2018-09-04

New CLI rules are a bad idea

OFCOM have come up with some new rules on Calling Line Identity. Neil Brown has done a nice article on it (here).

One aspect is good! It is that the service to show CLI has to be free now. I like that part.

However. The other aspect is on various moves to try and make CLI more reliable. This is seems to make sense as junk callers often use invalid CLIs these days, e.g. 025 numbers.

But OFCOM have gone way further, insisting that CLIs should be valid and dialable, i.e. in service and can be used to make a return call. Now this is huge. There are loads of reasons you may not be able to make a return call :-
  • Number is not valid / in service (what OFCOM want to catch)
  • Incoming call barring (a valid service which currently does not stop CLI being sent)
  • Incoming call diversion (to numbers that are not valid, etc, etc)
  • Incoming call where caller is calling withheld and withheld is blocked (ACR)
  • Incoming call where the called party has used some call refusal / blocking service
  • Incoming call to a phone system which is able to reject the call (e.g. ISDN, SIP, etc).
  • Incoming call that the called party rejects (e.g. to a mobile and press red/cancel button)
  • Incoming call that the called party simply chooses not to answer
All of these are (or were) valid services to stop someone making a return call. However, taking OFCOM strictly at their word, if any of these are in place as a service (such as incoming call barring) then the calling telco should not send CLI or possible not allow the original call, because the CLI is not one that can be used to make a return call!

It is also unclear why OFCOM decided to go this far. There seems to be some merit in expecting some basic validation, maybe, but even that may have problems. That can be done in various ways, but if considering international numbers you suddenly present the telcos with the job of maintaining lists of all valid number allocation blocks for the whole world, a complex tasks, or relying on some 3rd party to do that, placing them in a position of power if they decide not to include some block of numbers in the CLI allow list and hence not allow calls. It creates lots of scope for consumer problems, which already exists with new number blocks not routing to their destination - now we face a separate hell of new number blocks unable to route outgoing calls as the block is not in CLI allow lists.

But, even if we have that, we have already seen junk callers go from withheld to invalid prefixes. They will now simply move to valid number blocks and there will be ways to get those in to the phone network I am sure. This will create something called back-scatter. Oddly I have already seen these where junk callers are using invalid numbers as I have some 0200 numbers (which would normally count as invalid), and I suddenly started getting calls from people saying I had called them trying to sell them something. It was not pleasant, not matter how much I tried to explain (and I knew what must have happened). I had to turn off one of my numbers for this. Now consider what happens when junk callers move to using real numbers that belong to innocent victims. This will be bad.

One reason calls will get in is that a telco / carrier cannot easily verify the CLIs of calls. We are a small telco and we will be able to send any CLI we choose, not just from our number blocks. (Obviously we are strict with our customers and follow rules) But the reason we can send any numbers is (a) presentation numbers and (b) forwarded calls. If a call comes in to us from telco A and we forward at our customer's request on to a number which we send via telco B, then telco B has to trust we are sending a sensible CLI even though not one of our numbers or a call they see coming in to us.

So junk callers need to make calls from the OFCOM press office direct line CLI as much as possible, that way OFCOM will understand the issue of back scatter. [OK that is an illustration, and I am not actually trying to incite people to do that].

If anything, better education that CLIs can, and are, spoofed, would help. It is just the same with email addresses. (educating police on this fact is a good idea too!)

Sorry OFCOM, I think you have massively missed the mark here, and could cause legitimate services like incoming call barring to impact CLI for no reason, and cause back-scatter on junk calls, whilst not actually addressing the real problem.

18 comments:

  1. In my experience, the problem with non-diallable CLIs is that they tend to originate offshore. From my scanning of the OFCOM regs, the rules only apply to calls originating in the UK. I can't see that it applies to transit calls.

    Secondly, what's to stop a nefarious person just using someone else's CLI on their dodgy outbound calls? Many customers have agreements with their providers that they can present any CLI. Few people get to see the Network Number (As I customer I certainly don't) so tracing those dodgy calls will require work from the Telcos - something which in my experience they just don't want to do.

    ReplyDelete
    Replies
    1. They should make it so that scammy little companies actually cannot spoof their caller ID. Sure, big companies might need to do it and they could get special dispensation. But shame on the phone companies that allow spammers to spoof their caller UK.

      Delete
    2. I guess it depends on what you mean by "spoof". Getting your VoIP provider to support presentation numbers for ranges you are authorised to use is pretty useful, and I wouldn't pick a VoIP provider that didn't offer this — but giving me the ability to send any CLI I want is unnecessary. (And all it took was a piece of paper :))

      Delete
  2. The regulation states that for international calls the obligation to validate the CLI is the first carrier at which the call reaches the UK telephony network.
    What point is that exactly. What if the call comes in from an international DID provider over SIP to a UK carrier and then they forward it via SIP to someone else who then routes it to the BT network. Which carrier is supposed to check and how are they supposed to know they should be validating it?

    These regulations are rather late and pointless already. When BT started blocking calls from invalid UK ranges the spammers switched to calling from valid but unallocated numbers. That happened months ago so the new regulations will have zero impact on spam calls.

    ReplyDelete
    Replies
    1. I think these companies just spoof their caller ID and put in any old number anyway. I often get "International calls" from UK numbers. Invariably, when I answer it, I'm invited to partake in a Green Energy Funding Deal. The system is hopelessly insecure and has no checks or balances in it whatsoever. If it did, then I wouldn't get 6-10 calls a day from the Green Energy Deal.

      Delete
  3. I sit here reading this and the line rings. Caller ID from Estonia.

    "Good morning, Mr xxxxx. This is Catherine, calling you from Ofcom Telecom about your landline."

    That's a new one. Claim to be calling from OFCOM.

    ReplyDelete
    Replies
    1. "Hah, silly scammer, we know Ofcom would never be so proactive."

      Delete
    2. I'm sure they're very proactive at efficiently managing what I expect is likely to be a highly desirable pension scheme for their staff. But proactive at dealing with PPI scams from numbers with spoofed caller IDs? Not so sure. Then again, maybe it's not their remit, I don't really know much about telecoms.

      Delete
  4. In this day and age, consumers should be able to expect so much more than an easily-spoofed random number appearing on their handset when someone calls.

    I for one would like a complete digital profile, showing the name of the caller, their company if applicable, and other details such as web address and what they do etc. Maybe even a profile photo or company logo, that sort of thing - i.e. really consumer friendly. Then I could make an informed decision whether to take the call.

    If phone companies don't up their game and move on from a lumbering legacy infrastructure where people don't know whether "Withheld" means the hospital or their boss calling or whether it's a PPI or Green Energy Deal scammer, it won't be long before phone calls are replaced with people calling each other via services such as WhatsApp and FaceBook. Indeed, when I call my friends nowadays, I automatically place the call via WhatsApp rather than picking up the landline because Internet connectivity is ubiquitous. Furthermore, I like to think of them as "Bob" or "Alice" and not "+44 7944 xxx xxx". Who in this day and age wants to remember long numbers any more than they want to remember an IP address for their favourite website.

    Yes, technology is a great thing. Things have come a long way since the days of Alexander Graham Bell. And together we can stamp out PPI and Green Energy Deal spam.

    ReplyDelete
    Replies
    1. And who validates this information...?

      Delete
    2. Good point, I'm not sure how this would work. Could we rely on the 'wisdom of crowds'? For instance, if somebody tries to add me as a friend on Facebook, I can quickly tell if they are a spammer. They usually have really spammy looking photos, a name I don't recognise, 0 common friends with me, bad reviews, that sort of thing. In fact, I usually don't even need to look at their profile to know they're a spammer, I can tell just from the name and the timing of the request. Maybe there could be some sort of system whereby if somebody gets blocked more than 10 times and 25% of the time they try to contact someone, the phone company suspends their account.

      Somehow, just somehow, we need to tackle Spam. Together we can crack it.

      Delete
    3. In fact, having just spent the last 30 seconds reviewing about 25 street signs, maybe there could be a Captcha facility like this excellent blog of RevK's has, to occasionally check that a caller isn't a spammer/robot.

      Delete
    4. Easy enough with an IVR in asterisk, but I suspect many spammers would stop if they hit any IVR, let alone had to enter a combination of digits?

      Delete
    5. Now there's a good practical solution!

      Delete
  5. What's the 0200 range actually for? I know 020 is London, but I'm sure I've seen an 0200 number being used for number presentation to the 999 system somewhere...

    ReplyDelete
    Replies
    1. I've seen a couple of 020 0xxx... calls. I just assumed they were spammers as the '0' range can't be used unless it's always prefixed. I can often spot spammers by subtle number variations but most people can't. So although keep on making people aware of the possibility of phone spamming is good, virtually all of them have no means of identifying possible spammers from the CLI.
      Reverse directory lookup would be really useful, and I do see that sometimes on mobile phone calls (legit sales droids usually) from numbers not in my contact list. I wonder how it works - some automagical Google thingy?

      Delete
  6. More than 25% and more than 10 people would block the phone number of a legitimate High Court Sheriff collecting court ordered debts. This idea doesn't work.

    ReplyDelete
    Replies
    1. We must find a solution to the blight of Spam. There is too much Spam these days.

      Delete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.