Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand, identity and communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be cohosting today's session with Keith Buell, General Counsel & Head of Global Public Policy at Numeracle. Welcome to the podcast for the first time, Keith!
Keith Buell: Hi, Rebekah. Thanks for having me.
Rebekah Johnson: I appreciate you joining us on this journey of protecting consumers from fraudulent robocalls while protecting the calls that they want. I'm pretty sure that we will have you as a guest again this, so this should not be a one-time event, especially as regulations seem to be kicking up in other countries and we continue to have more in the US. This is a really interesting topic. So, for today's topic, it's actually one I've been anticipating for a while. As other countries organize around how to protect consumers from fraudulent traffic, it is expected that the regulators or lawmakers will look to the US. and how we've tried to implement consumer protections for voice. So, Keith, before we get into what is going on in the UK for our audience, let's start with some background for Ofcom and the FCC and how they're implementing consumer protection measures. If you could, just give a little background first on who's Ofcom and how does that relate to what we're doing in the US?
Keith Buell: Ofcom is the UK version of the FCC. They've got a similar mandate. Actually, their mandate is wider. They regulate the postal system and that sort of thing, but for our purposes, they do what the FCC does. They're a little bit insulated from the political process, just like the FCC is in the US. Not directly under the control of the Prime Minister, just as the FCC is not directly under the control of the President.
Rebekah Johnson: Okay, so I'm not sure if this was coincidental, but Ofcom and the FCC both issued publications related to consumer protection measures for the voice channel. I think it's important to note that I believe the FCC is on the 8th Report and Order, in which it is finally inquiring about identity and the effects of call labeling on legal entities. I looked at Ofcom's publication, which is kind of a first step in this space, similar to what we refer to as a Notice of Inquiry, in which Ofcom is seeking input and comments from the industry regarding calling line identification authentication. And that will oftentimes be referred to as CLI for short. The next step is likely to be another consultation in which Ofcom will propose rules and then do another round of seeking additional feedback. Would you provide just a quick overview of the FCC's 8th Report in Order and the Ofcom's publication specific to consumer protections?
Keith Buell: What Ofcom is doing, like you said, is similar to a Notice of Inquiry. It's starting the brainstorm, the discussion process, around what they might do. And what they're doing is basically STIR/SHAKEN. They don't use that word as often as we do in the US, but they're deploying a similar technology, or planning to deploy a similar technology. They would have the originating carrier sign the call and the terminating carrier authenticate the call, which is what we are doing here in the US. Ofcom has waited, though, they're a few years behind us in their deadlines. The reason they've done that, or at least one reason, is that Ofcom is waiting for the IP transition to happen in the UK, which is supposed to happen by 2025. The lack of a full IP network in the US has been one of the hardest things for regulators and the industry here to deal with, as the FCC has generated kind of a patchwork of exceptions and alternatives to STIR/SHAKEN, to take into account small rural carriers that can't afford to upgrade or other carriers that choose not to upgrade for whatever reason. We've got that patchwork that is making it so that a lot of calls are still unsigned despite a mandate that went into effect two years ago.
Rebekah Johnson: And last year the FCC required the gateway providers... So, is that part of that patchwork that you were mentioning? It's targeting little chunks and sections?
Keith Buell: Yeah, the gateway provider mandate goes into effect at the end of June, so we're hoping to see that that has further narrowed the holes in the network. A lot of the illegal calls come in from overseas, so the gateway providers will be required to sign those calls as the first point of entry into the US. Hopefully, that will have a good effect because right now there's a very low percentage of call signing in the US. Despite the fact that we're almost two years into the mandate. I've seen estimates that it's about in the 25% range. Most of those are wireless to wireless calls, which is really not where the authentication, the STIR/SHAKEN is most needed. It's the business or any sort of enterprise outbound calling operation to what are now mostly wireless end users. I was formerly working at the FCC and just as recently as a few months ago, my desk phone, which is a VoIP phone calling my personal cell phone right in my hand, next to me was not a signed call. There's some intermediate provider somewhere in there that either dropped it or had an exception or chose not to sign for whatever reason. Until those calls are signed or it's SIP end-to-end, we're going to have those holes. Ofcom is smartly waiting for the full transition to occur before they even start this process.
Rebekah Johnson: I find it interesting the FCC basically required a standard before the infrastructure could support it and then perhaps Ofcom is requiring an infrastructure update before requiring a standard. So, what was the thinking behind that decision?
Keith Buell: I think it's smart. Plus, they've seen what has worked and what hasn't worked here in the US. I think more, sadly to say, has not worked. Despite all the efforts put into STIR/SHAKEN, I think it's a good backbone and foundation for these technologies, but it's not the entire solution. It's left places for participants that are really not helping the situation here. While I'm sympathetic to small and originating terminating carriers that don't have the money to install STIR/SHAKEN here in the US, I don't see a place for an exception for intermediate carriers. If you want to get in the middle of a phone call, you should be fully IP and implement STIR/SHAKEN. The UK is not going to have that problem because they're waiting for the full IP transition to happen.
Rebekah Johnson: So, that could potentially be a delay. I will say, like in the US, there were multiple different deadlines for which providers had to implement STIR/SHAKEN or basically upgrade their infrastructure. Like you said, it was a patchwork. That might be something to watch-- what are the comments that are going to come back to Ofcom? Is there pushback on IP? Although you said there are no exceptions, someone's going to lobby for them. That's how it usually works. That could end up being an interesting delay to implementing the CLI (Call Line Authentication) framework, another word for STIR/SHAKEN, in the UK. There's going to be this intermediate period that they'll have to go through which isn't too dissimilar from the US. It's still a bit of a challenge of law, standard, infrastructure, and then we're going to get into that last piece-- what data is going to be transferred through this update? So, it'll definitely be one to watch. I do feel like there is a lesson or perhaps a warning that needs to be shared with Ofcom, and I would like to know your thoughts. I have my own, but I would like to hear yours.
Keith Buell: I think the big warning is, STIR/SHAKEN is a great technology for the middle third of a telephone call, from the originating carrier to the terminating carrier. What it doesn't do is go back before the originating carrier to the complex web of BPOs, different providers involved in the call path, or call centers. I think that is one misstep that the industry as a whole took, and I certainly took in the past, was assuming that at the start of a call, it was a one-to-run relationship where a business customer says, "I need a call center with 100 seats. I'm going to buy phone service from Carrier X. They're going to issue my phone number, sign my calls, and they will go downstream with my caller ID on it." And that's just not the way it works. These companies hire call centers that have service for multiple carriers and they might bring preexisting phone numbers assigned by another carrier and go through several least-cost routers along the way. So, by the time it gets to the first carrier that signed the call, there's a mishmash before that that nobody really knew or understood from the terminating carrier side. That is something that I think hamstrings us to this day because STIR/SHAKEN was built around an assumption that the call origination process would be similar. On the terminating side, especially on an Apple device, we don't have any indication of whether the call is signed and verified by STIR/SHAKEN. We get that after the fact in the form of a checkmark in our call log. What I would like to see is: identify the originating caller all the way back to the brand behind the call, which may not be the company that owns the phone number, that owns the phone lines, that bought the service, all the way to my hand when the call rings, not after the fact. I want to know that this company placed the call, they placed their identity on the call, and I know that with certainty when I answer that call.
Rebekah Johnson: It honestly feels a little deja vu for me since this is actually how Numeracle got started. I don't know if it's the cart before the horse here, but there was a deployment of analytics before IP, before STIR/SHAKEN. Although we see from Ofcom that, it looks like, "Hey, we're going to require the IP infrastructure first before STIR/SHAKEN." Yay, glad you did that, but what's already proceeding out and being deployed is the analytics. That's what I was kind of getting back to-- there might be these delays with deploying an IP infrastructure and there's going to be this pressure from a regulatory side to please the people and actually show the progress that we're stomping the bad guys. And the easy little band-aid to put on that is to implement some analytics. In reading the publication from Ofcom, we can see that that's already started. There have been analytics, the same ones that are deployed in the US are being deployed at the terminating service provider/ terminating carrier level. It's just going to be the same problems again. We're going to have an identity issue while we're trying to block the bad calls, we're going to be blocking the good calls. I know that you have a lot of background experience in that too, and maybe this is part of that warning to give to Ofcom about what their future is going to look like. And we will pull this podcast up, give me about six months, and then I think we're going to have some data around how there are some real negative impacts to legal calls through these strategies.
Keith Buell: I think the analytics have really-- their time has come and should have gone by now. They were the best option we had six or seven years ago before STIR/SHAKEN, when people were fed up with robocalls and the carriers felt like they had to do something, the FCC was pressuring them to do something. So, the analytics stepped in, and each of the three, formerly four, now three, major wireless carriers hired an analytics company to do call analysis and to do some blocking and labeling before the calls got there. That was the best technology we had at the time but I'd see failures in the analytics because they are really guessing at what is going on with the call and not applying objective information from earlier in the call chain. They're starting to use STIR/SHAKEN in that, and I think that's a good thing. Taking a step back, the role of the analytics is really unique in the history of telecom in the United States. For over 100 years, the FCC and its predecessor regulator said the call must go through, complete the call, don't interfere with the call. There have been instances in the past where carriers have squabbled about money and call routing. The FCC said, "I don't care, call completes, you guys can fight after the fact." What they did here is allow the carriers to insert the analytics into the call path. I mean, they're not technically in the call routing, but their decision-making affects how a call is presented and displayed, and blocked. The FCC said a few years ago that we are not going to regulate the analytics, we're going to rely on their good faith efforts to do their best because robocalls are so bad and so out of control, we throw up our arms and we're going to allow them into the call path. It's really a unique situation that the FCC delegated authority to these analytics companies with no oversight whatsoever. One thing that I find surprising, maybe I shouldn't find it surprising, but upsetting about the draft order that came out last week that will be voted on in May, is the FCC is saying we are going to require analytics. Not just allow, but require analytics, which is saying that for 3000 voice providers in America, they must buy the product of one of these three companies that I think has not been successful in their mission. The FCC, part of their order that they released is going to be a notice of inquiry to discuss labeling, but that's one step further removed from actually doing a rulemaking. That's really two orders into the future if they even touch that subject.
Rebekah Johnson: What I think is interesting, and it's frustrating because in both the FCC and Ofcom publications-- I don't want to say Congress, at least over here at the US because we have the TRACED Act, which gave the FCC authority to implement some caller authentication identification framework-- the word "identity" and “identification" comes up in both of these orders, publications, whatever word you want to use, yet zero, absolutely nothing, is discussed regarding what identity looks like? To your point, STIR/SHAKEN, let's call it what it is. It's an endpoint to an endpoint for delivery of data. Garbage data, good data. That is not a requirement. It's just a transfer of information from an origination point, don't drop the data as we play hot potato, pass it along to the terminating service provider. There's no place where the FCC has identified the Know Your Customer (KYC) concepts. We should get down to the entity behind the calls because news shocker, Keith, this might be the first time the world is learning that the bad guys hide by not providing their identity. This is the first place you're hearing about it. I don't even understand this. And this is one of the challenges that Numeracle, our company, is actually having. Now this is on the messaging side, but it could apply to voice. There is this company that seems to have the data of all of our employees and loves to send text messages to all of our employees as though they're coming from me. Now, because I'm very integrated into this network, I can actually perform my own tracebacks. I can actually get down to the company that is facilitating the delivery of these calls, and they know exactly who the entity is. All we get back is, "Sorry, I shut off that company..." Where is your due diligence for knowing who's getting onto the network? All we're doing is a whack-a-mole approach to this, and these are companies that have implemented STIR/SHAKEN. We're missing the identity element, and I get really frustrated that Ofcom came out with CLI and "identification" is actually in the acronym, but yet there's no conversation around the identity of the entity who's delivering the call. Put your stamp on your communications. It shouldn't just be the originating service provider that has to put their stamp on the call or the text. It should be the end entity that actually is making the decision of what number it wants to call and what message it wants to deliver. I know you and I have had these conversations and you have thoughts on that as well.
Keith Buell: I think identity is what the analytics are missing right now. We might have a customer with 1000 phone numbers, and in any given week, 50 are labeled as spam. The next week it might be a different 50. The analytics are looking at it through a view of the world from five years ago. They're looking for traffic spikes as being indicative of bad behavior. I think we know from our own experience, and I confirmed this with an operation that runs something akin to a honeypot where they analyze incoming calls, the fraud calls these days are being spread very thin across a large number of phone numbers. When the analytics say "this is spam because of a spike in call volume on one particular number," that's the opposite of what they should be looking for. Nor do they associate all of the company's phone numbers together. In my view, a company, if they're compliant, their calls should not be labeled as spam. If they happen to use a lot of calls on this number today and a lot of calls on that number tomorrow-- if we know who they are and that they are legally compliant, the analytics shouldn't be jumping in and guessing and labeling that's very harmful to a business just based on their guess. Similarly, if we know a company is bad, all their calls should be labeled as spam, not just the ones that happen to make a high call volume that week. The analytics are using an obsolete view of the world to be doing this and really not looking at identity. The analytics engines will sell a bypass to this. They will sell branded calling. They recognize that a spam label is detrimental to a call, that nobody picks up a call labeled as spam, and that they will sell a product to guarantee, well not guarantee, sometimes they won't override a spam determination, but facilitate the delivery of a call with a logo or a verified caller name on that to avoid their own labeling of spam. The fox guarding the hen house.
Rebekah Johnson: Yeah, and I think that's that's another one of the warnings to give to Ofcom. With regards to allowing any entity, and this isn't just targeted at one, it's just like you said, these solutions had an appropriate time and an appropriate place. It's been almost a decade and we need to move towards informed solutions where identity is accepted. That's basically my warning to Ofcom: very quickly, very quickly on the heels of allowing carriers to block or label calls as spam to the terminating consumer, there should be a way for entities, such as NHS, to be able to associate its identity to its numbers, though there might be some fluctuations and spikes in the delivery of calls. We also saw this with COVID-related calls. Numeracle had to quickly implement a critical call registry because the COVID traceback calls were getting labeled as spam. It's broken. It's broken and we need to fix it. It's a very simple fix with identity. Accept that identity from the entities. We do this with consumers, we accept their identity, it gets verified, validated, you get a card, you get issued something and that gains you access to jobs.. purchases... flying, right? We have to take the same approach to the voice channel. My fear is if we continue to delay acknowledging that we have an identity problem, as we continue to deploy solutions for messaging, solutions for email, and solutions for social without identity, we're just going to be destroying communication channels. In fact, we're making it a lot easier for fraudulent traffic to be delivered across it because they can dodge and weave way faster than we can innovate to block it.
Keith Buell: I think another difference between a legal caller and an illegal or unwanted caller-- I've never liked the term "unwanted." I don't know what calls you want, you don't know what calls I want-- but a lot of the calls being labeled as spam are callers that come forward and say this is who I am. Here's my name, here's my address, here's my credentials, you verified me. This is my type of business, here's my TCPA compliance plan, here's, if they're a debt collector, my FDCPA compliance plan, and these are the phone numbers I use. That's the exact opposite of what the illegal callers are doing, where they hop from carrier to carrier phone number to phone number, they spoof caller ID, they don't want to use the same phone numbers time and time again, certainly not phone numbers that are linked to them or assigned to them. We've really gotten into a bad situation where the good callers emulate the bad callers emulate the good callers, and the analytics are left guessing in the dark and getting it wrong quite a bit. And I think they underestimate the harm it has to a real business. Someone that we work with, our CFO, got a call from a local Home Depot store. Not a call center, but a store in the DC area, and it was labeled as spam. It was his contractor calling to arrange payment. That Home Depot number was labeled as spam for at least a week. I haven't checked on it in the last few days. The analytics engine that did it, we had some back and forth with them and they said, "Oh, there was a spike in call volumes at the end of March." We are a month later-- that Home Depot-- I can't imagine the effects on their business if every time they try to make an outbound call, it comes up as spam. The idea that we deal with erroneous spam labeling by putting the phone number into our contacts list is just kind of a joke of an answer in my point of view. I don't put the phone number in my contacts of every store or business I've ever dealt with; maybe my doctor's office is about the only one. If I need to call Home Depot, I just Google Home Depot and the phone number. If I get a call from them today, it's probably going to say spam on it.
Rebekah Johnson: I think what we're doing here is we're putting the onus on the consumer and the business to solve the problem. Then we can just have these kinds of middlemen going, "I implemented STIR/SHAKEN and I'm not regulated, you can't tell me what to do, just do whatever." Someone's just looking to check off a list and go, "Well, I met the requirements that were put upon me. Therefore, we are good to go." It's Ofcom, wake up. That is not going to fix it. We're going to be having this conversation after you've implemented all these rules and regulations and fraud is still happening. It's like, come on, let's grow up a little bit. Let's expand our view beyond telco and understand that fraud happens and the way to fight fraud is with identity. The banks have done it. Let's learn some lessons and bring them over to this side. I'm going to say one last thing before we go to a question. The severity of why we need to address this right now is the introduction of AI. I am based in DC. There is so much activity, I know probably not just within the US, but regulators looking at how we put some controls around artificial intelligence. Because guess what, Keith? We are losing. We, the humans, are losing the ability to distinguish between what's real and what's not with the advancement of AI. AI has already made its way into the voice channel for fraud. We have voice simulation scams where these fraudulent actors will get the voice of your child. It will be screaming. It will be yelling for help. And then they get on the phone and say, I've got your child and you need to pay $50,000 to get your child back. I'm over it. Stop saying that your analytics work. It is your responsibility, if you're going to play a role in this ecosystem to stop fraud, that you tirelessly and relentlessly find ways to identify good actors and identify the bad actors. And number one, we should not even be allowing the bad actors onto this network. That's the level of frustration where I'm at now. I would love to invite others to join me in on this. This is not about keeping board members happy with revenue numbers. This is a responsibility. If you want to play in this space, then this has to be a calling for you. Otherwise, please step out of the way because all you're doing is disrupting those who can actually innovate and solve this problem. I live in fear of the damage. This is what I'm closing at. We will cause-- we, as those who are working in this space to try to stop fraudulent activities-- we will cause more harm to the consumer when we don't get this right than any fraudulent actor would ever do to a consumer. We really can cause more harm and we need to wake up to that. I think we have a question, Sarah, if you want to join us.
Sarah Blantz: We do! We have one question in the queue. Very well said, by the way. I was very entranced by that. Our question today is, how much easier is the UK STIR/SHAKEN implementation made by waiting until full IP transition?
Rebekah Johnson: Keith, I'll let you take that one.
Keith Buell: It doesn't make it easier for any individual carrier. Well, it does. There are solutions out there, they can purchase it, integrate it into their systems, it's all already been done in every switch in America, or a lot of the switches. So, the kinks have been worked out a little bit and they definitely have an advantage in waiting. In terms of implementation, the real advantage is that it'll actually work from end to end without the little gaps in the system that we talked about earlier. Whether a company can't get a STIR/SHAKEN token, or chooses not to, or has an exemption of some sort, the UK presumably won't have that problem. So, the calls that are signed will make it all the way to the end, and we just don't see that here in the US right now.
Rebekah Johnson: All right, so I would like to thank all of you for joining us for another episode of Tuesday Talks. Our next live episode will be Tuesday, May 23, and it will be hosted by Numeracle's VP of Trust Solutions, everybody loves her, Sarah Delphey, with a special returning guest, Frank Pettinato, the CEO of Avantive Solutions. Together, they'll discuss the masterclasses that they taught together at the 2023 Call & Contact Center Expo on improving end-to-end outreach strategies, utilizing an identity management platform, and implementing a number of reputation solutions featuring some dialing practices as well. And we hope to see you there!