CallerID Spoofing to be Made Illegal

MadJo writes "US Congress has just approved a bill that will make it illegal to spoof CallerID. From the bill: 'The amount of the forfeiture penalty (...) shall not exceed $10,000 for each violation, or 3 times that amount for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,000,000 for any single act or failure to act.'"

Interesting

[Travoltus]

That's a law that should be more proactive than reactive.

How about an additional law that makes telephone companies responsible for allowing caller ID spoofing to happen?

Or is that too difficult to prevent?

Re:Interesting

[pete-classic]

Allowing subscriber lines to set caller ID data is a feature, not a bug.

-Peter

Re:Interesting

[smartr]

If slashdot's comments and moderation can be abused, how is that a bug? Some features are inherently prone to different forms of abuse, and there is no magical way to completely solve the problem without removing the feature. I do not have faith in the idea that features can always have a perfect solution. If there was not a mistake in how something should function, it is not a bug. One could make improvements to make abuses harder, but this would be an improvement on the system - not a bug fix.

Re:Interesting

[Grendel70]

Feature: (n) - A bug with seniority.

Simple question

[TubeSteak]

When the police/people see the incoming phone records, will it show the spoofed number or the real number?

Re:Simple question

[Dun+Malg]

When the police/people see the incoming phone records, will it show the spoofed number or the real number? Police and the phone company use the ANI system (Automatic Number Identification). This is the system that tracks your billing. You do not have any say in what this system records as far as Name, Number, etc. Caller ID is a separate and unrelated system. Caller ID information is usually set by the originating switch--- essentially the point where the call turns from analog to digital. If you get all your lines piped into your office via a T1, then you are in control of the device that sets the Caller ID name and number and can set it whatever you like.

A campaign

[ringokamens]

There's a campaign going on at Binary Freedom right now that some of you may be interested in.
http://binaryfreedom.info/node/163
Basically, there are several arguments against this law

1. It doesn't do anything
Criminals will still make calls and spoof, so it won't stop fraud. Police can already track down spoofers with the same amount of non-spoofers who are using their phones for illegal purposes.

2. It costs money
We're gonna have to spend money to catch spoofers.

3. Jurisdiction
If the phone companies want to stop spoofing, they should design a secure system instead of relying on the congressional police

4. Privacy
It strips privacy that is gained by spoofing.

5. Legitimate use
It has legitimate uses such as for telecommuters who want the name when they make business calls to be the company's. Or how about a business that has several people using one phone line? They might want the sales associate's name to appear, which would be done through spoofing.

Fact of the matter is, this gains us nothing. If I can write a fake name on a letter and mail it, why can't I do the same with my phone?

Re:A campaign

I work for Congress, but not on this issue. But I can correct some misinformation.

1. You're right. We shouldn't make murder illegal either.

2. See number 1. The question is whether the money spent on this law is worth the societal good of making it easier to prosecute scammers.

3. The phone companies don't have an incentive to stop scamming. Congress does (they're occasionally responsible to voters.)

4. It doesn't stop you from not allowing the number to show up at all. It just stops you from faking it.

5. It was specifically written to exempt these uses, since Congressional offices, for example, have the public number show up when people call out from them, rather than individual extensions.

Re:A campaign

[Khaed]

I'm not so much worried about criminals, but I don't think this bill addresses what I want it to:

I'm sick of companies calling and their damn name not showing up, for whatever reason. "Tollfree number" (well no shit, other than collect, when do I get charged for receiving calls?) or "Unknown Caller"

Some of them are bill collectors. Who want someone that isn't here, and don't seem to want to believe that no, that person isn't here, and isn't going to be, so stop calling me. But either way, if they can't identify themselves, they shouldn't be calling my damn number. Which is why I disagree with #4 on your list.

If you're calling my house, I have every right to know who you are. Can you seriously come up with a legitimate situation where you should be able to call me and me not be able to see who you are before I answer the phone?

I barely answer unless I recognize the number anyway, because of a massive amount of wrong numbers. And some of the numbers these idiots are trying to dial aren't even close.

I agree with #3, however, in regards to #2, the cost of it will just be passed on to you one way or another. #5 I can see, but I've never had a business call me and use a sales associate's name.

#1 is a silly argument. Making rape illegal hasn't stopped it, either. You can make the case that no law is ever going to stop any crime. However, it makes it so that if you do it and get caught, you can be punished.

Re:A campaign

[gujo-odori]

WRT point 5, what the bill outlaws is "to transmit misleading or inaccurate caller ID information." If a company has its PBX configured so that it sends a salesperson's name rather than the company's name when she makes a call, I think a lawyer would have no problem deflecting an attempt to prosecute. After all, the name displayed *was* the name of the person making the call, so none of the information was false or misleading.

For the person who wondered if having his caller ID say "Harry Potter" could get him in trouble, it sounds like it could, although in practical terms I think someone would have to actually complain about that for him to get in trouble. I think how this law will be used in practice is for "piling on" charges when arresting scammers on other charges. The more you can charge them with, the more expensive it is for them to defend it and the more jail time and fines you can get on them.

Still, as others have suggested, I believe congress is approaching this from the wrong angle. It is certainly possible for the Telcos to solve this problem by preventing spoofing in the first place, but they don't because they have no incentive to do so. They also have some disincentive to do so: there are people who want to spoof, for good reasons or bad, and these people are telco customers. If the major telcos all blocked spoofing, they'd take their business to someone who didn't. However, congress can give telcos incentive to block spoofing by requiring them to do so and levying hefty fines if they don't.

They'll whine, sure. Companies that don't want to do something always whine. Look at the auto industry. Going back to the first legislation requiring emission controls, and later, CAFE imposing mileage standards, there was much lobbying, whining, wringing of hands, wailing, gnashing of teeth, and protestations that it was too difficult, to expensive, or both. Yet, lo and behold, they've done a pretty fine job of meeting these requirements. In doing so, they illustrated very well the difference between "can't' and "don't want to." The telcos would be no different. They'd gripe about it, but they'd get it done.

Re:A campaign

[Achromatic1978]

"Can I have your mailing address?"

Certified mail:

In reference to your repeated attempts to find Person X on phone number X, consider yourself formally informed that this person has no connection with this number, and further, that this number is a cellular service for which an uninvolved third party is billed for each call from your business. Accordingly, you are instructed to cease and desist calling this number in relation to this matter, or I reserve the right to take action on the grounds that these calls are civil harassment, and to seek redress through appropriate channels for costs and damages incurred in dealing with this matter."

Congress isn't allowed to do this...

[SonicSpike]

According to the Constitution in Article 1, Section 8, Congress isn't allowed to regulate communications. Therefore this is unconstitutional.

That's kinda funny...

[sokoban]

Well, around here the police department spoofs their caller ID info. Any time you get a call from anyone at the police station downtown, it only shows four zeros as the caller ID. It is different from when it says ID unavailable.

Okay, what about calling cards?

[xerxesVII]

My parents insist on using a calling card. When they call me, what comes up in my caller ID is the city where whatever bank they got sorted through is located. For instance, my caller ID will show some 1-800 number and say "MONTGOMERY, AL" or some such city. Would this fall under spoofing?

Fines in America - just can't figure it out

[Bombula]

I don't get why in America we can't figure out that fines only work when the penalty is commensurate with the infraction. If you want fines to work, you have to do what they do in Scandinavian countries - charge a percentage of your income. What is a $500 parking ticket for a billionaire? But $500 will ruin your life if you work for minimum wage. It's not fair, it's not just, and it doesn't work.

Fines for corporations should certainly have a minimum value, but they should have NO upper ceiling. When companies like Microsoft or Phillip Morris or ExxonMobil are fined $200 million dollars - as most of them have been - they don't even blink. It's completely useless. The law in America in this regard is completely idiotic in this regard.

Re:Fines in America - just can't figure it out

[profplump]

So fines against people don't have a minimum but fines against companies do? What if your $1M minimum fine puts 10 people out of work because the company goes under? Either using a sliding scale or don't; let's not make up silly rules based on angst against "evil corporations".

Re:Does this mean...

[Harmonious+Botch]

Does this mean I won't be able to call my ex girlfriend up at 3am with a phone number she doesn't recognize, and proceed to breathe heavily into the phone? We gotcha covered. Post her number and the friendly folks here at slashdot will do it for you.

All For It

[Bios_Hakr]

Good, now I'll stop getting cold calls from "caller unknown". If my phone displays "caller unknown", I just made $10k.

Actually, nothing happened

[gruntled]

So I'm actually reading the legislative action on this bill (through Thomas, provided by the link), and it doesn't appear as though there's been any kind of a vote on this. Am I, you know, missing something? Or does somebody not understand that a bill actually has to be voted on by each full chamber (both the House and the Senate) in an identical format, before it can be said that "Congress" has approved anything?

Upside-down.

[node+3]

Leave it to Slashdot to predictably label fraud as a "feature" and laws designed to prevent it "nannystate".

Re:Upside-down.

[aztektum]

That's the damn thing. Last I checked we already had laws against fraud. So why make a law specifically towards something like this? I can understand the disabilities act, but really, go after spoofers for fraud and if the penalty isn't high enough ADJUST the penalty for fraud across the board. We're making every damn little thing a frickin' crime in this country anymore.

Re:Upside-down.

[SpaceLifeForm]

The reason they make a law like this is to
limit the liability. It's a fixed amount.

That is the number one reason laws have no teeth,
they have fixed monetary penalties, that are
really no penalty to big business. They are
just a cost of doing business to the business.

Re:Upside-down.

[node+3]

Last I checked we already had laws against fraud. So why make a law specifically towards something like this? Because one size does not fit all.

Should impersonating a police officer, identity theft, false advertising and passing fake checks all have the same punishment? These are all, at the base, fraud. Could they even reasonably fit under one singular law?

We're making every damn little thing a frickin' crime in this country anymore. Here's the thing, the general term "fraud" is not illegal. Only specific forms of fraud. For example, claiming you can bench 200 lbs when you can barely press half that is not illegal. So, instead of just making "fraud" illegal, laws target specific types, and they *define* those specific types. Caller ID spoofing probably doesn't fall into any existing category of fraud, so this form of fraud can be presently engaged in with impunity.

So what choices are there? Basically, they are to expand an existing law to cover Caller ID spoofing, create a new law, or ignore it altogether. Ergo this story.

Re:Upside-down.

[node+3]

Yup, and its not fraud. Lying and fraud are NOT synonymous. Yes, they are. You can't stop at the first definition in your dictionary. Fraud does not require financial gain as a component (even if it's usually the case, and is part of the first definition in your dictionary).

Ummm... yes? Impersonating a cop gives you power over others you don't deserve. That's a very different crime than stealing someone's identity, or committing bank fraud, which are financial, and those two have very different effects on two very different targets. If you think these should all be equally punished, you are a sociopath.

You claim that the secondary crime should be the differentiator. I say merely *impersonating* a cop should be illegal, not just as some generic "fraud", but because it's an attempt to gain general power one doesn't have the right to, even if no other crime is committed. Merely stealing an identity, even if you don't commit any other crime, should be illegal, and have a different punishment, and writing a bad check should be illegal as well, etc.

In any case, any law which makes a tool illegal rather than bad actions performed with the tool is a bad law. Then you have no problem whatsoever with your neighbor (not necessarily your existing neighbor, but any neighbor you may ever have, by choice or not) owning a nuclear bomb? Sarin gas? Or someone keeping dynamite in an apartment building?

The fact is, some tools *should* be illegal or severely restricted. Your sentiment goes too far, it goes from cases where it's true (in general, outlawing a tool *is* foolish), and applies it too broadly (to say outlawing a tool is *always* bad).

That's because caller id spoofing ISN'T fraud it is a harmless deception. If you use that deception to illicit an unfair gain then you have committed fraud and would have committed a criminal act without this law. Are you certain of that? Laws are specific things (they have to be), and if Caller ID spoofing does not fall under a current law, then it *won't* necessarily be illegal, even if it is fraud (the money kind you seem to think is the only kind).

For example, calls pretending to be from the DNC, which are really from the RNC (this happened during the 2004 election, although I do not know if Caller ID spoofing was involved) had nothing to do, directly (i.e., legally) with money, and instead had to do with political influence.

Is that harmless?

Re:How will they enforce this?

There are several services out there that will do this real-time before you even answer the call. Like PDXUSA, they compare the ANI with the ID of the carrier originating the call, and the CID to see if they are consistent, then the CID display on your phone will indicate the CID, the ANI, and indicate if the CID is legit or not.

The whole thing is absurd

[StealthyRoid]

It's a stupid bill for four reasons:

1. It's a solution without a problem. The actual impact of caller ID spoofing is almost nil, while it's a valuable learning tool for many people just getting started with phones. The only argument I can see for it is that it makes reporting violators of the Do Not Call list. However a.) that's not a big enough benefit to justify any but the smallest trade off and b.) the Do Not Call list is stupid, and its impact should be achieved via implementation of blacklists by phone carriers. The government shouldn't be acting unless there's a serious matter at hand, nor should it engage in yet another unConstitutional regulation.
2. It's too open-ended.

   `(4) REPORT- Not later than 6 months after the enactment of this subsection, the Commission shall report to Congress whether additional legislation is necessary to prohibit the provision of inaccurate caller identification information in technologies that are successor or replacement technologies to telecommunications service or IP-enabled voice service.
   ...
   `(A) CALLER IDENTIFICATION INFORMATION- The term `caller identification information' means information provided by a caller identification service regarding the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or IP-enabled voice service.

   Why not apply this to IP-spoofed or proxy'd Ventrilio/TeamSpeak/etc... conversation? This only increases the Constitutional argument against this amendment, because even if you buy the absurd assertion that the commerce clause gives the USFG power over anything that even remotely involves interstate commerce, where's the commerce in a private Teamspeak server? It also increases the chances of abuse by law enforcement, like the kids above.
3. The bill doesn't just restrict malicious spoofing, like making a threatening phone call look like it's coming from inside the house, it restricts simply playful spoofing, like ordering a pizza for I.P. Freely and making it look like comes from the local police precinct. Nor does it make a distinction between spoofed info that represents someone else's information accurately, and displaying non-existent information like '555-555-1212'. There's no reason the government should be spending my tax dollars on something as asinine as this. Osama bin Laden isn't calling up the White House and asking for Prince Albert in a Can while spoofing his CID to say "SUCK IT DRY".
4. The fines are absurdly out of proportion with any _potential harm_ presented by caller ID spoofers. What incentive does the USFG or the states (which the bill empowers to act on these matters) have to NOT go after 14 year old kids for $10k a pop? None. But nobody will think that at first, until the first few kids get busted, and are we really OK with _anyone_ being jacked by something this stupid?

Nice

[rantingkitten]

I sort of hope it passes, for selfish reasons. I direct the support department at a VoIP provider and I cannot tell you how tired I am of people's endless, nonstop whining about their caller ID, and how they want it changed, and why can't I make it look like they're calling from somewhere else... on and on and on. This will give me a convenient excuse to tell them to shut up.

On a slightly more serious note, though, it's amusing to note why the bill is being introduced. Senator Stevens was blithering about how it's important because people rely on caller ID for "critical information". I cannot imagine what could possibly be considered "critical" about caller ID information, particularly considering what a half-assed hack the entire system is anyway and the lack of any real standards. Please note that caller ID is entirely different from ANI (automated number identification).

Caller ID is a fine example of a semi-convenient feature that people took and ran away with. The general population now sees Caller ID as the Oracle at Delphi, infallable and impossible to live without, and go absolutely apeshit if it's wrong (which is quite often, believe it or not). I guess people just don't understand the technology, but to "rely" on caller ID information is ludicrous.

I remember about fifteen years ago, maybe a bit more, when Caller ID was virtually unheard of, and the Bells were just starting to roll it out to homes. My parents got the little box from Radio Shack, signed up with the service, and my friends and I would rush over to the ID box with childish glee every time the phone rang, cause hey! How cool is this, man!

But in the end that's all we thought about it. It was a cool little novelty. That people take it so seriously now baffles me.

We used to deal with the phone ringing and not knowing who it was in advance with the following method: a) answer the phone, b) don't answer the phone, or c) let them leave a message and get back to them if we feel like it.

Somehow, though, what I don't remember is that the pre-Caller ID era was some kind of a Dark Ages where nobody got anything done.

But you'll never convince the public of this.

Re:Does this mean...

[prockcore]

Nah, the real number is 202-456-1414 her name is Laura.

Re:Does this mean...

[cerberusss]

Don't call this number, everyone! It's not his ex-girlfriend, it's his mother!

Re:DEATH TO "UNKNOWN CALLER"

[Lumpy]

I block it just fine on verizon.

I have all phone lines and voip lines going into a asterisk server. if you dont have a real caller Id string and are not on my blacklist your call goes through.

It's quite easy to block UNKNOWN CALLER. and cheap too. a asterisc pots card is $29.00 on ebay and an asterisk server is pretty much free. (P-III 500 is more than enough horsepower) all you need is a voip phone handset or adapter to go to regular phone ($19.00 ebay sipura spa-2000)

Way better than any answering machine you can buy, I can block anything I want, I can force unknown callers to a special mailbox that states " I do not answer unknown calls" or better yet a 30 minute "hello? hello? I cant hear you. wait a second. can you hear me now? hello? can you speak louder? I can kind of hear you now, what was that?"

wasting a telemarketers time is a wonderful thing. when they get that you are honey potting them to waste their time they add your number to the do not call list on their own.