Fast, affordable Internet access for all.
Stop the Spoof, Resist the Robocall - Community Broadband Bits Podcast 322
Caller ID spoofing, robocalls, and general spam phone calls are one of the hassles of 21st century life. This week on Community Broadband Bits, Christopher and Richard Shockey of Shockey Consulting talk about how the problem has progressed and what leaders in telecommunications are doing about it.
As we transition from our old telephone system to one that involves session initiation protocol, commonly known as SIP, we create a new frontier for those who are finding ways to misuse the technology. Richard, with decades of experience in Data Communications, Voice over IP Technology, Numbering and Signaling, sits as Chairman of the SIP Forum. The SIP Forum brings together people in the industry to advise, advance, and consult on matters related to IP communications and services that are based on SIP. One of their challenges involves finding ways to improve the problems associated with caller ID spoofing, robocalls, and spam calls that are associated with SIP.
In this conversation, Richard gives us a history lesson. He shares his technical expertise to help explain how market conditions, lack of investment, and the transition to the new technology have created a perfect environment for increased caller ID spoofing, robocalls, and the like. Richard describes the work of the SIP Forum and some of the challenges they’ve faced, which aren’t all technical. They have concrete plans to improve the situation, but rollout isn’t easy or quick. Policy, transparency, and rules are all issues that experts must address as they determine how we move forward.
Learn more about the work of the SIP Forum at their website and sign up for one of their mailing lists to learn more about specific tech issues.
We want your feedback and suggestions for the show-please e-mail us or leave a comment below.
Listen to other episodes here or view all episodes in our index. See other podcasts from the Institute for Local Self-Reliance here.
Thanks to Arne Huseby for the music. The song is Warm Duck Shuffle and is licensed under a Creative Commons Attribution (3.0) license.
Richard Shockey: So you're making a cryptographic assertion that my telephone number is from who I am and that the network itself can double-check that and then provide you with some indicator of some form that in fact, there is a high probability that this call is from the person they're doing an ascertation for.
Lisa Gonzalez: This is episode 322 of the Community Broadband Bits podcast from the Institute for Local Self-Reliance. I'm Lisa Gonzalez. By now, most of us are woefully familiar with spam phone calls, robocalls, and calls that spoof caller IDs. At the very least, they're annoying, disruptive, and make us feel like we've been tricked into answering a call we wouldn't otherwise give the time of day. In this week's podcast, Christopher speaks with a man who's working with others to try to curb these deceptive practices. Richard Shockey of Shockey Consulting has been in the telecommunications and technology business for decades, advising telecom and technology companies and investors, as well as national agencies. He fills many roles, but in recent years he's been on the SIP Forum, an IP communications industry association that engages in numerous activities that promote and advance SIP-based technology. Richard discusses how market conditions, lack of investment, and the transition to new technology has created the right situation in which robocalls and caller ID spoofing is much easier. He also describes a plan of attack to use technology to reverse the trend. He gets into the problems in implementing the approach, such as how to present the technology to end users and how to deal with errors, especially in reporting. Richard also goes on to describe how tackling the rules of adopting the new technology are a significant hurdle that needs to be resolved as we venture through the transition to voice over IP services. Now, here's Christopher with Richard Shockey of Shockey Consulting.
Christopher Mitchell: Welcome to another episode of the Community Broadband Bits podcast. I'm Chris Mitchell with the Institute for Local Self-Reliance up in Minneapolis, Minnesota. Today I'm speaking with Richard Shockey, chairman of the SIP forum and a private telecommunications consultant. Welcome to the show, Richard.
Richard Shockey: Thank you very much, Chris. Pleasure to be here.
Christopher Mitchell: You and I have been interacting for years over email and on these various, um, discussion forums. And I've always thought you had a, you know, very sharp eye and a great wit, which I appreciate, but tell us a little bit of who you are and what you do.
Richard Shockey: Well, I've been involved in the telecommunications industry for most of my professional life. For the last 20 years or so, I've been doing any number of things, regarding telephony: the traditional time-division multiplexing, the classic POTS, and more specifically, voice over IP, which is really what SIP is all about. SIP stands for the Session Initiation Protocol, and it is the protocol of choice for really almost all of the modern real-time voice communications in the United States and frankly, globally as well. I've been involved with that for now over 20 years — first with the Internet Engineering Task Force, engineering the basic idea, and then now as chairman of the SIP Forum, basically advancing the state of the art further and of course dealing with the complications that have arisen because of the use of voice over IP, which is in part of the problem of robocalls and spoofing. You know, as I've said to you and people understand, the issue with robocalls and spoofing from time to time is no good deed goes unpunished.
Christopher Mitchell: Right.
Richard Shockey: And part of the problem is we wanted highly competitive markets in telecommunications, and you know, nowadays we don't think about picking up the phone and calling long distance, internationally, or locally, or anything else like that because we're all basically on one form of flat rate plan or not. And that was possible because of the dramatic reduction in transport costs that Internet protocols gave all of us. But that also opened up a window between the classic telephony protocols and the new IP protocols, and I don't think any of us were ultimately prepared for what was going to happen. And so that boundary between classic telephony, you know, the black phone that some of us still have, and the IP-based technology has created an attack vector that we're slowly but deliberately trying to close.
Christopher Mitchell: And that's something we're going to be talking about in greater depth, is some of these issues of the robocalls, spoofing, and how to get around to fixing it. One of the things that I wanted to just make sure we nail down though is what SIP is. And if I have it right, SIP is sort of that bit of magic that enabled — for me, the first application I was aware of it was Google Voice — the idea of calling a number and you could just keep changing where that number rang and make it a lot easier for one number to reach you wherever you are.
Richard Shockey: Exactly. And the beauty of SIP versus its competitors 20 years ago was [that] it's very simple. You know, years and years ago people would ask me, "Well, why SIP?" and I'd go, "Well, it's ASCII, stupid," — namely that if you actually look at the protocol from an engineering perspective, it's really a text file, like http, where you could literally read in the ASCII file what the session is supposed to be about, namely what audio codecs or video codecs that you want and all of these other kinds of things. So the signaling went from a highly complicated encrypted file across dedicated circuits to essentially just ASCII text going back and forth between endpoints that would establish a session. The classic SIP protocol looks like a trapezoid: one endpoint sends a signal to the other endpoint, they negotiate between themselves, and then the session is fundamentally established. And again, with modern IP protocol, you could do voice, you could do video, you could obviously do text as well, but voice is what's obviously the most prevalent application use for it. So right now, and this is actually the most interesting statistic, about I would say 65 to 70 percent of every single voice call in the United States is utilizing SIP at some particular point in time. So this would be almost all of the mobile operators are using it. A hundred percent of every cable operator uses SIP. And the advanced IP-based landline operators, which would include AT&T with it's U-Verse, Verizon Fios, and CenturyLink-like products, including the advanced rural carriers. I mean, Chattanooga, your membership — they're all basically using SIP at this particular point. It's about 65 to 70 percent of all voice calls utilize SIP in some way, shape or form. There is of course quite a bit of time-division multiplex still out there, but given the fact that carriers are slowly but deliberately replacing that equipment, we're pretty much getting there. So voice over IP is more dominant than I think people realize.
Christopher Mitchell: And then, Richard, one other point of clarification is, what is Shockey's Law? [It's] something that I see referenced from time to time.
Richard Shockey: Shockey's Law is actually pretty simple, which is, in most questions that we have in industry or business or even philosophy, money is the answer — what is the question?
Christopher Mitchell: I think about that frequently. Often people will sort of say, "Well, why exactly is this company doing that?" And inside my head, my first answer will often, you know, sort of come back to that.
Richard Shockey: Well, sure, and especially in communications technology, I mean, why do certain things happen the way they do? And typically it's like, "Oh, well they're going to make more money this way."
Christopher Mitchell: Or at least they perceive that they will.
Richard Shockey: They perceive that they will, and you know, that's an ancillary or a corollary to [the] original Shockey's Law, to a certain extent. So that's something that I, as a consultant and an industry observer, keep in the back of my mind literally all the time, which is, there's a reason things happen the way that they do and it's typically involving money.
Christopher Mitchell: So as we move into this, talking about the robocalls, the spoofing, the challenges that we're facing today, you know, it's worth remembering: I'm very critical of those who would claim we have a lot of competition in the broadband space. And I was criticizing the '96 Telecom Act recently, and Blair Levin looked at me and said, "Well, actually the '96 Telecom Act was really about creating competition for voice and that has been quite successful." Uh, I would have to agree with him on that. And one of the things that we've seen though is that despite the fact that we have a lot of benefits and voice is effectively a free app, more or less, for most of us, you know, there's a lot of problems that are happening that are causing us to use voice less often, such as the spam calls, the robocalls, just those sorts of annoyances that make us less likely to pick up the phone. I think it's something that's really damaged the value of the network.
Richard Shockey: Exactly. And the '96 act, as you correctly pointed out, actually created disincentives for the carriers to invest in the service itself. They wouldn't because the profit margins essentially were eliminated to a certain extent. But then the government itself has certain other issues involving the voice communications service, that it believes they're our primary, and people forget that the voice service is government's primary link to public safety: 9-1-1. And basically the whole public safety establishment to a certain extent is reliant on the voice communications service to actually operate. Even though we're slowly seeing the deployment of 9-1-1 text, you know, if you have a heart attack or you know, you need police or fire or one way or the other, you're going to call 9-1-1, and that depends upon voice.
Christopher Mitchell: For most of us, especially, our ability to convey information is much greater over a voice link than on a tiny keyboard that keeps mangling what we're trying to say.
Richard Shockey: Exactly. And you know, as I've often pointed out to people, especially nowadays, is never put anything into text that you would not want a federal prosecutor to read, which certainly, around here in Washington, DC, which is where I live, is now becoming more popular because again, people, don't look at text files and stuff like that. So there were a clash of market conditions and a lack of investment in the basic idea of real time voice communication, and this transition from classic circuits, which is time-division multiplex, to all IP technologies created essentially a perfect storm. And the perfect storm has created the robocall, caller ID spoofing problem, because now the attack factors are so easy to deal with. And it's like spam was, you know, a decade ago, but the problem was you could deal with spam in the email world because you could ultimately apply what are known as basic filters to the text itself to reduce the problem of a bad email. However, you cannot do that with voice. And we've had to come up with a entirely new way of thinking about this stuff. And so myself — and a lot of engineers, by the way — what happened was we were summoned to a little room here in downtown DC by Henning Schultzrinne, who's the former Chief Technology Officer of the FCC. He's also the father of SIP and a fully tenured professor of electrical engineering and computer science at Columbia University. And he basically said, "Look guys, we got to fix this." Uh, and it's like, okay...
Christopher Mitchell: What was the timeframe on that?
Richard Shockey: Four years ago.
Christopher Mitchell: Okay. So you were summoned to this after these problems had been evident for some time.
Richard Shockey: Yeah, and at that particular point, the commission during the last administration basically said, "Okay, enough is enough." And this began the process by which the engineering community would basically look at the totality of the problem and then attempt to develop a national solution or an international solution to the problem. So we basically looked at, okay, what are we trying to do here? And obviously, we realized that there's no silver bullet, that you're not going to eliminate robocalls or caller ID spoofing from the system — it's just too complicated. But you could suppress the problem to a degree that would recreate confidence in the entire system. There's always going to be bad actors. We all knew that. And you would need some databases that would, say for instance, alert the calling parties about whether or not this has been a reassigned number. You'd need to really look at the North American Numbering Plan, which numbers have been actually assigned versus ones that have not been allocated. You could do a lot of things as well, but one of the things that we began to center on was this idea of call authentication. The concept is that the caller ID, the number, is authenticated by the network itself. And it really came from the IP world, which is there's been problems in Internet land about spoofing IP numbers in the BGP, the border gateway protocol.
Christopher Mitchell: Right, how you'd go from one network to another network. Generally, you sort of rely on people to honestly advertise what networks they're in controll of.
Richard Shockey: Exactly, and so the genesis of what is now known as STIR/SHAKEN really came from these concepts that had been developed in the Internet to secure the border gateway protocol so that when you announced that you were authoritative for a range of IP addresses, that could be authenticated by the numbering authority, which in the United States is ARIN and it's RIPE in Europe and and all the various other authorities...
Christopher Mitchell: [chuckles] Sorry, all kinds of inappropriate jokes come to mind.
Richard Shockey: Yeah, I know. But what it is, is in the hierarchy of IP numbering, it's very similar to that of telephone numbering. You have this authority, which is ultimately IANA, and then goes down through ARIN and RIPE and APNIC and the rest of the five international registries, and then flows through to service providers and ultimately enterprises and individuals so that you could actually route it back and over the Internet. So there is a definitive trail of authority for IP addresses, and what we wanted to do was duplicate that in the telephone numbering world. At least in the United States and in Canada, we had that — we had a true authority in asserting the ownership of a telephone number, and in the United States that apex of authority is in fact the FCC, and it's the CRTC in Canada, et Cetera.
Christopher Mitchell: So I mean, ultimately, the issue is, is that somebody or some computer somewhere is initiating a call and cleaning it is who it is not right. And what you're trying to do is to make sure that when they do that, if they're calling me then my phone, before the call even gets to me perhaps, would say, "Wait a minute. This isn't what it seems."
Richard Shockey: Right, exactly. From a tactical perspective, what you're doing is called resource PKI, resource public key infrastructure. So you're making a cryptographic assertion that my telephone number is from who I am and that the network itself, in this case AT&T or verizon or whomever, can doublecheck that and then ultimately provide you with some visual indicator, or indicator of some form, that in fact there is a high probability that this call is from the person they're doing an ascertation for. So part of the problem that we've had and why this has taken so long is that first of all, you have to put this public key infrastructure in place. And PKI is everywhere in the economy. I mean, it's in your smart meters. You're probably sitting on five PKI certificates literally in your wallet because it's the way the new modern credit cards operate. So the technology was relatively understood, but one of the problems that we're struggling with, even now, is what do we display to the consumer or to the business or whomever about what we think this process is accomplishing. Is it — do we put a big green checkmark, you know, in front of the call when you look at your smart phone? Do we have, like, a yellow caution triangle if we think that you should exercise caution and then maybe a big red stop sign? Or do we look at something like traffic lights? It's these kinds of things. You are rethinking the voice communications service almost fundamentally at that particular point. And the other aspect is, can we actually enhance the call identification service, you know, which is tactically referred to as CNAM, which would be the verbose ASCII name that occasionally shows up on your phone or you know, in some way, shape, or form. I mean, could we add a picture or logo a theme song or something else like that. There actually is a business case for doing it. For instance, American Express or Visa, Mastercard, the banks, one or the other — they really want you to pick up the phone when they suspect that there may be fraud on your account. So they would actually like to display a logo that says this really is from Bank of America and it is authenticated from being from Bank of America. Also UPS, the Postal Service, and FedEx would like to be able to send you authenticated messages that say yes, the package is literally at your doorstep now, and you know, maybe you ought deal with it because of the ongoing problem with porch pirates. The other thing is that hospitals and medical establishment are also very, very interested in figuring out ways to get you to actually answer the phone because the call acceptance rates now are plummeting, and that really bothers a lot of people in the contact center marketplace because they can't get through to consumers because nobody trusts the voice service anymore.
Christopher Mitchell: So I want to move up the stack for a second and talk a little bit more about the people who are making decisions. But before I get there, I want to just do one final piece on that, which is, I think some people might be thinking, well, right now already, if I have an android phone, maybe — I know that my Google Pixel did this, my Nexus did it — you know, it might say spam call and that's based on what others have reported, right? I mean, it's not using this technology that you're talking about. And it's often wrong, it seems to me, because I'll get calls from legitimate spam that are labeled spam, but there'll also be calls from the public television station trying to get me to renew my membership.
Richard Shockey: It's true, and we're sorting through all of the problems, literally as we speak. We have a whole group of new companies that are basically doing data analytics on the phone service, and they're making value judgments about whether or not a call is true or not. And you're beginning to see the problem: false positives. And we certainly saw that in spam in the email world. It is going to take time to sort some of this stuff out, but one of the things that the regulators, the commission, has made it perfectly clear to people is there's got to be a way to report error in the system. I've certainly had this running my own domain, which is you get on a spam list and how do I get off? Because you really don't know that the system is not transparent about error reporting. So one of the things that the FCC and others are emphasizing to those of us in the tactical community is if we start putting these call blocking technologies in place, then there's gotta be some way of reporting error because inevitably there will be an error.
Christopher Mitchell: One of the things that I've had the impression of is that — as I said, I wanted to talk a little bit more about sort of humans and less about the technology as we wrap up — but is that the impression, you've said, we know how to solve this technologically. You're having a challenge in getting people to make it a priority or to implement it or what's happening there? Am I understanding that correctly?
Richard Shockey: Yes, you are. And first of all, you know, carriers are carriers, and this is a technological change. And I have warned the government and the FCC to have realistic expectations. The thing is this is still the voice communications service of the United States, and it takes time to deploy a technology across the board. And I basically — even though we now know pretty much what needs to be done, it's going to take two years to deploy. And that's because the carriers have to provide the supplier community with requirements, and then Nokia or Lucid or or whomever then actually have to build product. Erickson, all of them. That takes them at least a year one way or the other. And once the products are actually built, then they have to go through, you know, a variety of network testing in some way, shape, or form before they can actually be deployed. Then we've got the other complication of trying to get basically Google and Apple to try and support the various pieces of the technology inside the mobile handsets. And then of course there's the enterprise call centers and PBX systems. This stuff takes time. I cannot wave a magic wand and make this thing happen. We've been at this for four years, and we're only now beginning to put the infrastructure in place to make this thing work. And that's probably going to take most of 2019 and 2020 — you know, 2020 — to get everything done. The Canadians are just about where we are. They have actually mandated the deployment of STIR/SHAKEN and all of this technology. The British, who have a real problem, it's going to take much, much longer for them to deal with. So we're there; we know what to do. And even now, however, you can download applications for your smartphone from both AT&T and Verizon and T-Mobile and Sprint, and you'll get some pretty dramatic results pretty darn quickly, but it gets better as we sort of move down the road.
Christopher Mitchell: Do you have any that you recommend?
Richard Shockey: Talk to your, you know, service provider. If you're looking AT&T, they have a downloadable app. I know the folks; there's HIYA that's involved in providing that. Typically the service providers for mobile devices have a recommended app that they're using, and it's best to check with them. I certainly use the one that AT&T recommends — and it's free. They do have some enhanced versions and stuff like that as well. It's pretty good. What we want to do is deal with the traditional landline phones and especially figure out a way to deal with how to alert very vulnerable communities to calls, and by that I mean, you know, elderly, aging people who have been victimized in the past. The problem is dealing with that not just on the smartphone — so that's one thing — but you know the traditional black telephone as well. That's going to be a little bit more complicated. The cable operators, by the way, they've already demonstrated how to display STIR/SHAKEN on the TV set as the inbound call comes in.
Christopher Mitchell: Oh, okay.
Richard Shockey: Yeah, so they're there. I mean, Comcast has developed a pretty slick app for them, and Charter is going to deploy it [and] so is Rogers and Shaw in Canada as well. So there is an enormous amount of creative thinking among the engineering community about how to deal with this. I mean, everybody's pissed and we want a solution, and so we will start to see this stuff deploy on all kinds of devices, you know, in the next 24 months. And I will say one time: the FCC, Chairman Pai, and all the staff down there have been incredibly supportive. I've met with the chairman probably four or five times on this subject alone, and the chairman has made it perfectly clear that this is his number one consumer priority and they'll get it done. And of course Chairman Wheeler in the previous administration, you know, he had the robocall task force, which was very, very supportive. We've been on the case now for quite some time.
Christopher Mitchell: Well, I'm glad to hear that. I'm glad to hear both that there's hope, that we'll see these solutions rolling out in the very near future, but also that this is something that is being taken seriously by both the Democratic and the Republican recent chairs/current chairs of the FCC.
Richard Shockey: In the last administration and this [one], they could not have been more supportive. By the way, there's another — I'm aware of another task force has been put together by the state attorney generals that are asking highly pointed questions about what's being done and what the deployment timelines are. Everybody gets this. I mean, if it wasn't an election cycle, I think there would probably be more hearings on Capitol Hill about it [with the] Senate and House Commerce Committees, also the Senate Committee on Aging, for instance, because again the enormous worry about vulnerable populations and stuff like that. It's slowly but deliberately coming, and again, the thing for community networks as well is part of this is as you move to the broadband platform, you could actually pull all of this stuff in place. It's going to be increasingly difficult for classic time-division multiplexing vendors, you know, with traditional copper infrastructure to deploy any solution at all. I get asked that question constantly: "Well, what about the legacy networks? What about the copper networks?" I'm going, well, I can't do anything.
Christopher Mitchell: Right.
Richard Shockey: You just can't. It's not possible. That's going to put, I think, smaller communities without advanced infrastructure at a substantial disadvantage.
Christopher Mitchell: Right, and I would assume — I mean, it's really often the companies like Frontier, Windstream, you know — they have a lot of customers for whom they have not upgraded to the Internet protocol, IP, technologies. And so in terms of a single entity that's probably gonna be the ones that are harder hit.
Richard Shockey: Exactly. You mentioned the two classics. I mean, when you look at Windstream, Frontier, Consolidated, even Hawaii Telecom for instance, they are substantially — you know, Cincinnati Bell for instance — they are substantially disadvantaged because they've been forced by financial considerations from basically replacing the copper with fiber. And logically, there's very little they can do. It's like, well, what about Aunt Phoebe or grandma? And it's just like, I'm sorry. I cannot deal with it.
Christopher Mitchell: Well, and it's a reminder there's this thing happening called the IP transition at the FCC, which many of us are deeply concerned about because we see it as an opportunity for I would say AT&T — among others, but I think of them as the number one villain in this narrow case — where they seem to be using this as an opportunity to figure out how to reduce their accountability. But this is a very real problem in that we have to get the rules right to make sure that there are incentives to move to the IP infrastructure for the benefits that you've been describing.
Richard Shockey: It's true and that is an endless docket. We all know if I get carrier compensation, it's forever. And unfortunately, there are perverse financial incentives here for the service providers. It is not entirely clear that the way the system has been designed that there is a clear return on invested capital for converting to fiber, in some cases. It took, by the way, over 10 years for Verizon to make Fios a profitable product because the cost of homes passed was huge and the initial equipment that they used was extremely expensive, one way or the other. But you know, certainly where I live in northern Virginia, they've moved down the path pretty quickly. They are rapidly dismantling their copper networks here in Virginia using the 214 orders, and they're boosting their penetration rates above 50 percent quite a bit. But you are right about AT&T. It's just, how do they do it? Is it going to take a new form of investment tax credit to [incentivize] some of these folks? And you know, even in CenturyLink territory, you've now got a sort of strange split in the way they're thinking. On the one hand, you've got the Classic centuryLink territories, which are still copper timedivision multiplexing, but the focus of CenturyLink's intention is really the advanced network that was part of the Level 3 acquisition. So that's changing as well.
Christopher Mitchell: I hope that one of the things that this discussion has led to, is people having a better sense that one, voice is still an essential application and that two, it's going to be working better in the near future for those of us that are on more advanced networks — which is most of us, as you've said — and then three, is that we need to get the rules right to make sure everyone is able to get onto those. But Richard, I really appreciate you taking the time to come on and to share your experiences and how we're doing this and how it's going to happen with us.
Richard Shockey: You're very welcome, Chris.
Lisa Gonzalez: That was Christopher and Richard Shockey from Shockey Consulting and the SIP Forum. They were talking about plans to curb robocalls and caller ID spoof calls. You can learn more about the SIP forum and their work at sipforum.org. We have transcripts for this and other podcasts available at muninetworks.org/broadbandbits. Email us email@example.com with your ideas for the show. Follow Chris on Twitter; his handle is @communitynets. Follow muninetworks.org stories on Twitter; the handle is @muninetworks. You can subscribe to this podcast and the podcast from ILSR, Building Local Power and the Local Energy Rules podcast. Access them wherever you get your podcasts. Don't miss out on our original research. Subscribe to our monthly newsletter at ilsr.org, and while you're there, take a moment to donate. Thanks to Arne Huseby for the song "Warm Duck Shuffle," licensed through Creative Commons, and thanks for listening to episode 322 of the Community Broadband Bits podcast.