Apple needs to change iPhone’s call UI because robocalls are killing us (spencerdailey.com)
268 points by spenvo on Dec 26, 2018 | 294 comments

"At the telephony-infrastructure level, it’s a supremely difficult problem that lacks a short-term fix because the underlying protocol is hopelessly insecure."

This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.

The real problem is that everyone except the consumer benefits from this. Every phone company in the chain from the scammer to you takes a penny out of the scammer's profits.

At this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.

There already is a proposed technological solution to this: https://transnexus.com/whitepapers/stir-and-shaken-overview/

The FCC has recently "demanded" US telecoms to implement this [0], but at this point I don't believe there is actually a regulatory requirement to do so.

[0] https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf

I prefer an economic solution. Currently, you can sue a robocaller under the TCPA, but good luck collecting. Make each carrier liable for judgments against robocallers routed through their network. So, if I sue John Doe for robocalling me and I can’t collect, and I’m a Verizon customer, then make Verizon liable for those damages. This should come with some limits, but they should be large (say 10% of nationwide annual revenue, and there could plausibly be a limit per carrier that routes to Verizon). This liability should be unaffected by any terms in Verizon’s contracts with its customers (e.g. arbitration clauses), and telcos should not be able to penalize their customers in any way for collecting.

I bet that a law like this would get the problem fixed fast.

So by 'economic solution', you mean requiring litigation in the courts at tremendous cost to all parties (including the taxpayer) to create an outcome that could easily be enforced proactively by the FCC?

How is adding a burden to the courts with suits you know will be unfruitful better than a simple regulatory requirement that carriers must do what is clearly the right thing to do?

I am far from convinced that the FCC is capable of picking a technological solution by fiat that will actually solve the problem, especially since, like almost all crypto, it will surely be easy for the telcos to be lazy and mess up the implementation in a way that robocalls get through.

Instead, I think the regulation should focus on the outcome: if a telco allows an illegal call through and cannot trace it back to a responsible party who can pay the fine, then the telco messed up and should pay for it. Then they’ll have a financial incentive to solve the problem in a way that works.

Of course this can be fixed. Other countries did it. The problem is that consumer protection is... lacking in the US and big business is God.

I bet that instead, you'd just get a new contract in which Verizon decided that it was only free to talk to other Verizon numbers, and would require you to pay extra to call outside the network. Then, they'd ask you to provide a birth certificate, SSN, CC number, and pay via direct deposit to have an account. If you want to penalize robodialers, don't penalize companies that are not robodialing, or push the burden of law enforcement on them.

Eh. They do all of what you said in Europe and no one complains. Except it's not even free to call your own network.

Huh? Those robocalls are not originated on Verizon cellphones. A contract like that would do nothing to reduce Verizon’s liability, but it would certainly help drive customers elsewhere.

The point is that they would not do anything to reduce the calls, instead, they would erode your freedoms and charge you more to pay the fines.

We have a hard enough time imposing net neutrality. Why do you want to kill it in a place where it exists?

There probably is a market for an MVNO that requires solving a voice captcha before being able to reach the callee.

Love it

How about people in your contact list get to call and text you for free and everyone else has to pay 10 cents? Telecoms definitely have the tech to do such billing. They could even take a cut. 9 cents for me and 1 cent for the telecom. This would solve almost all spam immediately and would be a long term solution.

This is my favorite solution. Time is money, if a caller is willing to pay me for it, I'd be ok with it. Make spam directly uneconomical, and spin the customer/vendor/3rd-party dynamic back to where it's supposed to be.

Your post advocates a

( ) technical ( ) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses

( ) Mailing lists and other legitimate email uses would be affected

(x) No one will be able to find the guy or collect the money

( ) It is defenseless against brute force attacks

( ) It will stop spam for two weeks and then we'll be stuck with it

(x) Users of email will not put up with it

( ) Microsoft will not put up with it

( ) The police will not put up with it

( ) Requires too much cooperation from spammers

(x) Requires immediate total cooperation from everybody at once

( ) Many email users cannot afford to lose business or alienate potential employers

( ) Spammers don't care about invalid addresses in their lists

( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it

(x) Lack of centrally controlling authority for email

( ) Open relays in foreign countries

( ) Ease of searching tiny alphanumeric address space of all email addresses

( ) Asshats

(x) Jurisdictional problems

(x) Unpopularity of weird new taxes

( ) Public reluctance to accept weird new forms of money

( ) Huge existing software investment in SMTP

( ) Susceptibility of protocols other than SMTP to attack

( ) Willingness of users to install OS patches received by email

( ) Armies of worm riddled broadband-connected Windows boxes

( ) Eternal arms race involved in all filtering approaches

( ) Extreme profitability of spam

( ) Joe jobs and/or identity theft

( ) Technically illiterate politicians

( ) Extreme stupidity on the part of people who do business with spammers

( ) Dishonesty on the part of spammers themselves

( ) Bandwidth costs that are unaffected by client filtering

( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

( ) Any scheme based on opt-out is unacceptable

( ) SMTP headers should not be the subject of legislation

( ) Blacklists suck

(x) Whitelists suck

( ) We should be able to talk about Viagra without being censored

( ) Countermeasures should not involve wire fraud or credit card fraud

( ) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually

(x) Sending email should be free

( ) Why should we have to trust you and your servers?

( ) Incompatibility with open source or open source licenses

( ) Feel-good measures do nothing to solve the problem

( ) Temporary/one-time email addresses are cumbersome

( ) I don't want the government reading my email

(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.

( ) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!


Are you using a framework of sorts to provide this answer?

It's a classic template: https://craphound.com/spamsolutions.txt

The Last-Modified header says it's from early 2004.

It's an old meme that has been out at least since ESR released his Bayesian spam classifier.

Yea, yea. Funny.

Telephone spam was very rare when long distance calls cost $1 a minute. No reason that could not be enforced as an option by the phone owner. It is really too bad that phone communication is being wrecked by spam like email was/is, so much so that you think the email analogy to phone calls is a valid/witty one.

I don't think the analogy to email quite works. Telecom companies currently charge money to customers based on usage.

You want to upload your contact list to your telecom provider?

Until there is a regulation requiring stir & shaken to be implemented, you won't be able to trust your caller ID. Most of the telecom industry is stuck on legacy tech stacks that they actively resist upgrading, thus why calls are slung bareback over the web with no encryption on the metadata or the audio stream for nearly all providers.

The phone companies don’t benefit, because they are nearing a situation where people stop communicating with phone numbers. Probably there is nothing that can reverse that at this point, the telephone has fewer features and is less secure than alternatives.

There are so many simple solutions to this it's not even a challenge. Here's some simple ones:

1. If you want to make more than ~5k calls per month from a number, you must deposit $50,000 for every 10k calls you wish to make. If your number gets reported more than some cutoff number of times, you forfeit this bond money.

2. Call throttling. As a certain number (or customer) makes more calls, the interval between calls is increased. Let's say something like after 5k calls per month you must wait 5 seconds between calls, with the interval increasing.

Full disclosure, I worked at a telco for 4 years, but didn't do a lot with basic telephony.

The problem with both those suggestions is that it's trivial to fake the "from" phone number, as evidenced by the number of spam calls that share my area code and exchange numbers.

(Last time I set up Asterisk with a T1, this was also trivial, but that was like a decade and a half back. I couldn't tell you how to fake your number today.. it's just clear that it's easy for the scammers to do.)

The first problem we need to solve is to make it hard to fake your number.

It's easy to fake the "caller-ID" field, but this doesn't fake the ANI: If it did, you could call 1-900 numbers and bill the White House.

You're right about there being a lot of little legacy problems though; The issue I see is that the carriers aren't on the hook for it: They've made it so cheap to call someone these scammers simply need to find people whose time is worth less than mine.

Hm, thanks. Looks like you are right.

It's got nothing to do with the "from" number, get in at the carrier level. Who are they buying their connectivity from? Implement it there.

I don't have "a number", I'm a VoIP provider with thousands of clients, pinky promise!

"Your number" doesn't exist, my clients port their existing numbers thru my system, so I just let them pass those for convenience, all automated!

Are you saying my customer doesn't own the same area and prefix number as you, receiver of a spam call from India? Bad bad customer, must've been a glitch/fraud, I promise to take care of it.

> my clients port their existing numbers thru my system, so I just let them pass those for convenience, all automated!

Absolutely. And that's where you apply my rate limits / bond suggestions.

I agree there’s a lot the carriers could be accomplishing in flagging “inauthentic” behavior of network participants, but the root cause of SS7’s lack of authentication and encryption will remain and the problem will fester. Yes, carriers are definitely on the hook for making things better too.

That said, the decisions in Apple's client side software are atrocious for the considerations of 2019.

Aside: No idea why my post went from #1 on HN to the third page in under 30 minutes, I thought we were having a fruitful discussion here

I used to work in the mobile space for 7 years and I'm still amazed nobody has proposed and monetized a solution to SS7 being unfit for purpose. The reason it's not happened is nobody wants to spend money on even talking about the fix, never mind implementing it.

The sheer number of scammers and nation state actors that have taken advantage of this is mind-blowing, but we still use SMS as a 2FA.

If we have telephony providers responsible for these breaches the problem will disappear in 6 months.

I worry you're missing my point!

It's not "spending money on the fix"... it's "killing our largest revenue stream"!

Wasn't missing your point, we're on the same page, hence my point about personal responsibility being the solution.

It's analogous to the web but that is on the way of being fixed - CSRF, CORS etc.

Thanks for posting! If I had to guess, the post dropped down because it tripped the flame war sensor, which I understand to be based on a ratio of comments/upvotes. When this happens inadvertently (not a true flame war), you can email the mods (hn@ycombinator.com) and ask them to look into it. They're very responsive!

I’d be happy to have a SPF like framework for calls.

The phone number blocks are allocated to companies, and it should be trivial to ensure the incoming call comes from the legitimate holder of the block.

Add an authorized user api so you can still use your number in outgoing calls with Skype etc.

After number faking is fixed, I can safely ignore all calls from foreign countries and weird area codes.

I thought about a similar system but based on cryptography.

The telecoms regulators for each country would act as a CA and have their root key capable of signing anything for that particular country code, and phones would have all of them in their trust store (it could be all managed by the GSMA or something).

They would in turn issue certificates to any telecoms company that has number ranges allocated - those certs allow signing of calls for any of the number ranges the cert is for, as well as signing further certs. The telecoms company will in turn issue certificates for their customers for their assigned number only. It could be placed on the SIM card or distributed by email (perfect security isn’t needed here - “good enough” is all that’s required).

When a phone places a call it signs it with its certificate and the current date & time (to avoid replay attacks), and any equipment in the call path can verify the chain of trust all the way back to a trusted CA before relaying the call.

As the user still holds the end certificate, legitimate caller ID spoofing is still possible by them, but not anyone else.

> I can safely ignore all calls from foreign countries and weird area codes

Most of the real phone calls I get (my insurance company, my phone company) that aren't from known contacts are from weird area codes. I like the authorised user idea though, especially if legit companies adhere to it.

I've gotten them from the same area code and exchange as my mobile. It all depends on whether they can get a number they can use that will look reasonable to sufficient numbers of people to get them to pick up.

How do you handle number portability?

We figured out how to move domains from provider to another while still maintaining SPF. I'm sure we can figure out something similar for this.

Ah, the classic “I’m sure somebody will figure out how to fix my flawed proposal”. That’s how messes like this come to be.

>at this point these scam phone calls may be nearing the majority of the phone calls placed in the USA, so it's going to be a huge financial disruption to the carriers when they have to give up their game.

That's a shortsighted perspective. Phone numbers will only survive if they solve the spam problem.

Many people don't pick up from unknown numbers anymore. It's just a matter of time before legitimate people stop trying to call as no one responds anyway.

>This is only partly true. Technologically the solution is difficult, but it's easy from the social side as carriers can blacklist the smaller carriers that allow this fraud to take place.

So, the MAPS RBL (and most of the following dns-based blacklists) did this for spam; and it helped a lot - I mean, I think it's the primary reason that ISPs don't actively serve spammers (spammers as defined by the RBL)

On the other hand, it didn't solve the problem; if your mailbox isn't behind serious spamfilters, an address that has been on the internet for any period of time still gets hundreds of spam mails a day.

Why hasn't there been a class action against carriers for failing to do anything about this problem?

Which law or contract term have the carriers broken?

Not sure. But they provide a service called Caller ID that purports to identify callers but can be trivially spoofed by people scamming their customers. Moreover, caller ID used to actually work (i.e. couldn't be trivially spoofed), so customers might have a reasonable expectation that it still does work. It's the telco's responsibility to present accurate caller information to customers.

Caller ID could always be trivially spoofed. It's just that most scammers didn't previously bother to do it. Telcos currently have no legal responsibility to present accurate caller information to customers. That would require a new law.

We could start by adding one.

AFAIK, it's still the case that I can't block everything but numbers in my contacts, right? That's all I'm asking, and it can't be that hard. Add that simple feature that should have been there ten years ago and the problem is solved for me.

Yes, this, exactly. It's mind-boggling you can't do this. (You can kind of, sort of approximate it w/ do-not-disturb mode, but it turns off other notifications too, unfortunately. It needs to just be a separate option. I have zero interest in picking up calls from non-contacts in real-time.)

There are Android apps that block calls from non-contact numbers. Including open-source apps on GitHub. Maybe there are such apps for iOS also? It baffles me that this functionality isn't built-in.

edit: Never mind, I can block non-contact calls in Do Not Disturb mode in the LG phone I'm using: https://i.imgur.com/ZcRSXlK.png Maybe iOS DnD has this too?

This solution would require using the phone in DND mode at all times. It's not ideal since you might actually want to use DND.

You can do this, just set your phone to Do Not Disturb and then set it to "allow calls from my contacts"

I've seen that, but doesn't it take SMS/iMessages with it? IOW, I won't be notified of messages no matter who sends it? Regardless, it's just phone calls I want to block, I don't get enough spam SMS to care about who is sending it.

I guess I'm going to have to fiddle around with when the wife gets home and gather some empirical evidence.

> I've seen that, but doesn't it take SMS/iMessages with it?

Indeed it does, which makes it a non-solution for me. I apparently have the same desire you do - an option for voice calls to go direct to voicemail unless they are in my favorites list, without having to use the more general Do Not Disturb mode.

On Samsung phones you can allow texts from non-contact numbers even if you are blocking calls. You also can allow any alarms through.

This is only partially true on iOS. It doesn't take into account when you're using the phone, then it just lets everything through. Which is SUPPERRRRR annoying.

That’s one of the options you can flip in the settings.

Oh cool that seems new? I turned it on.

I go a step further and turn off all notifications. I’ll just periodically check the Phone app to see if anyone called & call back.

Unfortunately, they can just call you from one of your contacts... it's not like a zillion apps haven't already grabbed that information (from one source or another). Alternately, your name (reverse lookup) and your parents' names and phone numbers are easily found.

The amount of scam callers able to do this is approximately zero.

And here you go... calling from a contact for a phishing attack.


I think you mean the number willing to do it. Anyone with access to the internet can do it. It just raises the cost above zero.

> I can't block everything but numbers in my contacts, right?

I use an app called Should I Answer? which has that feature. It also uses a crowd-sourced database to know what numbers to block, if you want that instead.

Yes, just send non-contacts directly to voicemail. Then I might actually answer my phone once in a while.

Buy a silent ringtone and set it as your default. Then assign a ringtone to the contacts you want to come through. Now all calls are silent except those you specify.

Only an Apple user can come up with the idea of buying "silent". :D

Apple won't do this because they don't want to field a million support requests from angry users about missing calls when they turn this on and forget about it.

Fwiw, Android actually does do this. When the phone is unlocked, calls show up as a banner. In addition, they added that new call screening option, I've been using it and so far it has worked fairly well. Also, there is some built-in call filtering and third party apps as well, though I have mostly been able to rely on the built-in filtering.

Does iOS really not have any options for filtering? I swear last time I had an iPhone (running iOS9) there was Something... but then again, I was jailbroken.

It's a bit funny that we got full web browsers on phones before proper call filtering.

(Disclaimer: I work for Google but not on phones.)

iOS has had the ability to block certain numbers for a while. iOS 11 adds IdentityLookup, a framework for blocking unwanted calls and messages.

"I was jailbroken" made me think of "I was heartbroken" :-)

Excellent, I'll add this to the article. No idea why my post went from #1 on HN to the third page in under 30 minutes, I thought we were having a fruitful discussion here

Not sure if this has been mentioned but Android's DnD mode allows granular settings including blocking non-contact calls: https://i.imgur.com/ZcRSXlK.png

I actually would like a regulatory solution for this.

Mandate a way for me to say whether incoming calls were spam. Require my phone company to pay me money every time I get spammed. Allow my phone company to, at their option, proactively block calls from specific upstreams and/or pass the charge to the specific upstreams.

Now from those incentives, the fines will naturally follow the upstreams to the source of the spam, and provide motivation for them to clean their acts up. Voila! (And if telephone companies decide that they need a more secure protocol to make spamming harder, that's up to them.)

In Germany robocalls are illegal and the caller can get a huge fine.

Another terrible solution from German lawmakers that stifles innovation!

Instead of figuring out a more measured approach they just made them all illegal :(

In your first sentence I thought you were being sarcastic. A little weird, I didn't know German government jokes were a thing, but OK.

In your second sentence I realised you weren't. Wow. If this is "innovation", then let it be stifled with all speed.

Sounds like a 100x better solution than the US where I literally receive spam multiple times per day as phone calls. Why don't you go innovate on something useful?

The US situation is also not ideal... but there is also a solution in the middle.

There is no need for a solution in the middle. Whatever sort of robocall "innovation" you have in mind, the world is better off without it.

Yet you failed to have described one.

There's as much need for a "measured approach" for unsolicited marketing calls as there is for fighting polio. That is, both need to be eradicated from the face of the Earth.

”I actually would like a regulatory solution for this.”

The UK has a solution. It does actually work, mostly:


It doesn't work, and I'm in the UK too. Bad actors simply ditch their LTD Co when they eventually get a small fine and some use it as a whitelist of active numbers to use. IIRC there was an idea about making directors of companies who flout this personally responsible, I wonder if this happened?

It works great. I get about 2 calls a year now, and just saying "I'm on the no-call registry" makes them hang up really fast.

Then the fine/punishment needs to be much harsher right? If it's a slap on the wrist then of course it's not gonna work

The USA has a similar solution. See https://www.donotcall.gov/ for details. Until fairly recently, it also worked pretty well. And still does for legitimate companies doing phone solicitation. (Excepting political parties, because they are exempt from the law.)

However spoofers who know that they won't be tracked back to the source don't care about do not call lists.

It doesn’t work. Only honest callers would follow this. In addition, looking up a number in there is paid which is less than ideal. The service itself is already an inconvenience to its “target market” (aka telemarketers or robocallers) so at least you should make it as easy as possible to use it.

I actually worked on a lawful telemarketing operation a few years back (don’t ask - desperate times called for desperate measures) and paying for TPS lookups was both a surprise and a huge problem.

The only reason it seems like it works is because the US is a much juicier market for the scammers so most don’t bother with the UK, but I still see people occasionally getting tech support scams or similar so clearly there’s nothing actually preventing them from spamming the UK - for now it’s just that the US is a bigger fish.

> I actually would like a regulatory solution for this.

That's actually the only way to go. Adding support for apps to screen your calls, block unknown numbers or some other feature that requires an action from the user only benefits those who understand the technology and know that it's available. It leaves those most susceptible to fraudulent calls as the only target for scammers.

People often forget that those with limited technological understanding, such as the elderly, may need society to step in and actually solve the problems, rather than plastering over them with even more tech.

This really is the only way to root out the problem. The carrier networks have to hold the upstream VOIP providers accountable, so the VOIP providers hold their customers who create random spoofed phone numbers accountable.

Busybody morality police would abuse this to deprive people of their freedom of telephone. Hard no

Here in Germany - and I believe most of Europe - these calls are illegal and that works perfectly. I have never gotten a robocall in my life and am still free to phone around as much as I want.

(Not sure how exactly they are regulated. If they're illegal by themselves or if it's a side-effect from the ban on signing contracts via phone)

This is a really good idea in theory but my understanding is that a lot of these calls come in from spoofed numbers. So if you're the unlucky person whose number the spammers choose to spoof that day you're already in for a giant headache - getting your phone number blocked would add insult to injury.

The point is to target the spoofing process directly. The incentives should cause VoIP solutions that generate spoofed calls to get kicked out of the phone system.

Yes, this would cause false positives. However it is my belief that the general harm from false positives would be less than from current negatives, and that, given incentives, the phone companies should be able to figure it out.

When the client of the robocaller who wants to sell something is fined then there are soon no more orders for robocallers.

And if you implement that, then you'll get the blackhat approach of paying the robocaller to advertise your competitor's product.

I would love to be able to block all numbers coming from my area code and the first 3 digits of my number.. all my robo calls come from a number that looks just like mine.

There is an app on the Apple App Store called Exchange Blocker, it automatically blocks all calls from your area code and first 3 digits. I use it, and it works great so far

Or send to Google Assistant screening. It's the best feature ever but they need to open it up to rules for automation (i.e. all unknown numbers from XXX area code).

The last thing I want to give Google is access to all of my phone call data. I just want to reduce my footprint with that company.

Audio, transcript, and other call screen data is stored locally on your phone, not sent to Google or anywhere else: https://support.google.com/phoneapp/answer/9094888

It really is a nice little feature.

There's also the Google call spam reporting.

I don't want to send all my calls to Google

Call Screening is done locally on the phone, the call audio and transcripts are not sent to Google.

They need to make the audio available to the user. Their text to speech engine never manages to get a decent transcript figured out. That or people are just yelling gibberish into the phone when I screen them. Until I can review the call audio I'll never know.

I very much want to believe this. But I can't. This is a sad state of affairs.

Have you tried Hiya? That works for me...it’s called “Neighbor Scam Protection”.

That would be a problem for me as plenty of people I know have the same first six digits as they were allocated to Verizon Wireless about 20 years ago.

You could have an exception for people in your contact list.

I just switched to Hiya from Nomorobo and the premium version allows for this, referred to as the "neighbor scam". It's worked really well, between my number and Gvoice I was getting 50 of these calls a week.

Mind saying a bit more about making this switch? I use Hiya now and am open to something better. You seem happy with the move?

I'd used Nomorobo since inception but found more calls getting through, mostly neighbor scams. Went looking for a new call blocker and they are all similar. Hiya had built in support for neighbor scam which was a huge percentage of my inbound spam. It's worked as well as Nomorobo plus it blocks neighbor spam, so I'm ahead at the moment.


I use an app called WideProtect. It's not free, but it's also not a subscription. It lets you do exactly what you describe.

As a side note, CallKit on iOS doesn't support wildcard blocking, so WideProtect literally adds all the possible numbers within your specified range to the blocking database. This doesn't impact performance as far as I can tell (maybe calls ring another 100ms after they would normally), but there seems to be a delay of a few minutes after installing for it to show up as a block extension under Settings.

Hear hear. An interesting corner case is when the call is from your exact number.

I wonder if the keepers of the POTS (plain old telephone system) can start putting in safeguards to curtail the ability to fake your source phone number. I get that there are myriad instances where this is above board and even necessary, but nobody's proposing any changes.

Ajit Pai recently announced the FCC is pushing carriers towards this type of system.


> "Under the SHAKEN/STIR framework, calls traveling through interconnected phone networks would be 'signed' as legitimate by originating carriers and validated by other carriers before reaching consumers," Pai's press release explained. "The framework digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person supposedly making it."

I use an app called Should I Answer? It uses crowd sourcing to collect robocalling numbers. My phone doesn't even ring for most of the robocalls now, and the ones it misses, I can add to their database so others won't get them.

How does the database work, when it’s just your own number with the last two digits different?

I've literally been robocalled from my own number before. I don't think this would work

Depends on the carrier. Proper equipment should be like “WTF? This is obviously spoofed” and reject the call but then again the entire telco industry is fucked up.

Back in the 2000s, you used to be able to get into most people's voicemail by calling someone's phone with its spoofed number. Lots of people didn't use voicemail passwords.

"I would love to be able to block all numbers coming from my area code and the first 3 digits of my number."

Very easy with Twilio. As I mentioned elsewhere in this HN thread, I ported my number to Twilio about 18mos ago and use-cases like this are quick and easy to implement.

In fact, I have noticed the same behavior (spam calls coming from the same NPA+prefix as my number) and I might just implement that this evening ...

Certainly the native OS should support this. But in case you are not aware, third party apps such as Hiya will do this exact thing.

That's a nice heuristic for some folks but it's a big failure on rural phone numbers. My neighbors and half the businesses I interact with all have numbers in the same prefix as my land line. For cellular numbers, you're basically talking about blocking 1000 random other cell phones in your city.

There’s a free app called Hiya that does this

That sounds very useful. But with one exception. As tempting as it may be, my ex should still be able to call me.

More recent robocalls that I've been getting have had the same area code and a slightly different prefix. More difficult to ignore. I assume it's just as easy to fake these numbers as others.

There are apps that do exactly that, e.g. NumberShield for iOS. Blocking calls from numbers with the same first six digits as mine has substantially reduced the amount of robocalls I receive.

The most common scam call I’ve been getting for the last month is my mobile number on the caller ID, saying they are my carrier and that my account has been locked.

In The Netherlands we have a "no-call register" for companies (https://business.gov.nl/regulation/telesales/#article-do-not...)

I never get robocalls. It's nice to live in a country that believes in smart regulation!

We have the same system in the US (the Do Not Call registry) but it’s ineffective because Caller ID can easily be spoofed and these organizations are out of US jurisdiction. Seems more of a technical limitation than a policy one.

Yep. And I live in the UK and have never received a single spam call. I don't understand why it's such a large problem in the US.

You’re just lucky. I was too. Then my number got on some spam list and now I’m receiving a few calls a month (which is still something many Americans would consider great, I’m sure) - from random locations all over Europe. The spammer is effectively unreachable by local regulations.

In Belgium there is something similar: https://www.dncm.be/nl/

"do not call me" or previous: "bel me niet lijst" and when someone violates the list. You can submit it here: https://meldpunt.belgie.be/meldpunt/

The downside of this is that it won't prevent companies from collecting your data; it just prevents them from calling you.

I've always found registering in a database to object to database registrations that I didn't consent to a rather curious concept. If they call me, then at least I know who's brokering my data? I resisted signing up for the no-call register for a long time.

For example, this is how I know that TNT/PostNL has sold my data to the post code lottery after I used their post forwarding service (you pay for the service, but they will still sell your data; at least, they did back in ~2011).

I once had an extended fight with a charity (hartstichting) where they gave me all sorts of abuse after I insisted they tell me where they got my phone number from. They were offended that I could possibly object to a charity collecting my personal data from mysterious sources (I never found out where they got it from, I gave up pursuing after a while).

Eventually I caved in as I grew exasperated and signed up. Now I live abroad and miss stuff like this :-( I got far too many calls when I lived in the UK (including one at 9am on Sunday; I was not especially kind to this person), and in New Zealand they will cram my post box so full of junk mail in just 2-3 days that I can no longer receive any mail :-(

There is GDPR now in Europe, this should fix that :) - if you live in the EU of course.

The challenge there is that you don't know which companies actually have your information.

Related information should be acquirable, eg. source of information

Most spam calls in the US originate overseas (India) and ignore US regulation such as do-not-call registries.

Same, never had any problems where I live. Not all problems are technological.

In my country we have the same but the registry asks for ID and a lot of personal information. I'd rather not give so much to the government.

...the government hands out the ID, so they already have that information. What personal information are they asking about though?

The government doesn't know my phone number. I think.

The eventual fix will be adopting ATIS SHAKEN and STIR protocols, which is, very roughly, signed caller ID. The FCC is now demanding it of carriers:

https://docs.fcc.gov/public/attachments/DOC-354933A1.pdf (Background and open letters to carriers: https://www.fcc.gov/document/chairman-pai-demands-industry-a...)

How it works, short version: https://transnexus.com/blog/2017/stop-spoofed-robocalls-with...

How it works, long version: http://www.atis.org/01_resources/whitepapers/#shaken-studies (find in page for “SHAKEN” and “Caller ID”)

Apologies for not reading through these links, but does this fix just the caller-id issue, or the routing issue - i.e. routing an SMS to a bad actor?

Just caller ID, and even then it seems like it’s between service providers only - you have to trust your carrier to validate signatures and reject bad/missing ones.
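Added example, not part of the thread and not code from ATIS or any carrier: a sketch of the "signed caller ID" exchange discussed above, with an originating carrier signing a SHAKEN-style PASSporT (RFC 8225 / RFC 8588) and a terminating carrier rejecting missing, altered, stale or mismatched ones. It assumes the signer's public key has already been fetched from `x5u` and its certificate chain validated; the 60-second freshness window, function names, URL and phone numbers are assumptions made for the illustration.

```javascript
// Added example: SHAKEN-style PASSporT signing and verification with ES256.
const crypto = require('crypto');

const b64url = (buf) =>
  Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const digits = (tn) => String(tn).replace(/\D/g, '');

// Originating carrier: assert calling number, called number and attestation level.
function signPassport(privateKey, { orig, dest, attest, origid, iat, x5u }) {
  // Keys are written in lexicographic order, as PASSporT serialization requires.
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const payload = { attest, dest: { tn: [digits(dest)] }, iat, orig: { tn: digits(orig) }, origid };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS expects
  return signingInput + '.' + b64url(sig);
}

// Terminating carrier: compare the signed claims with what the signalling says.
function verifyPassport(token, { publicKey, callerId, calledNumber, now, maxAgeSec = 60 }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return fail('missing-or-malformed');
  let header, payload;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  } catch (e) {
    return fail('missing-or-malformed');
  }
  if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') {
    return fail('missing-or-malformed');
  }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken' || header.typ !== 'passport') {
    return fail('unsupported-header');
  }
  let sigOk = false;
  try {
    sigOk = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, fromB64url(parts[2]));
  } catch (e) {
    sigOk = false;
  }
  if (!sigOk) return fail('bad-signature');
  if (typeof payload.iat !== 'number' || Math.abs(now - payload.iat) > maxAgeSec) return fail('stale');
  if (!payload.orig || digits(payload.orig.tn) !== digits(callerId)) return fail('orig-mismatch');
  const destTns = payload.dest && Array.isArray(payload.dest.tn) ? payload.dest.tn.map(digits) : [];
  if (!destTns.includes(digits(calledNumber))) return fail('dest-mismatch');
  return { ok: true, attest: payload.attest };
}

// Constructed scenario: every number, the timestamp, URL and origid are made up.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const iat = 1545868800;
  const token = signPassport(privateKey, {
    orig: '+1 202 555 0100', dest: '+1 202 555 0123', attest: 'A',
    origid: '00000000-0000-4000-8000-000000000001', iat,
    x5u: 'https://certs.example.net/sti.pem',
  });
  const ctx = { publicKey, calledNumber: '12025550123', now: iat + 5 };

  // Same token, but with its orig claim rewritten by someone without the key.
  const [h, p, s] = token.split('.');
  const altered = JSON.parse(fromB64url(p).toString('utf8'));
  altered.orig.tn = '12025550199';
  const alteredToken = h + '.' + b64url(JSON.stringify(altered)) + '.' + s;

  return {
    honest: verifyPassport(token, { ...ctx, callerId: '12025550100' }),
    relabelled: verifyPassport(token, { ...ctx, callerId: '12025550199' }),
    altered: verifyPassport(alteredToken, { ...ctx, callerId: '12025550199' }),
    stale: verifyPassport(token, { ...ctx, callerId: '12025550100', now: iat + 3600 }),
    unsigned: verifyPassport(undefined, { ...ctx, callerId: '12025550100' }),
  };
}

console.log(demo());
```

As the reply above notes, the result is only useful if the terminating carrier acts on it; the handset never sees the signature in this sketch.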

Robocalls are illegal in Germany. They are called unerlaubte Telefonwerbung and one energy company got fined 140.000 euros.


FTA: After the E wie Einfach GmbH had found agencies for the advertising measures, obviously no more control took place. Therefore the E.ON daughter is occupied now with a fine of 140.000 euro. Because as a client of the call actions it must guarantee the adherence to the legal principles. This includes above all that in each individual case an explicit consent of the consumers is present. The client is responsible for this, even if the telephone calls are carried out by subcontractors. However, the decision of the Federal Network Agency is not yet legally binding: the electricity supplier can appeal the fine in court.

Translated with www.DeepL.com/Translator


> unerlaubte Telefonwerbung

"Illegal phone advertising" for those who do not speak German.

I have no idea what a robocall is but I would LOVE a simple notification banner for when someone calls. I rarely get calls these days but when I do, it’s a major annoyance if I’m doing something on my phone. It’s time calls are relegated to the same level of urgency as WhatsApp messages and emails.

I just gotta say it's funny that receiving a phone call on your phone is a major annoyance these days.

I know what you mean but it wasn't funny when I was recording my kid at his first birthday party and got interrupted by a robocall just seconds before he cut the cake. From that day, I've learned to put the phone on DND mode before recording anything memorable.

What I don’t understand is why Apple isn’t fixing this.

It’s simple - it’s broken UI, Android has done it, people want it, it doesn’t help in any way, so why keep it? I mean why? Hell, if you really want to keep it, give an option to disable it.

Add this to the list of reasons why advertising is a cancer on society. Without robocalls and telemarketers, calls wouldn't be an annoyance.

(Though I agree that they should be relegated to the level of notifications now. Smartphones are computers. Imagine if Skype call would lock you out of whatever you're doing on your desktop.)

To me it’s more like a device which can also make calls with an app.

Number 1 reason why I still jailbreak.

Do you live outside the U.S.?

I live in the UK and get maybe 5 robocalls a year. I'm not at all cautious about giving out my phone number and I've had the same number for at least 10 years.

Why is this such a problem in America but not elsewhere?

I'm not an expert, but I would guess that regulation around these kinds of `nuisance` calls is tighter outside the U.S. We (in the U.S.) have a National Do Not Call Registry[0] but I don't know how strong the enforcement of violations is. With scammers, I think much of the problem is that they're using VoIP and other technologies that make it difficult to pin down exactly who is making the calls, and from where.

[0] https://www.donotcall.gov

I am guessing that robocalls go after specific demographics, so people in more popular groups get more calls than others.

I think there is less intelligence in the system than that. I get a lot of robocalls in Spanish, a language I do not know. (and other than living in California, there's not a lot about me that would suggest I know Spanish?) I mean, it is a small portion of my robocalls, but it's still several a week, when I answer unknown numbers.

But, I get a lot of robocalls; 3 calls a day is light. So clearly, some people get more calls than others, I'm just saying, I don't think the filtering criteria is particularly smart.

That, or the source data is not very good. Maybe you got a phone number used by a person of Spanish origin before.

that's sort of what I was getting at? I mean, I think that we have the same problem we have with spam; it's so cheap to send it that it doesn't really matter that only a tiny fraction of those who receive the spam might actually be credible targets; but it's so cheap that it doesn't really matter.

It's not. Robocalls are one of those things that really upsets a small subset of people either because they are overly sensitive to robocalls or that they are a member of that unlucky subset that does receive a very high amount. Like most things in the social media era, the grievances of a very vocal minority appear to be a larger group than they actually are.

For example, the title of the article tells us that robocalls are "killing us".

> Robocalls are one of those things that really upsets a small subset of people either because they are overly sensitive to robocalls or that they are a member of that unlucky subset that does receive a very high amount.

And you never get Robocalls?

Between my cell and landline, I get 5 to 10 "robocalls" a day. Recently I started getting them in the wee hours of the morning. They outnumber legitimate calls about 30:1. Very many show up with a Caller ID with a spoofed local area-code and prefix.

I noticed a big uptick when I was dumb enough to buy a domain without paying the privacy fee.

I live in the US, had my number for 10+ years and actually have not gotten a Robocall once.

And I have shared my number in a lot of places

I’m in Finland. I get about 2-3 telemarketing calls a month which I quickly end and add the number as a spam contact.

T-Mobile has a feature that uses the Caller ID to display “Scam Likely”...which is a great stopgap measure and doesn’t cost me extra.

Still doesn't solve the core problem here. The whole screen being taken over. It's super annoying when on a google meet call or similar to have the call essentially cut you off.

That got me thinking. I haven't seen that message in a while, but I've moved from regular android to AOSP. I wonder if that scam likely CID needs some google play support ?

Google Play has plenty of apps that keep track of robocalls via third party solutions. Truecaller is an app I used when I was in India getting inundated by robocalls.

Right, I meant google play services. AOSP phone app, while quite similar to the stock google phone app, doesn't include this feature.

One step further, on T-Mobile you can block all scam likely calls from ever reaching your phone.

Google for the instructions how.

Because my phone number is not from where I actually live and most of these robocallers fake a number from your local exchange, seeing a number that looks like mine pop up basically tells me right away it’s a robocall since nobody calls me from that exchange. Whole thing is still incredibly annoying though and problem is getting worse.

I never get robocalls in Europe - what's different here? Why does USA have this huge problem with spam calls and most of Europe doesn't? Is spam blocking on OS level really the right approach to fix this problem?

> Why does USA have this huge problem with spam calls and most of Europe doesn't?

Presumably because (1) it's much easier to find English speakers in countries where most robocalls actually originate, and (2) the same model can scale to 320M recipients with very little marginal effort.

Surely in Germany robocallers would call people in German.

That was the point of the parent poster. Why bother with German and other much less common languages when you could just target a de facto global language that both your victims as well as those responsible for those scams know?

As an Android user, I'm kind of shocked that the iPhone doesn't do this, and I'll say that the banner UI is decently better. Though I'm not going to lie, I still think we can do better, and I wouldn't doubt that Apple would just opt for the next generation UI instead of following Android's suit.

Sometimes I wonder what subtle differences there are between the two ecosystems, as I've never really gotten into Apple products before, with the exception of a few earlier iPods. Does anyone have confirmed differences that the other side might not understand?

We don't have this problem in Singapore.


We have this do not call list. Once added, calls, texts, etc, drop to like nothing. In fact I cannot remember the last time I had a call... I get the occasional text message but it's mostly shops telling me to use my store points before a certain date. A reminder.

Or NZ. I think I maybe get a spam call maybe once a year, or less. I haven't changed my phone number for the last 16 years, so I'm sure I'm on all the lists I could be on at this point. Why is this a problem in the US and not elsewhere?

We have one of those in the US, but most (99%) of the automated calls I receive are not from legitimate enterprises.

Also the US is a much larger target, it's 300 million people that are almost guaranteed to speak English. Targeting countries like Denmark, The Netherlands or other countries where you'd basically need to hire native speakers it's financially viable (That's not to say that the problem doesn't exist in these countries, just at a much smaller scale).

Singapore speaks English as a first language.

Sounds like the problem is to do with not honoring the do not call list and no punishment for those who don't honor it. Here companies are fined if they call people who are on the list.

My solution to robocalls is to answer them and then be totally silent. After a few seconds, they disconnect.

The number of robocalls I receive has plummeted since I started doing this. I receive hardly any these days. My theory is that due to silent answers, the autodialers eventually mark the number as bad, or as a machine-answered number. I have no proof of this, though.

However, your number is still being sold and resold, so every time a new scammer opens shop you start to get calls again.

I answer and have fun pretending that I’m a lunatic. I generally get hung up on within a minute, and at least that minute is a bit of fun.

I do this sometimes too. It seems like an ethical way to have somewhat the same sort of fun as old-fashioned crank calls.

I've always done something similar, it's been supported on every cell phone I've owned (flip-phones and Android phones): Instead of answering or declining, tap the volume key. That mutes the ringer but lets it keep ringing on the remote end. So from their perspective no one picks up, and it doesn't annoy you.

I can't tell if it would have the same effect as your method though, since I've done it for so long, but I only get like 1 scam call on my cell every 3-4 months (and it's usually one forwarded from my work phone). My desk phone at work, which I have to answer and haven't tried this with, gets one call every couple of weeks.

My solution is to play along with the pitch, taking as long as possible with my answers, until they ask for my credit card number. Then I make up 15 digits, making sure to mess up a couple times along the way.

Then I ask whether they have a do not call list.

I'll have to try that out. I've been noticing that most of the calls I was getting were from the same spammy place. I found out if I listen till the end they often have an option to be removed from their list. "Press 2 to be removed", if only it was always 2 that would be too easy. I hate listening to the entire ad but I have been getting a lot less since I've been hanging in there and asking to be removed.

It is a coincidence. Legitimate operations are not spoofing their numbers in the first place, whereas spoofers have shown themselves to be dishonest by spoofing.

So you are not being removed from any spam lists using this method. Not only do they have zero incentive to remove you, they have also received a reliable indication that a human answers your phone.

My solution is to let Google spam filter them. It does a good job and I report every call that manages to get through. Haven't picked one up in months now.

True, I do the same too. I take the call, mute my phone and keep it as long as the other person wants it. Spam has reduced, one call in the last 3 weeks. It could also be that the spammers are holidaying.

They are definitely holidaying. As soon as the new year starts up expect them to be firing on all cylinders.

I just say 'Yes' after each question. Robo-caller puts me through to human where I continue to say Yes. Eventually they cotton on and hang up.

Hopefully they will blacklist me and no longer annoy me.

Apple provides a fix: get an Apple Watch and make your phone silent. Then you get a notification on your watch which you can suppress by placing your hand over it.

I make this comment in jest because obviously this is a very user-unfriendly "solution" unless you planned to buy an apple watch for some other reason. However I do use this feature.

As for the post's comment that dismissing the call leaks info: I don't know that the predictive dialers have any understanding of this -- if you simply refuse to answer it's simply a disconnect. I also doubt they keep stats on calls that go to vmail, if you accidentally do that or if you refuse to answer.

I have an apple watch... it doesn't solve the problem that if I answer a call that is not from a contact, it is 9/10ths spam, so I simply don't answer calls not on my contact list, and thus sometimes miss important calls from businesses that don't text.

I have heard this suggested in all seriousness.

I'm from Poland and while I never experienced a robocall, I have to deal with telemarketers every now and then because someone somewhere shared my number against my will and while in theory the caller is obligated to disclose how my number landed in its company database, they're often hanging up the second they're asked or pulling the "it was randomly selected" bullshit, and recently, after GDPR they're giving premium-rated phone numbers claiming that's how you can exclude your number from database which obviously doesn't work.

While signing the contract for a fiber connection, I had to repeat a few times that I want to opt out, almost losing my nerve talking with the agent, saying that I'm really not interested in having telemarketers clogging my phone even if that means I'll miss a chance to win something - because that's how she tried to advertise that. I could either allow those calls for 5 PLN less on my bill or opt out for the same amount added to it and I did choose the latter.

Anyway, there are sites and apps which are trying to "rate" calling numbers and warn other people - most of the times they do good job.

The other problem is with using third party navigational apps. While driving the phone app takes up the whole screen completely obscuring the directions. My wife constantly rejects calls because of this and I can’t talk to her!

You can switch apps while in a call.

Hurtling down the interstate at 70+ mph and I also tend to mash the big red button when I get a call and need my direction.

Doing so could be hazardous. The act of double clicking the home button and then choosing the correct app from several other open apps would take your attention off the next turn and off the road.

Also when you take a video and someone calls it ends the video recording - even if you don't decide to answer. So you have to put your phone into airplane mode, which sucks because if you lost your phone before remembering to turn it off then find my iPhone wouldn't work... I wish there was some sort of option to not disturb while doing video... Something you could toggle on and off.

Get a better 'Phone' app. It's replaceable, and many have truly silent modes for some callers only which won't interrupt anything you're doing.

I would like to see this solved via a little regulation and tech industry cooperation that basically discards the entire phone system.

Problems that need solving

* Robocalls

* Companies using SMS for 2FA

* Companies still using phone numbers as part of my ID all. I'd much prefer companies contact me first via email/secure-text (whatsapp/line/messenger/...) and only later via secure voip

I feel like Google/Apple/Microsoft/Facebook whoever should basically design a new standard to replace the phone system and the government should then mandate that companies must support it (no more asking for phone numbers)

I'm sure there are lots of issues. I don't want one id to reach me, like email I want multiple IDs and if you want to know the ID I give you is me then send me a confirmation (I can crypto-sign it if need be)

I'm sure it's easier said than done but it does seem like it's getting to the point phone numbers are basically as useless as fax machines. Most people call me via Line, Hangouts, FB, Facetime, etc.. No one calls via phone number

> And disrupt they do, at a massive scale. Several billion fake calls are received each month in the US. Reports show this is a global problem, with Brazilians averaging 37 spam calls per month. Actually, I’m getting a robocall as I type this very sentence, my second today.

Is there a reason this isn't as prevalent in the UK? I get maybe 2 calls a month like this. Are robocallers in the UK more likely to get in trouble maybe? Putting this on Apple isn't addressing the core of the problem.

I would love:

Auto-hang up on any call from someone whose number I don't have saved. Just give me a notification immediately thereafter. If it's someone I should know, I'll either have their number saved, or be expecting it. I don't want to be bothered otherwise.

This, and many, many other interesting use-cases is quite simple if you port your number to Twilio and create your own carrier inside their service.

I did this about 18 months ago and love the results. I manipulate and use the telephone network in many useful and interesting ways, all programmatically, through Twilio.

It’s not clear to me why Apple can’t have a Mark as Spam button for calls. Once you hit a critical mass from independent iPhones you simply block that number.

They’re spoofing the numbers so that would likely cause Apple to blacklist numbers belonging to innocent people.

A lot of them aren’t.

Since the phone companies are too busy trying to build content empires rather than working to improve their core competencies, it's time for Apple to step up the call-blocking experience at the OS level.

The addition of a call-blocking API was a very good first step, but the time is fast arriving when robust blocking patterns will be table stakes similar to what basic email spam filtering is today.

I'd give it a year before they buy someone like Hiya.

Or we could actually fix the problem and make the do-not-call list laws much stronger and put some enforcement behind them.

> I would love to be able to block all numbers coming from my area code and the first 3 digits of my number.. all my robo calls come from a number that looks just like mine

Somewhat humorously, this has destroyed my ability to receive phone calls from my home town. I instinctively hang up and block.

Check out Google's call screening feature available on their Pixel phones https://support.google.com/phoneapp/answer/9118387?hl=en

That's nice for keeping marketeers out, but meanwhile you're sharing all your info with the largest advertiser on the planet ...

No it doesn't:


> Call Screen doesn't save to your Google Account, your Google Assistant Activity page, or to Web and App Activity.

This annoyance is three-fold when a call from your iPhone also takes over your iPad screen and rings on your MacBook.

Indeed, which points out another UI problem: as far as I can tell there's no way to link the Mac/ipad calling to your phone (so it'll use the phone network to make a call) without enabling ringing on incoming calls. Thus I simply disabled this otherwise quite useful feature.

I turned off the feature that shows calls on my MacBook because of this. It's nice that the UI shows "Scam Likely" as the caller, but maybe give me an option to filter out those calls entirely? Let them go to voicemail or something... who is answering the phone when the caller is unknown and identified by the UI as "Scam Likely"?

That's a T-Mobile feature, not an Apple feature, and you can change your settings to block the calls instead of just ID'ing them.


Awesome, thanks. I enabled it. That should cut down on at least ~40% of the junk calls I get.

Yes! I would even go so far as to say if the caller isn't in my phonebook let them go to voicemail. Or at least give me the option in settings. If I don't know who's calling they're getting my voicemail 100% of the time.

Elsewhere in the replies it was suggested that you put your phone on Do Not Disturb and configure it to allow calls from your contacts to get through. That might be a hacky solution?

Just in case - you can turn this option off.

I agree it is the worst.

IMO the best way to combat this is to answer the call and waste as much of the scammer's time as possible. Call spamming only scales because most people ignore or hang up immediately. If you waste 30 seconds of a scammer's time that's 30 more people they can't call. And that 30 seconds costs THEM money. I just answer, say “hi” to start the recording and leave the phone on my desk until they hang up. Perhaps I don't completely understand the backend but if more people wasted the scammers' time it would quickly become too expensive for them to continue.

How much is your time worth vs the robocallers ?

When I was getting robocalls a while back, I started saying "hi" and letting them talk, then I'd put the phone on mute and continue whatever I was doing. The calls stopped a few weeks after that. Usually this would take about 10 seconds of my time, and about 90 seconds of theirs, per call.

I'm pretty sure that over the long term, it costs me less time as it made the problem completely go away.

Things that I'd tried before that, that didn't work, include: immediately hanging up, politely and not-so-politely asking them not to call back.

So the garbage dump we call a USPS mailbox doesn't rise to the same level of concern for some reason still?

The USPS mailbox can be consumed asynchronously.

Isn’t it possible to opt out of a lot of bulk mail anyway? Bulk mail can never be as bad as online spam since it’s much more expensive to mail and easier to trace a sender.

It's effectively the same as opting out of these robo calls, there's a FTC list for both and yet it has zero effect. I also get 99.9% junk mail, so it's easy to lose actual mail in the pile.

USPS gets paid to deliver spam... why would they want to stop it? actually, they even give cheaper rates to the spammers because they spam so much...

Isn't it the same for telcos and telemarketers/robocalls?

I’ve never been woken at 4am by a spam mailer delivered by USPS

I have a suggestion. If you receive robocalls from legit companies, I think you can try to sue them. I read an article about this at https://www.whycall.me/news/consumer-wins-massive-229500-rob.... If those robocalls are coming from scammers, then you could just ignore those calls. There's no way we can stop them, anyway.

About a year ago I put my phone on DND and have left it on ever since. My wife and the kids' school are in my favorites so they can get through. If I have to make business calls I will initiate the call or just remember to turn it off if I get a calendar reminder for an incoming call. Maybe it will bite me in the ass at some point but it has been really nice to feel like I actually have some control of my phone again.

Same here. I also changed my outgoing voicemail message to say that I don't pick up unknown numbers so if you're a real person, leave a voicemail or text me. The voicemail transcription feature on my iPhone is rudimentary but works well enough to see at a glance if a voicemail is a sales call or robocall.

Yea, it's funny how the fear of missing out makes people put up with so much bullshit in their lives. I don't use Facebook, I don't use Twitter, I don't deal with robocalls. I am not missing out on anything other than the high price of not missing out.

Just let me have a phone where only my contacts get to ring it.

For those like doctor offices and others who need to reach you make them go to voicemail.

Honestly it blows my mind when I’m with someone who answers their phone when it rings with an unknown number. I have literally never done that, save for a handful of occasions where I’m expecting a call. It’s hard to imagine a scenario where it would be someone you would want to talk to.

Apple added hooks a while back so that 3rd party apps can interject into the call process, and I've been using https://hiya.com to do that and block scam calls.

I have it set to disregard suspected scam/fraud calls, so they never ring my phone.
