The US Federal Communications Commission (FCC) has issued yet another Further Notice of Proposed Rulemaking (FNPRM) to tackle the epidemic of impersonation frauds committed via voice calls. This is the ninth FNPRM in this series. There has been a lot of discussion on social media about the contents of the new FNPRM in the few days since it was issued. Most have applauded the ways it is meant to ‘plug the gaps’ in the framework created by the existing anti-scam strategy and the eight previous FNPRMs. Other commentators have only concentrated on the parts where they consciously confuse their desire to make money from selling technology and collecting fees with sincere attempts to protect the public from harm. In contrast, this article will focus on the one part of the FNPRM that will potentially see the USA copying a cheap control that has massively reduced the number of fraudulent calls received in Europe, India and the Middle East.
The blocking of inbound international calls that spoof a domestic number has been a smashing success in all the places that have tried it, but has been furiously resisted by American lobbyists. Since demanding the implementation of STIR/SHAKEN at an estimated total cost of half a billion dollars, these lobbyists have insisted that the USA lacks the competence to implement a version of European Communications Committee (ECC) Recommendation 23(03). Regular readers will not need reminding that the adoption of ECC Recommendation 23(03) by Europe’s regulators is responsible for a dramatic fall in the number of scam calls received by Europeans. They may also recall that other countries, such as India, have independently arrived at similar controls that also prevent scam calls from crossing their borders. The mind boggles at how American engineers could so overestimate their ability to make STIR/SHAKEN workable — a technology that still leaves a large proportion of calls completely unprotected from spoofing despite it being written into US law in 2019 — yet also believe themselves unable to replicate techniques that Arabs, Europeans and Indians have implemented with much less fuss over a much shorter period. But perhaps I am being unfair to American engineers because there are signs that they are only allowed to say what corporate moneymen allow them to say.
The relevant section of the FNPRM begins:
We propose to require providers to identify calls that originate from outside of the United States to transmit that information over the entire call path, and to transmit to consumer handsets an indicator that the call originated from outside of the United States whenever they know or have a reasonable basis to know that a call originated from outside of the United States. Specifically, we propose to require gateway providers to mark calls that originate from outside of the United States, intermediate providers to transmit that information to downstream providers, and the terminating voice service provider to transmit to consumers’ handsets an indicator that a call originated outside of the United States when they know or have reason to know that a call originated from outside of the United States, such as when a call has been marked as having originated outside of the United States by an gateway provider. We seek comment on this proposal. We also seek comment on what steps gateway providers, non-gateway intermediate providers, and terminating voice service providers would need to take to implement this proposal, if adopted.
That seems like a sensible first step to me. It is also important because it shows the tide is turning against the US telecom industry’s most outrageous liars. It was only in March that former FCC lawyer and current industry shill Josh Bercu, SVP of Policy at USTelecom and boss of their Industry Traceback Consortium (ITG), misled a hearing of the California State Senate’s Banking and Financial Institutions Committee when he answered one of their questions.
State Senator Tim Grayson: Mr. Bercu, is there a possible, is there a way currently through technology where we can notify people that a call or a text is being, is originated from overseas?
Josh Bercu: It would be great, but unfortunately there really isn’t a way because the provider, your provider doesn’t know that that call or text originates from overseas, and that’s for a few different reasons, just the way the network works.
The recording of that conversation can be found here. I am grateful to another one of the participants in that hearing for tipping me off about Bercu’s testimony.
Bercu regularly promotes US business abroad so I doubt even he would pretend he was unaware of the success that other countries have attained by stopping inbound international calls that present a domestic number or by preventing the spoofed domestic number from being presented to the recipient. Bercu could have explained to State Senator Grayson how other countries protect the public from spoofed international calls but he immediately digressed into waffle about how difficult his job is, as if the primary goal of a scam reduction policy should be to make life easier for overpaid apparatchiks. This is sadly consistent with Bercu’s track record of misleading audiences when that is the easiest way to exaggerate how well US telcos are tackling scams. I have explained elsewhere how Bercu presented a bogus statistic about the reduction of scam calls when he spoke to the US Congress. Bercu also misled the audience at the 2024 NICC Open Forum held in London when I confronted him over the increasing number of gaps in the data provided to the FCC by his traceback group.
As with so many other American lobbyists, Bercu’s antipathy to controls on inbound international calls while he simultaneously demands foreign countries do more to protect Americans is due to the profits that come from telemarketing call centers situated in foreign countries. American businesses use foreign call centers to an extent that is incomprehensible for most other nationalities. They all present US domestic numbers when they are spamming American consumers. However, there are now some US politicians who have grown impatient with the practice of bombarding Americans with calls from abroad. The change in political mood prompted by President Trump’s trade wars meant it was inevitable that the politicians appointed to run the FCC would also relax their opposition to controls on inbound international calls, even if these calls are paid for by US businesses that prefer to use cheap foreign labor. One telltale sign of the FCC’s history of prioritizing business profits over the good of the American people comes in this segment of the FNPRM.
We seek comment on the impact, if any, on the ability of voice service providers to implement our proposals for calls that originate from outside of the United States but that legitimately spoof a North American Numbering Plan (NANP) number, such as when a domestic business has offshored call center operations and chooses to present a domestic NANP number as the originating number or for consumers to call back.
The prospect of blocking inbound international calls arises in this paragraph.
We further propose to require voice service providers that use reasonable analytics to block calls to include whether a call originated from outside of the United States as a factor in their analytics. We seek comment on this proposal. We seek comment on what steps providers would need to take to include this information in their analytics and whether this requirement would further protect consumers against scam robocalls originating outside of the United States.
This is a poor way to think about how to protect the American public. Many Americans have relatives that live elsewhere. Relying on algorithms that give preference to calls from some countries over other countries will likely deliver racist outcomes. The FCC is showing a bias for ‘reasonable’ analytics because it is stuck in a loop of reinforcing previous decisions that have only delivered the desultory reduction in scams seen so far. That bias is also apparent when they worry about the negative impact that successfully reducing scam calls from foreign originators would have on the sales of STIR/SHAKEN.
What other tools could we use to help identify the sources of foreign-originated calls? For instance, could we implement a chain of agreements requirement whereby gateway providers accept traffic only from foreign providers that agree to cooperate with traceback requests and that, in turn, only accept calls from providers that agree to the same conditions? How many providers upstream of the gateway provider could such a requirement effectively reach? Similarly, how can we promote implementation of STIR/SHAKEN or other interoperable call authentication solutions in other countries and to achieve cross-border authentication?
This paragraph reveals the extent to which US industry shills are divorced from reality. The implication is that if China refuses to facilitate a one-way mechanism for the US government to punish Chinese telcos, then nobody in China will be able to call the USA. Neither the FCC nor its billion-dollar business cronies have the political heft to do something that would make Trump’s trade tariffs appear like a minor inconvenience by comparison.
It is also telling that years of FCC lobbying of other countries has not only failed to deliver the anticipated worldwide adoption of STIR/SHAKEN, but that they can think of no better plan than to ask the lobbyists who previously boasted that STIR/SHAKEN was bound to be adopted globally for fresh advice on how to make STIR/SHAKEN popular around the world. One way would involve restoring some of the USA’s reputation by persuading lobbyists not to spread so many blatant lies about STIR/SHAKEN. And the easiest way to promote STIR/SHAKEN abroad would involve making it effective in the USA first, but that is not a problem anybody in the USA currently knows how to solve.
There is a paradox in US telco lobbyists blaming foreigners for scam calls while bitterly opposing controls to block inbound international calls that spoof US phone numbers. It would be comical if it was not doing so much harm to the American public. However, at long last, the new FNPRM has asked the US telecoms industry to explain its opposition to a control that should have been implemented long before a single cent was wasted on STIR/SHAKEN.
Should we prohibit spoofing of United States telephone numbers on calls that originate from outside of the United States? Does the practice mislead consumers about a call’s origin? Does it make consumers more susceptible to unlawful calls involving spoofing, such as by increasing their trust in calls that originate from outside of the United States? How many calls that originate from outside of the United States spoof a United States telephone number? Of those, how many are unlawfully spoofed? Do calls that originate from outside of the United States and spoof a United States number carry a greater risk of being unlawful, such as being a scam, than calls that originate from within the United States and spoof a United States number? What is the magnitude of that risk?
But even when the FCC asks the right questions about protecting consumers, they soon revert to worrying about business interests instead.
If we were to prohibit spoofing of United States numbers for calls that originate from outside of the United States, what, if any, changes would be required to existing technical standards, such as STIR/SHAKEN or RCD? How would such a prohibition impact businesses that have offshored certain operations, including call centers?
However, Trump’s impact on the Republican Party does mean there is now a different way to view business interests.
Would this prohibition encourage businesses to invest in the United States or return jobs to the United States?
These are such important decisions for protecting Americans from scams, and for potentially reconfiguring business relationships that span international borders, that it is truly remarkable that so few American commentators have even mentioned these paragraphs in the FNPRM. They have chosen to place their emphasis elsewhere. Their bias is revealed by their lack of interest in controls to block scam calls originating outside the USA, despite other countries enjoying spectacular results as a consequence of targeting calls that spoof a domestic phone number.
To review all the other proposals in this FNPRM would be too much for a single article. I need more time to digest proposals to change the information presented to recipients of calls that originated within the USA, and to understand how this information might be verified in practice. The main problem with STIR/SHAKEN is that it applies ‘authentication’ signatures to calls when nobody has checked who actually made the call! Better checks on the identity of callers within the USA need to be implemented before the application of any technologies that are supposed to relay information about the caller to the recipient. The curse of garbage in, garbage out has ruined STIR/SHAKEN and could have a similar impact on some of the controls proposed in this new FNPRM. However, to get a quick reading of the quality of those proposals, I asked an expert with extensive knowledge of the history of the FCC’s rules on these topics to share their thoughts on the new FNPRM. The expert spoke on condition of anonymity because of the potential consequences of opposing the big businesses that currently drive US policy, but the summary was that the USA “needs much more than a fucking FNPRM” to sort out the mess with the way phone numbers are currently abused.
Per this expert’s analysis, the root cause of failure is that the USA keeps trying to shore up trust in phone calls by shoring up the reliability of phone numbers. Trying to restore trust by validating phone numbers is already a lost cause because of the way US phone numbers have been allocated to, then sold by a plethora of unregulated businesses. As the expert pointed out, “poisoned number assignments” that result from a lack of any audit trail have given rise to a situation where we “don’t know where these numbers came from”. It is too late to try to validate who has the rights to many phone numbers in actual use.
Pouring resources into checking the reputation associated with each phone number is a tempting prospect for big ugly businesses like Somos and iconectiv which already generate substantial revenues by selling ‘number intelligence’. That is why so much of the commentary surrounding this FNPRM is about the new business opportunities that can arise by having yet more data sloshing through databases that use phone numbers for the key. But as the expert told me, “telephone numbers are a wonderful abstraction for reaching somebody but not for proving who you are”. To link a person’s identity to a phone number in order to prevent crime is “way more work than is necessary, and it’s not trustworthy in the end anyway”.
Given the track record of individuals like Josh Bercu, we should also ask if the US industry has the personnel with the integrity needed to clean up its numbering system, even if they could think of a methodical way to accomplish this Herculean task. Seeing Bercu’s presence as a fake expert on many anti-scam committees in the USA and beyond is a reminder that appointees are chosen because of their political and business connections, not because they have succeeded at reducing scams or because they care about people.
All hope is not lost. There is a potential solution to the problems created by a loss of trust in phone numbers. We can start again, by creating new trustworthy systems from scratch. This will be easier than trying to redeem systems that have already been corrupted. It is early days for the GSMA’s working group on Open Verifiable Calling, but it offers the prospect of phone calls exchanging data about the identity of the caller which is independent of the phone number they used. As per the terms of the project, the goal of Open Verifiable Calling is to tackle impersonation fraud…
…by embedding cryptographic proof of caller identity, brand rights, and caller intent directly into every call. Whether local or international, fixed-line or mobile, human or AI-assisted, recipients can know who is calling and why — and verify it in real time.
This GSMA-led collaboration invites carriers, technology vendors and regulators to work together on a framework to prove a live, cross-border implementation of verifiable calling.
The GSMA’s project involves some very promising technology. The mixture of European and American businesses involved in this working group also appreciate the need for processes that complement and integrate with the technology, such as the need for vetting processes so that data associated with an organization or a person can genuinely be trusted to represent that organization or person. However, the GSMA and the businesses supporting the work on Open Verifiable Calling need to show they can deliver before the FCC’s position becomes even more entrenched. The FCC and its business cronies now represent the leading obstacle to a workable solution to impersonation fraud across international borders.
The FCC is only now considering the potential for an American version of ECC Recommendation 23(03) because American anti-scam experts from the finance sector have been pushing back against the lobbyists employed by the telecoms sector. It would be unreasonable to expect individuals from a different sector to be able to counter all the misinformation that telco lobbyists spread about the way the telecoms sector works (or fails to work) in practice. However, they can compare the results attained in different places and question why a method that has proven successful somewhere is not replicated somewhere else. The sooner the GSMA project demonstrates the effectiveness of Open Verifiable Calling, the sooner the global industry can move beyond the parochial interests of the communications businesses that have made a mess of protecting the American public so far.
You can read the new FNPRM here.
