Calling Line Identification (CLI) authentication – a potential approach to detecting and blocking spoofed numbers


June 2023:

UKCTA Response to Ofcom

Introduction

  1. This submission is made by the UK Competitive Telecommunications Association (UKCTA). UKCTA is a trade association promoting the interests of fixed line telecommunications companies competing against BT as well as each other, in the residential and business markets. Its role is to develop and promote the interest of its members to Ofcom and the Government. Details of membership can be found at www.ukcta.org.uk. Its members serve millions of UK consumers.
  2. UKCTA welcomes Ofcom’s consultation on Calling Line Identification (CLI) Authentication – a potential approach to detecting and blocking spoofed numbers. UKCTA recognises the importance of regulation in this area and is pleased to be able to respond to this consultation. Ofcom continues to work with its members and other stakeholders to aggressively combat scams.
  3. UKCTA sees this consultation as the first part of a significant consultation process enabling Ofcom and communications providers (“CPs”) to work together to develop an effective and robust solution against number spoofing. Scam calls and texts are a major source of fraud across the world. The UK has the opportunity to learn from the implementation of STIR/SHAKEN, know-your-customer, robocall traceback, and other techniques in the US, Canada and from other jurisdictions where alternative methods have been implemented to protect consumers.

Call authentication and STIR/SHAKEN is not the solution

  1. To combat the rise of call spoofing, illegal robocalls, and fraud, policy makers around the world are carefully looking for the most effective solutions. Only two countries in the world, the US and Canada, have implemented STIR/SHAKEN, with a third, France, under development. Policy makers in countries such as Australia and Singapore are opting for other measures to resolve these issues, taking into consideration the relief and benefits granted to consumers, and the proportionality of the costs and complexities of implementation.
  2. STIR/SHAKEN is a technology that has proven to be useful for the elevation of trust in good calls, but implementing this technology does not stop spoofed or fraudulent calls. There is no current technology that will substitute for aggressive enforcement against the bad actors originating scam or fraudulent calls.
  3. Some international solutions have been implemented recently and there is no data yet about efficiency and effectiveness. Experience has proven that STIR/SHAKEN offers some utility, but it has not been the panacea it was promised to be. Without civil and criminal enforcement against bad actors, no amount of call authentication or labelling technology will deter their efforts, but rather it will just present the fraudsters with a new tech puzzle to solve around.
  4. The technology needed to implement call labelling and authentication is improving at a breakneck speed year on year. As a result, there are more options and paths for stopping telephone fraud than when STIR/SHAKEN was first adopted. Proceeding incrementally and in a more technology-neutral way will allow UK stakeholders to benefit from learnings about the aspects of STIR/SHAKEN that have proved to be ineffective.

Ofcom should allow time for the recently implemented regulatory measures to take effect and evaluate the impact of those actions before adding further regulatory interventions

  1. Ofcom recently strengthened the rules requiring telecoms providers to detect and block spoofed numbers where possible. Ofcom published related guidance and a separate good practice guide to help prevent scammers accessing valid phone numbers. It is necessary to first evaluate the effects of these measures, of which some only came into effect in May 2023, before moving to any further measures such as CLI authentication.
  2. The evaluation of existing measures and initiatives should be based on the longer term and should factor in other countries’ real-life experience with these measures. An intrusive and costly mandate to introduce CLI authentication cannot be based on the assumption that current measures and initiatives are likely to be insufficient in tackling the problem of number spoofing. It must be based on an empirical, in-depth evaluation of current measures and initiatives. It is not clear at this stage that current measures will not be successful, and it is too early to reassess the case for CLI authentication.
  3. UKCTA would like to emphasise that Ofcom (with industry support) are at the beginning stages of this process, and we would expect further development of proposals and more consultations, as there are many issues that we are not yet in a position to meaningfully assess. More information, consultations, and thought are needed before the case for CLI Authentication is proven, and if it is necessary, before a robust CLI Authentication process could be implemented.

IP migration and the need for technology neutrality

  1. Migration to IP is essential to long-term success. As the US’s experience implementing STIR/SHAKEN has demonstrated, any technology-specific call authentication solution will be very challenging to implement until the IP transition is further along.
  2. A more technology-neutral approach to call authentication requirements will better serve the long-term interests of all parties in the ecosystem. Technology in this space evolves extremely quickly. In the time since STIR/SHAKEN became mandatory in some parts of the world, new tech alternatives are already emerging that outpace STIR/SHAKEN capabilities.
  3. Before mandating a massive investment in STIR/SHAKEN or other CLI authentication technology that risks stranding the UK in the past, the regulator should leverage lessons learned from regulators in other countries that have implemented STIR/SHAKEN and evaluate whether there are better technology alternatives now available for call labelling and authentication, such as Rich Call Data.

The CLI Authentication Administrator

  1. We are reassured that Ofcom proposes the sensible approach of there being a single CLI Authentication Administrator for the UK (we note that the SHAKEN model adopts an additional layer of complexity by there being multiple certification authorities – the potential addition of this competition may be justifiable in a market the size of the US, but it is unlikely to be so in the UK). We are, however, dismayed that, whilst Ofcom identifies the need for this key role, it proposes that industry takes the lead. This is incompatible with Ofcom’s role as the UK national numbering administrator, and if Ofcom wishes to see attestation of numbering data, then we believe it must take an appropriate role in the deployment of the solution to ensure it technically works.
  2. For example:
    • How could an operator-owned Authentication Administrator know who to distribute certificates to, when only Ofcom knows the correct details for each numbering range holder?
    • In the case of a dispute about the identity of the originator, a complainant may claim the Authentication Administrator is acting anti-competitively. UKCTA members do not want to be in the role of policing the identity of competitors; indeed, we believe this would be inappropriate for the market.
  3. If Ofcom seriously wants to implement STIR/SHAKEN in the UK, then Ofcom must play its part and act as the Authentication Administrator, being the central agency for associating certification data with originating networks. An alternative would be to consider outsourcing this function to the Office for Telecoms Adjudication; however, we again note that this is not an industry function.

Impact on different providers – small VOIP CPs and international enterprise

  1. If the UK wants to remain a hub for international business and investment, the UK model should be technology-neutral and flexible so that it does not stifle innovation, and should minimise disruptions to legitimate business use cases for enterprise customers, such as international call centres and conferencing solutions. We are glad to see that these have been considered to some degree in Ofcom’s paper, but we believe more analysis needs to be undertaken.
  2. Prescriptive national call blocking mandates for incoming international calls would completely ban legitimate use cases for CLI presentation, such as use cases for international call centres and conferencing. This would impair advanced communications solutions that benefit UK businesses and consumers alike.
  3. Ofcom also needs to consider the impacts of such regulation on different types of providers. For example, if a country mandates STIR/SHAKEN without taking into consideration the specificities of VoIP service providers to enterprise customers, the disproportionate investments in equipment and technology may drive some enterprise providers out of business and increase the barriers to entry for new providers. This would result in less competition in the market and fewer options for enterprise customers.
  4. Further, if STIR/SHAKEN or CLI authentication is mandated, small providers would face a costly and resource-intensive mandate to implement such an intervention, without commensurate benefit. This would also stifle innovation and disadvantage small businesses by placing a significant barrier to entry to the enterprise voice market, leaving business customers with fewer choices of providers of advanced VoIP services. For niche VoIP providers serving selected corporate customers, investments to implement STIR/SHAKEN technology could be a disproportionate requirement to the level of revenues generated by such services.
  5. This consultation effectively forewarns of significant cost with CLI Authentication that would be borne by the telecoms industry generally – scams are ‘major crime’, and Ofcom acknowledges the economic damage – what support is available from other sectors and regulatory or enforcement bodies? Is it appropriate to apply such a financial burden on one solution that is not a catch-all, when it could be assigned to a variety of other initiatives that require less technical implementation?
  6. When considering the cost of implementation of STIR/SHAKEN or CLI authentication, it is worth noting that the money that industry will be required to spend to develop this may be better spent protecting consumers through tried and tested means. The cost involved is likely to be disproportionate by comparison to the results and prevents industry from using that money to protect consumers in other ways that are perhaps more reliable and cost effective.

Alternative options are available, e.g. traceback, enforcement, and international collaboration

  1. A Numbering Database is a measure that would be beneficial for reasons beyond CLI Authentication (for the reasons Ofcom have already ascribed to it in point 7.19 of the consultation). Additionally, for the scenario where the originating and terminating networks have a direct relationship, a database, in itself, could mitigate the need for ‘attestation’ as the terminating network could check whether the upstream originating network is correct for the number. However, creation of a numbering database would be expensive and time consuming, so UKCTA members are split as to whether the exercise would be worthwhile.
  2. Ofcom should also be looking at the source of the issue. Tracebacks and robust enforcement measures must be the foundation of such efforts. Policymakers and regulators should work together with industry to implement traceback mechanisms to improve visibility into which services are being used by bad actors; a successful example is the U.S. Industry Traceback Group (tracebacks.org).
  3. Call tracing is vital. Authentication is best at helping identify and trust/elevate good calls. STIR/SHAKEN has not proven to be an effective method of identifying bad calls. Without enforcement it is just more information in a database somewhere. There is no current technology that can solve this problem on its own because scammers solve around it. This technology must be paired with real-world civil, criminal, financial, and contractual liability for the harm caused by scams. The daily nuisance of robocalls means many people no longer answer the phone when it rings or they do not know the caller, and that loss of trust in our communications systems is a very real harm. There must be prosecution of not just the high value scams but the nuisance-makers too, to send a strong message of deterrence. Tracebacks and enforcement should come first.
  4. To paraphrase the FCC in the US, flexibility is necessary to adapt to changing calling patterns, and to avoid giving the “playbook” to bad actors, so an outcomes-based approach should be the foundation of regulatory action. As a first step, tracebacks should be used to identify and aggressively prosecute originators of scam calls. Then leave room for diverse and rapidly evolving technologies in how those calls are detected.
  5. Further, no single sectoral regulator alone can solve the problem. We support international collaboration among regulators and service providers to establish the foundation for an international ecosystem, and we encourage all service providers to implement strong know-your-customer and robocall mitigation programs.
  6. Other industry sectors also have a role to play. We propose that Ofcom establishes a cross-sector working group (including CPs; impacted sectors such as banking and service providers; and enforcement agencies) to agree what measures should be introduced that would have the greatest impact on reducing scam calls and SMS.
  7. Above all, greater consumer awareness is key to minimising the impact of scams perpetrated over the telecoms network. This can most effectively be achieved by all parties involved, including regulators, playing their part to ensure consumers can recognise scam behaviour.

Conclusion

  1. More consideration is needed. Technology is quickly evolving; technology may not be compatible with STIR/SHAKEN or CLI Authentication; we are still waiting to see the full impact of STIR/SHAKEN; STIR/SHAKEN does not achieve all the objectives it intends to; we are not yet in a position to foresee all the potential negative impacts of STIR/SHAKEN; and we are waiting to see the impact of regulatory measures already in place. STIR/SHAKEN or CLI Authentication may not be the best solutions.
  2. There are smaller, more cost-effective, more technology-compatible measures that can be implemented and more that can be done within our current system before implementing STIR/SHAKEN or CLI Authentication.
  3. In any event, more information, more consultations and more discussions are needed before the case for CLI Authentication is proven, and if it is necessary, before this is implemented.