On STIR/SHAKEN, Ofcom nailed it. On spoofing….?

Peter Farmer

11th March 2024

By now, you’ll be aware of a Statement issued by our regulator, the Office of Communications (Ofcom), that kicked any form of STIR/SHAKEN or CLI Authentication in the UK into the long grass. By Jonny Wilkinson. With a tailwind.

Firstly, we hate spoofed calls. We call those that defraud vulnerable old ladies ‘scrotes’ on this blog (and worse in the office), and we know our industry needs to do more to tackle these issues. For our part, we already offer all our customers a Do-Not-Originate list filtering service; we implemented Ofcom’s KYC on sub-allocations earlier than we needed to; we do the right thing with surcharges, i.e. we block scammy calls per the regulations instead of monetising them like our peers; and we are working on further initiatives to refine the defence against the scrotes.

As one of the few domestic carriers in both the UK and US markets, we have some unique insight into the CLI Authentication debate. 

Our main concern, and our reason for taking a stance against the ‘Murican flavour of CLI Authentication, is that the A/B/C attestation model of STIR/SHAKEN drastically favours the large incumbents that sell direct, to the detriment of innovators like our customers.

If you’re Starbucks, or Boeing, you’ll want your calls signed ‘A’, the Gold Standard, the pinnacle, which means the signing network at the PSTN interface knows you, has verified your right to use the number, and has added its John Hancock to the signalling to say so. If you’re reselling, the best you can hope for is a ‘B’ (the signer knows its customer but has not verified the number), and if the chain is longer it’ll be a ‘C’ (the signer is merely the gateway the call arrived through). We already see the competitive distortions this causes, and the major networks haven’t yet gotten around to blocking signatures they don’t like. Would AT&T et al blocking ‘C’s to ‘protect consumers from unknown call origins’ further cement their oligopolistic dominance at the expense of a vibrant and innovative channel of niche operators? You’d hope not, and that the FCC would be all over this protecting competition, but the general feeling is that the US rules are made deliberately complex to deter new entrants, so you’ll (especially AT&T’s legal team) forgive us when we question the underlying motives.

Of course, it doesn’t help your suspicious thinking when Microsoft And Chums club together to lobby Ofcom into adopting STIR/SHAKEN and push it as a global standard, cheerleaded by a gaggle of self-interested vendors. While there are obviously economic benefits in vendor costs where there are global standards, one does not normally see a coalition of goliaths worried about the unit price of firmware in an SBC line card.

Could it possibly be that the 800lb gorillas in the technical space have spotted that an ABC attestation regime favours them, and have deployed their immense lobbying apparatus? 

Our thoughts on the risk to competition have been made clear to Ofcom in past discussions around CLI Authentication, and we were heartened to see this position also advanced by UK trade associations like CCUK, even against a backdrop of some schools of thought which think central databases are a panacea to fix any and all problems. 

Ofcom have dodged the competition issues in their short statement; they only needed to look at cost, roaming and internationally originated calls to conclude the cost/benefit was not there and knock off early (as a recent viral parody video might suggest), but we are grateful for the conclusion.

But that doesn’t prevent our grandmas from being targeted by scrotes. The problem of spoofing remains; only now we’re free to tackle it in a more refined way that does not undermine one of the underlying tenets of competition in our industry. There is more work to be done on abuses of our networks, over and above the recent (welcome and important, but nonetheless minor) tinkering with guidance on CLI blocking at the international gateway.

Unfortunately, Newton’s third law is as correct in telephony as it is in physics: every action has a reaction. If you take a draconian approach to spoofing, you start to interfere with all those important use cases, like a shared service centre for a conglomerate of NHS Trusts confirming appointments. If you block all calls arriving at the international gateway with a UK number, you prevent international operators from offering the cheapest rate in your LCR, or stop your roaming gap-year teenager checking in from Laos. And the British public is not known for understanding nuance; our support team will be shouted at whether they lean on the rock or the hard place (and indeed they were when we were one of the first to introduce full GC C6.6 compliance).

There are two approaches needed in our view. Firstly, in order to run a community television station for the crofters on the Mull of Nowhere, Outer Hebrides, one needs to have, in advance, a broadcast licence, and that licence has a ‘fit and proper person’ test embedded in it. However, if you want to run a Public Electronic Communications Network, you do not even need to bother letting the regulator know you exist until your turnover exceeds £5m. Any scrote with FreeSWITCH on a virtual machine can call itself a carrier and inject whatever it likes into signalling. This cannot be correct, and now the UK is free from the shackles of the European Union’s legal framework, which actively promotes such light-touch regulation, we have a chance to change things and put some measures in place to filter bad actors up front (without materially affecting competition).

Secondly, STIR is the baby in the bathwater. A STIR-like signature identifying who set the P-Asserted-Identity (PAID) and From in a given call is not a bad idea; it dramatically shortens call tracing and would go a long way to driving spoofing malfeasance offshore. Securely identifying the network that set a signalling field is a low-cost way, without risk to competition, to keep UK providers honest. Until the Ofcom statement on CLI Authentication, this is where I believed the UK would end up by around 2027.
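To make concrete what the A/B/C attestation paragraph above and the “STIR-like signature” idea here actually mean on the wire, the following is an added example written for this page, not code from the original post, from Ofcom or from any vendor. It builds and verifies a SHAKEN PASSporT (RFC 8225 with the RFC 8588 extension) in Go using only the standard library: the originating network signs the header and claims with ES256, the terminating side checks the signature, the attestation level and the freshness window, and a swapped CLI downstream of the signer is shown failing verification. The telephone numbers are from Ofcom’s drama ranges, the certificate URL (`x5u`) and `origid` are made up, and a real verifier would fetch the certificate at `x5u` and validate its chain rather than holding the public key in memory; all of those are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Header of a SHAKEN PASSporT (RFC 8225 with the RFC 8588 "shaken" extension). Fields are
// alphabetical because encoding/json emits them in declaration order and RFC 8225 wants
// lexicographically ordered members.
type Header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"` // URL of the signer's certificate: this is what names the signing network
}
type TNList struct{ TN []string `json:"tn"` }
type TNOne struct{ TN string `json:"tn"` }

// Payload: attestation ("A" full, "B" partial, "C" gateway), numbers, issue time, origination id.
type Payload struct {
	Attest string `json:"attest"`
	Dest   TNList `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   TNOne  `json:"orig"`
	Origid string `json:"origid"`
}
var b64 = base64.RawURLEncoding

// Sign is the originating provider's step: ES256 (ECDSA P-256 with SHA-256) over
// base64url(header).base64url(payload); JWS carries the raw 64-byte R||S, not DER.
func Sign(priv *ecdsa.PrivateKey, x5u string, p Payload) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	body, _ := json.Marshal(p)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the terminating side: check the header, verify the signature over the exact
// bytes received, reject tokens outside a 60 s window (RFC 8224's suggested bound), and
// return the claims plus the header, whose x5u says which network signed.
func Verify(pub *ecdsa.PublicKey, token string, now int64) (p Payload, h Header, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return p, h, errors.New("malformed PASSporT")
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "ES256" || h.Ppt != "shaken" || h.Typ != "passport" {
		return p, h, errors.New("bad or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return p, h, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return p, h, errors.New("signature invalid: token altered or signed by a different key")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &p) != nil || p.Iat > now+60 || p.Iat < now-60 {
		return p, h, errors.New("payload undecodable or outside the freshness window")
	}
	return p, h, nil
}

// SwapOrig rewrites orig.tn in a signed token but keeps the old signature: the CLI swap
// downstream of the signer that Verify exists to catch.
func SwapOrig(token, newTN string) string {
	parts := strings.Split(token, ".")
	body, _ := b64.DecodeString(parts[1])
	var p Payload
	_ = json.Unmarshal(body, &p)
	p.Orig.TN = newTN
	body, _ = json.Marshal(p)
	return parts[0] + "." + b64.EncodeToString(body) + "." + parts[2]
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample call: Ofcom drama-range numbers, made-up x5u and origid, fixed iat.
	call := Payload{Attest: "B", Dest: TNList{TN: []string{"442079460000"}}, Iat: 1710000000, Orig: TNOne{TN: "441134960000"}, Origid: "8f3a-constructed"}
	tok, _ := Sign(priv, "https://cert.example.test/sp.pem", call)
	p, h, err := Verify(&priv.PublicKey, tok, 1710000005)
	fmt.Println("verified:", err == nil, "attest:", p.Attest, "signer:", h.X5u)
	_, _, err = Verify(&priv.PublicKey, SwapOrig(tok, "441134960001"), 1710000005)
	fmt.Println("after swapping the CLI:", err)
}
```

In SIP the compact token travels in the Identity header (RFC 8224) alongside `info=<x5u>;alg=ES256;ppt=shaken`, so the `x5u` is the traceability hook this paragraph is after: whoever signed is named, whatever attestation level they gave. What a terminating network then does with an ‘A’ versus a ‘C’ is policy, not protocol, which is exactly where the competition concern above lives.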

Unfortunately, that leads us to the other half of the problem: enforcement. Ofcom has taken no public enforcement action against spoofers in its history. As at June 2021 it had admitted to having taken no informal action either. No amount of STIR/SHAKEN/RATTLE or ROLL will address the issue if there are no consequences for scrotitude.

It’s no good having the school rules pinned to the Ofcom website while the Headmaster wanders off, leaving the kids in the playground to govern themselves. And that’s where we have seen some success in reducing bad behaviour in the US market: the FCC has been getting increasingly heavy-handed in areas outside simple CLI authentication.

P.S. A lot of credit has gone to Ofcom for the global cancellation of STIR/SHAKEN, including some quite spectacular headlines, but we should note that the Irish regulator, ComReg, had teed this position up quite ably a few months prior to Ofcom.