CLI Authentication: Central database boringness abounds (again!)

Simon Woodhead

Simon Woodhead

23rd June 2023

By Simon Woodhead

TL;DR CLI authentication has some risks, some seriously acute risks for our customers, so don’t let the naive and self-interested of the industry distract you from addressing those first with talk of some utopian (and ill defined) central database. 

Have you ever played buzz-word bingo? It’s a great way to inject some fun into corporate retreats or long seminars. The basic premise is that each delegate has a bingo card with a random assortment of certain phrases or words on it, and marks it off when a speaker utters those terms. 

If we were to play in telecommunications today, or for that matter in the last 20 years, every bingo card would feature “central database.” A central database, or variant terms, would be the veritable Pidgey (for the Pokemon Go players out there) of such a game. Pops up all the time, and no-one is entirely sure what it’s for or does. 

Ofcom are consulting upon CLI authentication currently, deciding whether to start exploring what the US and Canadians have already tried to do with STIR/SHAKEN and whatever the French are about to do (other than wear hi-viz and tip over their cars). This has caused the term “central database” to be bandied about like the Little Red Book in a sixth-form common room. 

Frankly, it’s as exhausting as it is distracting. 

Any credible operator can tell you if they can port any given number, because they have done their PNIs and PDIs and exchange files with their counterparties regularly, including on numbers hosted by those counterparties which are not issued in their own name (BT IPEX aside!). Granted, a central database could make some of the detective work around where a number sits easier, but if the answer isn’t with someone you have a porting agreement with (which, because said number isn’t able to be on a PNI/PDI) then it’s somewhat moot. 

Knowing which network is serving a number is only one of the many problems with the UK’s porting process. Abuses of validation, taking 2 years to get a porting agreement, some operators being perpetually so behind they don’t even validate a port request before the requested export date, split blocks, and the entire gamut of issues experienced by Vicky and her team here, and their opposite numbers in our customers, are not solved by a central database. Some symptoms may be relieved. A little. But it is not a magic cure in and of itself. 

Direct routing of ported traffic can be done today, bilaterally. There is nothing stopping TalkTalk and Sky saying “hey, all these numbers you’ve ported from BT, I’ll route them to you directly, if you do the same.” In fact, this has been successfully trialled between two major operators in the past. A central database may facilitate that, but it is not a prerequisite and there is no regulation or anything stopping it today. We’ve had an API for years which allows (validated) operators to pull live numbers on our network for the purposes of direct routing.

It’s not as if any of this is difficult. I could knock up a “central database” in an evening on a Raspberry PI. Most of the information for the two use cases I mention exists, be it the Ofcom number allocations table, BT’s Calypso database (for 999), Magenta systems etc. To deliver much of the “panacea,” we are not even reinventing the wheel. 

Could it be that there is no business case for one? If there truly was, in our highly competitive market, then surely one would have sprung up from the many failed industry and regulator led initiatives in the past. Why do we need a 2000 page pronouncement from Ofcom, which, by definition, will require there to be a positive cost benefit analysis for such a venture?

But, there’s a passing bandwagon and of course “central database” is the cry from the naive. That passing bandwagon has a lot more baggage on it that needs grappling with before we discuss central databases or anything else. Fixing porting may well require a central database in the mix, but you don’t fix porting with just a central database. Variants of CLI authentication do not need a central database either, especially if quick and reliable call traceback is the goal. That simply needs a reliable way to inject a signature into call signalling. 

Variants of CLI authentication require attestation, and  we know from our carrier operations in the USA, where we are a CLEC in 21 states, that attestation drives consolidation and oligopolisation. In the UK’s diverse telecommunications ecosystem, one has to be very careful about an environment that incentivises businesses to sign with one of the small handful of large operators, just to get their calls connected. 

There’s also a risk of overblocking – a kebab shop owner’s livelihood on the line because an algorithm is deciding whether or not the drunk regular can place an order. Worse, a parent could be stuck on the side of the road, with an undriveable Tesla due to bodged warranty work and a refusal by Tesla to assist, and unable to alert their child’s school to them not being able to collect them. [Sorry, personal true story there which may side-track me repeatedly in future. Don’t ever buy one!]

These are real world problems and serious issues to be grappled with, that can present an existential threat to our industry, but, don’t worry, apparently a central database will solve it all. 

Carts are ahead of horses, tails are wagging dogs, sausages are being thrown on a BBQ before the charcoals are grey. It’s all the wrong way around; a solution looking for a problem. 

Ofcom have (rightly) adduced significant evidence of harm due to fraud and spoofing. The correct approach is to ascertain the minimum intervention to produce the best result (some might call that a cost benefit analysis). The policy outcome then determines the technology. A form of central authority, registry, database, [insert other word here] may be the answer, but let’s understand what is needed first. Enforcement of the rules and easy call origination tracing is an effective option, with evidence saying it is from other countries, and it does not require any form of database.

Our response to the Consultation will be published by Ofcom in due course; we may link to it here in a few weeks, but it wouldn’t be fair for us to socialise it to the industry until the addressee has read it. Suffice to say, we have said what we allude to above, in more detail, and have not pulled too many punches. But we have also called out one important point…

How many elderly people have been defrauded because Ofcom didn’t enforce the existing rules about invalid CLI, and instead allowed operators to surcharge calls in the sleazy money grab we have been critical of, rather than blocking them as they were obligated to do, and we did years ago? 

Before the industry spends millions on the white elephant adopted across the pond, we respectfully suggest that question needs answering first. A teacher can’t write some rules on the whiteboard and expect the class to behave while they nip out for a smoke – nor should Ofcom expect the General Conditions to be magically adhered to by those with a significant incentive to break them. The surcharges for invalid CLI are up to 728x Ofcom’s price cap on landline calls and 455x their price cap on mobile calls before adding in profiteering by every scrote in the middle.

And that is where the sixth-form common room analogy was apt. Marx and Mao may read like a utopian dream, but the reality is far more dangerous and nuanced.

Related posts