Monday, 16 June 2014

Catching junk callers

I posted recently on some annoying junk callers, who, like most now, seem to call with a pre-recorded message and then you press a key to be put through to someone.

These are illegal for two reasons - firstly it seems they do not check the Telephone Preference Service, and secondly because they are calling with a pre-recorded message without agreement from the called party. Both are illegal.

What is interesting is that they are smart enough not to call from withheld numbers now. The latest lot are calling from 0843 numbers, which are somewhat unusual and expensive numbers to call back. They are also calling from different numbers within a large range, presumably to bypass the blocking services offered by some telcos.

So what I did was identify three blocks of numbers that had managed to get calls to me personally (and I am on TPS). In fact they managed to hassle me so many times I got annoyed, hence taking action.

The three blocks so far are 0843960, 0843410, and 0843724. I have made these a "known spammers" list and added a feature to A&A VoIP to allow blocking of such calls. This is default on all unallocated numbers, and was briefly for new numbers.

Now, there have been a couple of queries on this. The lack of transparency of the numbers (as I had not published the list) or the process for getting on the list. No process for how someone appeals to get off the list, and so on.

This is not surprising - and is ironically all of the reasons why we don't block access to some web sites. Being the custodian of the "bad people" list, or even subcontracting that list to someone, is problematic. For email spam, there are well-established software systems for scoring spam that are pretty impartial, and do not generally rely on one source of badness rating.

Even so, I feel these criticisms are valid for the junk callers stuff, and I welcome comments on how to proceed?
  • Should I scrap the idea (apart from my own numbers and unallocated numbers)?
  • Should I have per-person sets of junk callers to block (hard work, but possible)?
  • Should I have some system to crowd-source junk caller numbers - maybe even a way you press keys on your phone or dial something after the call to mark as a junk caller?
  • Could I automate it at all? These junk callers use a pre-recorded message - could I make a system to hash the first few seconds of the caller's voice and look for duplicates? Quick, let's patent* that :-) 
What do people think I should do?
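
The duplicate-detection idea in the last bullet, sketched as an added example (not code from this post or from A&A). A byte-for-byte hash would fail on any change in gain or line noise, so this swaps in a frame-energy fingerprint compared by bit distance; the 8 kHz mono samples, the 50 ms frame size and the tone-based test messages are all constructed assumptions.

```python
import math
import random

RATE = 8000      # assumed telephony sample rate (samples per second)
FRAME = 400      # 50 ms of audio per frame
SECONDS = 3      # "the first few seconds" of the call

def fingerprint(samples):
    """One bit per frame boundary: does loudness rise (1) or fall (0)?"""
    head = samples[:RATE * SECONDS]
    energy = [sum(s * s for s in head[i:i + FRAME])
              for i in range(0, len(head) - FRAME + 1, FRAME)]
    return [int(b > a) for a, b in zip(energy, energy[1:])]

def distance(fp_a, fp_b):
    """Number of differing bits between two fingerprints."""
    return sum(x != y for x, y in zip(fp_a, fp_b))

def is_same_recording(a, b, max_bits=5):
    """Treat two calls as the same message if few fingerprint bits differ."""
    return distance(fingerprint(a), fingerprint(b)) <= max_bits

def tone_message(step):
    """Constructed stand-in for a recorded message: a 440 Hz tone whose
    loudness changes every frame in a pattern set by `step`."""
    out = []
    for n in range(RATE * SECONDS):
        level = 0.2 + 0.08 * ((n // FRAME) * step % 10)
        out.append(level * 10000 * math.sin(2 * math.pi * 440 * n / RATE))
    return out

def degrade(samples, gain, seed):
    """Same message heard on another call: different gain plus line noise."""
    rng = random.Random(seed)
    return [round(gain * s + rng.uniform(-50, 50)) for s in samples]

if __name__ == "__main__":
    msg_a, msg_b = tone_message(3), tone_message(7)
    print(is_same_recording(msg_a, degrade(msg_a, 0.5, seed=1)))  # same message
    print(is_same_recording(msg_a, msg_b))                        # different message
```

The comparison assumes both recordings start at the same point in the message; calls answered at different offsets would need the fingerprints slid against each other before counting bits.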

Whatever I do I'd like it to be transparent, optional, and impartial.

For now, this is no longer default for new lines.

What happens to these calls? Well, they get to a pre-recorded answer saying they will be recorded and published and then sending DTMF, and then asking who the calling company is before telling them they are breaking the law and to f-off. The recording then goes to me to vet (they were warned it would be recorded), which I can usually do by looking at the wave form and not even listening to the call - if it is clearly one of these junk callers, I forward to the ICO as a formal complaint asking them to take enforcement action.

Today the ICO responded saying they will keep the complaints on file but were not able to identify the caller. I pointed out that the calls have a CLI which is almost certainly valid as it is expensive / revenue generating and so nobody would fake someone else's expensive CLI. I even provided the number ranges from the OFCOM list for them and asked them to contact those telcos to identify the callers. I can't be sure the CLI is not spoofed, but it seems unlikely.

The plan is to keep sending to the ICO until they do something.

* I know I can't patent an idea I just made public - you don't need to say.

[update] Oddly ICO say they cannot investigate individual calls! Well why the hell not - the law says I can ask them to exercise their enforcement action and I'm going to keep asking them until they do or the law changes. Grrr.

15 comments:

  1. I like it.. I no longer get random 08xx numbers calling me on my mobile.

    Maybe run it like a DNSBL - make sure there's a way to appeal being on the list (which means recording why they were on it in the first place) and maybe a web interface for that.

    Per user is a lot of work, but maybe levels.. 'absolute confirmed spammers' (eg. hit 1000 numbers in under an hour) down to 'probably dodgy' (complained about, listed on whocallsme, etc.)

  2. In my experience, it is usually Ofcom, rather than the ICO, which investigates nuisance calls. The ICO, however, has been very active in the enforcement of the Privacy and Electronic Communications Regulations with respect to spam SMS.

    The ICO does have powers to mandate communications providers to release information, including subscriber information, for the investigation of breaches of the Regulations: Regulation 31A. The ICO makes pretty extensive use of this power in terms of spam SMS, and does have an enforcement team which is reasonably familiar with obtaining subscriber data from CLI.

    Did you make an informal request to the ICO for assistance, or a formal request? If you made an informal request, you might consider either making a formal request under Regulation 32, although it is just a request, with no power to compel the ICO to take action, else you could make a "request for assessment" under s42, Data Protection Act 1998 (presumably on the basis that, since you are on the TPS list, the caller fails to process personal data — your personal phone number — in a lawful manner, and thus fails to comply with the first data protection principle?). Again just personal experience, but the ICO does seem to assess on request, even though, strictly speaking, it is not clear from the statute that this is required.

    Of course, aside from approaching the regulator, you might wish to attempt to identify the telco to which the numbering range has been assigned, and approach them for voluntary disclosure of the subscriber information, citing one of the exemptions — s35, Data Protection Act 1998, for example, asking that this information is released to you (to the extent that it is personal data) to enable you to take legal action yourself, via Regulation 30, PECR. Of course, a communications provider is not required to disclose to you in these circumstances, and it may be prudent for them not to do so (as they would need to be satisfied that the disclosure was "necessary", which is a high threshold, and they are on the hook for wrongful disclosure if they make a wrong decision), but you might get lucky?

  3. The PECR states that "19. (1) A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances referred to in paragraph (2)."
    Why the distinction between "transmit" and "instigate the transmission of"?
    Could it be argued that the intent is to make the telco responsible for carrying known dodgy calls? So, if you notify "Smashbox Marketing Ltd" - the owner of the 0843960 block - that you are receiving junk calls from their customer(s) and then go after them for compensation in the event that you continue receiving calls.....
    Just a thought.
    Mind you, if the ICO refuse to do their duty under the law, don't they become a target for compensation claims themselves?

    Replies
    1. The distinction is to stop the case where scummy telco (UK) gives a list of numbers to scummy telco (India) who make the calls - the UK branch is the instigator and can still be prosecuted.

    2. I understood the "transmit or instigate the transmission of" to be a safeguard against outsourcing becoming a loophole: "It's not me making all those spam calls selling my double glazing, it's PhoneSpamCo, so go and talk to them". Requiring telcos to terminate customers who violate this would be a positive step, though.

      Personally, I would love to have the *option* of this blocking list - or rather, access to the contents, so I could apply it on my own Asterisk server - and the facility to nominate new entries too.

      I think I've mentioned on this very blog that I'd like a UK-wide shortcode for reporting such calls: just dial, say, 17726 after a spam call, and the caller is blocked and reported to ICO/Ofcom for enforcement action. Easy to pick out the most prolific offenders and make an example of them.

  4. Ofcom may not wish to identify the caller but they already publish info about which telco issued the 08xx (or whatever) numbers in question, see
    http://www.ofcom.org.uk/static/numbering/index.htm#special

    Anyone sufficiently motivated can go from number to telco name. From there, other things become possible. E.g. someone could report the top 5 spamming telcos to the companies themselves and to Ofcom/ICO once a week.

    E.g.
    0843960 Smashbox Marketing Ltd
    0843410 Recruitment4U Ltd
    0843724 Lanonyx Telecom Ltd

    Now obviously the telco that issued the number may not be the company at fault, but I'm sure the telco wouldn't want their customers abusing the rules, would they, so they'd presumably encourage their customer to start behaving. Or else. Right?


  5. You may like to tweet @Lanonyx to let them know when their customers are misbehaving. They appear to be a legitimate telco.

  6. Asking the telco to take action does not always work. When I had some spammy phone calls and verified the CLI by calling back and getting through to the same people, I contacted the telco in Ofcom's numbering database. They denied they owned the range and said they "don't care what our customers use our lines for".

    Replies
    1. That's still occasionally a problem with hosting providers and spam too.

      Same solution - their entire block goes on the spammers list. Attitudes tend to change after that (of course most people don't use phone number blocking so it may not be quite as effective).

  7. It should be quite a simple matter to have an individual database for each caller. It simply does the same look up as it would normally do, for routing purposes, but on a direct hit it routes the call to a nice message and records it. A different message could/would flag a review.

    Yes it's another database to hook up, but should be fairly simple.

    The other bit about auto-reporting via a few keypresses, well, you would know better than us how easy that is, but again, you store it for billing I expect.

    It would be a great extra service - I'd pay £5 a month for it. (Though I'd have to route my existing number somehow)

    Replies
    1. I found myself wondering about this very subject a while ago, and wondered if something similar to ip6tables might lend itself to this, allowing for user-defined rule sets to handle routing of incoming calls, with predefined targets such as ACCEPT, DROP, REJECT, working similarly to ip6tables, additional targets such as forward to another number; matching calls by source telephone number and destination telephone number (where the user has multiple numbers or a block of numbers), day and time of day.
      Why ip6tables; I found myself thinking that a telephone number is longer than an ip4 address, but if coded into IP6 in binary-coded-decimal, would fit nicely, possibly using 'f' for a wildcard; so to reject spam calls from 0843960xxxx the command line might be

      phonetables -A INCOMING -s 44843960ffff -day any -time any -j REJECT

      Of course, using 'f' as a wildcard possibly isn't the cleanest solution, there are probably far better solutions, such as just treating it as a string

      A bit of additional code to allow users to define lists of friends, enemies, etc, and a simple ruleset might then look like:

      FAMILY=(0123456789,01345678901,01456789123)
      WORK=(01344400*,03333400*) # No, I don't work for AAISP
      DRINKERS=(02345678901,03456789012)
      phonetables -A INCOMING -s @FAMILY -j ACCEPT
      # Allow calls from work numbers from 8am to 10pm only
      phonetables -A INCOMING -s @WORK -time 0800:2200 -j ACCEPT
      phonetables -A INCOMING -s @WORK -j VOICEMAIL
      # Reject stuff on AA's spammer list (defined elsewhere)
      # which is of course optional, and users can always add accept
      # rules or define their own additional reject lists
      phonetables -A INCOMING -s @AA-SPAMMER-LIST -j REJECT
      # I'm down the pub on Friday night, redirect drinking mates to mobile
      phonetables -A INCOMING -s @DRINKERS -day 5 -time 1800:2330 --redirect 07123456789

      Add in a nice browser based interface and a bit of back end parsing for sanity, similar to some of the better firewall configuration interfaces on some routers, and presto...

      (and it could then be extended to set flags like record call, record call with warning, play number changed/redirecting message, assorted other flags that seemed like a good idea at the time, etc.)

      It doesn't have to be too simplistic, as your user base is sufficiently technically literate to handle it, and if not, well, there's consultancy fees to be had..

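
The `phonetables` tool in the comment above is hypothetical. As an added example (not code from the thread or from A&A), this is how first-match evaluation of those rule lines could work, treating numbers as strings with a trailing `*` as a prefix wildcard. The contents of `@AA-SPAMMER-LIST` (the three blocks named in the post), ISO weekday numbering for `-day` (5 = Friday) and the default ACCEPT policy are assumptions.

```python
import shlex
from datetime import datetime

# Named lists from the comment; a trailing * matches any number with that prefix.
LISTS = {
    "FAMILY": ["0123456789", "01345678901", "01456789123"],
    "WORK": ["01344400*", "03333400*"],
    "DRINKERS": ["02345678901", "03456789012"],
    "AA-SPAMMER-LIST": ["0843960*", "0843410*", "0843724*"],  # assumed contents
}
RULES = """
-A INCOMING -s @FAMILY -j ACCEPT
-A INCOMING -s @WORK -time 0800:2200 -j ACCEPT
-A INCOMING -s @WORK -j VOICEMAIL
-A INCOMING -s @AA-SPAMMER-LIST -j REJECT
-A INCOMING -s @DRINKERS -day 5 -time 1800:2330 --redirect 07123456789
"""

def parse(line):
    """Turn one rule line into {option: value}; every option takes one value."""
    tokens = shlex.split(line)
    return dict(zip(tokens[0::2], tokens[1::2]))

def in_list(number, name):
    return any(number.startswith(p[:-1]) if p.endswith("*") else number == p
               for p in LISTS[name])

def matches(rule, caller, when):
    if not in_list(caller, rule["-s"].lstrip("@")):
        return False
    day = rule.get("-day", "any")
    if day != "any" and int(day) != when.isoweekday():
        return False
    window = rule.get("-time", "any")
    if window != "any":
        start, end = window.split(":")
        # HHMM strings compare correctly; windows crossing midnight are not handled.
        if not start <= when.strftime("%H%M") <= end:
            return False
    return True

def route(caller, when, rules=RULES, default="ACCEPT"):
    """Return the target of the first matching rule, as iptables chains do."""
    for rule in map(parse, rules.strip().splitlines()):
        if matches(rule, caller, when):
            return rule.get("-j") or "REDIRECT " + rule["--redirect"]
    return default

if __name__ == "__main__":
    print(route("08439601234", datetime(2014, 6, 16, 10, 0)))  # call from a listed block
```

Rule order carries the policy: the timed ACCEPT for `@WORK` has to sit before the catch-all VOICEMAIL rule, and any per-user accept rule has to sit before the shared reject list to override it.
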
  8. Would it not be possible to add a specific SIP header for "spam" calls and then let us handle them how we wish? Personally I have my own black list (although not extensive) and I send anything which is on that, or is withheld, to a call routing table, which basically says if you're real and want to talk to me, press 1.
    On the whole this works well, but if it were possible to tap into a bigger / better database, that would be even better!

  9. In playing with Asterisk (Open Source PABX), I stumbled upon a feature where you could play a short tone to all incoming calls. If a human is calling you, they will ignore this, but if it's a dialler of some sort, it will interpret this as an NU tone and hang up. This is great because only calls that stay on get referred onward by Asterisk.

    Replies
    1. That does not stop them calling other people though! They need fining.

    2. Agreed. However, I notice that some are calling from abroad (I know not where), and they are probably beyond such measures as fines. All I get on caller display is "International", so how to deal with these is an altogether more troublesome problem if one doesn't have some kind of technological solution.
