Calling nuisance calls fraud is both dangerous and sneaky.
TL;DR – if you want to address nuisance calls (and by extension scrotitude via telephone calls), you can do so today with the Simwood Potato and its Wilkinator (more on that below); you just have to be willing. Oh, and Ofcom were perhaps short-sighted by limiting KYC to number suballocations to businesses, instead of extending to all number allocations and interconnections.
A few years ago, if you were talking about fraud in the context of telecoms, you’d be talking about PBX hacking, short-stopping, international revenue share and the like. Add a few more years, and you’d be talking crocodile clips in street cabinets to use your neighbour’s line for long-distance calls.
Those were fun days. I gave lectures at law enforcement conferences. I have one of the last letters signed by Boris Johnson as Foreign Secretary before he became Prime Minister pledging assistance due to the outgoing payments from compromised handsets going to places like Palestine and Sudan and almost certainly not for the hacker to buy medical supplies for the vulnerable.
At some point in recent times, the word “fraud” has shifted meaning in the same context to encompass the use of our networks as a vehicle to commit scrotitude, rather than monetising our networks directly in a criminal manner.
This is dangerous on two key counts.
Firstly, it allows legacy networks to suggest they have had some form of control or provenance over nuisance calls through previous “initiatives” to tackle PBX fraud. Even if they did (and for many, that is doubtful), there is not a significant read-across between the two criminal enterprises.
I will concede there are some commonalities with the analysis of calling patterns and the moral hazard of a communications provider profiting from scrotitude, but that’s where the similarities begin and end. Your best network in defending against a PBX hack is not necessarily the best line of defence for your grandma getting told she has a virus on her computer by “Microsoft”. Indeed, those that have had “fraud guarantees” in the past appear prominently in some of the lists Simon has recently blogged about.
For Simwood, those defences against PBX hacking, etc. (what I would say to be true fraud in the context of our industry) are just a hygiene factor. They have been there for years. Often, the only relevance of those controls is reviewing technical debt and keeping them up to date (unlike some, we continually invest in our network and systems). It’s like the cutlery in a restaurant; part of the basic background you don’t appreciate unless it’s not there.
Nuisance calls, a phrase I do not like, are an entirely different kettle of fish. Why don’t I like it? Well, a call from my ex-wife is a nuisance, but it is not illegal. The tax man calling me to check something on my last filing is a nuisance, but is actually essential (here in Canada, CRA agents exercise initiative and deal with stuff by a quick 2 minute call – HMRC, take note, no-one wants to receive crummy letters on that paper stock you use).
Illegal calls are the problem – calls which are a vector for fraudsters to pretend to be Barclays and con your granny out of her savings. Marketing calls made without the appropriate consent also fall into this category, as do (by a stretch of the term “illegal” in the context of breaking regulation) calls with malformed CLI headers, etc.
Secondly, I think calling the calls “fraud” also undermines one of the most sacrosanct principles of our industry, and one we share with Royal Mail and Maersk et al. equally – that of the mere conduit.
Debate about the status of retained EU law aside, as that is simply a modern codification of a centuries-old principle – mere conduit is the carriage of something in good faith from A to B without liability accruing to the courier for the contents of the package. Package can be anything in this context – a shipping container, an envelope, a parcel, the media payload of a telephone call – the crux remains the same.
Mere conduit is not carte blanche. If you’re a postie and you foster retired drug sniffer dogs and one goes nuts in the back of your van while fixated on a specific parcel, the defence starts to fall away. If you’re collecting a shipping container from Pablo Escobar, eyebrows might be raised (except, seemingly, if you’re TD Bank or HSBC – that’s a different story), but the principle of carriage in good faith is universal.
By using the term “fraud”, we are putting the industry on the back foot in defending its conduct. I do not recall anyone blaming TNT Post for their role in various fraud vectors (I can’t say Royal Mail as an example because of the shocking Horizon scandal), so what’s with the self-flagellation of our sector?
This is a remarkable industry that is genuinely the underpinning infrastructure of the global village. Billions of people a day can connect seamlessly and ubiquitously to conduct business, catch up with family, woo their loved ones, organise adventures and more. In the same way, TD Bank and HSBC facilitate (when not annoying governments and regulators) exactly those same exercises that are valuable to society by moving cash from A to B.
Where we have problems is where we are allowing bad actors into this ecosystem. Ofcom introduced guidance about knowing the identity of those to whom you suballocate numbers and their use cases. This was slightly shortsighted as it applied only to business-to-business transactions. Of course, no criminal in history has ever, on his or her own account, purchased a PAYG SIM as a consumer to engage in scrotitude (note: sarcasm), but it was a valuable start.
It is equally shortsighted that the KYC/Use Case process does not look at the underlying reason for making calls beyond that when the PECS allocates the telephone number. As ever, without providing a Haynes Manual to bypass our controls, I can say that Simwood’s controls do look at CPS, ASR, ACD and other metrics to determine whether we onboard a prospective customer, or continue with some we have when we review their account, regardless of whether we are allocating numbers.
Further, recent upgrades to our network look at things like call recipient behaviour to incoming calls to determine the risk around a given traffic stream. All that, and much more.
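As an added illustration of the CPS, ASR and ACD metrics mentioned above (not Simwood's code, data or thresholds), the following Python computes them per traffic stream from call detail records and flags streams that look like short-duration, low-answer, high-volume dialling. The record layout, stream names and threshold values are all assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample CDRs: (stream, start_epoch_s, answered, duration_s).
# stream-a: 200 attempts packed into 10 seconds, 1 in 10 answered for 6 s.
# stream-b: 20 attempts spaced 30 s apart, 4 in 5 answered for 180 s.
CDRS = (
    [("stream-a", 1000 + i // 20, i % 10 == 0, 6 if i % 10 == 0 else 0)
     for i in range(200)]
    + [("stream-b", 1000 + i * 30, i % 5 != 0, 180 if i % 5 != 0 else 0)
       for i in range(20)]
)

# Illustrative thresholds, assumed for this example only.
MAX_PEAK_CPS = 10     # call attempts starting in any one second
MIN_ASR = 0.30        # answer-seizure ratio: answered / attempts
MIN_ACD_S = 30.0      # average call duration of answered calls, seconds

def stream_metrics(cdrs):
    """Return {stream: {attempts, peak_cps, asr, acd}} for the given CDRs."""
    by_stream = defaultdict(list)
    for stream, start, answered, duration in cdrs:
        by_stream[stream].append((start, answered, duration))
    out = {}
    for stream, calls in by_stream.items():
        durations = [d for _, answered, d in calls if answered]
        per_second = Counter(start for start, _, _ in calls)
        out[stream] = {
            "attempts": len(calls),
            "peak_cps": max(per_second.values()),
            "asr": len(durations) / len(calls),
            "acd": sum(durations) / len(durations) if durations else 0.0,
        }
    return out

def screen(cdrs):
    """Return {stream: [reasons]}; an empty list means nothing was flagged."""
    result = {}
    for stream, m in stream_metrics(cdrs).items():
        reasons = []
        if m["peak_cps"] > MAX_PEAK_CPS:
            reasons.append("high CPS")
        if m["asr"] < MIN_ASR:
            reasons.append("low ASR")
        if m["acd"] < MIN_ACD_S:
            reasons.append("low ACD")
        result[stream] = reasons
    return result
```

No single metric is decisive on its own; the value is in reviewing them together per stream, at onboarding and again at account review.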
As I have previously said, this is a matter of willingness to want to defend our industry, and society, against bad actors. Central databases, traceback, etc, which will require regulatory intervention (already signalled not to be forthcoming) are years away. Any network can consume the Simwood Potato and the Wilkinator (those who know, know) within, to screen their traffic the same way we do, today.
TD Bank and HSBC both found out the hard way about lax controls (or specifically, their shareholders did). We do not want an industry whereby telecommunications providers become liable for the payload of the media they carry, as some call for.
While it would take Parliament some time to unravel the mere conduit defence and the legal precedent underscoring it, standing in front of the tide of consumer sentiment expecting a white elephant of a central database to do anything is worse than King Canute’s legendary stunt.
Let’s not give them reason to; steps can be taken today by those willing to, and preserving one of the fundamental tenets of our industry is critical.
P.S. For those that don’t know, the Wilkinator is an homage to Perry Wilks of BT; some of the inspiration for recent work by Simwood came from a desire to automate some of the checks we understand he and his team do manually.