasn't designed
with fraud in mind -- an email system rebuilt from the ground up for 2019
would be safe for medical information, receipts, not be the giant password
reset security hole that email currently is, and not allow randos to spam you

every new product designed in this century needs to prevent fraud by design
(including spam)

~~~
JohnFen
So then how would people reach me? Ignoring snail-mail, all means of reaching
me involve either my phone number or email address.

~~~
lmm
Perhaps you'd give them single-use invites, or invites that included some form
of certification path? I've noticed that Discord makes me go out of my way to
hand out a reusable/non-expiring invite URL instead of a 1-day
use-up-to-10-times link; obviously Discord's implementation relies on their hosting
all the servers, but one could imagine a cryptographic equivalent that worked
in a federated protocol.

~~~
JohnFen
I don't use (or want to use) chat apps like Discord and such, though. It would
also be a real challenge convincing the people I interact with routinely to
start using such apps.

~~~
lmm
Sure; my point is that we can imagine email/phone-like systems that would work
the same way.

------
inkeddeveloper
This is why we need more technology-focused people in congress.

------
nkskalyan
I have stopped answering unknown numbers and let Google Fi Screen for me.
Robocalls mostly drop at this step.

------
neonate
[http://archive.md/i54VT](http://archive.md/i54VT)

------
righteous
This is an economic problem not a technical one. We simply need to make it
unprofitable to wholesale spam call citizens of the wealthy first-world.

Every outbound call should cost $1 to the terminating carrier. ATT,
Centurylink, Etc. Recipients can mark spam calls (*69, an app, whatever) and
the dollar is split between the carrier and consumer. After 60 days the money
is returned for calls not marked as spam.

No calls are connected that don't advance this money.

Now, the assholes who dial 2,000 people a minute will need to afford $2,000 a
minute of credit to run their operations.

Carveouts or credits can be extended to bona fide groups such as political
parties, 503c, etc.

Over time, trustworthy callers will have a revolving account or insurance to
cover the costs. Untrusted callers can no longer afford to make calls.

~~~
lilyball
You’re now incentivizing the carrier to deliver spam calls, and the customer
to report as spam every call they receive from a party they have no
expectation of talking to again regardless of whether it’s spam.

~~~
timbit42
That's fine as long as the spammers are disincentivised enough.

------
8bitsrule
I'm not sure why Washington has to be involved in this.

I've owned a landline phone that had a blacklisting feature. A little useful,
except everyone got one shot ... until the available memory slots were used
up. I bought it.

Why any phone with a CPU would not offer a whitelisting option is a mystery.
Not on the list ... zero attention paid.

