In this show we discuss the issues surrounding automated nuisance calls and the methods that could be used to help phone users identify who is calling them before they accept the call. The guests are: Professor Feng Hao of the University of Warwick, a recipient of a research grant into call authentication who has also given expert testimony to UK parliamentary committees; Pierce Gorman, whose 30 years of service in the network engineering teams of Sprint and T-Mobile US led to his playing a leading role in the implementation of STIR/SHAKEN; and Sathvik Prasad, Research Assistant at North Carolina State University, where he was a leading member of the team that conducted an award-winning study of robocalls.
Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hi, this is the Communications Risk Show and I'm your host, Eric Priezkalns. Every Wednesday, we talk to risk experts from around the world of electronic communications and we broadcast live so you can also join the conversation, submitting questions and observations as we go along. To ask a question, just type into the window immediately beneath the live stream on our website at tv.commsrisk.com. Messages are anonymous, so include your name if you want me to read it out. We also stream live on LinkedIn. Feel free to leave a comment over there. A member of our team will pass them along and I will try to read out as many of your comments and questions as time permits. I am hoping and expecting there will be plenty of feedback to the show because it is such a big topic we're going to cover today. Today, we're going to have not one, not two, but three expert guests to debate the issues surrounding nuisance robocalls and the use of call authentication technologies to stop them. Joining us later will be Professor Feng Hao of the University of Warwick, a recipient of a research grant into call authentication, who has also given expert testimony on this subject to parliamentary committees in the UK; Pierce Gorman, whose 34 years of service in network engineering teams at Sprint and T-Mobile US led to his playing a leading role in the implementation of STIR/SHAKEN in the United States; and Sathvik Prasad, research assistant at North Carolina State University, where he was a leading member of the team that conducted an award-winning study of robocalls. But first, allow me to introduce our regular co-presenters, Ed Finegold and Lee Scargall. Ed joins us from Chicago, where he's an author, analyst and strategic advisor to tech and telecoms businesses. And Lee comes to us from Bahrain. He travels the world as an executive and consultant who has managed the risks of comms providers in the Middle East, Europe, Caribbean and Asia. Welcome Lee. Welcome Ed.
Now, normally the three of us spend time chatting about recent news stories concerning risks for comms providers and their customers. But the problem of illegal robocalls and scam calls causes so much annoyance, and the amount now being spent by telcos in some countries in terms of tackling them is now so enormous, it's fair to say that there's probably no subject in telecoms risk management that is commandeering as large a budget as call authentication is commandeering now. So let's warm the audience up by setting the scene. Ed, just the other week, I saw that FCC chair Jessica Rosenworcel was given an interview by CBS News about robocalls. You see, it's such mainstream stuff, even CBS News is covering it. The questions, however, sadly, were very soft indeed. The interview was clearly just feeding lines that had already been provided by the FCC instead of asking genuinely taxing questions. Nuisance robocalls clearly concern the public, but judging the public's perception is difficult. I'd like you, Ed, to give your score out of 10 for the following. Firstly, the public's perception of how well the FCC is tackling robocalls, and your perception of how well the FCC is tackling robocalls. OK, so first of all, let me just start out by saying that I'm really wound up about this topic like I know a lot of people are, and I'm feeling it right now. The blood is pumping. I have a workout, you know, a boxing workout after the show, and I'm worried I'm going to be out of gas after this one, so bear with me. Yeah, so here's the story. I think on the FCC side, in terms of the public, it seems to me, if you watch enough YouTube videos, you might get the sense that if you were to ask the general public how they thought the FCC was doing on robocalls, the most frequent answer would probably be, who's the FCC? That's part of it.
But I did go and ask a friend of mine who knows who the FCC is, just randomly, what he thought about this, and this is a person who's not in this community. He is a master developer, but he's not a security person specifically, right? And the response that came back was pretty straightforward. It was, you know, geez, my mom gets 10 of those texts or calls a day. It's annoying. It's out of control. And honestly, I don't know who's succeeding with these scams. So I thought that that was actually a really interesting response. I realize it's one person and it's anecdotal, but I felt like it kind of reflects, you know, like a broader sense of, you know, this is a problem. I'm getting, you know, inured to living with it. It's an annoyance. I don't necessarily tag anybody to do anything about it or not. It's just another bullet I have to dodge, which may go back to the who's the FCC, right? Does anyone even realize that anyone's responsible for dealing with robocalling? It might be an overarching question. So then for someone like me, who is a former regulatory reporter, you asked me, how do I think they're doing? I'm going to very generously give the FCC a five and I'll tell you why I'm gonna give them a five. Okay. I'm giving them a five because they acknowledge that there's a problem. Okay. And they have taken steps to try to address it. If I have a fair critique of that approach without just shredding STIR/SHAKEN, which we've done, and then we have plenty more time to do if we want, I think I would say that even if STIR/SHAKEN worked perfectly, it's still only one element of defense. And this is an issue, I think, that needs a combination of layered defense and enforcement, if you really want to solve it. And that's just coming from me, that's coming from, you know, talking to the experts in this community about this very issue.
But again, so FCC, I think about a five, then only because they've made it an issue that's in the public that people should pay attention to. Okay, thank you for that five out of ten, Ed. I agree with you. That is a generous five out of 10. It's still a failing grade. Now, Lee, it's tempting to always talk about the USA in this context, but it's important not to talk about the USA in this context solely because, well, even if you were trying to tackle callers within just one country, that'd be pointless because there's international phone calls too. So you can't solve problems just in one country in isolation. You've worked in telecoms risk management all over the world, Lee. Can you ever remember an occasion when a single national regulator was so determined to dictate how every country tackles a telecoms crime in the way that the FCC is currently seeking to dictate how telcos and regulators around the world deal with illegal robocalls? Just before I deal with that question, Eric, I just want to say that I wholeheartedly agree with what Ed said there. It has to be a layered approach. There's no silver bullet to this, right? So I completely agree with what Ed was saying there. To get back to your question, the short answer is no, I don't, right? Now, regulators, they tend to be assertive in their home territories, right? And they impose it. They don't really impose it on other countries, right? So that's pretty unusual what's going on here. But also for me, it's a little hard to understand this because when I look at the numbers and I see this month on month, they're just not coming down, right? Instead, the numbers are going up. So I think there's some kind of a political agenda, which seems to be pushing for this particular solution, which to me, it doesn't really appear to be effective at reducing robocalling. But I guess we're going to find out more later on with the guests.
Well, we've got three great guests to talk about the technology and the alternatives we can follow as well. But I think you're absolutely right, and on the money, that this is a very unusual situation. But the key thing is, if there had been dramatic improvement in the results in the United States of America, we wouldn't be debating this now. We wouldn't be debating this now because it would be just a matter of fact that others would follow the approach being taken in the USA. It's the poor results being delivered for American consumers which now open up the space for revisiting the debate that probably should have had more options considered in the first place. But that's just my opinion. Let's take a short break. Here's a message from our serious sponsors, Blue Gem. Are you launching new network services? There's no better way to check they're working correctly than using real network devices to do all the things that your customers do, including streaming films, using Facebook or making a satellite call. Using the latest test devices means you can also check new 5G network deployments and the use of eSIMs on your network. Do you need to assure roaming usage and costs? Roaming revenues have picked up following the pandemic, but telcos cannot afford to be relaxed about losing income if customers are unable to use their services whilst abroad. So check they get those services by auditing where they're provided at key locations. Are you concerned that tariffs are not always applied correctly to all types of usage? Daily heartbeat tests would support rating assurance and give you continuity of comfort whenever there is a network service update. Are you interested in validating the interconnect routes used for calls terminating on your network? The proliferation of VoIP services means it's never been more important for telcos to ensure traffic is routed correctly and termination fees are levied as they should, protecting you from SIM box refiling and OTT bypass.
Originating tests from other countries means if they terminate on your network, you can use a risk-based approach that covers the most important routes and gives you real-time insights into fraud, but without tipping off any fraudsters as to what you're doing. Whatever your goal, testing will tell you if you're on track, and when it comes to testing network services, there's no better partner than the team of specialists at Blue Gem. There's so much that can be achieved by implementing testing strategies that include test calls and other test events over your networks, but purchasing your own dedicated infrastructure to create all sorts of network events from lots of different locations will be prohibitively expensive. That's why the smart approach is to ask Blue Gem to use their global deployment of test probes on your behalf. Blue Gem test network services on behalf of telcos, governments, and software companies. They use real phone devices that do all the things that people do with phones, creating real customer journeys. So reach out to Blue Gem to learn more. Their URL? B-L-U-G-E-M dot com. Blue Gem. Right, returning to the theme of the show here, guys, which is nuisance robocalls. Lee, the UK comms regulator Ofcom has instigated a consultation on whether the UK should implement a copy of the STIR/SHAKEN anti-spoofing technology devised in the USA as a means to reduce robocalls. There are only three countries that have already committed to using STIR/SHAKEN and making it mandatory for their telcos: the USA, Canada, and France. And frankly, nobody would be following their lead if the decision was based solely on the results delivered so far in those countries.
Many more countries have implemented other kinds of countermeasures for scam calls and spam robocalls, but you wouldn't know that from Ofcom's consultation documents, which tell readers about the three countries that have adopted STIR/SHAKEN and the alternative road taken by just two other countries, Finland and Germany, commenting about them that no data is yet available to assess the relative effectiveness of these regulatory approaches. And to some extent, that's true, although one could also say no data is yet available to assess the effectiveness of regulatory approaches in the USA, Canada, and France. For some reason, they don't mention that. Now, Germany is essentially taking a version of the steps that have already been taken in the UK, and which Ofcom says have been successful, though they provide no numerical analysis, no data to back their assertion it's successful. So Lee, long-winded question, but hopefully one that sets you up nicely here. Speaking as a Brit who has worked in fraud management around the world, and is currently working with Middle Eastern regulators and telcos on anti-scam initiatives, can you speculate on the reasons why Britain's regulator is seemingly completely ignorant of all the other countries that have used all these other methods? You talk about the layers, all the other layers that could be implemented, all the other choices available. Can you speculate as to why they're ignoring the work that's been very successfully done in countries like Australia, the methods being used in several Middle Eastern countries, for example? Do you think it's because the UK regulator is too lazy, too cheap to employ impartial consultants like you, or have they just chosen, consciously chosen, to ignore alternatives to the US strategy? Well, they seem to be quite selective in choosing the solutions which they're trying to push forward. But so I actually, look, I believe Ofcom are fully aware of the alternative solutions out there.
But as I said earlier, I think there's a wider political agenda here, not just from the US, but also from the UK as well. Because there's some very cost effective solutions out there that have been implemented, and they've obviously been overlooked by Ofcom. So I guess only they know the answer, Eric. But in my opinion, if you want a global standard for robocalling, then it should be agreed at the global level first by everyone. And I think there's still time to do that before everybody starts going off down these rabbit holes. Well, I mean, I'd come back straight at you and say, USA, Canada, France, if the UK follows in their footsteps, that's four out of the G7 countries, four of the big economies in the world on the same track. That's what it looks like to me, and I get suspicious that, for no particular obvious reason, the same plan is not being pushed aggressively throughout the whole of the countries that are on the North American numbering plan, of which there are very many countries on the North American numbering plan which are not currently seen to have any plans whatsoever to adopt STIR/SHAKEN, or follow the US approach. And yet I would have thought they'd be a much more logical choice to start with. Because surely, if you're worried about scam traffic, you should be worried about calls from places where people are poor, because where people are poor, that's where you site call centers that scam people. So is this already now being stitched up at the highest level? Is this really about an extension of US defense policy here, translating to the cybersecurity realm? Well, I think so. Because I mean, those five countries that you mentioned there, Eric, they are part of the G7. But also they're all part of the Five Eyes community. Good point. Now, Ed, should the FCC be stepping back and spending more time looking at alternatives implemented in other countries? I know they're horribly leading questions, but they're still fun anyway.
Since, I mean, the FCC approach, I'm not hearing anything about them learning from other countries. I see a lot of bipartisan signed agreements that there's going to be exchange of information, but nothing that anybody else ever seems to do ever seems to alter the FCC's approach. Are they making a fundamental mistake by refusing to take notice of others? Or do you think they actually are taking notice and choosing to ignore it because it's inconvenient? Yeah, I mean, I have sort of two cheeky answers to this that aren't meant to be cheeky, they're actually meant to be serious. But we do try to have fun on the show a little bit on what can be an intense topic. So one is, you know, in thinking about what Lee was just saying, you know, about picking up STIR/SHAKEN and then replicating that across the G7. And that being an extension of defense policy, Eric, you mentioned, and what that means is that it becomes this, you know, the obvious analogy is the red herring, right, that then gets replicated here is what it feels like. What I actually came into before the show, before I thought red herring on this discussion, was that it reminds me of the rabbit in Monty Python's Holy Grail. If you remember that, when they build a big rabbit and the enemy drag the French dragon inside the castle, but nobody's inside of it, and then they just throw it back over the wall at them and, you know, tell them to get lost. And to me, that's what STIR/SHAKEN feels like. And now we're making more rabbits. You know, Lee mentioned the rabbit hole. So that's one thing. So but for that reason, right? So yeah, I mean, I think the second cheeky answer, other than yes, there should be more, is, maybe I'm wrong, but I don't think I've seen an FCC sponsored symposium, you know, with a hackathon that brings all the best minds in robocalling or anti-robocalling technology together to really get after this problem. Have we seen that kind of a symposium happen? Well, there is. Yes, there was.
There was, to be fair, though, again, you know, my question to you is about an international context. So there was an FCC FTC joint symposium in the USA. But if you look at who attended that symposium in the USA, and this is like maybe four years ago now, forgive me if I've got the exact date wrong. But if you look at who attended that symposium, well, who attends a symposium like that? It's not a wide cross section of professionals from around the industry. It's not the international partners you need to be working with. It's American businesses seeing an opportunity to sell some technology. And I've got representatives of those businesses, too, right, Eric, it's very canned. And that way, those symposiums that are sort of FCC led, in my experience can be very canned. The opposite of what we see in big international tech symposiums that do result in good collaboration, what have you. So it's just like a fundamentally different approach that I think is lacking to what's, you know, really a largely technical problem. And so then I sense you're asking for a kind of cultural change we've never seen before. We've never seen this kind of like culture of genuine dialogue that involves, I mean, we talk about layers a lot. Okay, but you know, let's focus on the layers a lot. We have things, we have institutions where people can talk to each other. So engineering, when it comes to engineering, there are places where engineers can come together and talk to each other. But we need something that's not just international for one kind of professional, you need something that's international for a multidisciplinary approach, if you're talking about a layered strategy, because there will be some professionals suited to solving, to addressing some of the layers, and they won't have the right skill set to work on and give the right answer. So, it pains me to say it, you do need lawyers in the room.
But you also, I think really, we've missed out, we haven't had enough anti-fraud professionals. And when I think about the UK consultation, it seems almost to me like a replication of mistakes made in the USA, where the anti-fraud professionals are simply not included in the dialogue and not included in the conversation. And yet they should be central, because they're the ones who best understand what scammers, what criminals do, and the way in which they will adapt to change, and anticipate, and the anti-fraud professional is the best at anticipation. So you know, the whack-a-mole analogy, I find that tiresome, I find it tiresome, because we're not trying to anticipate what the criminals are going to do next. We just go, oh, well, they always change. Oh, well, you do your best, but you can't do it. And come on, this is pathetic. We're talking about billions of dollars impact on the economy, about crime that's very serious and causes a lot of harm for a lot of people. And yet people just go, well, it's like this fairground game whack-a-mole, we try our best, but sometimes we miss. Oh, for God's sake. Anyway, let's have another ad break before I get any crazier. Let me take this opportunity to talk about the Symmetry Prism fact of the week, an interesting fact supplied by the team at Symmetry Solutions, and their Prism fraud intelligence service. This week's fact relates to the team at Symmetry and the work that they do. Over the course of 2022, they identified over 11,800,000 phone numbers advertised for sale to fraudsters. That's an average of 32,455 new phone numbers offered for sale to fraudsters each and every day. As of today, the Prism voice database contains 11,268,462 phone numbers currently associated with voice frauds. And their SMS database contains 2,577,395 numbers associated with messaging fraud. You might want to keep the scale of that finding in mind next time you see a hot list of fraud numbers that includes no more than a few dozen ranges.
Now learn more about Symmetry's Prism services at their website symmetrysolutions.co.uk. So back to the chat again here, guys, apologies if I'm going on a rant because we need to get these guests on because they're the real experts here. But before we bring them on, my question to both of you is: is inflation of traffic inevitably going to become a universal problem? Now we've talked about floods of robocalls and robotexts as part of a more general trend of networks carrying ever increasing volumes of traffic; artificial inflation of traffic also occurs because of the way machines are being used to generate traffic. Fraud managers in traditional telcos will be familiar with the age-old problem of artificial inflation of traffic. But then it usually involves somebody creating a revenue stream by stimulating calls towards the destination they control, doing so in a way that increases their income, often without paying for the origination of that traffic. And a few weeks ago, we had Tim Biddle of Sinch on the show. And he discussed the more recent but extremely serious variation of the theme where messaging traffic is artificially generated by bots, which create bogus internet profiles and then stimulate the sending of SMS messages. And the same issue has now come up again with Spotify, the music streaming service. They removed tens of thousands of songs from their platform after they were warned of suspicious activity by one of the big music businesses, Universal Music. And here's the quirk. All the songs that were removed were created by people who simply typed a few words into a platform called Boomy, which uses AI to generate a new song that matches the description the user provided. Boomy's homepage even encourages users by saying, submit your songs to streaming platforms and get paid when people listen.
And even more recently, online advertising measurement business DoubleVerify reports a significant rise in the fraudulent inflation of video advert impressions on connected TVs, with unprotected ad campaigns seeing 11.2% of all their traffic being fraudulent. Lee, are human institutions failing to see and anticipate these analogous network crimes that occur because of the way networks work and the way users are incentivized to terminate traffic on those networks? Are we failing to see the analogy because we keep looking at every problem in isolation rather than looking at the whole? Yeah, well, I think if you're going to create a certain type of behavior, then it's all about how do you reward that person, right? So if your payment model is based around the number of minutes or the number of downloads, the number of impressions, then people are going to try and game the system, right? So when new products and services are launched, right, especially those with new payment models, then you really need to consider the ways which could drive that fraudulent behavior. Now, funnily enough, this actually came up in conversation yesterday. So we were looking at ways as to how do we kind of incentivize customers to report spam, SMS spam messages, to 7726. There was somebody in the room, they actually suggested, why don't we give away three minutes or three GBs for each new spam message that's reported, right? So, and this actually started off a fierce debate because then it's like we thought, well, hang on, would people actually abuse the system here to create more spam messages, right, just to get three minutes? So you've really got to be careful about that. But, you know, you're right in what you said there. You said this is an age-old problem. And I'll just go back to an old World War II story. So when Japan, when they invaded Burma, they had a rat problem. It was quite well known, this rat problem. And they wanted to promote some kind of like public hygiene.
So they gave everybody a rat trap. And if you wanted to pass around Yangon, then you had to have this token. Each rat was worth a token. So if you wanted to pass around, you had to have this token. Now, some people actually realized the business opportunity here that if they bred the rats, they could actually sell them to the people who actually don't buy them, right? So again, you just have to, it's just an old story. Keep it lighthearted, yeah. I see the point there. I mean, for me, it does seem as though we're always surprised that this happens. Oh, who could have thought Spotify might have been abused? Who might have thought that an advert on a connected TV might be abused? It's just the same thing over and over again. And we're not really learning. We're not doing enough cross-fertilization of ideas. Everybody's sat in their silo solving a problem independently each time. Anyway, Ed, I want to bring you in on this one here, because I want you to like be giving us some stick here because I'm a European, right? Okay. And I think this is time for the Americans to give the Europeans some stick. Now, the big European telcos want to effectively scrap the part of net neutrality, which stops them billing tech firms like Netflix and Google for the extent to which content stimulates demand for network traffic. Firms like Vodafone are the ones saying they can't afford network upgrades like 5G, unless the big US tech firms are forced to pay towards them. Shouldn't we question whether telcos should first be doing more to deal with the artificial inflation of traffic before they start moaning about the demands being placed upon them? You know, it's interesting that you attach these two subjects together, and I understand the logic. 
I just would tend to think that the folks arguing this from the telco side would never even bother to go there in the sense that when I first started reading stories about sort of this, like you're saying, unwinding of net neutrality that's going on, it just read to me more like payback. Hey, it's payback time. And then my next reaction was that it's too late and it's a very lazy way to go about things. And it's honestly, it's frustrating to spend a lot of time as a researcher, you know, over the last 20 years watching the telecom industry miss a lot of opportunities and do a lot of things to pay anything but forward. And I certainly saw a lot of that in 1996 around, you know, telecom deregulation in the US and the way that was manipulated, which I've talked about before on the show. So to see it, it's kind of the same old bag of tricks to like, don't make me do anything new or interesting. Let me manipulate the playing field. And as long as like, you know, in this Texas Hold'em game, I keep sitting next to the dealer, right? That's fine with me. I just need to keep my position. And that's what it feels like to me. So, you know, should they be held to account to reduce artificial traffic? I kind of think they should anyway. But I like your counter argument. I always come at it from the other side and making arguments like, well, I can't afford to carry your traffic because there's too much traffic. I'd say, well, okay, cut out all the artificial stuff and then come back and talk to me again. And so 60 days from now, we'll have another conversation. As a rule of thumb, I would just assume 10% of all traffic is unnecessary. And it could be stripped out if you are making the effort to strip out unnecessary traffic. But we don't strip it out because somebody is making money off that 10% of traffic and they don't want to lose that traffic because it's profitable for them. 
And so as a result, we go around in a circle where we say, well, we haven't got enough money to put into capital expenditure to support the networks for all this traffic. So we're just going around and around chasing ourselves in terms of capital costs and operating revenues. It's something that I think, Eric, is human nature in the sense that like, even in something innocuous, like if you work in corporate marketing and you've had to go in and do like a full web traffic and SEO audit, you know, on your web properties for the corporation, right, and go in and you produce these reports and you dig down into something, you know, like Google Webmaster Tools, you know, those kinds of things. And you look at the real details of where your traffic's coming from and what the session links look like and where are the originations and all those details. And you very quickly realize that half or more of your traffic is all just bots. So these little, you know, senseless sessions. And then you say, uh-oh, I have to report upstairs. Which number do I report? Do I report reality because I want to talk about the quality of like leads I'm generating, or am I talking about volume because people like big numbers, right? So you automatically end up in a compromised argument in any one of these channels when it comes to, you know, the fact that there's just always artificially inflated traffic. And what is it? If you don't do the hard work to look at what it is and you leave it there, yeah, I'm with you. It's kind of like you're doing your math with the wrong denominator, right? People want the artificially inflated traffic until they don't want to. They can't have their cake and eat it. Anyway, let's have a lighthearted segment. We always have two minutes of lighthearted segment right in the middle of our show, courtesy of Geoffrey Ross and our fantastic sponsors, One Route.
As ever, Geoffrey takes us on a trip around the world where he sees the world through the services we get in our phone. And this week Geoffrey is going to be taking us a relatively short trip for him down south, south of the Texan border to his neighbors in Mexico. Producer James, roll VT. Hey everyone, from One Route, I'm Geoffrey Ross and this is The World in Your Phone. Hablemos de Mexico. Let's talk about Mexico. Mexico is an extraordinary country that has so much to offer across its many cities and remote areas. With a vibrant culture, world-class food and colorful celebrations, there are so many great things to learn about this North American gem. But did you know that in late 2022 China United Network Communications Group, known as China Unicom for short, received a 30-year permit from the Federal Telecommunications Institute to operate in Mexico, marking a significant milestone in its global expansion. Now how did this state-owned company, one of the largest telcos in China, secure its permit and what does this mean for Mexico's telecom industry? Well, be sure to read our blog about this next month at oneroutegroup.com. Mexico has one of the largest and most vibrant Dia de los Muertos celebrations. Also, Mexico supports around 10-12% of the world's biodiversity, making it one of the world's largest natural diverse countries. I found it interesting that Mexico is home to one of the six cradles of civilization and the Mexican silver peso was the first global currency. It was used in Spain, the Caribbean and Southeast Asia. In fact, these silver coins are the famous pieces of eight that you hear in pirate stories. Be sure to tune in and subscribe to our YouTube channel and catch up on the One Route Roundup, where we spotlight individuals and companies making a positive difference in the telecom industry. One more fun fact, no one knows what Mexico means. No one can agree on the etymology. 
Some people say it means the place where the God of War lives, and others say it means at the navel of the moon. But quite honestly, nobody knows the truth. And on that note, Eric, back to you and more of the Communications Risk Show. Cheers.

Thank you, Geoffrey. And now let's introduce today's guests. Feng Hao is the professor of security engineering at the University of Warwick. It's quite likely that you already own a device which relies upon one of the cryptographic authentication protocols that Feng has previously developed. Recently, he's been working on an approach to call authentication that would be simple to implement because it avoids the need for the public key infrastructure demanded by techniques like STIR/SHAKEN. His research into a new kind of call authentication is supported by a million pound public grant here in the UK. Pierce Gorman is a distinguished member of the technical staff at Numeracle, experts in identity management. He spent over three decades leading network engineering efforts at Sprint and T-Mobile US. So he played a leading role in the implementation of STIR/SHAKEN in the USA, and is one of the four leaders on the topic of call authentication at the Alliance for Telecommunications Industry Solutions, ATIS, the US association responsible for the SHAKEN standards. And finally, Sathvik Prasad, research assistant at North Carolina State University, where he was a leading member of the team that conducted an award-winning study of robocalls. It's a pleasure to have you on the show. Sathvik, I kept your introduction deliberately short compared to everybody else. Not because you don't have an impressive bio, but because your research is really out there and ahead of everybody else's research in this understanding of robocalls, as a result of the fantastic work you've done with honeypots and with being able to analyze the semantics, the content of the messages.
Let's open the conversation with you sharing your understanding of the problem of robocalls with the audience based on this amazing research you've done. Now the audience watching the show already knows there's a lot of illegal robocalls. So we don't need to reiterate that. But could you please succinctly summarize for the audience some of the key specific takeaways from your research and how you conducted that research?

Yeah, thanks for having me on the show. I'm Sathvik. I'm a researcher at North Carolina State University. I'm part of a bigger research group led by Dr. Brad Reaves. But the focus of my research is developing systems and techniques that can characterize robocalls in the US. So as part of this research, we run a telephony honeypot, which is a fancy way of saying we control a bunch of phone numbers. And through this lens, we can see how this robocalling ecosystem is evolving over time. And we've been collecting a bunch of data over the past three to four years. So as part of that, we publish our findings in peer reviewed conferences, mostly security conferences. So the first paper in this line of work was around how we can aggregate robocall audio recordings that are very similar to each other, using a language agnostic technique to identify robocalling campaigns. So we were able to uncover some student loan campaigns and a bunch of social security campaigns and see how they operate. And we labeled a lot of these campaigns by listening to the audio recording. So I've been listening to a lot of robocalls over time. And in a more recent work, we have developed systems that can automatically label these campaigns, right, and I'd be happy to talk more about that.
But in that work, we were able to see how the social security scams have evolved over time and how tech support scammers are moving away from the good old Windows based tech support to, you know, impersonating Amazon and other well known companies, and how much they try to scam some of these victims. We were also able to see how COVID impacted some of these scammers and some of these scam operations. And what was the impact of the political landscape, the 2020 presidential election, on the broader robocalling ecosystem? Yeah, so it's a lot of things, but that broadly summarizes the work we have done, and maybe it gives you some idea of the questions that we hope to answer through our work.

Well, yeah, I'm pleased. Audience, do send in your questions, because we've got the experts really on the show right now. Now, I think you've been a bit modest, because we've learned some amazing things as a result of your research. So your research was language neutral. So you learned about the frequency with which people who are resident in the United States of America are receiving scam calls in other languages. So targeting people who speak Spanish, targeting people who speak Mandarin Chinese, and obviously, you can't necessarily get that from anecdotal data, because people may not understand the messages, whereas your technique was able to do that. You also, as I say, I think it was something along the lines of 5% of all the robocalls people receive were actually politically related robocalls. So maybe legal, because in the US, there's an exemption that allows robocalls from political campaigns to call people, but there was a large portion of calls there that would be irreducible. Thinking about the distinction between legal and illegal calls: there's a lot of confusion around that topic, these things get mushed together in lots of ways, because it's so hard to distinguish between them.
Because what's legal or what's illegal comes down to what's actually being said a lot of the time, and whether someone has permission to make the call that's being made. Can you tell us a little bit about how you would choose to tackle the problem, or what could be done to get better measures of how many illegal calls there are, as opposed to legal calls?

Absolutely, and I think that's a great question, and an important one. I would like to build this mental model comparing email spam classification, although this is not an apples-to-apples comparison, but it's intuitive to think that an email classification system will have access to the whole email body and a bunch of headers. If you build a technology for a phone call, you will have a bunch of headers, that is the metadata or the signaling information, and then the actual audio, which is the voice call. When you're inspecting a call, carriers don't really have access to the actual audio content to make this distinction between a legal or an illegal call. So all they have is the metadata information. But I think over the past few years, there are a lot of other stakeholders in this robocalling ecosystem, mainly building defenses to protect people from illegal robocalls. And some of them run honeypots, something similar to what we do, which gives us control of a phone number which we own, and we also have access to call recordings. So typically, if you transcribe those recordings, you have 30 to 40 seconds or about a minute worth of audio. And sometimes it's obvious to flag a call as illegal, like if it's impersonating a government agency or a well-known tech company, and they have a very sketchy way of saying something. So that's obvious. And then there are some useful calls. For example, if you're receiving a robocall about a weather alert or a missing child notification, right? So those are really useful robocalls as well. But then there are a bunch of calls that fall in this gray area.
And it's extremely hard to build automated systems that can classify them as either legal or illegal. So we ran into some of these challenges when we were doing our research. And yeah, that's one of the biggest challenges. And I think it's also something that's overlooked, that carriers don't have access to the call data, and they're sometimes expected to make this distinction between legal and illegal calls.

Well, yeah, I think you're not doing yourself full justice, Sathvik, because we talk about you doing research work here. And I think you've already developed methods that should be implemented at scale. So for example, Lee mentioned layers, okay? Very rarely, but correct me if I'm wrong, because you mentioned honeypots here, very rarely do I hear about people actually implementing a honeypot just to understand the scale of the problem. And surely with the technology you're developing now at North Carolina State University, if you had a honeypot in place, you'd have a great source of intelligence about the source of crime, because you'd see what numbers are being used. So if the idea is to trick somebody into calling back that number, well, you'd see the number that's being used. If the message, though, is what needs to be heard, listened to. So for example, you've developed a technique where if somebody speaks a phone number in the message with the idea of encouraging someone to call back that number, you'd be able to extract that phone number. We don't need to wait for a member of the public to report something here. We don't need to wait for a traceback to take place. We've got some intelligence that could be implemented. I'm not hearing, correct me if I'm wrong, I'm not hearing about anybody using these techniques as part of a layered strategy.
And surely there's some potential here for replicating what you've done at a research level with your very large honeypot and just implementing this as a strategic form of defense in every country.

Absolutely. And I think it opens up a broader discussion about bringing insights from different fields, right? So areas of speech processing and transcription have improved so much that we were able to reliably extract these numbers, the numbers that are spoken during a call, and we call them callback numbers. And if you're running an operation and you're asking your target victims to call back a particular number, it's very likely that you own those numbers. So that was the intuition. And yeah, I think more broadly, we are exploring these approaches now that there are a bunch of entities that are harnessing insights from running honeypots. And that's what we hope to do through our research, nudge those new ideas and hopefully there'll be adoption. And we are also working to make some parts of our work open source so that people can use it and build on top of it.

And yeah, let's hope other countries perhaps emulate your research and implement honeypots, because obviously you've gathered a lot of data on the robocalls and nuisance robocalls, scam calls that Americans are receiving in America. But I want to talk now just a little bit about the international perspective too, with you Sathvik. Now, a lot has been said by people working for the FCC and the like saying that the bad calls that are being spoofed, they look like they originate in the USA, but actually they originate outside of the USA. A lot of focus on putting the blame on international carriers, on telcos elsewhere in the world. And quite often, let's be frank, although it may not be always said explicitly, the implication is pointing towards call centres that are full of scammers based in India.
Can you comment on the proportion of unwanted calls that originate outside of the USA versus inside the USA? Can you also comment on the reasons why the US is seemingly incapable or unwilling to emulate methods that focus on blocking the inbound international calls using a more simple principle, like knowing the routing information, so that if an international call has come in presented as a US phone number, well, you don't need to do a lot of analysis, you don't need to listen to the call, you know immediately there's something suspicious. Any thoughts on that international side of the problem?

Sure. So let me try to answer the question about where these calls are coming from, right? To reliably get that data is extremely expensive. By expensive, I mean it's resource intensive, time consuming, and we have seen a lot of progress in how tracebacks work now. So I was looking at the annual report that the Industry Traceback Group publishes every year, and from December 2020, 2022, the report says about 50% of the carriers that had a traceback for an illegal call were from the US. And there was a long tail of carriers from all sorts of countries, and a bunch of them were from developing countries. So it's less about either/or, and I think if you think like a person who's trying to protect people from adversaries, bad folks are everywhere. They're not geographically isolated, right? So when we're building defenses, I think having that at the back of our mind is also important. Secondly, about handling spoofing and blocking calls that are potentially spoofed. With my limited experience of working with some of the fraud teams, I think a lot of time and effort goes in within those fraud teams in big telecom carriers that really care about the traffic that they carry to identify and block obviously spoofed traffic, right? So that could be through do not originate lists or other means.
But it's also important to remember that these operations are really sophisticated. They have a lot of time invested in these and they really want to make money and thrive, right? So once they figure out a way to start getting their calls into the network, and this ties back to our discussion about how it's very hard to determine if the call is legal or not, right? It just blends in with all sorts of traffic, and as carriers or as other entities, it's hard to find and flag those calls and selectively block them. Remember, we want really high reliability and we don't want to block useful phone calls and important phone calls. So I think it's really hard to find that balance.

It is hard. But Feng Hao, who's also on the call, I'm going to bring you into the conversation now, is a guy who is working on a rather different approach towards addressing this problem. Now usually, if you do a webcast about this topic, STIR/SHAKEN will get it. We'll be talking about STIR/SHAKEN during the show too. But usually, all that happens is you go on to a certain STIR/SHAKEN solution, a few comments about there's no silver bullets, and then you're not really exploring enough of the alternatives that are out there. So Feng, I really think it's important that I bring you into this conversation. I'm very conscious that we've got an international audience for this show too. And that audience may not be aware of the work that you're doing. And in fact, the work that, to some extent, other researchers around the world have explored along a similar line of thinking here in terms of what might be done to authenticate calls. Could you please explain succinctly to this international audience that is watching now the alternative authentication method that you have developed and why you believe it's superior to STIR/SHAKEN?

Thanks Eric for inviting me. So this caller ID authentication is a problem we have been focusing on for the past two years.
There are some technical details, but I want to explain the intuition. So in real life, when you receive a phone call with a displayed phone number, for example, the phone number may be from a bank, how do you know this number is genuine? You can't verify it, because the number can be spoofed. The best you can do is to hang up and call back that number. So that guarantees you talk to the real, the genuine caller. So our solution follows a similar kind of intuition, but instead of calling back manually, we use software to call back the number and do the challenge response protocol. So the whole verification process is based on challenge response. We send a challenge to the displayed phone number. And if that is a genuine phone number, or the caller owns that number, then we should be able to get a response. And by checking the response, we can conclude whether the caller actually owns that number. So that is the intuition for this alternative authentication protocol, which is based on challenge and response. So how does this compare with STIR/SHAKEN? There are many differences, but the fundamental difference is actually in the principle of design. So that concerns the definition of this trusted third party. What is a trusted third party? To common people, a trusted third party is a party you trust, but in the security community, it has almost the opposite meaning. The classic definition of a trusted third party, according to Professor Ross Anderson from Cambridge University, is a third party who can break your security policy. It may sound counterintuitive, but that actually captures the essence of a trusted third party. Whenever you have a security problem and you try to solve this problem by introducing a trusted third party, a party you fully and unconditionally trust, then you introduce an even bigger problem. Then how do you manage that trusted third party?
In fact, a very big part of this whole security research programme is motivated by removing or avoiding this trusted third party. So that also motivates our research by using the challenge response. We don't involve any trusted third party. So authentication is strictly between the two users or two providers in the telecommunication system. But for STIR/SHAKEN, the design principle of STIR/SHAKEN is exactly based on introducing a trusted third party. So the idea in STIR/SHAKEN, just for the benefit of the audience, the idea is quite simple. So you use a digital signature. For every phone call, you attach a digital signature to prove authenticity. In this solution, signing a digital signature is quite easy. The problem is verifying the signature. To verify the signature, you need an infrastructure, because you need to verify the signature against a chain of certificates. And the root of that certificate chain is managed by this certificate authority, or CA. And this CA is a trusted third party. So the CA has to be trusted by everyone. And this is a global system. So that implies that the CA needs to be trusted by every telecommunication provider in the world. Then the question is, who is going to be the CA? Who is going to be the root of trust? So in the US, the FCC has chosen a few American companies as the root of trust. And they can do that by regulation. The mandate is that every telecommunication company in the US must trust this CA as the root of trust. But this spoofing is an international problem. It's very difficult to enforce this across borders. Because across borders, you need to have this CA trusted by other countries. And then you have the problem. So this root of trust appointed by the FCC, will that be trusted by the Chinese government? Very unlikely. And similarly, if China is going to implement STIR/SHAKEN, they choose a few Chinese telecommunication companies as the root of trust. But will that be accepted by the FCC?
It's not realistic. So that is where you get stuck. You bring this trust to the party. Everyone wants to be the root of trust. But then you're stuck with a situation where this doesn't scale.

So this is it in a nutshell, in terms of applying this internationally. We tend to talk about STIR/SHAKEN like it's just a technology you can just drop on a country. But even if you drop the technology on the country, unless there's some cross border agreement about trust, so that a call that is signed in one country will be accepted as trustworthy in another country, you don't have an international solution, even if both countries have implemented STIR/SHAKEN. So we have right now a situation where France, because of the political manoeuvres above the telecoms industry, will be implementing STIR/SHAKEN. But nobody knows whether there'll be any kind of interworking between France and the USA. And if there's no interworking, then you haven't solved the problem of a call that's gone from France to the USA. And of course, that's just one pairing of countries. You actually need to solve this problem for every pairing of countries. And nobody's really clear on the way forward for that. Now, correct me if I'm wrong here, please help me to again understand your approach. If I understand your approach correctly, Feng, if, say, I had a friend, and I have the right software on my phone, and my friend has the right software on their phone, no matter where they went in the world with their phone, because it's really about the software executing an exchange of keys, if you like, at the start of a call, this would work internationally, because it doesn't matter what's in between. There's no other third party in the trust relationship. It doesn't matter what any telco does, because this is something that I can independently choose to do with my friend.
And your model is to develop and make this technology as cost effective and as efficient as possible, so that this could then be globalized and used globally. Am I right? Is that my understanding of what you're proposing?

Yeah, absolutely. You're right. I mean, the key challenge here is to work across borders. So this challenge response is a generic protocol that can work across borders. But the interesting thing here is that actually, we don't require cross border agreement for this solution to work. It's actually sufficient to implement this solution within the country. And why is that? Just to follow up on your previous talk, you mentioned that to address a scamming attack, we need to understand what scammers do. In a lot of scamming phone calls, the scammers actually call from overseas providers, voice over IP providers, because they can easily change the caller ID. But they almost always spoof a number that is local, a number local to your area or owned by a local government, for example, HMRC or a police station or an important local number in the country. So for the challenge response, you see this displayed number as a local number, and all you need to do is to challenge that local number to see if you can get a response. So that challenge response can be implemented within the country. And that is sufficient; it directly addresses the main source of the scamming attack.

That's brilliant. I mean, because it makes me realize that, of course, if you had somebody, I mean, this has come up a lot, tax offices, for example, is a great example that comes up a lot. We see that in Sathvik's research too, you know, impersonating government agencies. So if you have the technology in place, well, what you'd be doing is the call back to a tax office in the UK or in the USA, wherever, and they'd be saying, nope, that call isn't from us.
So that should be a very efficient way of removing a lot of the scams from the ecosystem very quickly, if I understand it correctly.

Yeah, that's precisely true.

Okay, thank you so much. I really think we'll come back to you a little bit later in the conversation, and full power to you for the work. Now, Pierce, I'm conscious you've been patiently waiting. You are a very good man to me because you spend many an hour explaining to me the intricacies of STIR/SHAKEN and how it can be improved. So again, I appreciate your patience. You've been intimately involved in the development and rollout of STIR/SHAKEN in the USA. But you also talk very openly about what it does well and what doesn't work so well with STIR/SHAKEN. If I asked you to pick out two key strengths and two key weaknesses of STIR/SHAKEN, which would you pick on, Pierce?

Well, before I answer that, I'm going to make a comment about honeypots and Feng's work. So the honeypots are common in the carrier space. I know that at least two of the three, probably all three of the major wireless carriers in the US operate honeypots and use them to gather information to help them improve their anti-robocalling analytics. And there are other companies outside of that. You may be familiar with David Frankel at ZipDX. He offers a thing that he calls RRAPTOR. It would probably make a good show if you had him walk through that honeypot based system. On the work that Feng is doing, I like what he's describing. I would say that my assumption is that the challenge response is calling that doesn't necessarily require anybody to answer the phone and talk. So there's going to be a challenge response application operating on the phones. That means there's got to be signaling. It could be mobile phones. The mobile phones would have to have the software loaded. So there is work that would have to be done.
And then for wireline originations or wireline spoofed numbers, there would have to be work there, probably done by the carrier, to provide a response instead of the actual person at the called number. Anyway, back to the strengths and weaknesses. Strengths are easy and fun. Weaknesses, there are too many. But I'll just say that the two favorite strengths are that STIR/SHAKEN establishes a working foundation for doing call authentication. And that's a major accomplishment. And to defend the FCC a little bit, I'll mention that they had a law that was written by Congress that said, you have to go out and put this into the network. So they did it. The work that went on, there was also an FCC Robocall Strike Force, lots of people invited to talk. There were industry experts. That was in 2016. One of the working groups was a call authentication working group where we talked about STIR/SHAKEN. And one of the comments that I made was, if you want the carriers to implement this technology, which is complex and brittle, you're probably going to need a mandate, because I don't obviously see how we can monetize this. So if we don't have a mandate, I don't know that you'll get a voluntary implementation. And that might be a problem for Brazil as well. The second thing, the major strength that I like is the way that, and this is funny because it goes to Feng's comment about trusted third parties, and I agree with everything that he said, but since STIR/SHAKEN is based on a trusted third party, the way that the certificates are issued between a policy administrator that registers and vets the service provider, the service provider themselves, and the certification authority, there are cryptographic tokens that operate in that environment to make sure that only vetted, verified identities get the certificates they need. And I see we're out of time, so.

No, we're not out of time. We've got another half hour, Pierce.

Oh, okay, good.
Well, then I'll talk for the rest of the half hour. We're good. The weaknesses: the number one weakness in my mind on STIR/SHAKEN was the reliance or the dependence on the telephone number as the source of identity. I think a telephone number is a horrible source of identity. When you go to a customs officer or a transportation, whatever, the TSA, when you're trying to get onto an airplane, they don't ever ask you for your telephone number. That's not the source of identity that they're looking for. They want something that's more reliable, something with a picture, something that's issued by a government. So trying to use the telephone number as the source of identity is just miserable, and so that's a major weakness in my mind. The second weakness that I decided I wanted to tell you about is that, using the trusted third parties to issue those certificates, I don't like the restriction that makes direct access to those certificates only available to service providers and toll-free number administrators that we call RespOrgs or responsible organizations. I think that, similar to the Brazil example, the authentication ought to happen from the telemarketers themselves, both the legal ones, so that their calls can be protected, and the illegal ones, so that we can see their identity in the call and have that information to understand over time that you're causing illegal calls, and label the calls or perhaps block the calls. I'm not a big fan of blocking, but at least labeling. And also turn them over into enforcement. That identity information, the whole idea behind STIR/SHAKEN, was to get identity information in the call so that you could know where those calls came from and you could address the issue of originating illegal calls. Yeah. So I'll just say that's the second weakness, is that the certificates are only constrained to service providers and RespOrgs, and it should not be that way.
Now there is a thing called delegate certificates that can be given to service providers, but that's a whole other mess. It would take another 30 minutes to go through why that's got problems. So I'm going to say that that second weakness is that there isn't direct access to certificates that are on the same level as a service provider certificate, with the exception that enterprises, agencies, people that are not service providers should not do SHAKEN signatures. They should do, I think, rich call data signatures. And so I'll stop there. I think you have more questions.

Oh, there's so much we're going to be talking about. That's why we're running the show extra long today with three great guests. We needed to allow more time to hear all the opinions here, and forgive me, when I hear your wonderful insights, Pierce, the word that comes to my mind more than any other when STIR/SHAKEN is discussed, it's not the kinds of things that people tend to want to talk about with STIR/SHAKEN. I hear the word bureaucracy. That's the thought in my mind, is that we have this, you know, it's not just that it's complex, it's that it is a big drain of resources to oversee this infrastructure. And that's why I like what Feng says in comparison, because I appreciate you're going to point out technical issues and technical drawbacks, whatever. And that's true, but what he offers in comparison is so simple in comparison to what STIR/SHAKEN is. And that's why I want to bring Lee in here, because you've already started also mentioning the Brazil example of this Brazilian variant that we now have of a digital signature. So Lee, you're a fraud expert. You deal with the anti-scam side of things in the countries where you work around the world. I think, though, that there's a fundamental problem here, and I hope that this show is addressing it.
There's a fundamental problem here, which is that most people in your shoes, working for telcos around the world, are not receiving any advice, any guidance, any alternative points of view. Really the only thing that they're getting read from is the script from the laws that are passed in the USA. As if, if you put something into law somewhere, then the technology that follows as a result of that law is the right technology. And it's not just technology. The method is the right method. Are you surprised? Are you aware of what's going on in places like Brazil, when Pierce talks about putting the emphasis on the telemarketers applying the signature, which is a very radically different way, but I find a very attractive way? Are you familiar with the possibility of just using the handsets themselves, having a callback process? To what extent do the fraud managers and specialists in this field even get any awareness of these topics in other countries?

Yeah, I mean, that's a very good question, Eric. I mean, robocalling isn't a big issue for us in the Middle East. It does go on, but it's not to the scale of what it is in the US or Brazil. Now, to be honest, I don't know much about STIR/SHAKEN because it doesn't impact me, although it's likely to impact me at some point in the future. So my question to Pierce would be, you know, I'm over in the Middle East, what would I need to do to get a call into the US which has a certain certificate? What are the type of things which I would have to do to achieve that?

Well, it's a good question. And I just want to say that I really liked a number of things that Feng said, and I'm going to get to an answer here. One of them is he said he doesn't like the trusted third party concept. And he mentioned that the trusted third party that's used for STIR/SHAKEN call authentication is a certification authority, or in the US we have, I think there's 10 now, certification authorities.
And he mentioned that a call into the Mideast, the Mideast service providers would have to have access to the root level certificates of each of those 10 certification authorities. And they would have to agree that they were a trusted third party and that they would verify calls based on a certificate chain, a certificate path that led up to those certification authorities. And he said that that could be a problem. He gave the example of China and US. And he is 100% correct. And I'll tell you, Feng, what you said almost word for word was actually repeated in a working group of the FCC called the Call Authentication Trust Anchor Working Group. The very first time that group was put together, it's had three iterations, was to talk about the STI framework, the Secure Telephone Identity framework, and how that should be based on a framework of governance authority, policy administrator, certification authorities. And what you said came up in those series of meetings. And the comment that I use, because there's a term that was used for it, this was a problem for the web as well, is they call those untrusted trusted third parties rogue certification authorities. And so what was built to fix that is what I call a good old boys club. So in the US at least, we have what's called the CA/Browser Forum. Sometimes it's just called the CAB Forum for short. And that is the major developers of browser application software getting with the major certification authorities and agreeing on whose root level certificates will be trusted and loaded into those browsers. And so his problem that he described is exactly correct. And that is going to be a problem if we continue down this path for international STIR/SHAKEN. He's 100% correct. And I'll be talking about both sides of my face when I say I said the second weakness I wanted to talk about was this lack of certificates being able to be given to telemarketers, especially so that they could authenticate their own calls. 
Ideally, we would find a way to get away from certificates. And so I've been focusing time at the ATIS, you mentioned ATIS before, their Enterprise Identity Distributed Ledger Technology Working Group, it's a mouthful, the EIDLT, where the focus there, the chair Ian Deakin has spent a lot of time going over the work from the World Wide Web Consortium, the W3C, on how to develop verifiable credentials, verifiable presentations, based on the concepts of self-sovereign identity. And what I liked about Feng's challenge response mechanism is that fits perfectly with the concept of mutual authentication. And I do think that that's an eventual... That has to be a goal of the work that we're doing with call authentication, whether it's based on STIR/SHAKEN, or it's based on verifiable credentials, however we go about this. Now, I lean towards verifiable credentials. I would like to get away from X.509 security certificates, but it's an established, entrenched system at this point. And it's the law in two out of the three countries. Canada adopted it on... The regulator adopted it on their own, but in France, in the US, there were laws that required the regulators and the service providers to implement the technology. So to answer Lee's question, what you would have to do is have a certification authority in the Mideast that was accepted by the service providers in the US, and they would have to issue certificates to those service providers. And so when the call came over, they would have the root level certificate of the Mideast certification authority loaded into the verification server, and they would be able to verify the call and give it the green check mark. Sounds implausible. Sorry. Just one follow-up question there. Technically, would we need to do anything technically? You mentioned work with the certification providers. Is there anything technically that we would have to do? Ask the question again. I don't think I understood it. 
So you mentioned that it's about this certification process, but actually, is there anything technically we would have to implement, say, at the signaling level on our side? Oh, yes, absolutely. There is a whole bunch of standards written by ATIS and by the IETF STIR working groups, that's why it's called STIR/SHAKEN, that describe the technical details associated with applying a call signature. Basically, STIR tells you, here's the format of a signature, and the signature is a, if you're familiar with the term, JSON Web Token. And then the certificates that carry the public key that could verify the signature is the other part you would need to do. So the standards tell you to develop and deploy what's called an authentication server, and it's built for SIP. It looks at the SIP INVITE, the information within the SIP INVITE, picks out a few fields, the From, the To. There are some other fields that get created for the signature. And there are multiple different kinds of signatures. The one that we normally talk about is the SHAKEN signature, and that's for a service provider to service provider call. There are also, I won't go into all the different kinds of signature types. The signatures, they have a name, it's called a Personal Assertion Token, and they call it a PASSporT for short. So you'd have to learn the different PASSporTs, decide which ones you wanted to use. If you're really going to use SHAKEN, you create the SHAKEN signature in a PASSporT, you drop it into a SIP Identity header in the SIP INVITE, and you send it on its way. And within that Identity header, there is a URL that tells you where to go download the X.509 security certificate chain so that you can verify the signature that's in the PASSporT, in the JSON Web Token. Did I answer your question? Yes, it did, but I've just got one last very quick question. So it's looking like... Hey, Lee, if you want free consulting, you can do it offline. I think I got to time you out here, Lee. 
I'm glad you're enjoying the topic, but I think you're getting some free consulting here for yourself, guys. Look, Pierce, I want to jump in here and ask you another question, because I'm getting the impression that you're very interested in what's sometimes called international SHAKEN, Pierce. An international SHAKEN, for the want of a better description, is how do you get people like Lee signed up to do this in another country to the cause of being authenticated from country to country? Keep it simple, please. Has progress on international SHAKEN gone as expected? That's a good question. And I'm going to tell you, I think it's actually gone better than what I personally expected. I did not anticipate that Canada on its own would just decide it wanted STIR/SHAKEN. They actually issued their mandate ahead of the US law and the FCC mandates. So those Canadians were... And they weren't goofing around, right? They just went right after it. So that was interesting. I also didn't anticipate that France would adopt STIR/SHAKEN. So I think from the perspective of not really anticipating anybody else would look... I kind of assumed that the technologists would look at it and go, I see what you're doing here. I see that it's an experiment. I think we'll wait and see how your experiment goes. But that's not how it went. And part of that was because the FCC did take a very active role in trying to promote international STIR/SHAKEN. So they did go talk to their regulatory counterparts in other countries. Let me jump in there, Pierce. Let me ask a more precise question. Given the years of effort that's gone into STIR/SHAKEN, is the number of calls that are occurring between countries that have a signature that is being authenticated at the termination, is that number in line with your expectations? That is a very specific question. France is in the middle of getting it up and going. So the only other country you can talk about is Canada. 
And Canada is authenticating calls that it sends into the United States. I shouldn't say Canada. I'll say Canadian service providers that support STIR/SHAKEN and use voice over IP, because not all of the communications is voice over IP. A lot of it is still TDM. They are sending calls into the U.S. that are signed and that are verified with certificates that were issued by the certification authorities that have been authorized within Canada. And that's two right now. One of them is TransUnion, better known as Neustar. And then the other one is Sansay. And it was originally just Neustar. When I left T-Mobile a year ago, we were not verifying those calls. And some of that has to do with, for one thing, T-Mobile is methodical about how they implemented their STIR/SHAKEN stuff. They didn't just throw it in there and say it should be good to go. Let's see how things roll. They worked with each of the major service providers to set up testing ahead of time, tested the technology, got comfortable with it, felt good with it, and then rolled it out into production. They wanted to follow that same process with Canadian service providers. And they may have done it in the year in between. But as of last year, no, those calls were not getting verified. Another part of it, though, was that this goes back to the complication of all the certification authorities and the agreements between the governance authorities that control the certification authorities that Feng talked about. The policy administrator in the U.S. keeps a store of all of the root certificates for all the approved certification authorities. And the PA is responsible for authorizing those certification authorities. So the certification authorities have to submit what's called certification practice statements. Those are looked at by a policy management administrator within the policy authority. And then it's even passed over, in the U.S. anyway, to the governance authority technical committee. 
So there's a lot of work that goes into whether or not those certification authorities are okay. I'm getting a sense of a lot of work. I'm not getting a sense of a lot of clarity on how many calls are being signed and checked. Fair enough. I don't know the answer. I no longer have a front row seat. I don't work for T-Mobile anymore, so I don't know. Is it a lot? Is it some? Surely, if they're being authenticated, we're now in a situation where a Canadian business could say, here's bad calls coming from an American telco, and vice versa. Are we in that situation, or is that not currently possible? It's possible. I just don't think it's very common. I assume it is not common. But this is the future we're heading towards, though. That's the point, is that we're going to be in a future where it will be possible for one party in one country to literally point the finger and say, that country over there, there's a telco, and that country's regulator isn't stopping them. But we're going to be aware that they're pushing bad traffic. So we're going to pick them out. I think that's the aspect of STIR/SHAKEN that we sometimes lose when we talk about the technology and being at the stage of rollout. But actually, it's about what you do as a result of STIR/SHAKEN that's going to reduce the number of spam calls and illegal calls. Feng, I want to bring you in here now. Now you have a research grant. It's roughly a million pounds for the work that you've been doing into your research. I know that you have been working as fast and as hard as you can to develop a rigorous technology that stands up to scrutiny from your peers in the academic community, and also working with telcos to make sure that it works. 
Are you frustrated that the UK's communications regulator Ofcom has seemingly ignored your work by issuing a consultation on how to authenticate calls, which made no mention of your approach at all, despite the fact that you have been to the British Parliament and told them about the motives of your work? That's a very interesting question. Do I feel frustrated? To be honest, no. I've been in academia long enough that we learn to be patient. The research takes time, and this is quite a complex problem. We started looking at this problem about two years ago. You need to have a good understanding of the problem, but also look at the existing solutions to convince ourselves that we need a better solution or the existing solutions don't work as expected. When you have a solution or intuition, you also need to make sure that your solution is actually feasible, and to do that you need to do implementation or prototyping. We have done that on the existing telecommunication systems, SIP system, SS7 system. We also implemented prototypes on mobile phones, landline phones and SIP phones to do all the experiments and get the performance measurement. Then we write a paper, and we still hope that this paper is going to pass the peer review process. That is a standard practice in our community, because you never know that you got everything right or you missed something. That peer review process is really important, but also takes time. I'm happy to say that our paper has got favorable comments from our peer researchers in the community. The paper is going to be published soon, and we are going to make a free copy of the paper available in the next few days. All this takes time, and this Ofcom consultation is quite recent. I think the timing is perfect. Currently, Ofcom proposes STIR/SHAKEN as the only solution. However, based on our research, up to two years of research now, we are more comfortable to say STIR/SHAKEN is not the only solution. 
We actually have alternatives, alternatives that potentially are far more cost effective than STIR/SHAKEN, an alternative that doesn't really introduce a trusted third party. Of course, as academic researchers, we work the research under our own constraints. So in our research, we do prototyping by updating software on the end user's phones, because we don't have access to the telecommunication system. But as Pierce very rightly pointed out, the best way to implement this is actually in the telecommunication cloud. Actually, we have recently done that in collaboration with a UK-based company called Chucor. The company is specialized in nuisance calls. So they have access to the telecommunication cloud, and we have done a prototype between two mobile phones to do the challenge response between the two gateways in the cloud. So challenge response is actually performed in the cloud. That is a lot faster than doing it on the end phones. Still, we have a few seconds delay, but that is only because this is a preliminary implementation, and we are working on reducing the delay, because for challenge response, all you need to send as the challenge is only a four digit number. So in principle, this can be done at the speed of light when you send this across an IP network. So potentially, this challenge response can be completed in a very fast manner, so potentially under one second. And then if that is the case, then the whole solution can be practical. So this is work we are working on. And yeah, we show that actually alternatives do exist, and we want to urge Ofcom to consider alternatives, because there's not just one, STIR/SHAKEN. And you don't have to introduce a trusted third party to solve this problem. I think you make the case very well. I think I'm frustrated on your behalf, even if you're not frustrated, perhaps being an academic, you're used to the vicissitudes of having your research examined by others and the pace of progress. 
For me, I'm frustrated because of the thought that a lot of money could be spent on implementing one approach. And then it's very hard to go backtrack and then implement a second approach. So if your approach is as beneficial, as successful, as efficient as you think it is, but maybe needs a little bit more time to come to realisation, it would be a shame to be down one path and not be able to reverse back and look at your approach again. So for me, my worry is that because, as Pierce has pointed out, progress has been made with STIR/SHAKEN in the USA, Canada, even across international calls, there might be a more elegant solution we might ignore. But I'll finish up with a question for Sathvik, if that's okay with everybody. I'm conscious of time, we're very near the end of the show now. So Sathvik, just a couple of minutes for you. But I think this is a vital question that kind of like caps off everything we've said today. Again, thinking about regulators here, their tendency to look at the big picture of harm that they're addressing, and not always break out the detail of the benefits of the solutions that they mandate on the industry. And going back to the problem of distinguishing between a legal call and an illegal call and all the rest of it. If I was to give you, as one of the foremost researchers in this area, an unlimited budget, don't go crazy, but on a limited budget, okay. And I said to you, how would you measure, measure with a degree of confidence and accuracy, the amount of harm being caused by illegal robocalls in the USA or another country, and then could measure whether that harm was going up or down over time? How would you go about doing that? Great question. I think more broadly, we constantly see changes in these ecosystems, right? And especially when there are good and bad actors, that's common. 
And when you talk about measuring, something we observed in our own research was how some of these really bad operations are extremely targeted now, because the barrier to entry, even to clone voice or synthesize voice, is becoming so low that it makes sense to be more targeted instead of targeting a broad range of population, right? So if I have a lot of budget, I think, you know, what, what I would focus on is building better techniques and systems that will empower the stakeholders that are on the good side of things, right? Because there are so many things that are happening that enable scammers to continue operating, and we don't have those resources to keep up with them. So this is, what are the other elements of that silver bullet that, you know, that doesn't exist, right? So it could be tapping into the advances in applied machine learning or natural language processing, and bringing those diverse views into the telco ecosystem, right? How can we build tools that are reliable, practical, and have high accuracy? And how can we deploy that and share the things that we can extract with other stakeholders? So these are like broad visions, I would say. And I think some of the work that we are exploring is in that direction, where we distill insights from audio recordings and do that reliably. And that can be shared with other entities, right? And you can analyze millions of robocalls using some of the work that we have done. So I hope, as a community, trying to protect phone users from these really bad and annoying robocalls, we inch more towards that direction. Well, I think we're going to continue the conversation after this show has ended, Sathvik, because I can certainly see ways that we might work together in future on that particular point. But we're running out of time. I'm very, very sorry. Thank you so much, all three of my guests. I would have loved to have given you more time to talk to this audience. 
But I think you've certainly given the audience that we have for this show plenty of food for thought. And I hope that that is some sense of pleasure, that you've been able to engage the interest of the audience around the world. I'm sure there'll be lots of follow-up calls. And if not, Lee Scargall will be wanting free consulting from all of you in the immediate future. There's a bottomless pit of work that he'll give you for free if nobody else. So thank you, everybody, for being on the show. We're out of time. Ed, Lee and I will return next Wednesday for the final episode in the current season, when there will be interviews with two separate guests: Sarah Delphey, Vice President for Trust Solutions at Numeracle and previously Director of Abuse and Risk Operations at Bandwidth. Sarah's going to talk to us about Know Your Customer checks and the challenge of managing identity. And Andrew Wong, COO of fintech business SORAMITSU, will be discussing sharing intelligence relating to scams. We'll be live on Wednesday, 7th June at 4pm UK, 6pm Saudi, 10am US Central. Why not save the show to your diary by clicking on the link in the Communications Risk Show webpage. Next Wednesday's episode will be the last stream of this season, but not the last of the Communications Risk Show, as we are already lining up guests for our next season, which begins on Wednesday, August 23rd. We'll be back at the same time, back on consecutive Wednesdays, 15 consecutive Wednesdays starting Wednesday, August 23rd. So now would be a great time to subscribe to our schedule of upcoming broadcasts. So when you have your holidays and you come back from your holidays, you're not wondering to yourself when the show is back on or who the guests are. They'll be uploaded to your diary automatically. 
Thanks again to today's guests, Professor Feng Hao of the University of Warwick, Pierce Gorman, Distinguished Member of the Technical Staff at Numeracle, and Sathvik Prasad, researcher at North Carolina State University. Thanks also to my co-presenters, Ed Finegold and Lee Scargall, for putting up with my obviously leading questions and deflecting them as best as they can. And to the hardworking producers of this show, James Greenley and Matthew Carter. That's all for episode 12 of the Communications Risk Show. I'm Eric Priezkalns. Remember to visit the Communications Risk Show website, tv.commsrisk.com, for recordings of every past show. Keep reading commsrisk.com for the latest news and opinion about risks in the comms industry. And go to the Risk and Assurance Group, riskandassurancegroup.org, for access to RAG's free services and content, including the RAG Fraud Blockchain and RAG's risk catalogs. Thanks for watching today. We'll see you next Wednesday.