US House Passes Ban On Caller ID Spoofing
smarek writes "The 'Truth in Caller ID Act' passed the US House of Representatives on Wednesday. The legislation is trying to outlaw Caller ID spoofing. In some cases, this spoofing has led to individuals giving out information that has led to identity theft. Last year the NYPD discovered over 6,000 victims of Caller ID spoofing, who together lost a total of $15 million. A companion bill has already been passed by the Senate, and the two are on their way to 'informal conference to reconcile any differences.' The bill that results will most likely pass."
PCWorld's coverage notes that callers will still be able to block their information entirely, and that the bill may have negative consequences for legitimate phone-related services, such as Google Voice.
People who steal identities will carry on spoofing caller ID, because they already commit more serious crimes, while users of legitimate services will be inconvenienced. Still, at least the politicians are seen to do something about the problem.
# cat
Damn, my RAM is full of llamas.
And if Congress legislates that in all email messages, the "From:" headers cannot be forged, THAT will stop SPAM. I'm certain of it. Just like this will stop caller ID spoofing.
Clearly, this is the correct solution and will whip those wrascally criminals into shape. There isn't anything this congress can't do!
Last year the NYPD discovered over 6,000 victims of caller ID spoofing, who together lost a total of $15 million.
Isn't this already called fraud?
People who steal identities will carry on spoofing caller ID, because they already commit more serious crimes, while users of legitimate services will be inconvenienced.
What, you mean criminals won't follow the law? Say it isn't so!
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Interstate commerce, don't ya know? It's the one sized catch all that works for everything from SPAM to the guy growing pot in the basement for his own personal consumption.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
People who steal identities will carry on spoofing caller ID, because they already commit more serious crimes, while users of legitimate services will be inconvenienced. Still, at least the politicians are seen to do something about the problem.
If they really wanted to do something about this, they'd discontinue the entire CallerID system and allow regular folks to use ANI as a standard feature. That's the same system used by both toll-free numbers and emergency services like 911. Unlike CallerID, it's out-of-band and cannot be spoofed by the caller alone. It uses the billing data, the same data that the phone company uses to know whom to charge for the call. By comparison CallerID is a joke.
Of course a lot of the ID theft issues would be greatly reduced if people would use a little sense. That would include never giving confidential information to someone who calls you. If you think that's your bank calling about your account, tell them you are going to hang up and call them back at the number they publish in the phone book or your hardcopy account statements. This simple 20-second step would eliminate a great deal of these problems, no politicians required.
It is a miracle that curiosity survives formal education. - Einstein
Gosh, Captain Liberty, I certainly can't think of any way in which regulating fraud committed over the phone might be related to interstate commerce...
(Now, there might well be an argument to be made if the caller-ID spoofer could demonstrate that the spoofed call was strictly intrastate; but I'm guessing that vanishingly few of them are.)
If they really wanted to do something about this, they'd discontinue the entire CallerID system and allow regular folks to use ANI [wikipedia.org] as a standard feature. That's the same system used by both toll-free numbers and emergency services like 911. Unlike CallerID, it's out-of-band and cannot be spoofed by the caller alone. It uses the billing data, the same data that the phone company uses to know whom to charge for the call. By comparison CallerID is a joke.
I've often wondered this myself. I found out the other day that Verizon Wireless has the ability to block numbers from being able to call you or text you. Family member of mine has been getting harassing phone calls. Of course the block is utterly useless because a simple caller-id block (*67 in the US) will defeat it. The phone company provides the service but can't use the ANI information?
They do the same thing with their "mobile to mobile" calling features. If you block your caller id and call someone who is "in network" they will get charged minutes as though it was an out of network call. ANI is not blocked when caller-id is but they are too stupid to use it for their own billing purposes? WTF?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
It really isn't debatable if the intent is to defraud or deceive. If I call you from my phone through google voice, and the caller ID displays my name and my google voice number which, if called, connects to me on whatever phone I can be reached at, where is the deception? Who's being defrauded? What should the number say, Google, Inc.?
Similarly if I'm at work making a business call on a work phone, how can anyone argue displaying the company name and main phone number be deceptive?
This sentence no verb.
You're not preventing the problem, you're adding to the list of offenses you can charge people with while you investigate the actual crime.
I think if you're going to have caller ID you should be able to trust it. At the same time, it would be better to educate people that people can sneak into other people's houses or businesses and legitimately be calling from the phone, but not actually being the trusted person. Or picking up someone's cell phone that doesn't have password-protection. It's not foolproof.
If you want to be safe, you have to do things like ask if you can call the person back at a different time, and ask for a number. If it doesn't match what's on Caller ID then ask why it doesn't match. We should spend more time educating people and less time passing laws, but Congress is not an educational organization - it writes laws. "The politicians" are not doing anything about the problem, only one of three branches is, and all three need to be involved.
Meantime, Congress gave additional powers to law enforcement so they can hold someone longer for questioning. Is that good or bad? Depends. What legitimate need would you have for spoofing? Completely shutting off the ID is still an option, but what use would you have for pretending to be another phone number?
IANAL but I have a lot of experience with telephony and telephony policy. So take this with as many grains of salt as you want.
The key phrase in the House bill is "with the intent to defraud or deceive". There is similar language in Senate bill. There's a lot of reasons to legitimately set your caller ID to something. With ISDN PRI service it's up to the calling party equipment to set the Caller ID. So for something like Google Voice, if they're bridging SIP to the PSTN, you absolutely don't want your caller ID showing up as the trunk identifier or billing number for their equipment. My reading of these bills doesn't outlaw it.
The bills in question are H.R. 1258 and S. 30. I made a comparison document that highlights the differences in each bill the other day. It's located here:
http://dfs.org/comparison.pdf
Using ANI (Billing Number) for all calls would probably be a bad idea. Say you're calling someone you have a business relationship with from your phone at work (technology type doesn't matter here). If billing number was the only thing available, every single call from your company would show up with the same number. Probably your main line that goes to a receptionist. In some situations this is what people want (telemarketers for instance) but in what many view as more legitimate business it would be annoying.
I'd hate it if every time various vendors that I have multiple account managers called my cell phone it just said "AT&T employee" etc. I like knowing who I'm going to be talking to.
Also, this completely ignores some of the other valid reasons for setting a caller ID value that most people outside of the telecom industry probably aren't aware of or care much about. Let's just say it's very useful for testing purposes and it's a great way to send a small amount of data to the entity you're calling if you're not using something like UUI.
They do the same thing with their "mobile to mobile" calling features. If you block your caller id and call someone who is "in network" they will get charged minutes as though it was an out of network call. ANI is not blocked when caller-id is but they are too stupid to use it for their own billing purposes? WTF?
That doesn't sound like stupidity to me... That sounds like profitable evil, in the same vein as the "placing the button that causes your phone to load some crappy WAP page at $.10/KB right next to the button you actually want, and making it impossible to remap/disable". I'm sure that, if people who are out of network were using caller-ID spoofing to appear as "in-network", they'd start using ANI. As long as the net effect of not using ANI means more minutes billed, not fewer, though, why would they change?
After you've told him he does not have your legal permission to contact you, it IS illegal in most states -- it's called "harassment". See this page
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Agreed, CID is crap. Just make the ANI available to the called party, just like it is to law enforcement. And no, I don't think there is any compelling societal interest in allowing anonymous phone calls -- that's what pay phones are for.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Caller ID is *not* in-band any more than connection routing is.
I have a T1 ISDN link in the U.S. There are 7 dynamic voice trunks on that T1 link. We have a pool of multiple phone numbers.
When the call is being set up, my switch (asterisk) sends out a message indicating the calling number. The contents of this message are taken by our telco's switch at face value, as long as the number is 10 digits long.
This number is recorded in the detailed billing statement we get (for international / overage long distance), but it is not actually used for billing by our telco! Any call going out through our T1 link is billed for by the telco, no matter what garbage is being sent out as the calling number identification.
I can set asterisk to send any number, and that is the number that will be displayed to the called party. I have been experimenting with setting up a local GSM mini-cell to make use of cellphones within the building essentially "free", and obviously if such calls were routed over our ISDN link, the indicated numbers would be those assigned to the cell subscriber, not those of our number pool.
We obviously don't use it for anything nefarious, but I presume that many VoIP trunk providers will do it in the same way. It's somewhat hard for them to really filter the phone numbers on egress, since they may not have full knowledge of all phone numbers assigned to us: for example, we may have an 800 number through another provider that we want to display, or even a bunch of regular numbers via another provider B, that are being routed out via provider A due to -- say -- link loss caused by a backhoe two blocks down the street.
So this is nothing about in-band vs. out-of-band. It is about making the phone system work as you'd expect, vs. making things hard.
The only technical solution would be a realtime database used for egress filtering of calling number identification -- it'd link together all phone numbers assigned to a particular subscriber. And then we again run into problems of what really is a subscriber: suppose you have separate units of a big corporation, that get separately billed for service, and are really considered separate subscribers. Now suppose that for redundancy and continuity of service, the IT/comms people in Unit A and Unit B agree to carry the other unit's data and voice traffic to maintain service in cases of various failures. Now the realtime database needs to respond as if both subscribers were one. And so it goes -- it's not exactly trivial.
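The egress filter described in the comment above, sketched as an added example that is not part of the original post: a provider-side table decides whether a trunk may present a calling number, including numbers held through another provider and two separately billed units that agreed to carry each other's traffic. The class, the subscriber ids and all phone numbers are constructed for illustration.

```python
import re

def normalize(number):
    """Reduce a presented number to 10 NANP digits, or None if it is not one."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

class EgressScreen:
    """Hypothetical provider-side table: which subscriber may present which number."""
    def __init__(self):
        self.owner = {}    # number -> subscriber id
        self.billing = {}  # subscriber id -> billing number (fallback identity)
        self.parent = {}   # union-find: subscribers that agreed to act as one

    def _root(self, sub):
        while self.parent.setdefault(sub, sub) != sub:
            sub = self.parent[sub]
        return sub

    def assign(self, sub, number, billing=False):
        n = normalize(number)
        if n is None:
            raise ValueError(f"not a 10-digit number: {number!r}")
        self.owner[n] = sub
        if billing:
            self.billing[sub] = n

    def link(self, a, b):
        # Unit A and Unit B carry each other's calls: screen them as one subscriber.
        self.parent[self._root(a)] = self._root(b)

    def screen(self, trunk_sub, presented):
        # Pass the presented number only if the trunk's subscriber group owns it;
        # otherwise send the trunk's billing number instead of taking it at face value.
        n = normalize(presented)
        owner = self.owner.get(n)
        if owner is not None and self._root(owner) == self._root(trunk_sub):
            return n, "pass"
        return self.billing.get(trunk_sub), "replaced"

def build_demo():
    s = EgressScreen()                                  # constructed sample data
    s.assign("unit-a", "212-555-0100", billing=True)
    s.assign("unit-a", "212-555-0101")
    s.assign("unit-a", "800-555-0199")                  # toll-free held via another provider
    s.assign("unit-b", "212-555-0150", billing=True)
    return s

if __name__ == "__main__":
    s = build_demo()
    for cid in ["+1 (212) 555-0101", "8005550199", "2125550150", "3125550123"]:
        print(cid, s.screen("unit-a", cid))
    s.link("unit-a", "unit-b")
    print("after link:", s.screen("unit-a", "2125550150"))
```
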
Making it illegal to purposefully mislead people is OK in my book.
A successful API design takes a mixture of software design and pedagogy.
That's my problem with it. I don't share the vindictive urge to nail people with as many charges as possible. Instead, I'd rather see fewer criminals.
A law against spoofing CallerID does not make CallerID more trustworthy so long as it's still technically feasible to perform the spoofing. This is for the same reason that the laws against fraud have not made phishing sites go away, the laws against illegal drugs have not prevented people from doing drugs, and the laws concerning gun-control have not made it difficult for criminals to obtain firearms. We just don't want to learn this lesson, but that doesn't make it less true.
That's universally bad. Law enforcement already has a way to hold someone for a good long time: collect enough evidence to charge them with a crime. If there is no such evidence, law enforcement should kindly fuck off. It's that simple. A few criminals who get away with it or are more difficult to catch means absolutely nothing in the face of the kind of threat that unmitigated police power poses to free society. Think of it this way: if criminal activity causes us to become a non-free society because of the ever-increasing expansion of state power, then the criminals have won because they've done the greatest possible damage to our way of life.
It is a miracle that curiosity survives formal education. - Einstein
According to these guys, as written it would not be an issue as the spoofing needs to be done "with the intent to defraud or deceive".
We hope your rules and wisdom choke you / Now we are one in everlasting peace
What legitimate service is there that requires lying about your phone number?
Why is it so hard to only have politicians for a few years, then have them go away?
How are users of legitimate services inconvenienced by not being able to use spoofed caller ID's?
Personally, I think it not only should be illegal but also, it should be the responsibility of the telephone companies to make sure that it is technically impossible, or at least very hard, to call under a false ID.
That companies and people call with anonymous ID is OK. I simply do not pick up the phone when the ID is hidden. But I should be able to trust that if it says number 123456789 is calling me, it really is number 123456789 and not somebody pretending to be 123456789.
If, as you say, there are good reasons for offering a caller ID spoofing service, I should be offered the option of not letting these spoofers call me since there is no one in the entire world that has any kind of legitimate reason nor the right to call me with a spoofed ID.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
As a helpful tip; I went into my phone's options and pointed the WAP gateway to localhost, now attempting to reach that page throws errors, and doesn't bill me :)
You know, I don't really care what the caller wants to display on my phone. It's my phone! If they want to call it, it should be on my terms, not theirs. And my terms are: that I know who the fuck is calling me.
It's *57 in most places, not 69. Also, in most cases, this is something you have to request your carrier to enable on your line (it's free, but not automatically enabled, since the trace happens every time once enabled and only "saves" the trace when pressed, it has a cost to them on some small level if you're not using it).
Further, *57 traces can not be provided to you, only your local magistrate, which means you need to sue someone to get it, and even then for the real scammers, this is easily overcome.
Further, Vonage, Skype, and most mobile phones do not offer this feature, only land lines.
There is no contest in life for which the unprepared have the advantage.
That practice, not recording each rep's vote, should be illegal.
--
make install -not war
Calls originated over ISDN can send a caller ID number in the out of band signaling channel. The SS7 switching network relays both the ANI and the Caller ID, which are identical for calls from POTS lines (which do not have an out of band signaling path to the local office). The phone company can provide the ANI for a call if there is an allegation of caller ID spoofing. The owner of the ISDN line which originated the call could then be charged for caller ID spoofing. Calls originating outside the U.S. might be harder to investigate.
Caller ID is delivered in band to POTS lines. This might allow the originator to send phony caller ID information inband. However, the speech path forward may not be opened until the call answers, which would make things tricky for the spoofer.
The universe was intelligently designed. Unfortunately God was in a hurry so he coded it in Java.
I am frequently baffled why so many of my jokes are modded "insightful" or "interesting". However, I am even more baffled how this got modded "funny"!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I am frequently baffled why so many of my jokes are modded "insightful" or "interesting". However, I am even more baffled how this got modded "funny"!
Funny mods are the new Overrated, but they're even more insidious. When you get moderated Funny you don't get any karma. When you get modded with any negative moderation, you lose karma. So moderating a comment funny when you think it will be moderated both positively and negatively is an attempt to steal the poster's karma.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"