It might seem odd to North Americans, but I never received a single robocall in my entire life.
I received one spam call in the last 10 years, and the guy excused himself when I told him what he was doing is illegal.
This feels a bit like “weapon laws won’t solve anything” and “social healthcare can’t ever work”. So either Europe is living in a weird strand of alternate reality, or maybe some problems _are_ solvable if you really want to.
It's a regulation problem, not a technical one. In Germany (and probably in other EU countries), the telco must make sure that a caller is authorized to use a certain number as origin. STIR just shifts that responsibility to some other entity.
If a call originates from an untrusted network, you remove the number or indicate that it is user-provided and probably fake. It would help if phones would properly display the difference (P-Asserted-Id present or not).
In the US, voice time is rarely metered for domestic calls. Even discount providers offer unlimited domestic calling. The only case where you see metered calls is for pre-paid SIMs, which aren't very popular here, because you can get unlimited talk & text for $25/month.
Isn't that the case everywhere? The caller pays for the call, the recipient doesn't? Where are you? My grandma has a prepaid SIM that I call and she never pays anything, just a small amount every few months to keep the number alive.
The US had a situation where the following happened:
1. They issued all their phone numbers according to a geographic system, the North American Numbering Plan. Most cities would have one prefix, some larger ones gradually needed two or more, but basically you can tell from a number if the call is local.
2. Calls to local numbers were cheap or free, because routing a call on a circuit a few miles costs essentially nothing. Just spread the cost over all subscribers, it's fine.
3. Mobile telephones exist. NANP is full. How do we number these new phones? Let's give them local numbers wherever you're buying the phone.
4. Oh, but calls for a mobile cost more. Do we make everybody pay extra for the small fraction with mobiles? No. Can we charge callers for calling a mobile? They'd have no way to know they're getting charged because the numbers are local! OK, so let's charge _mobile owners_ when they receive a call.
5. Then everybody buys a mobile phone.
The end state is always the same: everybody eats the cost of maintaining a network and calls are basically free. But the way they got there was different from most countries.
I remember staying with relatives when I was younger and calling long distance home for a minute to tell my mom to call me back on her cell so the family could talk for cheaper. I'd wait around until it was late enough in the evening that nighttime rates for her cell were cheaper than the long distance rate.
Not one I would be aware of. The problems the German network has have more to do with coverage, monopolisation and the state selling frequency bands for far too much money on dubious auctions.
But this has not much to do with the phenomenon that spam is pretty much nonexistent compared to the US.
Europe has stricter regulations. When I worked at a company 8 years ago, we were sending SMS to customers with text like "your order is ready, please come pick up", etc. We used the company name instead of a number, as SMS allowed that (only 8 letters, but that was enough for us). But around that time we suddenly weren't able to do that anymore, and the company we sent SMS through said that some laws had been passed and we must use one of the numbers registered to us, and that was it.
I think that explains why it is much harder to do robocalls in some parts of Europe at least.
You opened this up to a larger discussion - but you are essentially correct. These problems aren't really problems if you decide to act. However, at least in the U.S., acting seems to cost money.
Well, in the US the people responsible for the brazen robocalling can simply hire lobbyists to convince Congress it is bad to limit robocalls. So our entire system is a bit broken at the moment when we have a terrible Congress and a president who appoints questionable leaders (see the guy he put in charge of the FCC ending Net Neutrality).
That thing effectively meant that you couldn't propose an actual solution to the SPAM problem that was fair for everybody, open source, etc. Instead Gmail went ahead and made one that is secret and hugely benefits them, people went to Gmail because it actually worked, and yet somehow it is still linked to and considered a good thing.
I get plenty of spam in my Gmail inbox. Their filtering isn’t magic or perfect.
Worse, Gmail’s spam filter generates tons of false positives, and these are often the messages I want most: password resets, legit balance alerts from my bank.
1) The FCC is threatening all kinds of hell for service providers that don't implement SHAKEN/STIR. AFAIK all the major US carriers are already committed to implementing it.
2) Robocalling is probably not net profitable for the carriers. Much of it originates from abroad and much of it is associated with other kinds of fraud. Never mind the secondary impacts due to users deciding not to get phone lines if they are just going to receive spam.
> But then again, email spam has been solved for the most part
Only if you use one of the big email providers or if you pay to route it via some antispam system. If you don't and play around with e.g. Postfix and spamassassin then you'll notice more than enough spam.
If you use Postfix and CRM114 (http://crm114.sourceforge.net/) you can achieve equivalent or better spam filtering than the "big email providers".
I get maybe 1 spam every six months that leaks through. I simply add it to the crm114 filter as "this should be spam" and then no spam again for another six months or so.
This clearly wasn't designed by telephony people. It's very web-like. The authentication info is bigger than the call data required to set up a call.
Mostly this is for VOIP. Telcos with TDM or CDMA transmission have serious backwards compatibility problems. Ones who peer only with SS7 have problems but those can probably be overcome.
One big problem is that there are off-brand telcos who specialize in services for call centers. "The Dialer Hardware is being hosted in our premises at Los Angeles - USA, where we have our own switch and termination facility with over 100 Carriers. We also have a redundant switch in New York connected to LA through a fat Fibre pipe."[1] Do those guys get to sign calls? Or what?
> The authentication info is bigger than the call data required to set up a call.
That's not a counter-argument, it's a cop out. SSL negotiation uses more bandwidth than a vanilla HTTP GET request too, but sometimes a secure channel is more important than preserving bandwidth.
> Telcos with TDM or CDMA transmission have serious backwards compatibility problems.
More cop outs. In order to resolve problems, you have to make changes. You can't show up to the solutions meeting and proclaim that a problem can't be solved because "the old system doesn't work that way." Sometimes you must abandon the legacy systems to solve new problems.
One of the current problems is a ban on robocalls exists (for calls to cell phones without consent, at least), as does a ban on IRS scam calls, Microsoft scam calls etc, but the bans can't be enforced because when a victim complains there's no way to trace the guilty party. After all, the caller ID was faked.
So the call signing doesn't have to be "a body that will block all robocalls and scams" it only has to be "a body that can be sued and fined". You rotate certificates weekly and issue a certificate to any company willing to make a deposit of $X against possible fines. Then adjust $X until robocalls and scam calls with fake caller IDs stop happening.
Of course, even if that stopped robocalls/scam calls with faked caller ID, profitable scams and robocalls would be able to use burner cell phones. So it's not a perfect solution by any means.
Instead of all these fancy technical counter-measures I think this really ought to be a matter of the law. Why not ban cold calls, like in Germany? Is there anyone on this planet who actually enjoys constant advertisement and harassment on their phone?
> According to Sec. 7 (2) UWG; telephone calls to consumers for sales purposes are illegal if the calling company is not in possession of an explicit and effective declaration of consent by the consumer. If the call is made to another business, it is sufficient to prove presumptive consent.
The worst phone spam is already illegal in the US. The problem is, in the current system, it's impossible to figure out who's doing it. That's one of the things STIR/SHAKEN is supposed to fix.
Law enforcement doesn’t seem to work then. On my German phone I received one (!) spam call in 10 years, and that was a human who didn’t know about the law and excused himself when I told him about it.
Sometimes I have the feeling that people in the US just accept a lot of what happens in their nation as unchangeable in a quite fatalistic way. Problems that are literally solved in nearly every other nation are frequently painted as unsolvable. Does this have to do with the role of the state?
Public services (including law enforcement) are starved for resources by conservative (small government) politicians who can then say "see, government doesn't work, why should they get all this money" and proceed to reduce funding further.
This leads to the populace accepting that "government doesn't work" and that "taxes are too high."
This cycle has been going on for about 40 years now.
It appears it may be ending with the rise of "leftist" politicians like Bernie Sanders gaining some traction.
It also leads to terrible things like civil asset forfeiture which literally turns police officers into highway bandits. (But it's ok, they only steal from the bad guys).
Is the situation any better in guaranteed blue states? California seems like a perfect example of government overreach and wasteful spending that enables the exact same abuse that supposedly only greedy capitalists engage in.
The idea you espouse, that California exhibits government overreach and wasteful spending, is exactly what I'm talking about.
California has been extremely budget constrained ever since Prop 13 passed in 1978. They've been fighting against that ever since. Your very words shout this ingrained bias. "wasteful spending" and "government overreach"... I think you mean "provide services" and "regulation."
I lived a great deal of my life in California and now live in Germany. The difference in people's relationship with the government and taxes is palpable.
No, it has to do with powerful minorities who lobby the government to veto majorities against their interests.
For instance, the telecom companies and the call center companies both have powerful lobbies. They are in favor of the end customers bearing the burden of unwanted calls rather than cutting their revenues.
It's really not. Not for the operator / law enforcement anyway. 1. Ask the operator where that call came from. 2. If it's another operator, go back to 1. 3. You've got the end user.
They already have to have accounting/audit for billing purposes anyway.
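The hop-by-hop trace-back described in the comment above, as an added example that is not part of the thread: it walks constructed, in-memory per-operator call records (each operator knows which operator or which billed subscriber handed it the call) from the terminating operator back to the originating account, and stops cleanly when a record is missing or the records point in a circle. Operator names, account ids and call ids are constructed sample data, not real carriers.

```python
"""Hop-by-hop call trace-back over constructed per-operator records.

Each operator keeps, for every call it handled, the hop it received the call
from: either another operator ("operator:<name>") or one of its own billed
subscribers ("subscriber:<account>"). Trace-back asks the terminating operator
and follows the pointers until a subscriber is reached.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HopRecord:
    received_from: str    # "operator:<name>" or "subscriber:<account id>"
    shown_caller_id: str  # the (possibly spoofed) number presented on this hop


# Constructed sample data: operator -> call id -> hop record.
OPERATOR_RECORDS = {
    "TermTel": {
        "call-1": HopRecord("operator:MidTransit", "+15551234567"),
        "call-2": HopRecord("subscriber:acct-777", "+15557654321"),
        "call-3": HopRecord("operator:LoopA", "+15550000000"),
    },
    "MidTransit": {
        "call-1": HopRecord("operator:EdgeVoIP", "+15551234567"),
    },
    "EdgeVoIP": {
        "call-1": HopRecord("subscriber:acct-42", "+15551234567"),
    },
    # Two operators whose records blame each other: a broken audit trail.
    "LoopA": {"call-3": HopRecord("operator:LoopB", "+15550000000")},
    "LoopB": {"call-3": HopRecord("operator:LoopA", "+15550000000")},
}


def trace_back(terminating_operator, call_id, records=OPERATOR_RECORDS, max_hops=16):
    """Return (status, path) for one call.

    status is one of:
      'found'     - path ends with the originating subscriber account
      'no_record' - an operator on the path has no record for this call
      'loop'      - an operator was asked twice (records point in a circle)
      'too_deep'  - more than max_hops operators were queried
    path lists the operators queried, in order, plus the subscriber if found.
    """
    path = []
    seen = set()
    operator = terminating_operator
    for _ in range(max_hops):
        if operator in seen:
            return "loop", path
        seen.add(operator)
        path.append(operator)
        record = records.get(operator, {}).get(call_id)
        if record is None:
            return "no_record", path
        kind, ident = record.received_from.split(":", 1)
        if kind == "subscriber":
            path.append(f"subscriber:{ident}")
            return "found", path
        operator = ident  # another operator: ask it next
    return "too_deep", path


if __name__ == "__main__":
    for cid in ("call-1", "call-2", "call-3", "call-9"):
        print(cid, *trace_back("TermTel", cid))
```

The two failure statuses are the practical point: a trace-back only works if every operator on the path kept the "received from" record, so a single transit operator with no usable records (or records that contradict each other) is where the real-world procedure stalls.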
> The problem is, in the current system, it's impossible to figure out who's doing it.
No, the problem is who is responsible for paying the fines. If the terminating carrier were responsible for paying robocall fines, this problem would be solved overnight.
But for some reason, the American people can't stomach this solution because we have an obsession with perfection in justice. The counter argument is, "The carrier isn't the one who is making the robocalls!" My POV is, that doesn't matter.
Unless carriers are obliged to participate in creating a network that supports compliance, law enforcement will always hit a brick wall when attempting to enforce existing laws. Carriers have been given _years_ to solve this problem, and in 2019 we're pitched STIR/SHAKEN... Seriously?
Make the problem more expensive than complacency and it will get solved.
Carriers know who is originating the call by the bill-to-number. There is reciprocal compensation, rural terminating, and other fees the carriers pay each other to terminate calls. Only customers don't know.
Carriers don't want to fix the issue because they make money on it. More calls increase revenue. They also started selling services to block the robocalls like AT&T Call Protect.
A little trick that will work for "geeks" but won't scale is:
- My personal phone number is in a remote area code, of a sparsely populated state, from where I don't know anybody.
- Any phone calls that come from this area code are blocked (well, actually, they have a silent ring tone.)
This gets rid of about 90% of the spam/robocalls because these days, 90% of them spoof a local area code/exchange.
Of course, if everyone did this, they'd stop doing it. But it works for now and makes my personal cell phone useful. I did have to do some finagling to get my carrier (T-Mobile) to give me a phone with an area-code of a different state.
I don't have a lot of faith that STIR/SHAKEN will help in any real way. They'll just have to rent numbers from people who don't care about the law, and/or register with bogus information so it won't be worth anyone's while to find them.
I've noticed in the past year or two that spammers have begun using area codes from the handful of friends & family I receive the most calls from, and not just my own area code. It stands out because at least a couple of those area codes aren't from major metropolitan areas.
I don't use social media like Facebook or Twitter, but most likely an app on my phone or others' phones sold my contact info. I try to avoid installing third-party apps. Since I began using smart phones, I could count the number on two hands. But it only takes one bad app, and there are plenty out there.
I don't doubt telco call logs are available on the black market, but apps are the simplest and most likely vector.
I'm rather skeptical of going after Google and other big tech companies for anti-trust violations. The web is a big place. But it's much easier to distinguish Google's control of Android and the Android app market, both from a technical and legal perspective. And Google has deliberately made it difficult to limit app data access. I remember the brief period where Android by default provided a prompt of requested permissions and the ability to uncheck them before installing. They removed it because few people made use of it, few apps worked correctly without all their requested permissions, and most importantly Google was no longer worried about privacy concerns hindering Android adoption. But with the current attention being given to data privacy I believe the public is finally prepared to make effective use of such a capability. But now Google has even less incentive to provide such a simple and transparent opt-out prompt, so fat chance they'll bring it back without being legally forced. Triple fat chance they'll make any of those permissions opt-in.
That's a tried-and-true technique for getting into a person's voicemail mailbox, if you don't have a password set. For years, until carriers started forcing people to set passwords, this is how a lot of phone messages were obtained by unscrupulous tabloid reporters, etc.
How did you set the ring tone for this entire prefix? I’ve been looking for some easy way to do this on iOS, I also have a phone number from an area code + prefix where I don’t know anyone and all calls from there are spam.
Several people have asked about the management of certificates for this solution. There is indeed a separate certificate management body created called the Secure Telephone Identity Governance Authority (https://sites.atis.org/insights/secure-telephone-identity-go...).
The Governance Authority will define policies on how certificates are to be issued.
Any old certificate from a web CA won't be accepted by the system.
For what it's worth, mostly private CAs are garbage. Bad at the crypto parts, bad at the identity problem, bad at their own security. Just pretty bad.
It doesn't really matter, because mostly bad guys don't see the CA as the weak point, if anything what is remarkable about the Web PKI is that we did a good enough job elsewhere that actual bad guys sometimes try to attack the Web PKI. Not often, but it happens at all.
It's like finding out you did a good enough job securing your home that an actual burglar picked your front door lock! Yes, the burglar still got in because of course no door lock is effective against somebody who knows what they're doing and has plenty of time to try - but still, apparently you actually did a good enough job that they weren't able to just climb in through a side window or force open a patio door. Go you.
If STIR/SHAKEN turns out to have the CA function as its weak point then everybody involved should clap themselves on the back for an extraordinarily good job.
Most telemarketing and scammer calls originate from UK, Norway and Sweden here. I used to ignore foreign numbers completely, but being on-call nowadays and having customers abroad prevents such easy countermeasures.
Sounds like a nice improvement. It appears to be a web of trust scenario, where you trust anyone else who is verified. Eventually I'm sure some spammer will break through into the circle. I hope that if there is some spammer penetration (so much money here it's inevitable) every phone company should be able to track back where that last phone call came from and block them then.
I kinda wonder about that. Both the "semi legit" and "full on spam" calls I get just aren't credible. It's hard to imagine anyone falling for it. Or, I'll press "1" to hear their BS pitch, and go on hold forever.
It's so cheap to do, that I suspect there's an endless queue of people trying to make money, but failing. But "failing" costs them almost nothing.
So, maybe raising the cost of doing it will kill off the amateurs.
It may be intentionally unbelievable - see the Microsoft Research paper about "Nigerian prince" email scams:
By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
SIP over TLS (which uses SRTP) is great, but as soon as it hits a vendor downstream that doesn't support it, it immediately gets trans-coded into plain-ole-SIP and is just as insecure as any other VoIP call. This is not a solution by any means, because it assumes that the entire call path is TLS-enabled, which, in my experience, is impossible on the public telephony network.
Well I am referring to the use of client certificates for identity.
You might not need to have SRTP in the middle of a big telecom network, like one that handles millions of calls per day, just at the edges where you interconnect with others.
I’ve noticed two main things about the many robocalls/spam calls I’ve received (my carrier actually has spam blocking, and I haven’t received very many since activating it):
1. Most calls I receive from numbers not in my contact list are spam. They also usually just call once, whereas if it’s a legit call that I was expecting, but neglected to pick up, they’ll call again within a few minutes.
2. I’ll get robocalls from one area code at a time. I remember getting calls from 772 one week, 727 the next, 643 a few days later, etc.
Obviously it won’t crush spam entirely, but I can imagine that fixing even just these two things would filter out a boatload of spam from reaching consumers.
Oh, and calls from “Scam Likely” should never reach my phone to begin with.
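The screening heuristics from this comment and from the earlier "remote area code" trick, as one added example that is not part of the thread: a filter run over a constructed call log that (1) silences unknown callers presenting the phone's own area code, which only makes sense when, as in the earlier comment, that area code is one where the owner knows nobody, (2) treats an unknown number that calls back within a few minutes as a probable legitimate caller, and (3) flags area codes that several distinct unknown numbers share in one log as a burst. The area code 406, the contact list, the log entries, the 5-minute window and the burst threshold of 3 are all constructed assumptions.

```python
"""Call-screening heuristics over a constructed call log (NANP numbers)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumptions for the example: the phone's own (remote) area code and its contacts.
OWN_AREA_CODE = "406"
CONTACTS = {"+14065550100", "+12125550199"}

# Constructed log: (timestamp, number as the phone showed it).
CALL_LOG = [
    ("2019-06-01 09:00", "406-555-0100"),     # a contact
    ("2019-06-01 09:12", "(406) 555-0142"),   # own area code, unknown: silenced
    ("2019-06-01 10:05", "1-772-555-0101"),   # three distinct 772 numbers: a burst
    ("2019-06-01 10:07", "772-555-0102"),
    ("2019-06-01 10:09", "772-555-0103"),
    ("2019-06-01 11:30", "+1 303 555 0177"),  # unknown, called once
    ("2019-06-01 14:00", "512-555-0155"),     # unknown, called back 3 minutes later
    ("2019-06-01 14:03", "512-555-0155"),
    ("2019-06-01 15:00", "555-01"),           # not a valid 10-digit number
]


def normalize_nanp(raw):
    """Return the number in +1NXXNXXXXXX form, or None if it is not 10 NANP digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        return None
    return "+1" + digits


def area_code(e164):
    """The NPA (area code) of a +1 number."""
    return e164[2:5]


def classify_calls(log, own_area_code=OWN_AREA_CODE, contacts=CONTACTS,
                   callback_window=timedelta(minutes=5), burst_threshold=3):
    """Label every caller in the log and list area codes that look like a burst.

    Labels: 'contact', 'silenced' (unknown caller in own area code),
    'probable-callback' (same unknown number twice within callback_window),
    'unknown-once', 'malformed' (keyed by the raw string).
    """
    times_by_number = {}
    labels = {}
    for ts, raw in log:
        number = normalize_nanp(raw)
        if number is None:
            labels[raw] = "malformed"
            continue
        times_by_number.setdefault(number, []).append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M"))

    unknown_numbers_by_npa = Counter()  # distinct unknown numbers per area code
    for number, times in times_by_number.items():
        if number in contacts:
            labels[number] = "contact"
            continue
        unknown_numbers_by_npa[area_code(number)] += 1
        times.sort()
        if area_code(number) == own_area_code:
            labels[number] = "silenced"
        elif any(b - a <= callback_window for a, b in zip(times, times[1:])):
            labels[number] = "probable-callback"
        else:
            labels[number] = "unknown-once"

    bursts = sorted(npa for npa, n in unknown_numbers_by_npa.items()
                    if n >= burst_threshold)
    return {"labels": labels, "burst_area_codes": bursts}


if __name__ == "__main__":
    result = classify_calls(CALL_LOG)
    for caller, label in result["labels"].items():
        print(f"{caller:16} {label}")
    print("burst area codes:", result["burst_area_codes"])
```

The burst detector is deliberately a log-level signal rather than a per-call block: on its own it cannot tell a week of 772 robocalls from a week of legitimate calls out of one city, so a practical filter would combine it with the per-number labels (or the carrier's "Scam Likely" tag) before silencing anything.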
I do the following: I never give my real phone number to anybody other than people I directly know. Everybody else gets my Google Voice number, which is set up to directly go into voicemail without ever ringing. As far as I can tell, I receive 2-3 robocalls a day, so GV just blackholes them for me. Every now and then someone leaves a voicemail, and I read that, but it's very rare that a robocall leaves a voicemail because Google call screener requires them to enter a number to do so.
Hopefully this CA process will have a better threat model - that is, one in which they're prepared for state-level malicious actors such as DarkMatter.
Since I saw the URL https://certificates.clearip.com in the link, I went to that URL, and it offers a ClearIP root certificate, ClearIP being a product from the company that wrote this blog.
I wouldn't be entirely surprised if the carriers themselves were acting as the root CA for their given calls. There's no reason to tie it to the CAs on the Internet.