Stopping Illegal Robocalls: It’s Complicated

September 18, 2019
Written by
Tim Beyers
Twilion

signal-2019-combat-robocalls

I remember when my family got its first cordless phone. Not being tied to a telephone cord and being able to walk around anywhere in the house and still be able to talk to someone was a panacea – especially for a 12 year old. There was a lot of classified information being exchanged between my friends and I about sports and computer games which could only be shared in the privacy of my bedroom.

It was a liberating feeling to say the least.

It was even more liberating when RIM provided me a Blackberry, email-enabled, pager for my undergraduate engineering final project. Soon after graduation, I got my first cellphone, which was just gaining mainstream adoption. It was used and had a cracked screen - but it didn’t matter. When I started getting called, I loved it. The fact that I could barely read the screen did not detract from the thrill of getting a call.

I think back to those days wistfully, because nowadays – due to illegal robocalls and phone scams – we all feel a sense of dread when the phone rings.

Illegal robocalls and phone scams

As a member of Twilio’s voice and video business unit team, I am on the front lines of developing ways to combat illegal robocalls and phone scams. We strive to bring trust back to receiving a phone call and make it something people actually look forward to again.

Recently, at Twilio’s SIGNAL 2019 event in San Francisco, I made a presentation with my teammate Christer Fahlgren about the various initiatives and solutions being developed by the industry to stop illegal robocalls and phone scams:

In our presentation, we started with a simple, important observation: it’s complicated.

Let’s start with the fact that a lot of computer generated auto-dialed calls are wanted, needed and legal. You might get an automated call with evacuation orders amidst a natural disaster, or a call reminding you of a doctor’s appointment, or a call from the airlines saying that your flight has been delayed or cancelled. These calls, delivering time-sensitive information, are both lawful and solicited. It is important that the call analytic systems used by the service providers who are responsible for labeling and making blocking recommendations, continue to treat these communications with highest reputation.

Unlawful Spoofing

In telephony, there is the ability to falsify the origination of a call by overriding the calling number. This is called spoofing.

There are many legitimate reasons to spoof, such as when a doctor calls their patient using an app on their mobile phone and the call back number corresponds to their office. Also, enterprises often use multiple outbound calling providers for cost and redundancy reasons and provide the calling number as their Contact Center number.

Unfortunately, bad actors are using computers to launch a large volume of calls and exploit the spoofing security hole to impersonate identities. The most common form of unlawful robocalls is neighbor spoofing: when someone uses a number similar to yours (say, it matches the first 6-digits of your phone number). Familiarity breeds trust; criminals are exploiting the trust you put into what you think is a familiar number to get you to answer the phone.

Another very frustrating scenario is when a fraudster hijacks a legitimate number for an illegal robocalling campaign placing thousands of calls. Recipients see a missed call, and call back to the legitimate owner of the number, whose phone starts ringing continuously.

So how do we stop unlawful spoofing?

Meet SHAKEN/STIR

This is where SHAKEN/STIR (Signature-based Handling of Asserted information using toKENs/Secure Telephone Identity Revisited) comes into play, a protocol you may have heard of that has gotten a lot of press coverage lately.

STIR is a protocol developed by the Internet Engineering Task Force (IETF), and SHAKEN, developed by the Alliance for Telecommunications Industry Solutions (ATIS) and the SIP Forum,  specifies how STIR will be transported in SIP “on the wire” and provides implementation guidance for service providers.

Said simply, it tells the recipient of a phone call if the caller has the right to use the calling number by displaying a green checkmark or similar indicator; it’s meant to bring the same feeling of trust you get when you see a lock next to the URL in your Web Browser.

That’s a high level overview, but Christer went into great detail about SHAKEN/STIR starting at the 10:30 mark of our presentation.

Verified Wireless Caller

In SHAKEN/STIR, consumers and businesses are incentivized to be good citizens in telephony because:

  1. It provides near instant traceback of bad actors
  2. Treatment of their future calls is based on the reputation of their past calls (as determined by the call analytics engines used by the wireless and wireline operators)

At the 21:30 mark of our presentation the following calling best practices listed:

  • Use a valid assigned calling number
  • Don’t call unassigned numbers
  • Don’t use the same calling number for multiple calling campaigns
  • Always comply with the federal and state Do Not Call registry, and TCPA guidelines
  • Consumers provide direct feedback to call analytics using apps on their phones

Beyond SHAKEN/STIR

Baseline SHAKEN/STIR addresses the issue of unlawful spoofing, but at Twilio, we’re trying to take things a step further to give the end user even more information.

Near the end of our presentation, Christer and I mentioned that Twilio is developing a new approach to identification when a call arrives to a consumer. With this approach, their phone would not only indicate that a call is verified and legitimate, but would also display the name of the organization that is calling them and why. This approach will also ensure that the calls of our customers reach their audiences.

At SIGNAL 2019, we introduced Verified By Twilio which provides the actionable information consumers need to decide whether to take a call or not.

For example, remember earlier when I mentioned automated calls from airlines alerting you of a delayed or cancelled flight? Right now, that number still shows up as just a number and that’s it. With Verified by Twilio, the image on the phone would look something like this:

Black & White - Version 10.1 - Verify Logo.png

Twilio encourages consumers to download one of the call identification apps – CallApp, Hiya, Robokiller, and YouMail – to start blocking unwanted calls today and to be prepared to receive information when Verified By Twilio is fully available in early 2020.

It is an initiative we hope will be embraced across the industry. We have opened it up to private beta and welcome applications from businesses and organizations - such as carriers and operating systems, in addition to apps - to participate by visiting twilio.com/verified-by-twilio.

Towards trusted communications

A lot of work still needs to be done before we will have rid ourselves of the illegal robocall threat. And to be honest, we may not fully eradicate illegal robocalls entirely, but given enough time and effort, we can mitigate it like we have with email spam.

Our intention is to work with stakeholders across the entire telecommunications industry to restore trust in the phone call and make it something people trust and look forward to again, like we used to.

Tim Beyers is a 15 year veteran in datacom and telecom and is leading the trusted telephony initiative at Twilio. He can be reached at tbeyers [at] twilio.com