Slashdot Mirror


FCC Chairman Warns of 'Regulatory Intervention' as He Criticizes Carriers' Anti-Robocall Plans (thehill.com)

The Federal Communications Commission will consider "regulatory intervention" if the major telecommunications carriers don't set up a system this year to stop spoofed robocalls, FCC chairman Ajit Pai said Wednesday. "It's time for carriers to implement robust caller ID authentication," Pai said in a statement, noting that some companies have already committed to carrying out protocols, known as the SHAKEN/STIR framework, in 2019. A report adds: Pai sent letters to major wireless carriers in November demanding that they adopt industry-wide frameworks to crack down on the practice of "spoofing," where robocallers mask a call's origin with a fraudulent number on their caller ID. On Wednesday, the FCC chair followed up with another demand that they implement caller authentication systems this year and a threat over the repercussions if they don't comply. You can read responses from carriers on the FCC's website.

  1. "Who are you...?" by TigerPlish · · Score: 1

    ..."And what have you done with Chairman Pai?"

    --
    The "Civilized World" jumped the shark ca. 1973.
    1. Re:"Who are you...?" by apoc.famine · · Score: 1

      He's just learning how to better play the game. He can issue regulations. But did he? No. He said he might at some point in the distant future if telcos don't say that they're working on something that they'll implement sometime after that distant future.

      "Tell me you're going to do something, and all is well." is vastly different than, "You are hereby ordered to do this, on this timeline, with this punishment if you don't comply. No extensions."

      --
      Velociraptor = Distiraptor / Timeraptor
  2. I can see why it's taking so long, though by 93+Escort+Wagon · · Score: 2

    After all, they had to devote significant time into coming up with that acronym.

    --
    #DeleteChrome
  3. Re:Uh-oh by Anonymous Coward · · Score: 4, Insightful

    It annoys the wealthy, so of course he's moving to eliminate it. There's no dissonance.

  4. Finally Ajit Pai does something for consumers by HalWasRight · · Score: 3, Informative

    Finally the FCC does something for consumers. I get as many as five robocalls a day with spoofed caller id on the T-Mobile network. The telcos need to secure their networks to stop devaluing the money I pay them. Since consumer complaints haven't gotten any action, at least the FCC is finally doing something. BTW: I got another robocall with spoofed caller ID while typing this ... I wonder if the vmail will be in Mandarin, which has been a new development.

    --
    "This mission is too important to allow you to jeopardize it." -- HAL
    1. Re:Finally Ajit Pai does something for consumers by AmiMoJo · · Score: 1

      I only answer calls from numbers I know now, or if I'm expecting a call from that organization. Disabled voicemail completely. SMS doesn't generate a notification any more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Don't answer by Anonymous Coward · · Score: 1

    It's gotten so bad that I no longer answer calls from unknown and random numbers anymore. If they want to talk, leave me a voicemail.

    1. Re:Don't answer by budsetr · · Score: 1

      What is voicemail?

  6. Re:Uh-oh by 110010001000 · · Score: 2, Funny

    I think that Ajit Pai doesn't want me to get the back brace support I need, a vacation to Disneyworld, and help me pay off my student loans!

  7. Re: Uh-oh by Anonymous Coward · · Score: 1

    Weak ass midterms and hilarious party infighting is a curious idea of ascension. Then again, I suppose crawling into the shit-filled toilet from the sewer is technically ascending.

  8. Re:Uh-oh by thebryce · · Score: 1

    I never really thought about it before, but "robust caller ID authentication" is all of a sudden striking me as an authoritarian choke point that *could* be used to prevent the politically disfavoured from communicating. I get a lot of spam calls so it's annoying. But is that the right solution?

  9. Re:Uh-oh by bobby · · Score: 1

    Resistance was futile. He has been assimilated.

  10. Re:Uh-oh by pr0fessor · · Score: 1

    You forgot pay off your student loans, get a lower interest rate, or extend your car's warranty.

    We've been trying to reach you about your car's extended warranty... Yes, can you extend the warranty on my 1969 Chevelle? (it's going to need an entirely new power train soon it's only got like 200k miles on it)

  11. Re:Uh-oh by Sarten-X · · Score: 5, Insightful

    Personally, I'm opposed to the idea that anybody's purely evil. I think people are driven by motivations we just don't understand or don't agree with.

    From that perspective, I'll wildly speculate with no evidence or context! That's what Slashdotters do best!

    By threatening regulation instead of actually proposing regulation, Pai has actually opened the door for carriers to avoid compliance. They can present timelines pulled from dark and smelly orifices, promising that they'll be compliant sometime in 2083, and Pai can then turn around and issue statements that the FCC is now working "for the people" and "working with carriers to ensure timelines are met". Any further push by the public to accelerate the standards' implementation will just be called political posturing, led by the Deep State to undermine the FCC's authority.

    Meanwhile, the big carriers will demand subsidies to implement this new standard, and in the name of system-wide compatibility, they will insist the government adopt (and mandate) another new standard, conveniently authored by several industry insiders, and which relies on a software patent with exorbitant licensing fees, just-so-unfortunately out of reach for a startup carrier's budget.

    To be clear, this post is intended to be modded "Funny". Please do not let it be "Insightful". For the sake of all Americans, I hope to be completely wrong.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  12. Re: Uh-oh by HiThere · · Score: 2

    Well...there's also the question of exactly WHAT will get implemented. Just because we're told that a regulation will do something we desire doesn't mean it won't do a lot of things we don't desire, even if it actually does do what we desire. I don't know the SHAKEN/STIR framework, and I certainly haven't analyzed how it works, or in what ways it could be manipulated.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  13. Re:Uh-oh by 140Mandak262Jamuna · · Score: 4, Funny

    Mod Parent Up, ++ insightful

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  14. Re:Uh-oh by Sarten-X · · Score: 1, Flamebait

    ...

    ...Jackass.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  15. Re:Uh-oh by budsetr · · Score: 4, Funny

    Wait, are you trying to insinuate that the "wealthy" have their own national phone system completely separate from the rest of us? Staggering. "Hey Bob, new rich guy, yup just hit the 15 million mark. We gotta install all that extra cabling to his house, and plumbing too. Crap! We also have to reprogram another group of servants to never ever ever ever ever ever EVER say a word about any of this. Oh jeez, we also have to train that schmuck on proper Rich Person Telephone Network use. I wonder if anyone let the Rich Person IT department know yet."

  16. Why is number spoofing even possible? by budsetr · · Score: 1

    How are they even spoofing in the first place? Shouldn't we just remove that ability?

    1. Re:Why is number spoofing even possible? by nerdonamotorcycle · · Score: 2

      Same reason a lot of attacks on the Internet are possible: the network was designed and constructed at a time when only trusted parties were connecting to it. It wasn't designed to be secure because at the time it was relatively easy to identify bad actors and disconnect them from the network.

    2. Re:Why is number spoofing even possible? by Shikaku · · Score: 4, Informative

      Mostly because businesses now run a VOIP system that translates a bunch of machines into a business account and they need to be able to set their public caller ID as their main business number that can direct your call to who you need and not some random VOIP address of X person trying to call you which might not even be a valid number at all, or just a number of that specific caller in Y department.

      The issue has been already solved but in a different format: domain registrars for web addresses with SSL certificates, so a system like that but for phone numbers would be a good start perhaps?

    3. Re:Why is number spoofing even possible? by Doke · · Score: 3, Interesting

      I tried this when we first got a PRI into our VoIP system. Our provider would only accept caller id numbers in the range they assigned/routed to us over that PRI. I could spoof any of our numbers, but not anyone else's. I don't understand why other providers allow spoofing of numbers that aren't routed to that trunk. Payouts? Graft?

    4. Re:Why is number spoofing even possible? by coryhamma · · Score: 1

      Your provider is taking steps on their own to ensure that their customers are following the rules. Imagine if you are a carrier who often works with multi-state corporations who have a huge number of phone numbers allocated to a global system, this might get unruly pretty quickly, and it would be much easier if you just accepted anything they sent you.

      Now imagine that you are an enormous phone company (ILEC) that sells service to many, many smaller phone companies (CLECs), and with number porting, the phone numbers keep changing. It's expensive for the ILECs to keep track of a master list. Therefore, they just let the phone traffic pass without checking caller-ID info. I'm sure there is something in the agreement about the maximum acceptable number of robocalls blah blah blah but it's like a maximum acceptable number of rat turds in your chocolate bar. You would prefer that to be zero telemarketer robocalls.

      Maybe these CLECs have some sleazy salespeople who are willing to hook up known offenders to get their sales bonuses. Maybe the CLEC is having trouble paying their bills -- easier to say "I'm Sorry for the Robocalls" months/years later than to go out of business. Plus, with the regulations, the ILECs may not be allowed to disconnect the CLECs for sending mass robocalls if there are also real people's phone lines that could get disconnected. They must issue notices and warnings and all that.

      Nobody wants grandma's phone to get cut off because her sleazy phone company was allowing telemarketer robocalls through. The fines and investigations put forth by the FCC are clearly not effective. The FCC is a slow moving dinosaur, and when they make a change, there are always unexpected repercussions. Therefore, Ajit is trying to squawk loudly in hopes that the ILECs will at least put some kind of a check system in place.

    5. Re:Why is number spoofing even possible? by drinkypoo · · Score: 1

      It's expensive for the ILECs to keep track of a master list.

      How much does it cost to have a database with a few million rows these days?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Why is number spoofing even possible? by coryhamma · · Score: 1

      The database is the cheap part. The Expensive Part is maintaining the records in the database, dealing with conflicts, educating staff on this new system they must now use, ensuring they are not violating any laws with the implementation of the system, etc.

    7. Re:Why is number spoofing even possible? by green1 · · Score: 1

      Why do idealistic engineers always fail to account for human nature?

      The security aspects of this are not technically difficult in the slightest, and yet instead the system was designed to trust everyone. Imagine designing a large corporate network that way: "I get root, you get root, he gets root, everybody gets root!", and that's also a place where bad actors are easily detected and "disconnected", yet no company would ever allow their admin to do that. Any system that gives full authority to every user WILL be abused, if not now, then later.

  17. Re:Uh-oh by Ol+Olsoc · · Score: 1

    We need a Canadian wall! Made of ice and 100 yards tall! It's the only way to keep the White Walkers out,

    Could we make it of Molson?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  18. WHAT WE NEED by JimSadler · · Score: 1

    We need a number added to our phones which blocks 100% of all charities, appointment setters, and any sales related call. It must carry a serious prison sentence for the person that dials, the room manager and the owners of a business if even one call is made. In other words a total death for all types of phone sales and solicitations is what I seek. Why would I seek that? At 7:20 this morning I was awakened by a stupid call with the Microsoft services scam. This is despite the fact that I have not touched a Microsoft product of any type for over 20 years. Following that I received four more calls trying to send me Medicaid braces before noon. That particular day I received over 12 bullshit phone calls. I now sometimes explode and use the most vile tactics that I can to get rid of these creeps.

    1. Re:WHAT WE NEED by Obfuscant · · Score: 1

      At 7:20 this morning I was awakened by a stupid call with the Microsoft services scam. ... Following that I received four more calls trying to send me Medicaid braces before noon.

      And you think a law banning all sales calls would stop that? You think it was a sales call, and that it was made from someone in the US subject to US law?

      Wow. No wonder you get so many scam callers. You must be the most naive person on the planet. You're a prime target.

  19. Good start, but far from effective by markdavis · · Score: 1

    Trying to force accurate caller ID is a good START, if it ever happens. However, it will not STOP the calls from occurring. It might help us DEAL with the calls. It might help report calls (if there was a way to do so). But as long as there is no enforcement and no tools for consumers and no criminal penalties, the calls will just keep right on coming. I don't know about you, but having an accurate ID on my home phone does nothing to prevent such calls from: Irritating me. Interrupting me. Waking me up. Forcing me to drop what I am doing to see who is calling. Or having to ignore the ringing and then put up with the 50% chance of then dealing with a spam voicemail I have to then play and erase. Or dealing with those messages when I get home. Similar issues with cell phone, although I have a bit more control on that. It is still no less annoying.

    I want a way to press a button and report the call immediately to the police/enforcement agency/whatever, and then after they get X reports they get fined/shutdown/thrown in jail or something like that. If there are no real consequences, nothing will really change much.

  20. Bummer by gumpish · · Score: 1

    The calls which spoof your exchange were easy to spot. Now it will just go back to being numbers I don't recognize from other area codes. Seems criminal that Android doesn't have a standard option to use whitelisting for phone calls and disable alerts for voice mail left by numbers not on the list.

  21. Re:Uh-oh by dcrisp · · Score: 1

    That is a really insightful view of the situation. I think we need to closely consider this.

  22. Idea for robust caller ID by mark-t · · Score: 3, Informative

    First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

    So given that, much of the problem becomes how to enable spoofing where it is legitimate, but to not present a spoofed number as the caller when it is not.

    A carrier, when receiving a call that is on its own exchange always knows the exact number that is being called from (we will call that phone number A), the number that is being called (we will call that phone number B), and also knows what number the caller is wanting to spoof as (if any, which we will call phone number C). Whether the caller is trying to spoof or not, the carrier for A adds a temporary entry into a local cache that tracks outgoing calls, indicating that it is making a call from A to B. This entry is kept alive only for a minute or two at most before being deleted.

    If the caller does not want to spoof, then assume that C = A, and the remainder of this paragraph can be ignored. If the caller wants to spoof, then the following additional steps must be performed. The carrier for A tries to tell the carrier for C that it wants to use that carrier to spoof, making a call to #B. This request might pass through a number of other carriers, so let us assume that the carrier for C sees the number that is calling it as X, since it is possible that the carrier for A, or any intermediate carrier might be conspiring to spoof. If the carrier for C allows the number X to be spoofed with C, then the carrier for C will then ask the carrier for X if it is presently making a call from X to B. If it does, then it adds an entry in its own cache that it is making a call from C to B. If the carrier for C does not recognize X as a number it can spoof for, then the request is ignored entirely, and the carrier for C will not do anything. Please note, that if X has been illegitimately spoofed, but X is still legitimately recognized by C as being a number it can spoof for, then the carrier for X as reached by C will not issue any response, so C doesn't have any obligation to add an entry to its table in that case.

    Whether or not the caller from A is trying to spoof, the carrier for A concurrently rings the carrier for B. The carrier for B, seeing the number C as being the number claimed to be called from, asks the carrier for C (as seen from B) if it is currently making a call to B. If the answer is yes, then the number shown in call display can be assumed to be valid. If C does not respond, then no number should show up.

    This whole verification process should take a few seconds at most, and can happen concurrently with the ringing of the line. A person who answers quickly might not get a verified caller ID until after they have already picked up the phone.

    The cached entries, as I said, are temporary, and are individually deleted after being present for a short time (one or two minutes would likely be enough time to be sure that the call is really valid).

    This is just something I came up with when I had some spare time and thought about it while I was taking the bus to work one day.... there might still be vulnerabilities, but I wasn't able to find them..
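The reverse-lookup scheme described in the comment above, as a small simulation added here (it is not part of the original post or any carrier's implementation). The class names, the `claim_as` parameter, the 120-second TTL and the phone numbers are constructed for illustration; the last case models the same-exchange caveat from the author's follow-up reply.

```python
CACHE_TTL = 120  # seconds; the post says entries live "a minute or two"

# Constructed sample numbers (fictional 555-01xx range).
BRANCH, OTHER_BRANCH = "+12025550101", "+12025550104"
CALLEE, HEAD_OFFICE = "+13125550102", "+18005550103"
ROGUE_LINE, ROGUE_NEIGHBOUR = "+14155550105", "+14155550106"


class Network:
    """Routes a reverse lookup to whichever exchange really owns a number."""

    def __init__(self):
        self.now = 0.0    # simulated clock, seconds
        self.owner = {}   # number -> Carrier

    def carrier_for(self, number):
        return self.owner.get(number)


class Carrier:
    def __init__(self, name, net, answers_yes_to_everything=False):
        self.name, self.net = name, net
        self.rogue = answers_yes_to_everything
        self.calls = {}        # (from_number, to_number) -> expiry time
        self.may_present = {}  # number C -> real numbers allowed to present C

    def add_number(self, number, presentable_by=()):
        self.net.owner[number] = self
        self.may_present[number] = set(presentable_by)

    def _remember(self, src, dst):
        self.calls[(src, dst)] = self.net.now + CACHE_TTL

    def is_calling(self, src, dst):
        """Reverse-lookup query: is src, one of my numbers, calling dst now?"""
        if self.rogue:
            return True
        expiry = self.calls.get((src, dst))
        if expiry is None or expiry < self.net.now:
            self.calls.pop((src, dst), None)  # expired entries are dropped
            return False
        return True

    def spoof_request(self, seen_as, presented, dst):
        """Carrier for C: accept only if X may present C and X is calling B."""
        if seen_as not in self.may_present.get(presented, ()):
            return  # X is not registered for C: ignore the request entirely
        x_carrier = self.net.carrier_for(seen_as)
        if x_carrier and x_carrier.is_calling(seen_as, dst):
            self._remember(presented, dst)

    def place_call(self, real, dst, presented=None, claim_as=None):
        """Carrier for A: log the call, ask C's carrier if needed, ring B."""
        presented = presented or real
        self._remember(real, dst)
        if presented != real:
            c_carrier = self.net.carrier_for(presented)
            if c_carrier:
                c_carrier.spoof_request(claim_as or real, presented, dst)
        return self.net.carrier_for(dst).incoming(presented, dst)

    def incoming(self, presented, dst):
        """Carrier for B: display C only if C's own exchange confirms it."""
        c_carrier = self.net.carrier_for(presented)
        if c_carrier and c_carrier.is_calling(presented, dst):
            return presented
        return None  # no confirmation: treat as if no caller ID was sent


def demo():
    net = Network()
    telco_a, telco_b, telco_c = (Carrier(n, net) for n in "ABC")
    rogue = Carrier("rogue", net, answers_yes_to_everything=True)
    telco_a.add_number(BRANCH)
    telco_a.add_number(OTHER_BRANCH)
    telco_b.add_number(CALLEE)
    telco_c.add_number(HEAD_OFFICE, presentable_by={BRANCH, OTHER_BRANCH})
    rogue.add_number(ROGUE_LINE)
    rogue.add_number(ROGUE_NEIGHBOUR)

    shown = {}
    shown["plain"] = telco_a.place_call(BRANCH, CALLEE)
    shown["registered"] = telco_a.place_call(BRANCH, CALLEE, presented=HEAD_OFFICE)
    net.now += CACHE_TTL + 1  # cache entries from the calls above have expired
    shown["late_lookup"] = telco_b.incoming(HEAD_OFFICE, CALLEE)
    shown["unregistered"] = rogue.place_call(ROGUE_LINE, CALLEE, presented=HEAD_OFFICE)
    # The request claims to come from a registered X that is not actually calling.
    shown["false_x"] = rogue.place_call(
        ROGUE_LINE, CALLEE, presented=HEAD_OFFICE, claim_as=OTHER_BRANCH)
    # Caveat from the follow-up: an exchange that confirms anything can still
    # vouch for numbers routed to itself, and only for those.
    shown["same_exchange"] = rogue.place_call(
        ROGUE_LINE, CALLEE, presented=ROGUE_NEIGHBOUR)
    return shown


if __name__ == "__main__":
    for case, number in demo().items():
        print(f"{case:14} -> {number}")
```

Only the same-exchange case gets a number past the callee's carrier, and that number is one the misbehaving exchange itself owns, which is what makes such calls attributable to a single carrier.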

    1. Re:Idea for robust caller ID by mark-t · · Score: 1

      Oh, as a caveat... this could be worked around if the caller spoofed its number as a number on the same exchange as its own, and the caller's carrier was willing to always answer "yes" to any query, but because these calls can be isolated to always being from particular carriers, they should be fairly easy to filter out.

    2. Re:Idea for robust caller ID by mspohr · · Score: 2

      Much simpler (but it will require the telcos to do some WORK) is just require legitimate businesses that want to spoof their legitimate head office number to register the spoofed numbers with the telco. The telco can then certify that the spoofed numbers are legitimate. Telcos could even charge money for this service.

      --
      I don't read your sig. Why are you reading mine?
    3. Re:Idea for robust caller ID by mark-t · · Score: 1

      What stops somebody else from using some known head office number as their own spoofed number?

      You need some kind of reverse lookup to verify that the call is really coming from where it appears to be, otherwise it can be too easy to spoof.

    4. Re:Idea for robust caller ID by mspohr · · Score: 1

      The local exchange knows the real number originating the call. If that caller wants to spoof a different number, they need to register with the local exchange. If there is no registered spoof number, then no spoofing.

      --
      I don't read your sig. Why are you reading mine?
    5. Re:Idea for robust caller ID by aaarrrgggh · · Score: 1

      It gets a lot more complicated when your business works with SIP trunks. Adding/deleting/modifying DIDs can be done pretty much in real time. Traffic also might not be routed to the expected endpoint, although it is still valid.

    6. Re:Idea for robust caller ID by mark-t · · Score: 1

      Okay, that would work... it cuts out the middleman needed for legitimate spoofing.

    7. Re:Idea for robust caller ID by mark-t · · Score: 1

      Yes, that sounds fully sensible: someone calls a (potential) customer, only to have that (potential) customer, when he calls back, land somewhere far away from the caller.

      Sarcasm noted.

      However, yes... it is fully sensible. There is nothing wrong with a company wanting its 1-800 number to show up instead of some direct-dial line. And if the caller's direct dial-out line might not even be in the same city as the recipient, how would presenting that number be a win for the receiver? The idea of routing a call through that location's own switchboard would only be practical for very small numbers of calls. Ultimately, I'm afraid it would not be very scalable to handling commercial call volumes, because it would invariably overload the call centers where the main office is, since all calls would have to be routed through it, and that burden would have to remain for the duration of the entire phone call, as opposed to just a few moments of brief data exchange needed by the system I described.

      And note that in the system I described while allowing such spoofing introduces much more complexity (in particular, it requires that the spoofed number exchange, if any different from the caller, the caller's exchange, and the receiver's exchange all support the protocol), it closes virtually all and does not further introduce any additional vulnerabilities to illegitimate spoofing. If the carrier that is directly connected to the caller is still going to allow illegitimate spoofing, then there is nothing that can be done directly, but the only numbers it will be able to spoof are those that would be routed through it if the destination were to call the number that is being presented as the caller. Since the caller cannot actually control that route, the only exchange this could safely be in all cases is going to be a real phone number that is directly connected to the same exchange as the actual caller (since if it is not a real phone number, there is no guarantee that the reverse lookup would pass into the same exchange). This would tend to place a hard cap on the number of phone numbers that could be so spoofed, and they could eventually be easily filtered or blacklisted.

    8. Re:Idea for robust caller ID by mjwx · · Score: 1

      First of all, it is important to realize that there can, in fact, be legitimate reasons to spoof a phone number... for example, calling from a direct dial out line for a business, but wanting the main business head office number to show up on the caller ID instead, which might even be located in a different country or state.

      Already sorted in two ways in the UK.

      1. We did away with regional number codes years ago, 0141 does not mean the originator is in Glasgow any more. Modern packet switched networks have made this redundant. By modern I mean the ones we've had installed for over 25 years.
      2. Businesses do not buy a direct line for every single employee. They install what are called PABX (Private Automatic Branch Exchanges) which means you only need to plug 1 line in (but often will have more). So the person dialling out from that company can easily ID as the company's main number without spoofing.

      There is no legitimate case for caller ID spoofing that cannot be solved through another method.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Idea for robust caller ID by Obfuscant · · Score: 1

      which means you only need to plug 1 line in (but often will have more). So the person dialling out from that company can easily ID as the company's main number without spoofing.

      As soon as you "plug" a second line into a PBX you have a reason and a need to "spoof". Having a PBX makes it more important to be able to spoof, not less.

      There is no legitimate case for caller ID spoofing that cannot be solved through another method.

      Most blanket absolute statements are false.

    10. Re:Idea for robust caller ID by mark-t · · Score: 1

      I will agree that ideally we want a K.I.S.S. approach, but in actuality the solution I suggested has only one extra level of complexity over even a straight reverse lookup approach. This complexity is only required because there are lawful and legitimate uses for spoofing, as I mentioned previously, and that the admittedly much more straightforward approach of just routing through the spoofed exchange would place an additional burden on that exchange because it must manage that connection for the duration of the entire call instead of only for a few moments which would not be scalable to handling commercial call volumes.

      Obviously a small mom and pop shop would not have a problem with it, but then the small mom and pop shop isn't going to generally have to be spoofing a number that isn't on their own exchange in the first place. If they are, then the distant exchange is still going to need to verify that the caller that wants to route through it is coming from where they say they are, which requires an additional reverse lookup at that location, and is actually no simpler than the system I described anyways.

      The scammers, meanwhile, are left quite high and dry. They cannot forge a number that you cannot call back, since a reverse lookup would fail, and they cannot forge a real number that isn't actually on the exact same directly connected exchange as they are, because otherwise when your exchange does the reverse lookup, it wouldn't get any response from the exchange that it tries to talk to.

    11. Re:Idea for robust caller ID by mark-t · · Score: 1

      I thought it was about the caller ID. And that gets sent before the target's phone even rings (and normally accepted only then).

      Except you can't route the caller ID any differently than the phone call itself... that would require a complete overhaul of every exchange, not just those at endpoints, and would provide no useful incremental upgrade path. Until at least a majority of exchanges supported it, it would generally be completely useless. You could, as I thought you were suggesting, route the entire call through another exchange, but that's a pretty heavy load for it to carry if many other places from around the country are doing the same thing.

      The mechanism I described would only require no more than the caller's exchange, the receiver's exchange, and the spoof number's exchange (if different from the caller) to be enhanced... the effects of it would be felt sooner, thereby incentivizing the necessary cash flow to complete the transition.

      [Verification is impossible], without verifiable correct list of who owns - or has the right to use - which phone numbers

      Not at all... you should be, after all, able to *call* that number. If it's not a number you can call, then it shouldn't be treated as genuine.

      Essentially, a reverse lookup amounts to basically making a special type of call back to the number that is being claimed... when the special reverse call reaches the final exchange, rather than replying back that the line is busy or passing this call onto an extra line that may be allocated for the phone#, this end-point exchange just looks up info in its cache to see if the caller's phone number is really being called by who they say it is. If the exchange responds with an affirmative, then it can pass on the call display info to the receiver's phone. Entries in the cache can be removed perhaps a minute or two after they are inserted, long enough to allow a call to be completed, but not so long as to cause the cache to fill up or to be unrepresentative of the calls that have recently been placed from that exchange.

      And so if, for example, somebody from, say, India wants to spoof some USA number, they will have to control the exchange that governs the USA number they are trying to spoof, because otherwise when your phone does the reverse lookup, the call is going to end up at that USA exchange, and the call isn't going to be found there, meaning it issues no response.

      USA exchanges that allowed such spoofing to occur using their own numbers could be flagged quite easily, and being under USA jurisdiction, the companies that maintain them could be penalized or possibly even entirely blacklisted until they are brought into compliance.

    12. Re:Idea for robust caller ID by mark-t · · Score: 1

      I take it you mean that as in "the caller who spoofed a number wants you to be able to reach him (or his principal) again". That's not quite true. Quite the opposite even.

      Spam, regardless of the type, lives by just getting its message across. It doesn't even expect a response.

      You misunderstand.... I am suggesting that a caller who spoofs his number and doesn't expect you to be able to potentially call that number back *should* be treated as an unverified caller, exactly as if they had sent no caller ID information at all. If your exchange can't do a reverse lookup on the caller ID info that it gets (which is what the caching mechanism I described would implement), then any claimed caller ID info would be seen as fraudulent.

      Again, why that complex? All the phone exchange "at the border" needs to know is if the exchange transferring those calls can be trusted. If not he can simply refuse to accept them - until they clean their act up.

      The decision to refuse to accept a call that does not contain trustworthy information should be left up to the recipient, not up to some intermediary... and that's why only the recipient's endpoint would technically need to have any upgrades for this to be useful. Besides, intermediary connections have no special way to know if a number that is being claimed is actually what it says it is any more than your own directly connected exchange does. You may as well put the responsibility for verification directly on the endpoints, and take a "no response" scenario to the reverse lookup as if there was no caller ID in the first place. If the caller's endpoint also had it, when a reverse lookup reaches that exact exchange, the reverse lookup succeeds and the caller. In the general case of illegitimate spoofing, if the reverse lookup reaches any other exchange other than that of the actual caller, whether that exchange has been upgraded or not, the number would not be treated as valid. In the more specific case of legitimate spoofing, the exchange at the number to be spoofed would also be updated, and assuming that the caller's claimed number is recognized as one that the number is allowed to spoof for, this exchange would do the same verification as the recipient's endpoint would before it would trust to add an entry into its own cache (since it is this spoofed number's exchange that will be reached when the recipient does its own reverse lookup).

      If the caller tried to spoof a number whose own endpoint exchange was not also upgraded, in which it would not be... while if they tried to spoof a number whose own endpoint exchange could not verify that the caller was legitimately allowed to spoof that number (again, via a reverse lookup to make sure that the real caller is who they are claiming to be), then that exchange wouldn't add an entry for that call to its cache.

      If you think the entire reverse lookup process I described is the part that is too complex, I'm wondering how, exactly, you think that reverse lookup could otherwise be technically performed? As I said, an exchange has absolutely no independent ability to, on its own, verify that any claimed number that is passing through it, and to which it has no direct connection, is actually coming from where it says it is, so you may as well put the responsibility of verifying the call via reverse lookup at the endpoint, rather than at some intermediary. You need additional complexity just to support the reverse lookup in the first place, and the only reason you might need anything more is to support genuinely legitimate caller ID spoofing. Note that in the system I described it is literally *impossible* for a recipient who has this system installed on their end to get a spoofed number unless the spam caller also directly controls the *endpoint* exchange for the number they are claiming to be calling from. This would place an upper limit on the number of such numbers that a spammer could practically claim t

    13. Re:Idea for robust caller ID by mark-t · · Score: 1

      Your method uses the spoofed number to start the reverse lookup with (as that's the only number you got). As long as that number actually exists, how would the "endpoint" (which actually owns the number) know it was a spoofed number or legitimate one?

      Well, first of all, the endpoint would recognize it as a number that actually belongs to that exchange.

      Secondly, when the caller places an outgoing call from an updated exchange, that caller's endpoint adds an entry into its temporary cache that it is making an outgoing call. If or when the reverse lookup happens, the caller's endpoint will see that indeed there is an entry for that number, and respond with an acknowledgement. Entries in this cache are, as I said, removed after being present for a minute or two... long enough to complete a call, but not so long as to be unrepresentative of what calls were recently outgoing from that exchange.

      If the caller tries to place a call from a number that is spoofed, however, the reverse lookup wouldn't generally end up at the same exchange as the outgoing call, no entry would be found, and the call could be assumed to contain unverified caller ID information. Without making prior arrangements with whatever endpoint *is* going to be reached when a reverse lookup happens (which would be the case, for example, with legitimate spoofed outgoing calls where the caller wants the company's 1-800 number to show up at the recipient), the would-be spammer is going to be left with very few options for remaining undetected... in the end, they would have to settle for being classified the same as if there were no caller ID at all.

      Not quite. I would really like to be able to see who spoofs his number, and who doesn't.

      I suppose you can display that a caller has spoofed their number but that number could not be verified, although that might be of limited use, since it won't help you identify who the actual caller is. Effectively, it's the same as if they had not transmitted any caller ID information at all.

      And without doing a reverse lookup, there's no way to know if the caller is actually calling you from the number that is being sent as their claimed number... remember, you never can know where the caller is actually from, all you can ever know is the number that they *claim* to be from, because there is no way for an exchange to know whether the originating number is genuine for any call that does not actually begin at that particular exchange (short of doing the same reverse lookup that I described previously, but then why not just do that at the endpoint instead of making each and every exchange do it?)

      Every subscriber - company and private persons alike - as well as all phone exchanges - in, but also outside the country - would need to upgrade their equipment to make your idea work.

      Perhaps it has evaded your attention that caller ID itself is a fairly recent innovation, and until a significant percentage of the country had been upgraded, a recipient would not tend to receive any caller identification at all.

      The idea works just fine before a majority of the country has been upgraded... if the person being called doesn't have an upgraded exchange, then they have no way to verify the caller ID as genuine. If the caller doesn't have an upgraded exchange, then the recipient has no way to verify the caller ID is genuine. This is absolutely no different than the telephone landscape as caller ID itself was being first introduced. Meanwhile, upgraded exchanges that *are* making phone calls to each other can enjoy the improved verification system, and as more participate, more numbers can be verified.

      Which means the "bad actors" only need to relocate to a country which does not want, or simply doesn't have the money to cooperate to continue as if nothing has changed.

      And the recipient of calls from such places would see that there is no verified caller ID information in that call, and they could choose to ignore it.

    14. Re:Idea for robust caller ID by mark-t · · Score: 1

      No, actually, you didn't... it seemed to me that you suggested that what I was describing wouldn't work just because the exchange that the number is actually coming from had spoofed the #, so you can't rely on its validity, but in general, that won't actually work because when the reverse lookup is done on the number, it would end up at a *different* exchange than the caller.

      Conspiring with another exchange to permit number spoofing would still necessitate that the spammer have complete control over how a call gets routed, to ensure that their spoofed number actually gets routed to that exchange.

      Essentially, it becomes roughly on par with faking an IP address, which works if you aren't expecting any sort of return data, but when a reverse lookup happens, per the protocol I described, any claimed caller ID information can be seen as valid.... or not verified. Yes, it does require a significant percentage of the exchanges to be updated before a significant number of calls will be recognized with the new protocol, but that's absolutely no different than when caller ID was first created.... most exchanges needed to be updated to support it before you would get caller ID info for most calls, even if you had a caller ID box on your phone.
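The reverse-lookup scheme described in the comments above, as a runnable toy model. This is an added example, not part of any commenter's post: the class names, the 120-second cache lifetime, keying the cache on the dialed number, and the way the owner of a presented number is asked to vouch for a delegated call are assumptions, and all phone numbers are constructed.

```python
CACHE_TTL = 120.0  # assumed lifetime; the thread says "a minute or two"

class Exchange:
    def __init__(self, name, numbers, upgraded=True):
        self.name, self.numbers, self.upgraded = name, set(numbers), upgraded
        self.cache = {}        # (presented, dialed) -> expiry; keying on dialed is an assumption
        self.may_present = {}  # owned number -> real numbers allowed to present it

    def note_outgoing(self, presented, dialed, now):
        self.cache[(presented, dialed)] = now + CACHE_TTL

    def reverse_lookup(self, presented, dialed, now):
        """Answer a peer asking: is `presented` calling `dialed` right now?"""
        if not self.upgraded or presented not in self.numbers:
            return False
        expiry = self.cache.get((presented, dialed))
        return expiry is not None and now <= expiry

    def vouch(self, network, real, presented, dialed, now):
        """Owner of `presented` caches the call only after checking `real` itself."""
        if real not in self.may_present.get(presented, ()):
            return False
        if not network.verify(real, dialed, now):  # same check the recipient runs
            return False
        self.note_outgoing(presented, dialed, now)
        return True

class Network:
    def __init__(self, *exchanges):
        self.exchanges = exchanges

    def owner_of(self, number):
        return next((e for e in self.exchanges if number in e.numbers), None)

    def verify(self, presented, dialed, now):
        """Route the lookup to whichever exchange owns the claimed number."""
        owner = self.owner_of(presented)
        return owner is not None and owner.reverse_lookup(presented, dialed, now)

    def call(self, origin, real, presented, dialed, now):
        """Place a call and return the label the recipient's exchange would show."""
        if origin.upgraded and real in origin.numbers:
            origin.note_outgoing(real, dialed, now)
            owner = self.owner_of(presented)
            if presented != real and owner is not None and owner.upgraded:
                owner.vouch(self, real, presented, dialed, now)
        recipient = self.owner_of(dialed)
        if recipient is None or not recipient.upgraded:
            return "unchecked"
        return "verified" if self.verify(presented, dialed, now) else "unverified"

def demo():
    # Constructed numbers and exchanges, for illustration only.
    office = Exchange("office", {"555-0100", "555-0101", "555-0102"})
    tollfree = Exchange("tollfree", {"800-555-0199"})
    tollfree.may_present["800-555-0199"] = {"555-0101"}
    home = Exchange("home", {"555-0142", "555-0143"})
    legacy = Exchange("legacy", {"555-0177"}, upgraded=False)
    other = Exchange("other", {"555-0190"})
    net = Network(office, tollfree, home, legacy, other)
    return {
        "honest": net.call(office, "555-0100", "555-0100", "555-0142", 0.0),
        "delegated": net.call(office, "555-0101", "800-555-0199", "555-0142", 0.0),
        "undelegated": net.call(office, "555-0100", "800-555-0199", "555-0143", 0.0),
        "spoofed": net.call(other, "555-0190", "555-0102", "555-0142", 0.0),
        "legacy_caller": net.call(legacy, "555-0177", "555-0177", "555-0142", 0.0),
        "legacy_recipient": net.call(office, "555-0100", "555-0100", "555-0177", 0.0),
        "expired": net.verify("555-0100", "555-0142", CACHE_TTL + 1),
    }

if __name__ == "__main__":
    for case, label in demo().items():
        print(f"{case:17} {label}")
```

The model also shows a limit of the scheme as sketched here: a lookup succeeds for any matching cache entry that has not yet expired, so the cache lifetime bounds how long a recent genuine call can be replayed as evidence.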

  23. Re:Uh-oh by Shikaku · · Score: 1

    I would bet some hard cash that they use either a whitelist or some program that enables a whitelist because they would be bombarded by sheer quantity otherwise.

  24. Re:Uh-oh by lgw · · Score: 1

    Ah, you're thinking of putting the wall on the Canadian side to keep the US out. Fair enough.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  25. Move To Australia by labnet · · Score: 1

    We implemented a Do Not Call register backed by legislative penalties ages ago and I've never had a robocall on my mobile (cell). .. and there are other benefits...
    Universal Healthcare
    Never seen a gun in public in 50 years unless it was on a policeman or security guard
    Metric!
    Proper coffee.
    Kangaroos!
    Drop Bears...
    Rugby... not that costume game you play..
    No Ajit Pai
    you do have cool rockets though... we don't have rockets...

    --
    46137
    1. Re:Move To Australia by ItsJustAPseudonym · · Score: 1

      I'd also give you Victoria Bitter.

    2. Re:Move To Australia by labnet · · Score: 1

      The locals won't even drink that poison... I think we ship it all to the USA

      --
      46137
  26. Re: Uh-oh by sconeu · · Score: 4, Funny

    The SHAKEN/STIR framework involves sharing Vodka Martinis with the CEOs of various telecoms.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  27. Re:Uh-oh by Ol+Olsoc · · Score: 1

    Ah, you're thinking of putting the wall on the Canadian side to keep the US out. Fair enough.

    I knew as soon as I posted it that Molson was a lame choice. If I drink Canadian beer, it's Maudite - even if it comes from Quebec.

    How about a wall of Resin IPA from Sixpoint? If you haven't tried that (and like IPA) I highly recommend it: https://sixpoint.com/beers/res...

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  28. Doesn't bother me by p51d007 · · Score: 3, Insightful

    Number isn't in my contact list, I just don't answer it. If it IS someone trying to reach me, they will leave a voice mail, and they get added to my contact list. If they don't, they go into my spam blocker. Problem solved.

    1. Re:Doesn't bother me by bjdevil66 · · Score: 2

      You've minimized the inconvenience in your case, which is great. With a better system, however, you'd never have had to put in any effort to setting your system up - or be distracted again by future spoofed calls. THAT'S how it should be.

    2. Re:Doesn't bother me by zaq1xsw2cde9 · · Score: 1

      Problem with this method is, putting them in your spam blocker is bad for you, not them. They use a random number every time. Since they don't use the same number again anyway, you've just blocked a potential legitimate caller in the future, and not them. Spammer's next call will be from a different number.

      Your Problem is not solved. You've created another one for yourself in the future when you meet a new friend, or try to do business with someone else, and they are blocked and you don't even know it.

  29. Will it work as poorly as Do Not Call registry? by Anonymous Coward · · Score: 1

    Unfortunately whatever they implement will be about as effective as the Do Not Call Registry was.... not at all. The scammers always find a way around rules and they count fines as the price of doing business.

  30. Finally something Pai and I agree on. by TomBauserman · · Score: 1

    If he can come up with an actual plan and not just a bunch of hot air.

  31. When did that "Comments Filter" with tabs appear? by shanen · · Score: 1

    A few minutes ago I noticed the "Comments Filter" below the post button. It has tabs for the primary dimensions of moderation, so (for example) clicking on the "Funny" tab immediately shows the current 2 funny comments on this story.

    Is this a new feature? Or have I been blind, and if so, for how long? Now I don't have to waste time with the text searches on "funny"? Fewer annoying false positives (as distinct from actually bad moderation)?

    By the way, the "Funny" comment to which this reply is attached is not very funny. At all. But that's just part of the general brokenness of the moderation system.

    I still can't get over the possibility that an actual change has occurred. A new feature?

    Naw, I must have been blind and just never noticed it. Probably been there for years if not decades.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  32. Re:Uh-oh by shanen · · Score: 1

    Deserves a Funny mod, but I never get any to give.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  33. Re:Uh-oh by bjdevil66 · · Score: 1

    Uh-oh. What will Slashdot do now?

    Naively wait and hope - for Ajit Pai to push as hard for this as he did to bring down Net Neutrality.

  34. Re:Uh-oh by DaveSewhuk · · Score: 1

    That you need to pay an extra fee to take advantage of. FTFY.

  35. Re:Uh-oh by Major_Disorder · · Score: 1

    We need a Canadian wall! Made of ice and 100 yards tall! It's the only way to keep the White Walkers out,

    As a proud Canadian I support the building of a Canadian wall to keep the orange one out of my country.

    --
    First law of people: People are generally stupid.
  36. Re: Uh-oh by LostMyBeaver · · Score: 2

    It affects him directly.

    I turned on my American telephone for my upcoming US trip next week. Since I've turned it on, I've signed up for the "Do not call registry" which I'm quite sure does nothing. I've been receiving on average 3-5 phone calls a day from Kissimmee Florida to inform me that my medicare will not cover a hip some surgery if I wait any longer. Every call claims quite forcefully that "This is your last warning" of which I keep hoping it is true... it's not. If I press 2, it should add me to the "Do not call list" and I've pressed it a few times only to be transferred to a sales person. At which time I ask to be removed from the list... and I'm not.

    It is quite impressive to see how poor the state of the US is in. Only in India, the UK and the US have I ever seen so many people blatantly trying to take advantage of other people. It's absolutely horrifying that the regulatory committees are unable to control this problem. When an American company calls an American telephone number and the owner of that number contacts the FTC to report a violation, the FTC should be knocking on their door within a week. Instead, the FTC doesn't seem to do anything about it... all the scam calls I've received are long time members of a list of known scammers. It also appears that these people know they are safe. What's worse is that there are people working for these companies who knowingly violate the "Do not call" registry. After all, Robocallers should have access to a database which makes it clear who they can call and who they can't. If these companies violate that, they should be shut down or fined severely on early offenses and punished with prison on repeat offenses.

    I'm very sad to know just how low the people of America have declined to.

  37. Re:Uh-oh by Uberbah · · Score: 1

    Same reason Bernie Madoff went to jail - he stole from the rich. If he had just done what Wells Fargo or Steve Mnuchin did and stole from working stiffs, he'd probably have a job at the White House - under either a Dem or GOP administration.

  38. Re:Uh-oh by geoscodin · · Score: 1

    I got those car warranty calls all the time so I would open by telling them that I had 220,000 miles on my car and THEY started hanging up on ME. On the rare occasion someone stayed on, I would ask them to remove me from their list. I guess it was a good strategy because they never call me anymore.

  39. Re:Uh-oh by mjwx · · Score: 1

    Wait, are you trying to insinuate that the "wealthy" have their own national phone system completely separate from the rest of us? Staggering. "Hey Bob, new rich guy, yup just hit the 15 million mark. We gotta install all that extra cabling to his house, and plumbing too. Crap! We also have to reprogram another group of servants to never ever ever ever ever ever EVER say a word about any of this. Oh jeez, we also have to train that schmuck on proper Rich Person Telephone Network use. I wonder if anyone let the Rich Person IT department know yet."

    I get the joke... But some of it is closer to reality than you think.

    Rich people do have separate communications networks, maybe not based in wires, in fact a lot of it is person based to ensure that not any idiot can accidentally call the Queen of England (I believe Prince Charles has an exception). Often rich or important people will not have a direct line that doesn't go through at least one form of filter, usually this is a person who redirects or dumps your call but now we've got heuristic programs to filter and VPNs to isolate networks.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  40. Re: Uh-oh by dwillden · · Score: 1

    Funny you blame Americans but invariably when they do manage to track down one of the spam call groups they are operating from overseas. The last big one was based out of India. Yes there is a problem with the US phone system and it should be quite simple to fix. Prohibit number spoofing. The carriers can implement systems to prohibit any call not originating from the claimed number. But for some reason they refuse to do so leaving us subject to this never ending flow of spam phone calls.

    And as I stated before, these scams are not originating in the US.

    --
    I'm too lazy to compose a creative sig.
  41. Re:Uh-oh by dwillden · · Score: 1

    Yes we can, for only $1000 per year since the original warranty expired. (payable up front of course). And while you are paying that we also need you to pay for your Taxes or else the Sheriff is standing on your front porch to arrest you.

    --
    I'm too lazy to compose a creative sig.
  42. Re: Uh-oh by apoc.famine · · Score: 1

    The issue is that a ton of companies have moved to VOIP, and/or have a lot of internal numbers but want calls to appear to be coming from the official, published business number so they look legitimate. It's going to be harder to google one of a thousand numbers to see if they are legitimate than one main business line.

    Legitimate companies do have some fairly solid reasons to spoof their numbers. The big problem is that instead of putting any sorts of controls on this, the telcos took the cheap, easy way out and just threw up their hands and said, "whatever".

    The big companies that want to do this pay the bills. The average residential customer can either accept getting shit on, or not have a phone number.

    --
    Velociraptor = Distiraptor / Timeraptor
  43. Ajit Pai just has not sold out yet. by bussdriver · · Score: 1

    Robocallers FAILED to purchase Pai and now they will pay the price.

    Don't expect a fully working solution because that likely would upset Pai's owners.

    It says something is wrong when officials replace citizen with consumer and it DOES impact thinking to do so. I am NOT a consumer, I am a citizen, a human and not merely a cog in your machine.

  44. Re: Uh-oh by green1 · · Score: 3, Insightful

    Spoofing isn't the problem. Unauthenticated spoofing is the problem. The CID needs to be taken out of the hands of the businesses, and put into the hands of the telecoms. They can then work with the companies to present the appropriate CID. It would be no problem for a company to register their main number, and say "calls from all these other numbers should appear to come from this one, here's proof we own this one." It's that proof part that we're skipping.

    It always surprises me how quickly idealistic engineers design systems that fail to include ANY security/authentication system, and expect that humans will play nice. We know that simply doesn't work, it's been proven repeatedly for pretty much as long as humans have existed. It's not hard to authenticate ownership of the main number, phone it! There's no reason why the end user needs to be able to spoof any number they please without proving first that they own that number.

  45. Re:Isn't Pai supposed to be eeeevil? by green1 · · Score: 1

    The summary states that some companies are already in compliance, and he's threatening the others with regulation. That tells me that it should be easy enough to see which companies are paying him. It's the ones who are already in compliance and just want to make sure their competitors are hit with more cost.

  46. Re: Uh-oh by Immerman · · Score: 1

    >But for some reason they refuse to do so leaving us subject to this never ending flow of spam phone calls.
    Ask yourself one question: aside from the scammers themselves, who profits from the phone-scam industry?

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  47. Re:Uh-oh by Immerman · · Score: 1

    How would the inability to spoof your caller-id information prevent you from communicating with anyone who wanted to hear from you?

    Granted, there may be implementation details that could be easily abused for other purposes - can't say I've even glanced at any of the recommended solutions.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  48. Re:Uh-oh by budsetr · · Score: 1

    That sounds suspiciously like a secretary.

  49. Re: Uh-oh by Ol+Olsoc · · Score: 1

    maudite taste like shit try a pit caribou

    Fortunately, I have no idea what shit tastes like, and have no intention of learning.

    Maudite is a malt heavy, high gravity beer, and a decent example of the genre. I'd be surprised if it actually tastes like feces, but will defer to your experience.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  50. Re:Uh-oh by mjwx · · Score: 1

    That sounds suspiciously like a secretary.

    Closer to a PA (Personal Assistant) and that is pretty much it and how it's been done for decades. Rich people would hire people to take their calls, answer the door, et al 24/7. We also call them valets (calling them a butler is incorrect, butlers manage the household staff, a valet sees to his lordship's person).

    My experience is in working in state government (in Australia). It's very, very hard to get through to a senator if you're not on his whitelist. Any unidentified number will be dropped or ignored. Public numbers for senators will go to their office where they'll get answered by receptionists (it's a legal requirement for any politician in Australia to have a public number... but not for them to answer it personally).

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  51. Re:Uh-oh by BringsApples · · Score: 1

    I've read this a few times, and I can only conclude that you're explaining my joke to me.

    --
    Politics; n. : A religion whereby man is god.