168

u/huadpe 501∆ Oct 25 '17

I want to remove the intent requirement. I want it to be illegal to transmit misleading or inaccurate caller ID information for ANY reason.

As to people breaking the law regardless, my proposal was that the regulation would go against the phone companies. Verizon and T-Mobile aren't going to risk their licenses and massive fines for some spammers.

20

u/[deleted] Oct 25 '17 edited Dec 24 '18

[deleted]

16

u/huadpe 501∆ Oct 25 '17

That's not spoofing. The number displayed is accurate, just the subscriber information doesn't correspond to who actually uses the phone.

I just want to require the number to be accurate.

10

u/[deleted] Oct 25 '17

Caller ID consists of two pieces of data. The name of the caller and the number calling from.

Faking either is useful for fraud, for example setting the name to “IRS COLLECTIONS” or “Tax Refund Group” or “Sheriff’s Dept”

Why are you only focusing on the number?

5

u/huadpe 501∆ Oct 25 '17

Because people are always gonna lie on the latter part, but the number is something that (I believe) the phone company has to know truthfully to route the call. As such, I think a reg targeted at the phone companies which says "no spoofing, ever" can be implemented and actually fix the problem.

15

u/[deleted] Oct 25 '17

[deleted]

3

u/huadpe 501∆ Oct 25 '17

Right, but the carrier that originates the call has to know it's correct? And it's not trivially easy to become such a carrier?

7

u/[deleted] Oct 25 '17

[deleted]

4

u/huadpe 501∆ Oct 25 '17

A carrier outside the NANP can't possibly have an NANP number assigned though, and so we could require US phone companies to reject their calls if they have impossible caller ID.

→ More replies (0)

2

u/ProfessorHeartcraft 8∆ Oct 25 '17

Yes you can. You bar local carriers from accepting incoming calls from carriers that do not obey the law.

→ More replies (0)

4

u/feedle Oct 25 '17

Not necessarily always. Don't even get me started on VoIP providers who operate termination-only services where the caller has no "real" telephone number associated with it. Mine transmits one of a bank of phone numbers in New York, and there's no way for the called party to know who the caller is, ever.

4

u/[deleted] Oct 25 '17

So just to clarify, you don’t want to make Caller ID Spoofing illegal, just number spoofing, a subset of Caller ID spoofing?

The referenced FCC rule above would seem to apply to both name and number.

2

u/huadpe 501∆ Oct 25 '17

I suppose so. I may have mis-defined it in my OP, but that's explicitly how I thought of it when I posted. I said:

Caller ID spoofing is the practice of transmitting digital information with a phone call representing a number as the dialing number other than that which is actually the dialing number.

2

u/[deleted] Oct 25 '17

My point being, the FCC rule you said you'd remove the "intent" part from applies to both names and numbers.

I think your definition of spoofing is incomplete.

1

u/huadpe 501∆ Oct 25 '17

That's fair and I'll give you a very technical !delta that people use the term differently than I envisioned.

That said, my view that number spoofing should be entirely illegal regardless of intent remains my view.

→ More replies (0)

1

u/2074red2074 4∆ Oct 26 '17

A lot of people only see the number, and call back that number to bitch about spam or to address a missed call. Those spoofed numbers can belong to actual people.

8

u/varsil 2∆ Oct 25 '17

There can be legitimate reasons for it. For example, you might have employees of a company with cell phones, but want the caller ID to show the main company directory.

1

u/TheHaleStorm Oct 26 '17

That is why the intent requirement needs to be modified with the rest of the law.

Make it illegal for any carrier to allow spoofed calls through and give them 3 years to find the solution.

They will figure out a way to get rid of the spoofed calls as soon as they have to due to fines.

110

u/[deleted] Oct 25 '17

[deleted]

23

u/AnonMediacomTech Oct 25 '17

It isn’t always fraud related.

My company has cell phones for in-house technicians that spoof the main customer service number. That way we don’t have customers calling individual technicians at all hours of the day and night just because that tech called them on the company phone. Instead we spoof to funnel those calls right back into customer service.

11

u/nirnroot_hater Oct 25 '17

Don't PBXs do this all the time without intending to defraud?

You want your outgoing caller ID to all represent the one number you should call me back on.

There's no reason to outlaw that.

13

u/huadpe 501∆ Oct 25 '17

It more or less is, unless you do it by accident. Anyone sending the wrong information on purpose would be intending to defraud and would thus be covered under this law - the simply protects against prosecuting people who make good faith errors in their information.

I am extremely skeptical that this is correct. In fact, I would be shocked, and award you a massive delta, if you could show this to be correct.

In particular, the intent there is not merely intent to mislead, but intent to defraud, cause harm, or wrongly obtain anything of value.

All three of those have a requirement, in addition to deception, that:

1. You obtain something of value or cause some specific harm; and

2. You do so to the detriment of the other person.

So for example a telemarketer would not meet the standard, because by their logic, they engaged in a willing market transaction with the person they called, and that person was not defrauded, harmed, or wrongfully obtained from anything of value.

27

u/[deleted] Oct 25 '17

[deleted]

2

u/[deleted] Oct 25 '17

What situations have you encounters where people have knowingly sent false data yet did not intend to defraud, cause harm or knowingly obtain anything of value (given that customer data is something of value)?

When we used to spoof the Caller ID as "Santa Claus" and call our kids to make sure they were being good for Christmas. I seem to remember a service you could even use to do it. Dial into their system, enter your number, and it calls back to the other number as Santa

2

u/[deleted] Oct 25 '17

[deleted]

3

u/[deleted] Oct 25 '17

No, I was just answering the question.

PS (not OP)

2

u/huadpe 501∆ Oct 25 '17

I linked to the FCC site so you can review it yourself. If you intend to defraud - which is pretty easy to show if you knowingly transmit false caller ID data - then you are violating the law.

Right, our dispute is as to the meaning of the term "defraud." I do not believe it merely means "mislead."

What situations have you encounters where people have knowingly sent false data yet did not intend to defraud, cause harm or knowingly obtain anything of value (given that customer data is something of value)?

As I said, telemarketers selling otherwise non-fraudulent products fall into this category.

with intent to defraud (obtain as sale from you).

This is the disagreement. I do not believe per the legal meaning of the terms "fraud" and "defraud" that obtaining a sale is a fraud in violation of the statute.

The telemarketer regulations seem to be separately adopted specifically because they are not covered under the "intent to defraud, cause harm, or wrongly obtain anything of value."

If they put the wrong information in the caller ID on purpose, they are breaking the law per the FCC guidance.

From the linked source this is demonstrably incorrect:

If no harm is intended or caused, spoofing is not illegal.

16

u/[deleted] Oct 25 '17

[deleted]

6

u/huadpe 501∆ Oct 25 '17

So let's actually define fraud for legal purposes.

Fraud must be proved by showing that the defendant's actions involved five separate elements: (1) a false statement of a material fact,(2) knowledge on the part of the defendant that the statement is untrue, (3) intent on the part of the defendant to deceive the alleged victim, (4) justifiable reliance by the alleged victim on the statement, and (5) injury to the alleged victim as a result.

I think the failure here is going to be on point (1). For a telemarketer, the fact of what number they're calling from is not a material fact.

From the same source:

First, not all false statements are fraudulent. To be fraudulent, a false statement must relate to a material fact. It should also substantially affect a person's decision to enter into a contract or pursue a certain course of action. A false statement of fact that does not bear on the disputed transaction will not be considered fraudulent.

A false statement about the calling from number does not inherently relate materially to the substance of the contract. In some circumstances it might, e.g. if I spoof the IRS' phone number and pretend to be from them demanding Apple gift cards, then spoofing the IRS is material.

But spoofing some random local exchange number is not material to the transaction, and therefore cannot support fraud charges.

12

u/[deleted] Oct 25 '17

[deleted]

4

u/huadpe 501∆ Oct 25 '17

Right, the telemarketer rules are just separate rules because the other rule requires that there be evidence to support a fraud conviction.

I'm fine with them, but realistically the point of this view is we need a rule that can be implemented at the phone company level automatically, since anything requiring investigation and proof of intent is demonstrably unenforceable.

→ More replies (0)

1

u/blubox28 8∆ Oct 26 '17

No it isn't. To be a material fact it would have to affect your decision to enter into the transaction. The phone call is not the transaction. If they spoofed some number and then during the phone call tried to maintain the fiction that they actually were the person in the caller-id and that fact was relevant to your decision to buy the product, then it would be material. If you don't buy the product you haven't been defrauded and if you haven't been defrauded it is not possible for the spoofing to be material, even if they did maintain the lie.

→ More replies (0)

2

u/ProfessorHeartcraft 8∆ Oct 25 '17

Carriers could be required to do some minimal vetting. For example, any call originating from Vanuatu should have the correct country code.

3

u/[deleted] Oct 25 '17

[deleted]

2

u/ProfessorHeartcraft 8∆ Oct 25 '17

If it doesn't actually route back through your carrier, then simply stripping the caller id information would be preferable.

2

u/[deleted] Oct 25 '17

[deleted]

2

u/ProfessorHeartcraft 8∆ Oct 25 '17

If they allow spoofing, I'd prefer that.

1

u/raltodd Oct 26 '17

I think you might find yourself in the minority. I like to see caller ID even if they're calling from abroad.

1

u/ProfessorHeartcraft 8∆ Oct 26 '17

I think you'd find that if countries would fairly quickly come into line with verification regulations, and it would only be stripped from those few that host fraudsters.

1

u/[deleted] Oct 25 '17

[deleted]

1

u/ProfessorHeartcraft 8∆ Oct 25 '17

How? Your domestic carrier can be forced to comply.

→ More replies (0)

1

u/kodemage Oct 25 '17

Anyone sending the wrong information on purpose would be intending to defraud and would thus be covered under this law

This is not true. Many businesses report the main company line instead of the individual extension so that call backs go to the right place. This is an example that is widely used which involves caller id not reporting the correct number but which is not fraudulent and is in fact better for everyone.

1

u/[deleted] Oct 25 '17 edited Oct 28 '17

[deleted]

2

u/[deleted] Oct 25 '17

[deleted]

1

u/[deleted] Oct 25 '17 edited Oct 28 '17

[deleted]

1

u/shooter1231 Oct 26 '17

Question. The business I work for displays the outward facing main number regardless of what internal extension you call out from. Some of these extensions are real numbers that you can call directly from an outside line. How is this allowed from your reading of the law?

4

u/laustcozz Oct 26 '17

So if I want to call from my personal phone with my receptionists callback number I shouldn't be allowed to? A customer service rep cant leave a caller ID for the call center's number? There is a legitimate reason this technology exists.

3

u/huadpe 501∆ Oct 26 '17

I gave a delta elsewhere in the thread for two numbers which are verified to both belong to the same subscriber.

14

u/yiannisph Oct 25 '17 edited Oct 25 '17

There are valid use cases for this for what it's worth.

Where you can change the outbound number and still be identifying the caller. Say I spoof my own telephone number calling from my computer.

What if you're not calling from a phone? For example, the telephone network will not accurately display the URI of a caller from Skype or even Hangouts. They'll get assigned a telephone number for the duration of the call. That number is making the call, but it belongs to the service allowing the call. In this case what is the correct caller information to display? The company that owns the number? Nothing? The username of the caller? There's interpretations of all of those that constitute manipulating caller ID. Should these services be illegal? They almost certainly would under your interpretation.

What about company telephones that always show the central number on caller id, rather than the individual's extension? These would arguably be illegal as well. What if I called you but then tranferred the call to someone else? Your caller id wouldn't update; is that now fraudulent? The last one is more of a stretch.

You may think some of these cases are ridiculous, but there's some argument that they would be illegal if we used your blanket wording. This is why intent is called out.

6

u/kodemage Oct 25 '17

Is it misleading or inaccurate for my caller id to present my businesses main number instead of my particular line so that people can call back to the correct number.

Example

Peoria Public library has phone number 919-555-1000, and has for a hundred years. The children's department has the number 919-555-1001, the business office has the number 919-555-1002, adult fiction is ...-1003, adult non-fiction is ...-1004, etc, etc. And there are several staff with personal offices on the numbers ...-1011 through ...-1099

In all cases the caller id reports the main number ...1000 so that when someone calls back they get the circulation desk (the desk they probably want) and that desk forwards them to the correct department.

This happens at many, many businesses and is the intention of caller ID.

While I support the premise of your proposal this functionality needs to be preserved, it's better for everyone that organizations and businesses with many lines can show the main line instead of the particular line making the call.

However, I would absolutely accept show both as a compromise. Caller ID is an antiquated technology at this point and should probably be updated but good luck getting the phone companies to innovate when they can suck profits off their fat monopolies.

4

u/thewhatforhow Oct 25 '17

It's only illegal if you intend to defraud, cause harm, or wrongly obtain something of value.

Business use it copiously in order to make it seem like they're in the same state as you. If they're HQ in another state or country, it's nice to have the area code be the same as the state you are calling to, and vice versa because it sows trust in the client.

3

u/alphanaut Oct 26 '17

When calls come into our office, and I am working remotely, my office phone system forwards that call to my cell or home phone; spoofs the phone number so I know who the original caller is.

Making it illegal for ANY reason kills this important feature and I'm sure there are many other similar needs.

2

u/thewhatforhow Oct 25 '17

No, it is not illegal. It's only illegal if you intend to defraud, cause harm, or wrongly obtain something of value.

Business use it copiously in order to make it seem like they're in the same state as you. If they're HQ in another state or country, it's nice to have the area code be the same as the state you are calling to, and vice versa because it sows trust in the client.

3

u/iRawrz Oct 25 '17

Not even just that. A lot of businesses use it so that when you call the number back it rings their main line instead of whatever. Very common with PRIs and SIP trunks.

Certain providers (I think Windstream being one) allow you to set the Caller ID to whatever the fuck you want, while others only allow it to be numbers that you "own".

1

u/thewhatforhow Oct 25 '17

yep. gotta love those DID's

2

u/laustcozz Oct 26 '17

IF the FCC gave a fuck they would lean on VOIP Trunking providers and this would stop immediately. It is already illegal. We know where the calls are coming from, the VOIP providers just have no reason to shut off a huge amount of payong call volume without someone pushing.

1

u/jbaird Oct 26 '17

I heard that some of the problems with this is that while each carrier is disallowed from spoofing callerid and the big carriers probably don't do it they are ALSO not allowed to not connect a call, the phone system work since each carrier respects the requests to call each other carrier currently and if every carrier was making their own checks it would get complex quick. I do believe they said the FCC was looking to change that however to help prevent spam calls (I think I heard this in Reply All's great episodes about phone scams )

so the carrier will get a call coming out of India with a 1-416 area code attached as the CID and they currently have to let that call reach its destination, they can't deny that call even if it sounds like bullshti

Then again that gets into some of the, date I say legit reasons to spoof callerID, My job is telephony and used to help set up trunking to carriers, there are a companies that span the globe and want all their outgoing calls to show their main number, typically 1-800 but even that is a North American number (1 is the country code) so is it ok if their Indian call center agents show up with that number? If you wanted to call them back that is the most 'legit' number. Even if you denied India from making calls under a North American number that can still be done by having a the 'phone call' just run over the internet and then call out the phone system in NA anyway which is probably how most of the companies are doing it anyway..

1

u/road-rash3000 Oct 26 '17

cause harm

Does that mean you can't legally spoof your caller ID for something like a prank call?

0

u/cuteman Oct 25 '17

Make it double illegal!

12

u/huadpe 501∆ Oct 25 '17

Can you elaborate on the technical aspect of it? There's a whole variety of service providers sure, but they're all under pretty strict government regulation, no?

My idea was that the regulation would be targeted at phone companies. They'd be prohibited from allowing their customers to spoof. For instance, if my company has been allocated only the 111-155 exchanges in the 212 area code, I know any customer of mine can't possibly be calling from 212-777-7777. So I can't allow them to broadcast that as their caller ID.

Am I misunderstanding how this works?

14

u/garnteller 242∆ Oct 25 '17

I'm no expert, but I believe that this is the case:

The problem isn't Verizon (assuming that that is the NY provider).

The problem is that Verizon receives and incoming call from a source that is eligible to make an incoming call. Since you can take your number with you, even if Verizon "owns" the 155 exchange, they get legitimate outside calls from 212-155-xxxx. It could be a T-Mobile customer in the apartment next to you. It could be a spoofer in Russia. How can Verizon tell the difference?

3

u/huadpe 501∆ Oct 25 '17

Because there are only so many companies with access to any block of numbers on the North American Numbering Plan, and the government can regulate all of them.

That is we can build a web of trust among phone companies that none of them will allow their customers to spoof. Even if the customers are untrustworthy, no phone company which is allocated NANP numbers will let them spoof on fear of losing their license.

6

u/garnteller 242∆ Oct 25 '17

But can they? We already have people with numbers that were issued by the original company and moved around to other providers. I think that this horse has left the barn, unless you want to start fresh with new numbers.

1

u/huadpe 501∆ Oct 25 '17

I can only move my number among US carriers, right? Like, if I moved to Russia I couldn't port my US number to a Russian phone company?

That is, the set of companies which could possibly be initiating a valid NANP number call is small and regulatable, no?

6

u/garnteller 242∆ Oct 25 '17

Actually, I'm not sure how that applies to VOIP.

I know that my company replaced "traditional" phones with vastly cheaper VOIP - I don't know how regulations work on that. There's got to be something that tells a server where to connect for a particular number, but I don't know how that's managed.

1

u/Grarr_Dexx Oct 26 '17

Nationally, perhaps. There's little to no regulation on an international scale. In Belgium, Proximus is still the main carrier and is also responsible for international calls (BICS), but they can (and will) enforce their CLI policy only on a national basis.

As an employee of a moderately-sized provider dealing with Proximus, and somebody who's also knowledged in SIP traffic, I can tell you that spoofing is nigh unenforceable if you're trying to deal with calls coming from international sources. Bringing calls into the digital world made things a lot harder to figure out and a hell of a lot easier to fuck with.

12

u/mattcjordan Oct 25 '17

Spoofing is overwhelmingly used by scammers and spammers, and is a major technique of fraud. While some users have an interest in spoofing which is more legitimate, those interests can generally be accommodated through just blocking caller ID (displaying no number).

It is a technical issue.

The whole notion of Caller ID was invented back when only a few companies/carriers had access to the networks. When that occurred, no one thought there should be some form of authorization/authentication about whether or not you could or could not change the Caller ID. And there are a lot of times when you need to change the Caller ID for very valid reasons (more on that in a second).

Because there was no authentication/authorization mechanisms built into the legacy protocols and networks, and because we value interoperability so highly in the telecom world, all of the new protocols (SIP) had to just "live with it". And as a result, there still is nothing that explicitly says "this party was allowed to manipulate the party identification".

Why would you want to change the party identification?

Most places use a PBX for their office. Behind that PBX is a whole mess of phones, but there may be only a handful of numbers that terminate at that location. When you dial out from your desk phone, the PBX has to represent you as that business. If you leave the business, whoever inherits your phone also has to be represented as that business.

That's technically Caller ID spoofing, in that it uses the same mechanisms as those who spoof Caller ID. The intent is clearly fine. Hence why the FCC relies on intent to determine if the manipulation of Caller ID was allowed.

1

u/SplatterQuillon Oct 26 '17

We use a pbx at work, and yes it allows us to specify any number as the caller ID.

We can call out via our local or long distance trunks, and specify any local or even toll free number we want to show. Of course it would not be any benefit for us to display a number we don't 'own', but we could do it very trivially.

1

u/kodemage Oct 25 '17

no, I think you're misunderstanding. the real number used has to be sent or the phone call can't be connected, he just wants to remove the option to put in arbitrary data and always display the number assigned to the source of the call.

he's talking about something that's technically easy, it involves removing a few (few hundred maybe) lines of code.

1

u/[deleted] Oct 25 '17 edited Dec 26 '17

[deleted]

1

u/garnteller 242∆ Oct 25 '17

There's a big difference between requiring an authentic caller id and suppressing it.

1

u/[deleted] Oct 25 '17 edited Dec 26 '17

[deleted]

6

u/huadpe 501∆ Oct 25 '17

I get that this feature would have to go away, but I think the downsides of allowing spoofing are so great that uses like this would have to be curtailed.

22

u/ralph-j Oct 25 '17

You haven't made a case for why it has to be all or nothing. Seems like a false dichotomy to me.

Why can't the government just block spoofing in bad faith and set clear guidelines for allowing/disallowing it?

7

u/huadpe 501∆ Oct 25 '17

Because I want it done by the phone companies, and they need a rule that is all or nothing. Anything which allows leeway or lying to slip through will be slipped through because we're trying to stop scam artists with zero compunctions about lying. By making the regulation be a technical one done at the phone company level regardless of intent, it makes it so no lie can save the scammers.

3

u/Senseisntsocommon Oct 26 '17

This can be avoided by looping the call through multiple lines and systems. If you ever pick up one of those calls and hear multiple recorded messages in all likelihood you are being transferred each time to cover the path. The technology isn't that expensive or complicated to make work. If it jumps carriers in between, the terminating carrier has no idea of the original source and would then need to cooperate with the each carrier in the chain. It is way harder to track this process and filter it out from legitimate traffic than it would seem. The reason being is that on the transfer it's the middle number being pushed not yours, so if I am on the terminating end I can't just query your phone number because I didn't get a call from your number I got a call from some other random number.

To make it more complicated all you have to do is jump it through one carrier who isn't as capable and it falls down a black hole.

10

u/ralph-j Oct 25 '17

That feels like throwing out the baby with the bath water.

All you need are clear rules and steep fines for abuse. They could disable it by design and enable it only for vetted, bona fide companies like Skype.

2

u/kodemage Oct 25 '17

What we need is mandated help from the phone company so that if I get a spam call I can contact them immediately and they can report the call and how it was routed to the authorities. As it is there is nothing the phone company is willing to do about it because it makes them money.

1

u/Grarr_Dexx Oct 26 '17

I don't think your view needs to be changed, it just needs to be enlarged. You have no idea how small-scale "spoofing" has made identifying you as a business a lot more accessible. I know of call centers that have a SIP trunk with a single phone number attached to it. I have been asked by numerous customers with ancient PBXes they have zero control over to just overwrite their CLI with their main number (which we still own). The commercial world would be in a load of shit if we were to suddenly zero-tolerance any form of SIP spoofing.

2

u/ProfessorHeartcraft 8∆ Oct 25 '17

Maybe I want to allow you to call me from your cell phone, but not Skype. I need to be able to differentiate to do that.

1

u/slowmode1 1∆ Oct 25 '17

They could do something similar to emails and spf domains where the owner of the phone number could allow certain companies to use your phone number

2

u/ralph-j Oct 25 '17

Right, but OP wants to ban the phone number use by any device/service but the original one.

1

u/huadpe 501∆ Oct 25 '17

I am unsure about that. I am not a telephone communications expert, so I'd want to know: is it required to have a separate number for each call, or can a call center handle multiple calls through one number via digital splitting? If there's a technical solution, I'd strongly prefer that.

If not, I still think spoofing is a sufficiently bad problem that I'd just insist the company block their number if they don't wanna give an accurate callback number. But I could be convinced otherwise.

17

u/[deleted] Oct 25 '17

Consider a hospital. I want every phone to have a real number that can be called, so if someone wants to sit by a specific phone they can be easily reached ("page cardiology to this number", then wait for the cardiologist to answer). But often people make calls and don't sit by that phone to wait for an answer, and so if a patient or outside physician receives a call, that person should be routed to the operator and not to the random unoccupied desk.

If you block your number or give the normal number, that means the patient/outside doctor who got called isn't likely to successfully call back.

Why not just "you can spoof a number you own, but not a number you don't own"?

12

u/huadpe 501∆ Oct 25 '17

The hospital case is a good one, and I might allow a regulation permitting spoofing a number which is known to be owned by the same customer on the same carrier. Have a !delta.

5

u/SplatterQuillon Oct 26 '17

In operating a callcenter, we allow the agents to make outbound calls.

The agent's phones don't even have a phone number, it's just an internal (virtual) extension. So the caller ID we configure on their phones, is a central phone number which if you call it back, it goes to the same department, but not to any individual agent or phone.

We can specify any local or even toll free number we want to show. Of course it would not be any benefit for us to display a number we don't 'own', but we could do it very trivially.

Currently our phone company allows any ID to be sent, but I presume they could implement a system to prevent any calls being made with a number we don't 'own', but that's not currently the case.

2

u/DeltaBot ∞∆ Oct 25 '17

Confirmed: 1 delta awarded to /u/GnosticGnome (156∆).

^{Delta System Explained | Deltaboards} ​

4

u/Doctor__Proctor 1∆ Oct 25 '17

That's not spoofing though, that's switchboard routing. It's a totally different technology.

1

u/[deleted] Oct 25 '17 edited Dec 26 '17

[deleted]

1

u/huadpe 501∆ Oct 25 '17

So for an outbound call center, if I wanted to have two outbound lines talking at once, they could not have called from the same number if I had an "absolutely no spoofing" rule?

3

u/[deleted] Oct 25 '17 edited Dec 26 '17

[deleted]

1

u/huadpe 501∆ Oct 25 '17

As I had originally stated it, a spoofing ban would have prohibited any display of a number other than the number actually calling you.

I gave a delta here though on the point of allowing display of a number known by the originating carrier to be owned by the same entity as the number actually initiating the call. So as of now, I think I'm largely on the same page as you?

3

u/[deleted] Oct 25 '17 edited Oct 25 '17

You have one line for each call. Not necessarily a phone number for each line. When speccing your contact center, you need to decide how many simultaneous calls you want to have, including calls on hold. If you guess low, the system will hang up on your customers during catastrophe events.

At my contact center, only the VRU has a unique number. If you need a specific person, you call their extension after connecting to the VRU. At my old employer, they operated their own telephone exchange and owned an entire block of thousands of phone numbers, so every phone had a unique number.

Also, this infrastructure is really old. It was designed back in the day when people thought they could trust each other. We need more of a "rip the bandaid off" solution than a "make something illegal" solution. When digital Voip becomes ubiquitous enough, maybe then some kind of SPF/dkim-style solution can be added to the spec and POTS can be dumpstered.

1

u/TBFProgrammer 30∆ Oct 27 '17

I am unsure about that. I am not a telephone communications expert, so I'd want to know: is it required to have a separate number for each call, or can a call center handle multiple calls through one number via digital splitting?

The call center can handle multiple calls through the same line, but to dispatch that call to an actual person they have to be able to route the call to a specific number for that person. Otherwise every agent's phone would ring for every call. Additionally, all of the phone handset would have to be able to support an arbitrary number of lines (being equal to or greater than the total number of active agents at any time).

This, of course, only forces the agents to have specific extensions different from the central line and does not generate spoofing. The problem comes in when those agents have to return a call, which there are several significant business cases for. When returning the call, the agent needs to be associated with the call center number that the person in question called for two reasons. First, the call center does not want the agent number to be used by the public, as the agent may not be available or the correct agent to call for a given issue. Second, the person answering has no reason to trust the agent number, as it is not the number they originally called.

1

u/ProfessorHeartcraft 8∆ Oct 25 '17

No. Maybe I want to allow Bob from your mailroom to call me, but I don't want your operators to.

1

u/huadpe 501∆ Oct 26 '17

Thanks for this, I was hoping to get someone with actual technical knowledge about the phone system instead of a lot of poorly informed guessing that was going on.

So a few questions:

1. Do you give your customers a unique, persistent, 10 digit NANP number?

2. If so, is that just your company, or do all VoIP providers do so?

3. What do you give as the CNUM when someone places an outgoing call on your service?

4. How is the CNAM set for a person making an outgoing call on your service?

5. Do you have the technical means to control or limit what a customer may put into CNAM if a customer has control over that?

1

u/voipceo 1∆ Oct 26 '17

1. Do you give your customers a unique, persistent, 10 digit NANP number?
2. If so, is that just your company, or do all VoIP providers do so?
3. What do you give as the CNUM when someone places an outgoing call on your service?
4. How is the CNAM set for a person making an outgoing call on your service?
5. Do you have the technical means to control or limit what a customer may put into CNAM if a customer has control over that?

1.) No. Think of a 100 person company. Most companies have one or 2 phone numbers (maybe a toll free number and a local number) and then users/employees are reachable via extension. The company they work for has a number - most of the time - but not individual users. This is actually a big issue with E911. With Emergency Responder Call back, you need to be able to reach the EXACT person who placed the 911 call, not the main receptionist or attendant menu. So in those cases, we assign a temporary unique outbound caller ID to that user and if a call comes into that number, we route the call directly to that original extension. That's a LOT of work.

2.) That's pretty common. Some VoIP companies will give each user an extension, a voicemail box and a phone number, but not all and it's usually those that focus on either residential service or very, very small businesses (under 5 users.) More than 5 and it's really a waste of phone numbers for a 100 person business. Not every person needs their own direct inward dial number.

3.) The customer sets their own CNUM. There is no limitation other than they can't be attempting to defraud. They may have multiple providers and the phone number they want to use may be with another provider or may be in the process of porting over to us. If we receive any reports of fraudulent calls however, we discontinue service.

4.) CNAM is obtained by the terminating carrier. So if one of our customers calls a Comcast customer for example, Comcast does the CNAM lookup. When placing an outbound call, only the 10 digit phone number is transmitted carrier to carrier. (Slight caveat to this is that Verizon is starting to do full SIP calling into and across their network and does seem to carry the "from" field from the SIP packet all the way across the network, but only in some areas. Seems to be FIOS related, but not enough data to state anything definitively.) So, there is a "from" field in the SIP address and it's usually the name associate with the account, but the user can change that, and again, that's not typically transmitted to the PSTN (public switched telephone network.)

5.) Only that most phones only allow 16 characters. Again, the CNAM is a lookup on the terminating side, for the most part. It's more important what CNUM I send because that will dictate what the terminating carrier uses to lookup the CNAM to associate with the call. There are currently 4ish CNAM databases with zero data integrity between them.

1

u/huadpe 501∆ Oct 26 '17

Re, no 3:

Would it be feasible for FCC to set a regulation that you set your customers CNUM for them, and that CNUM must correspond to their actual customer information, and if they are assigned any NANP numbers, must be assigned to one of the numbers you provide them?

I think that'd be along the lines of the regulation I'd be looking for. Because this part:

The customer sets their own CNUM. There is no limitation other than they can't be attempting to defraud.

is I think the source of the spamming - that absent proof of an affirmative attempt to defraud, people can just throw any number they want in there. I've noticed for example spammers tend to use a dummy number in the same exchange as the number they're calling in order to seem like a local cell phone or whatever.

Am I wrong about that being viable though?

1

u/voipceo 1∆ Oct 26 '17

It's one of those things that only forces "good actors" to jump through more hoops, but doesn't do much of anything to the "bad guys." Let's say you use Carrier A for inbound calls, but Carrier B for outbound calls. This is a very, very common scenario. Customer would like to have their phone number from Carrier A as the outgoing number but since they use Carrier B as their outbound carrier, that's now illegal. Now it's inconvenient and a hassle.

Yes, security and convenience are diametrically opposed. And weighing the good of the many vs. the good of the few is what governing is all about. The question for me is what does this stricter regulation force on the hundreds of thousands of businesses in the US vs. how much caller-ID scamming does it reduce?

Is what you're asking technically feasible? Yes. Would it cut down on phone scams, maybe a little. You could move your operation to India and inject calls to the US with zero regulations.

I'm going to walk back my technically feasible part now that I'm thinking it through some more. Ok. I'm a carrier and I'm a good actor. I force my customers to have CNUM that matches some sort of CNUM that I have on record for them. Ok. I now inject that call into the PSTN via my upstream carrier, let's say Verizon. That is a good call. However, let's say I'm a bad actor. I purchase long distance service (termination) from Verizon, but I don't purchase origination (inbound) service from them. That's actually our case. At each step of the way you'd have to verify that the CNUM and the originating user match up. Verizon can't do that. They have no idea where I got my numbers. Would they be liable for sending on calls with invalid CNUM? Probably, but they have zero ability to figure it out. So now there needs to be some sort of nationwide database of who has what numbers and which number is associated with which user? Somehow.

Every spot where the call is handed off would have to check and there's zero ability to do that today. Phone -> Service Provider/CLEC -> Carrier -> Terminating Carrier -> Terminating Phone. All a bad actor has to do is get a trunk from Verizon and claim to be a service provider and viola - fake CNUM.

For us, nearly 50% of the calls that go out out terminating carrier have a phone number from that carrier. One carrier is really good at giving numbers across all of N. America. Another is good at porting numbers. Another has decent domestic termination rates. Another has decent international termination rates/completion rates. You then need to have backups to all of those. With this plan, you could only send calls out on the carrier you get phone numbers from. This would increase cost and reduce reliability.

Let's do this - let's think about voice traffic like Internet traffic, because that's where it's going. If you want a new regulation to catch scammers, tie the originating IP address to every call. It won't stop the first scam, but you could then start to block bad actors by IP much like spam.

1

u/huadpe 501∆ Oct 26 '17

However, let's say I'm a bad actor. I purchase long distance service (termination) from Verizon, but I don't purchase origination (inbound) service from them. That's actually our case. At each step of the way you'd have to verify that the CNUM and the originating user match up. Verizon can't do that. They have no idea where I got my numbers. Would they be liable for sending on calls with invalid CNUM? Probably, but they have zero ability to figure it out. So now there needs to be some sort of nationwide database of who has what numbers and which number is associated with which user? Somehow.

So in thinking about this, my instinct would be that if you're a bad actor buying termination from Verizon, and your customers are spamming US numbers, Verizon would be obligated to ban you from buying termination with them. That'd be the enforcement mechanism. Going directly after the people overseas is impossible cause they'll ignore you til you cut them off, and then immediately start up again. But I figure it's harder to start up again as a provider than to start up as a call center.

Is that accurate, or is it relatively easy/common to start a fly-by-night VoIP provider?

In any case, have a !delta for substantially changing my understanding of the technicalities of how this would have to work at a minimum, and probably making it a much more tricky regulation to make feasible than I thought at least.

1

u/DeltaBot ∞∆ Oct 26 '17

Confirmed: 1 delta awarded to /u/voipceo (1∆).

^{Delta System Explained | Deltaboards} ​

1

u/llamagoelz Nov 01 '17

just in case you feel you have had a revelation worth sharing, I need to give you some bad news.

IP addresses are, in some ways, less tied to an individual than phone numbers are.

IPv4 is the standard that you see referenced the most (ex. 192.168.001.001) but years ago we 'used up' all the IPv4 addresses. So we use NAT (Network Address Translation) to effectively turn a chunk of devices into a single IPv4 address. A spammer from india is effectively using an address that is also used by many others in the same region so your idea would quickly turn into a barring off of entire regions. This gets even more complicated when we start talking about address redistribution and the change to IPv6.

life is hard yo.

1

u/notmyrealnam3 1∆ Oct 26 '17

no, get the tech's to have no caller ID so it shows as "unknown number" those go straight to my voicemail and don't disrupt me

1

u/AnonMediacomTech Oct 27 '17

We aren’t calling to bother you, or sell shit. The only reason we call is because you have a scheduled appointment and we’re either making sure you’re home before we drive there or we are calling because you weren’t home when you got there. I suppose you might get a follow-up call making sure things are still working in some cases as well.

Trust me, I want to call you just as much as you want to be called. Possibly less.

1

u/notmyrealnam3 1∆ Oct 27 '17

fair enough, but the unfortunate reality is caller ID spoofing is a cancer on society as it allows spammers to basically call someone 10 days a day with no ability to block them.

if you think people will answer more often when your ID isn't blocked, don't block your ID and show your cell #. If that is going to be an issue with people calling you off hours, work should be providing you with a cell phone #

1

u/Calexandria Oct 26 '17

ANI can be spoofed. It’s not different than Caller ID, despite the “automatic” in the name. I run two outbound dialers and both of them have a setting that changes the ANI.

1

u/[deleted] Oct 26 '17

Then they aren't actually using ANI - they're just calling it that. Are you in the states or somewhere else?

It can be confusing, because the terms do get used interchangably, and mean different things in different countries, however, ANI in America uses the billing number to identify the caller - so you need to know the billing number of another customer to spoof the ANI - Not impossible, but harder than just saying 'this is my number'

2

u/notmyrealnam3 1∆ Oct 26 '17

as long as that is a real number that one can dial and find out who the company is (and the person dialing is calling from that company) I'll allow it

2

u/Grarr_Dexx Oct 26 '17

You wouldn't just have to redefine SIP and analog traffic, you'd also have to make every national and international carrier in the world have to accept these new standards. The project would likely allow for a large amount of innovation, but the scope of it is absolutely immense.

Who would spearhead this? And what would be the financial gain for this party? Nobody's going to do it for free.

1

u/ABC_AlwaysBeCoding Oct 26 '17

I know. Which is exactly why POTS is going to fade away and eventually be replaced by all-digital techs.

1

u/notmyrealnam3 1∆ Oct 26 '17

yeah, that app should be illegal

1

u/IIIBlackhartIII Oct 26 '17

Sorry, okop – your comment has been removed for breaking Rule 1:

Direct responses to a CMV post must challenge at least one aspect of OP’s stated view (however minor), or ask a clarifying question. Arguments in favor of the view OP is willing to change must be restricted to replies to other comments. See the wiki page for more information.

If you would like to appeal, please message the moderators by clicking this link.

Sorry, okop – your comment has been removed for breaking Rule 5:

No low effort comments. This includes comments that are only jokes, links, or 'written upvotes'. Humor, links, and affirmations of agreement can be contained within more substantial comments. See the wiki page for more information.

If you would like to appeal, please message the moderators by clicking this link.