Spam Robocalls Aren’t Slowing Down. Here’s the Tech That Could Stop Them.

By every measure available, robocalls and spam phone calls have reached epidemic levels. Unwanted calls are by far the largest source of consumer complaints to the FTC, up to 7.1 million in 2017 versus 5.3 million in 2016. YouMail estimated that there were 3.4 billion robocalls placed in April of 2018, up from 2.5 billion in April of 2017. Phone-verification service Truecaller reports that while in 2014 the average American received 15 spam phone calls a month, by 2018 the average American was getting slammed with 23 spam phone calls a month.

It’s the reason I never pick up my phone if someone isn’t in my contact list, and why you probably don’t either. On an average day, I get more spam phone calls than legitimate calls, and it’s been that way for years at this point.

The Telephone Consumer Protection Act of 1991 ostensibly should protect against these calls, but rapid advances in technology have quickly outstripped what Congress could imagine 27 years ago. The FCC has declared war on robocall spam, forming a “Robocall Strike Force” in 2016, and on May 11 of this year, the FCC hit a robocaller named Adrian Abramovich, who made over 96 million robocalls, with a fine of $120 million, the largest ever levied by the FCC. But with 111 million robocalls being placed every day, Abramovich is just a drop in the ocean. Fines and FCC regulation aren’t going to solve this problem. Cheap and easy-to-use technology is to blame for the rising flood of robocalls in the U.S. — so it will likely be technology that stops it.

Phone spam skyrocketed thanks to two things. The first is the rise of the Voice over Internet Protocol (VoIP), a series of standards that allow users of services like Skype or Google Voice to call someone halfway around the world for nearly nothing. It’s been a major boon, drastically lowering the cost for people around the world to communicate, but it also means that open-source software can let a single computer hooked up to the web make thousands of calls an hour. Buy a dozen dirt-cheap PCs, and you can easily place hundreds of thousands of calls an hour, from anywhere in the world to anywhere in the world.

The second is the easy ability of anyone to “spoof” a phone number. Spoofing is the technique of faking the number that shows up on your phone’s caller ID. There can be legitimate reasons to spoof a phone number — a dentist’s office calling to make sure you’re coming in for a checkup may want to make sure it always shows up as the same outbound number, even if someone from a specific extension is making the call. But spoofing, by and large, is used by spammers and scammers to fake you out. “Neighbor spoofing,” a relatively new technique, mimics target telephone numbers’ area codes and local exchange numbers — this is why in the past year or so, you’ve suddenly been hit with a tremendous number of calls from phone numbers nearly identical to yours. (In my case, I’ve gotten a spam phone call from my own telephone number.) In more nefarious hands, spoofing can be used to mimic your bank, the IRS, your electric company, or any other organization where you might be inclined to divulge financial details.

Almost no one wants to end VoIP. But spoofing phone numbers? That could be stopped — and since mid-2015, a consortium of engineers from phone carriers and others in the telecom industry have worked on a way to do exactly that, worried that spam phone calls could eventually endanger the whole system. “We’re getting to the point where nobody trusts the phone network,” says Jim McEachern, principal technologist at the Alliance for Telecommunications Industry Solutions (ATIS). “When they stop trusting the phone network, they stop using it.”

The solution: the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards. The idea: make it so every phone has a certificate of authenticity attached to it — a kind of digital signature — that allows you to once again trust your caller ID.

The (greatly) simplified way this would work: Someone would place an outbound call. That call would contain a certificate verifying that the call is indeed coming from the number it claims to be coming from. The phone call is passed along to the incoming carrier (e.g., AT&T), which would then check the certificate’s public key against a heavily encrypted private key. A policy administrator, run by the telecom industry with oversight from the FCC, would be in charge of handing out certificates and making sure everything is on the level.

For people with passing knowledge of how the modern web works, the STIR/SHAKEN authentication schema may seem familiar. The vast majority of sites you visit on the modern web use SSL certificates, and web browsers like Chrome will increasingly warn you away if a website’s certification seems hinky. The matching of a public key against a private one is the foundation of modern cryptography like PGP. “The telephone network we have now is laughably nonsecure,” says Jim Dalton, CEO of TransNexus, a software firm dedicated to fighting telecom fraud. “This is applying the lessons of data networks to telephone networks.”
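For readers who want to see the sign-and-verify flow in code, here is a sketch added for illustration (it is not from ATIS or any carrier): the originating side signs a SHAKEN-style PASSporT token (RFC 8225 and RFC 8588) with its private key, and the terminating side verifies it using only the public key. The phone numbers, `origid`, certificate URL, key pair and the 60-second freshness window are constructed assumptions.

```javascript
// Added illustration: SHAKEN-style PASSporT signed and verified with ES256.
// All numbers, identifiers, URLs and keys below are constructed sample values.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
// Constructed carrier key pair; in practice the public half sits in the carrier's certificate.
const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });

// Originating carrier: assert the calling number and sign the claims.
function signPassport(key, orig, dest, iat) {
  const header = { alg: "ES256", ppt: "shaken", typ: "passport",
                   x5u: "https://cert.example.invalid/carrier.pem" };
  const payload = { attest: "A", dest: { tn: [dest] }, iat,
                    orig: { tn: orig }, origid: "00000000-0000-4000-8000-000000000000" };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = sign("sha256", Buffer.from(input), { key, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Terminating carrier: needs only the signer's public key, never the private key.
function verifyPassport(token, pubKey, callerId, calledNumber, now, maxAgeSec = 60) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url"));
    claims = JSON.parse(Buffer.from(p, "base64url"));
  } catch { return "malformed"; }
  if (header?.alg !== "ES256") return "bad-alg"; // do not let the token pick the algorithm
  const ok = verify("sha256", Buffer.from(`${h}.${p}`),
                    { key: pubKey, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!ok) return "bad-signature";
  if (claims?.orig?.tn !== callerId) return "caller-id-mismatch"; // signed vs. displayed number
  if (!claims?.dest?.tn?.includes(calledNumber)) return "wrong-destination";
  if (Math.abs(now - claims.iat) > maxAgeSec) return "stale"; // rejects replay of an old token
  return "verified";
}
```

A token whose claims are altered after signing fails the signature check, and a valid token replayed with a different displayed caller ID fails the number comparison.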

STIR/SHAKEN has spent the last year or so running in a test-bed environment overseen by ATIS. Companies are currently testing out their networks, software, and infrastructure on STIR/SHAKEN, with small federations of phone companies all agreeing to trust one another’s certificates — a system that doesn’t easily scale. For this system to work, carriers on both sides of a phone call need to be involved. Verizon has stated that it plans to begin to implement STIR/SHAKEN in parts of its network this year, with a bigger rollout scheduled for 2019. Other carriers, per McEachern, will likely follow suit.

So what does it look like when your phone starts to buzz with an incoming call in a world where STIR/SHAKEN is in place? “It’s still a matter for debate,” says McEachern. “There isn’t consensus for what should be done. Work is still proceeding irrespective of that.”

One option would be for your phone to display something like a verification check mark on every inbound call that has an authentication certificate, affirming that if you’re getting a call from the IRS, it is indeed the IRS. This wouldn’t immediately stop the plague of robocalls, but it would at least allow you to pick up the phone with confidence.

Another option: Most of the major carriers are already using back-end analytics tools to build out spam and block lists, but these are hamstrung by the fact that they can only really rely on the incoming phone number, which is easily spoofed. A world with STIR/SHAKEN provides much more information about the point of origin, and allows for a spam-blocking system with much greater insight and accuracy. Instead of seeing whether a call is verified or not, you may simply stop getting most of the spoofed robocalls that litter your missed-calls list today.

A world with STIR/SHAKEN won’t be a telephonic utopia. Legacy systems like older landlines and rural phone systems wouldn’t be able to take advantage (though they could start cribbing from the spam and blocking lists used by other carriers). Legitimate VoIP users on services like Skype or Google Voice may need to jump through a few extra hoops to verify that they are who they say they are. As it’s currently envisioned, STIR/SHAKEN will only work in the U.S., and robocalls and phone spam are at this point a global problem. And STIR/SHAKEN will also add some overhead to phone companies, a cost that phone companies may pass along to customers.

It’s also entirely possible that phone spammers will simply change up tactics. Right now, many overseas call centers utilize VoIP calling, but route all of that activity through a private branch exchange (PBX) based in the United States — meaning it appears as a phone call originating in the U.S. While STIR/SHAKEN would mean that robocalls originating from suspect PBX operators would start to get marked as spam, right now it’s relatively easy to simply set up shop all over again. The hope is that an industry-led regulatory body is nimble enough to catch spammers as they adapt, and update standards accordingly.

And it doesn’t mean that you’ll never get an unwanted phone call ever again. “The fact that a phone number is verified doesn’t mean it’s a good call,” says McEachern. “Dr. Evil could get a verified phone number. You still don’t want a call from Dr. Evil.”

Right now, our phones are rapidly becoming like the spam-stuffed email in-boxes of an earlier internet era. But Bayesian spam-filtering and other techniques began to evolve for email in-boxes, allowing for spam to be shunted off into spam folders. The key insight that defeated email spam was that it would be nearly impossible to stop email spammers; it was too cheap to send out emails and too easy to set up shop nearly anywhere in the world and reach millions of people. But it was possible to make it so that the average person never saw that spam. As spam stopped showing up in in-boxes, it stopped bringing in as much money, and email spam overall went on the decline.

The STIR/SHAKEN authentication uses the same strategy. There is a whole cottage industry set up to support phone spam, employing people around the globe. But eliminate the ability for spammers to impersonate any phone number at will, and the economics stop making as much sense — and you can once again start picking up your phone when it rings.