Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand, identity, and communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today's session with Anis Jaffer, Chief Product Officer at Numeracle. Anis, it's been so long since we've been on the podcast together. We've had so many awesome guests and had a little bit of a podcast takeover.
Anis Jaffer: It's really exciting to see the podcast take on its own new life. Here we finally are again, joining each other after quite some time. It's good to see you on the podcast, and I'm excited to be back here.
Rebekah Johnson: A funny thing about having Pierce Gorman as a guest host is I appreciate him going through the experience of setting up and preparing for the Tuesday Talks podcast. When I listen to him, I think that guy's really good. How do I get him to work at Numeracle? Then I realize he is at Numeracle, and that's awesome! I am really excited to see the Numeracle team highlighted throughout this podcast to let others see how amazing, intelligent, thoughtful, and passionate the Numeracle team is about truth, digging deep into the technology, and bringing reality to the decision makers so we can make decisions for our own businesses and organizations in order to establish trust. That made me really proud, and I want to take a moment and thank the rest of the Numeracle team for filling in for us.
Speaking of things that I am passionate about, this podcast episode will focus on the robotext NPRM from the FCC. This is something we saw coming. I believe it was in January of this year on one of our podcast episodes that we talked about how Chairwoman Rosenworcel hinted at the problem we have with illegal and unwanted text messages, just like what the FCC saw when trying to stop illegal activity on the voice side. It goes hand in hand that fraudulent actors will exploit the voice channel and messaging channel. We have been laser-focused. By 'we', I mean the FCC, Congress with the TRACED Act, State Attorneys Generals, service providers, carriers, and analytics providers.
There are a lot of players laser-focused on how to stop illegal robocalls. The FCC is at that point now where it's been three years since the TRACED Act, and reply comments are being filed so the FCC can assess how they are doing. Is STIR/SHAKEN achieving what they sought to achieve? If not, they need to go back to Congress and report on what needs to be done. I find it interesting that we have this Notice for Proposed Rulemaking around robotexts, but before I go into it, I want to cover why the FCC is doing this and what the scope of this Proposed Rulemaking is.
I'd also like to unpack some of the challenges this NPRM brings into the market. The call to action for this podcast is for people to file reply comments to the FCC. We need a lot of comments filed on this particular Proposed Rulemaking. Anis, any quick thoughts before we dive in?
Anis Jaffer: From my perspective, I looked at the NPRM, and it seems like it was put together by folks who are not really from the messaging space but who know enough about it. They took a lot from what's happening in the voice channel, so I saw references to implementing call authentication, having a Do Not Call registry, or implementing something similar. It briefly mentioned leveraging STIR/SHAKEN.
The people who put this together have a bit of an understanding of what's going on, especially on the voice side, but they're trying to translate that to the messaging channel. I'm not sure if that's the right approach. That's how I saw it, but again, I am not as familiar with the whole process of how the FCC goes about it. That's where I would like you to relay, in a way that anybody can understand, what it means to go down this path and add some predictions.
Rebekah Johnson: A good question to start with is, why? The people involved all agree on the why. In 2020, The Commission (FCC) received approximately 14,000 consumer complaints about unwanted text messages, representing almost a 146% increase from the complaints before. Unwanted text messages present the same problems as unwanted calls. At least, that's how the FCC views it. They invade consumer privacy, and they are vehicles for consumer fraud and identity theft. The reason why messaging is another avenue for bad actors is because anonymity exists.
Here we are, yet again, where the bad actors know they can commit behind-the-scenes crimes and defraud consumers because you can't identify who they are. I applaud and acknowledged the reasons why we're focused on this, and I'm in alignment with the FCC that something must be done. It doesn't mean that something isn't being done, and that's one of the things that I want to address on this podcast. It's something that we need to report back to the FCC regarding the activities and actions that are occurring today. This brings me to my first point: this really should have been a Notice of Inquiry. I don't think I'm alone on that.
Anis Jaffer: What's the difference? For folks who don't know how to distinguish the two, what's the difference between an NPRM and a Notice of Inquiry?
Rebekah Johnson: An NOI, or a Notice of Inquiry, is an opportunity for the FCC to establish that they're thinking about a Rulemaking in this particular area but need a lot more information before they can propose what rules might be implemented. When you look at the beginning of the NPRM, you'll get an understanding of the foundation from which the proposed rules are coming from.
To your earlier point, it's pulling language from the voice side. STIR/SHAKEN is a standard with a technical solution. That technical solution is based on a particular infrastructure that's used for the voice channel. Messaging, texting, or however you want to call it, is a completely different pathway and a completely different relationship with phone numbers with completely different providers. For instance, in voice, we have gateway providers, and in messaging, we have aggregators. The delivery of the messaging is very different.
Right off the bat, we should absolutely not look at STIR/SHAKEN and pick it up and apply it to messaging. With the one caveat that STIR/SHAKEN does provide a good intro into needing to know something about who's delivering text messages and why and establishing if they have the authority to do so. That's all we're gleaning from it, but you can't take that set of standards and apply attestation levels. We can't apply all those concepts directly to messaging.
Anis Jaffer: Now that the FCC has proposed the NPRM, what's next? What's the current scope that it is touching, and where do they want to go next?
Rebekah Johnson: Now that it is an NPRM, that means they already know what sorts of rules they want to pass, and they've outlined them for us. I'm going to read from the NPRM on the scope and then dissect that. "The FCC proposes to require mobile wireless providers to block texts at the network level that purport to be from invalid, unallocated, or unused numbers and numbers on a Do Not Originate list." That sounds familiar.
It also seeks comments on the "extent to which illegal number spoofing is a problem with regards to text messaging today, and whether there are measures The Commission can take to encourage providers to identify and block texts that appear to come from illegally spoofed numbers." As far as I know, that's not really an issue. The last element is, "in addition, the FCC seeks comment on applying Caller ID authentication standards to text messaging." Here we are back to really talking about STIR/SHAKEN. There are three levels to this.
Let's talk about that first one, it never fails. When we prep for a Tuesday Talks episode, whatever the topic is, something's going to personally happen to one of us that's related to the subject we're discussing. It happened to me today, so I thought, here we go. Let's test out the first proposed rule around invalid, unallocated, and unused numbers. I received a text message today that looked legitimate. It's a ten-digit long code, not a short code. We're going to save breaking that stuff down for another podcast. So I have a ten-digit long code, and I, like every other American, get a lot of deliveries to my house. I received this notice saying, "The USPS (the United States postal service) is having issues delivering your package. Would you please click on this link and give us your updated address?" Of course, I'm going to click on the link, open it up, and it looks just like the US postal service. I click on the tracking number and do a number lookup.
What's the first thing I see? Scam, scam, scam. They were using the same number, and every single one was a scam. So I thought, aha! I wonder if this number is unallocated or invalid. I did a quick lookup, and it turns out that T-Mobile owns it, which didn't surprise me because I'm a T-Mobile customer. Here is where, if we were to apply STIR/SHAKEN and those voice concepts, we would think that it's T-Mobile's number and that T-Mobile originated the call. They should have attested what they know about the entity and then delivered it because they should have known it was being delivered within their network.
But that's not how messaging works. A voice call from T-Mobile will stay within the network and terminate to me if I'm a T-Mobile subscriber. But there's no way for T-Mobile to know that that number is being used for messaging. That is one of the broken parts of messaging, especially with 10DLC. We can't use the concept of allowing carriers to block based on that, or else it will have a negative impact. We need more studies, and we need more research. I don't think there's anything right now that will stop that. The message looked very legit.
Anis Jaffer: Any number, whether it's unallocated or allocated, there are two components. You have the carrier, and you have the alternate carrier for messaging. You could technically have the same number allocated to two different carriers, one for voice and one for messaging. It could have been very much possible that the number that sent the text to you was not even on T-Mobile for the messaging. We don't know that.
Rebekah Johnson: Exactly. It's the same thing in voice too. T-Mobile could issue a telephone number that gets sold or resold and is then used by an enterprise. It's the same problem we have in voice, but the pathway is very different. Aggregators have to play a role, but I don't know what the FCC's authority is on aggregators. They probably don't want regulation or to be brought up underneath an umbrella.
At the FCC, the consumer group is putting out this NPRM. They looked at the voice channel and saw that it worked over there, so why not bring it over here to messaging? That was the first red flag when I was reading it. We need more education on this infrastructure if they're going to pass rules on a technical level because it has to be in line with the technology being used.
Anis Jaffer: It makes sense if you're not familiar with the space that you're coming from the consumer side. You're looking at the problem as a consumer and figuring out what solutions already exist. Since there is something, they figured they'd try and see if they could replicate it for messaging. That could be the background of this.
Let me ask you about the Do Not Originate list. Did they specifically mention that there is a Do Not Originate list for messaging?
Rebekah Johnson: Sort of. There is the concept that a consumer can text 'Stop,' whether that be to a short code, a six or seven-digit number, or a long code, which is a ten-digit number. For whoever's using that particular number, it'll block future messages to that consumer. With my telephone number and example, I'll probably text 'Stop' to that Scam number that I got.
Sometimes the bad guys actually adhere to their own personal opt-out lists, which is really weird. I don't know if this is actually still the case, but in the messaging space, there is a provider who, if they saw a stock come back through their network from a consumer for a particular number, a block would get implemented at that hop, which is a concept from voice terminology. If another message tried to come through, it would say that the consumer opted out, so don't allow future messages to go through. It's the same thing we have in voice right now.
Anis Jaffer: But that still depends on the provider implementing the solution. They're all siloed, and there is no single Do Not Originate list.
Rebekah Johnson: Right. I don't think we should entertain the idea of using an opt-out list or a Do Not Originate list. Let's pause on that because we're forcing Do Not Originate lists to make sense in messaging. Do Not Originate lists on the voice side is an enterprise marketing number and no messages should originate from this particular number. I don't think we have that on the messaging side. Then we have the Do Not Call concept on the voice side, which would be consumers saying I don't ever want to receive text messages. This is where there can be confusion on the messaging side.
These concepts are very specific to voice and we should not bring them over into the messaging channel for that very reason. It's not only what this NPRM is saying, it's what it's not saying. I was shocked that it doesn't say 10DLC, it doesn't say short code, it doesn't refer to the CTIA short code best practices, it doesn't acknowledge the campaign registry, it doesn't acknowledge what AT&T and T-Mobile are doing in order to get identification at the origination side, etc. I don't know if that was intentional, but I want to believe it wasn't. That's where we need more education with the FCC on all the activities that are already in place. These are active, so I expect that we will see comments from aggregators and those working in 10DLC who have been working on this topic for years.
Anis Jaffer: I was just going to ask about the fact that 10DLC was not mentioned and the impact of that. Currently, it's been campaign registries that enterprises are using. That's not even highlighted in the NPRM. For me, that's a miss, whether it was intentional or not.
Rebekah Johnson: I have one last comment before I throw you a curveball question. With all that said, my point is this is a really hard NPRM to respond to because the initial response is about cost. You need to go back and get a deeper understanding of the technology before proposing any rules. That's the biggest challenge when responding to this Notice for Proposed Rulemaking. I'm very fearful that this will plow right on through, and I honestly don't know what in the world we, as an industry, would do to react and respond to this Rulemaking when it's completely void of knowledge on the technology.
Anis Jaffer: The other aspect that it's missing is that it completely ignores the operating systems and device manufacturers.
Rebekah Johnson: Yes, the gatekeepers of what the consumer sees. I don't care what we do in voice or messaging, there are players that are the device operating system providers who have the last say so. I am curious, Anis, what do you think will happen in that space, and what is happening to address this whole fraud?
Anis Jaffer: There's a lot going on, especially with Android devices. Obviously, the two big developers are Apple and Google. They are the major manufacturers of operating systems and mobile devices, so they have their own perspectives on their user experience. They definitely do not want consumers getting spammed or scammed. At the end of the day, they want to make sure they provide the right experience.
With Google, there was a conference in Dublin this past August, I think it was called RCS World. They discussed pushing RCS, which is now available as part of their Messages App. That has been their primary way of getting RCS, especially to clients. In some of the numbers and statistics that were mentioned, the Messages app has grown to 500 million global users. In the last twelve months, they highlighted that they've grown by 50% and expect to top that in the next twelve months, which is tremendous growth if you look at it purely from an Android perspective.
We also know that the carriers in the US, all three major carriers, which are AT&T, Verizon, and T-Mobile, have announced that the Messages App will be an OEM app for all Android phones, which corroborates the information that Google is putting out. They're expecting it to grow even further, so significant growth is still expected. With RCS, they also have Business Messaging where enterprises can leverage and push information.
They have definitely highlighted verified identity to make sure that enterprises are identified when they are pushing or sending messages, the experience of the consumers as Android users, which would mean logos in real-time with rich data content, and spam protection was another highlight that they mentioned, and also receipts for Messages. When you read a message, you get a receipt back to the enterprises. That whole interaction improves the experience, so that's what Google is pushing, and they are trying to get Apple to adopt RCD as well.
I'll talk about a couple of things that they did. There was a marketing event, I think it was called "Get the Message Out," where they were pushing Apple, Twitter, and any social media that they could find and getting them to react to what they wanted to accomplish on the RCS side. I also saw that there's a petition on Change.org that people can sign and again ask, or force, Apple to adopt RCD. That's all happening on the Google side.
Meanwhile, Apple has been pretty much a tight left; we know how Apple is. I think there was an interesting interview where Tim Cook was asked about Apple's reaction to Google's RCD push. He pretty much said that's not a top priority for them because their users have not asked for it. There was even someone who asked a question about their mom being on Android, and he's not able to send messages, to which Tim Cook responded by saying you should just get her on the phone. That's Apple being Apple. I'm not sure if they're completely not working on it. I think they're doing something, they're just not being open about it.
And of relevance to this whole topic is the Digital Markets Act in Europe, which was approved and passed in September of 2022. One of the things highlighted in the Act is interoperator for large messaging platforms. If you need to be able to send messages between Apple, Google, and WhatsApp, having that cross-platform interaction is something they will force the gatekeepers to do. At least, that's how the Act has been proposed. It's supposed to be enforced in March of 2023, so the next five to six months will be interesting.
We could either see an open adoption of this app and have the ability to have cross-platform messages, in which case all the things happening here in the US will also fall in line. I don't see a reason why once you have the cross-platform capabilities, I don't know why it wouldn't be implemented here. That's what's happening in the messaging world, and again, there are a lot of things to watch.
Both Apple and Google are doing things in their own space, but at this point, Google is definitely pushing RCS, and it is helping them that the major carriers in the US have also agreed to push messages as the OEM app, which is going to help further push RCS. With Apple, we have to wait and see whether they're going to adopt or they're going to continue to operate in their own little garden. So we'll see.
Rebekah Johnson: Yet again, I think it comes down to identity and the entry point, not just the terminating side, which is catching the garbage and then sifting through it. Taking that approach is just not going to work. It's not going to work, and we don't have time. But 10DLC really ended up creating vulnerabilities within the ecosystem, and 10DLC was a bit of a reaction to maybe controls on the shortcode side.
I think the industry has created a bit of a mess on its own. In hindsight, we probably could have made some different decisions, but it always comes back to identity. Disclose who you are and what messaging you want to deliver. We can't even visit another country until I disclose who I am. How long am I going to be here? Why am I visiting? Who am I visiting? We have to do this as individuals, and we will have to do the same thing with all forms of communication. Don't expect us to stop at text messaging, as you mentioned.
This will cross over into WhatsApp, social media, and any communication channel at the end of the day. As long as we allow for anonymity, where you can pop up any kind of account in a matter of seconds, we're going to have this problem, and it shouldn't be the receiver of this data who's fully responsible for stopping it.
Anis Jaffer: I agree, and I think all the major providers are taking note of that. You can see verified identity being tried in every one of these instances. We just want to see whether it's going to be one single common identity platform or if it's going to be multiple. I'm assuming it's probably going to be multiple, given how they operate. We'll watch how things shake out.
Rebekah Johnson: And please, no more 1990s retro centralized repositories. On that note, we'd like to thank all of you for joining us today for another episode of Tuesday Talks. Our next live talk session will be on Tuesday, November 8th, hosted by Sarah Delphey, who you heard as a guest in our last episode on the future of STIR/SHAKEN and the importance of identity for communications. We hope to see you there!