I. INTRODUCTION AND EXECUTIVE SUMMARY
1. This Report is submitted to Congress by the Chairman of the Federal Communications Commission (FCC or Commission), pursuant to the Truth in Caller ID Act of 2009 (Truth in Caller ID Act). The Truth in Caller ID Act prohibits the spoofing of caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value. Fraudulent and harmful spoofing has become increasingly widespread, with serious economic and public safety consequences. The Truth in Caller ID Act, which was signed into law by President Obama on December 22, 2010, directs the Commission to adopt implementing rules and “report to Congress whether additional legislation is necessary to prohibit the provision of inaccurate caller identification information in technologies that are successor or replacement technologies to telecommunications services or IP-enabled voice service.” The Commission issued rules implementing the Truth in Caller ID Act on June 22, 2011.
2. In furtherance of its obligation to adopt rules implementing the Truth in Caller ID Act, the Commission issued a Notice of Proposed Rulemaking on March 9, 2011, seeking comment on proposed rules. To assist in the preparation of this Report, the Commission also sought comment on what “technologies parties anticipate will be successor or replacement technologies to telecommunications services or IP-enabled voice services,” and on the “provision of inaccurate caller identification information with respect to such technologies.” The Report discusses areas identified by commenters where the statute and the Commission’s implementing rules may fall short of protecting consumers from caller identification spoofing done with the intent to defraud, cause harm, or wrongfully obtain anything of value. Looking forward, the Report discusses several newer types of communications services including, for example, text messaging and social media, and identifies issues that may arise with the potential to deceive consumers by providing inaccurate identification information in conjunction with such services.
3. This Report is organized as follows: This Part I provides an introduction to and executive summary of the Report. Part II reviews the technological evolution of caller identification information manipulation. Part III describes the application of the Commission’s rules implementing the Truth in Caller ID Act, and addresses caller identification manipulation using voice call technologies that remain uncovered by the Commission’s rules implementing the Truth in Caller ID Act. Part IV examines caller ID aspects of technologies underlying current trends in communications. Finally, Part V provides legislative recommendations to tighten the current prohibitions on malicious caller ID spoofing and to address identification spoofing in new and emerging communication services. Legislative recommendations include clarifying the scope of the Truth in Caller ID Act to include (1) persons outside the United States, (2) the use of IP-enabled voice services that are not covered under the Commission’s current definition of interconnected Voice over Internet Protocol (VoIP) service, (3) appropriate authority over third-party spoofing services, and (4) SMS-based text messaging services.
A. Caller ID Services
4. A Caller ID service permits the recipient of an incoming call to determine the telephone number of the calling party and, in some cases, a name associated with the number before answering the call. Network technologies and interconnection arrangements that have been deployed in recent years to provide new communications services make it easier to manipulate information identifying the caller on an incoming call. The accompanying growth of caller ID manipulation, or spoofing, has brought with it increased concerns about security, privacy, and other consumer harms. Congress took a major step towards addressing malicious caller ID spoofing by enacting the Truth in Caller ID Act of 2009, which prohibits anyone in the United States from knowingly causing any caller identification service to transmit misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
5. The history of today’s Caller ID service goes back to the early 1980s. Caller ID service became a practical local service offering in that era when local exchange carriers (LECs) began adopting Signaling System No. 7 (SS7) signaling techniques to route and manage telephone calls. As shown in Figure 1, SS7 techniques place digital signaling information on a transmission channel separate from the audio voice communications channel. Audio voice communication traditionally has been transmitted using switched time-division multiplexing (TDM) technology. SS7 signaling enabled providers to represent and transfer the Calling Party Number (CPN) information that is used for Caller ID services across multiple carriers in addition to transmitting and switching the audio voice communication. The CPN information used in SS7 was generally not changeable by the calling party. The CPN information for residential users was mainly under the control of the caller’s LEC. Business users with Private Branch Exchange (PBX) facilities often had some ability to change their CPN information, but such changes were usually applied consistently to all outgoing calls rather than varying on a call-by-call basis.
Figure 1. Managing Calling with Signaling System 7
6. In the 1990s, the Commission adopted rules to address interstate Caller ID and other CPN-based services. Under the Commission’s rules, common carriers that use SS7 generally must transport the CPN on interstate calls to interconnecting carriers. In addition, a calling party can request that his or her calling number and name be blocked, i.e., not revealed to the called party. This can be done on a touch-tone telephone by pressing *67 before entering the destination phone number. Carriers using SS7 or any service based on SS7 call set-up functionality are required to recognize and honor calling parties’ privacy requests. As a result, on a call-by-call basis, most callers have the ability to block a call recipient from seeing the caller’s telephone number or name. Whether the CPN and other caller identification information are revealed to the called party generally depends on whether the called party receives Caller ID service from his or her service provider and, if so, whether the calling party has requested privacy. This basic framework reflects the Commission’s balancing of the benefits of Caller ID service with the privacy issues raised by this and other CPN services.
7. When the Commission first adopted its rules relating to CPN, Caller ID service was still relatively new. The Commission did not require the adoption of SS7 techniques, although over time most telecommunications carriers in the United States did adopt SS7 and, consequently, Caller ID and other services based on the CPN became commonplace. Because the terminating provider often had no direct relationship with the person placing a call, that terminating provider generally had no way to verify whether the caller identification information it received was accurate. Nevertheless, because the CPN was under the control of the originating LEC or a corporate PBX, and was transmitted using SS7 signaling techniques end-to-end, it was generally considered information that could be trusted by the receiver. As carriers and other entities have begun migrating to Internet Protocol (IP) networks to carry both voice and signaling, however, new signaling techniques have emerged. Interconnected VoIP providers, for example, often use the industry-standard Session Initiation Protocol (SIP) signaling techniques, rather than SS7. These new technologies, in conjunction with other marketplace developments, have lessened the overall accuracy and reliability of caller identification information.
B. Interconnected VoIP Services
8. In general, the low cost and widespread availability of VoIP technologies and services have increased the control that calling parties can exercise over the information transmitted with their phone calls. Some interconnected VoIP services, such as those provided by many cable system operators, are designed to work in the same manner for end-user customers as a LEC service; in those cases, the caller is unable to modify the CPN. However, other Internet-based voice services, including many provided as third-party applications used in connection with broadband services, allow the calling party to make a call appear to come from another phone number. For example, users of some Internet-based voice services can specify and validate their mobile phone number as the CPN, allowing them to originate outgoing calls from the Internet to the Public Switched Telephone Network (PSTN) and receive incoming calls over the PSTN to their cell phone. More sophisticated users can download free open-source software to a conventional personal computer that enables that computer to function as an IP-based PBX or a VoIP gateway. The user then can originate calls with spoofed Caller ID information and transfer those calls from the Internet to the PSTN through a VoIP call termination service.
C. Third-Party Spoofing Services
9. Less technologically-sophisticated users of either traditional telephone services or interconnected VoIP services can easily spoof their caller ID by purchasing or otherwise obtaining caller ID spoofing services from third parties. Indeed, such caller ID spoofing services openly advertise their services on the Web, and some sell prepaid cards providing a certain number of minutes of spoofing services through retail stores. These services may offer additional options, such as the ability to record the call or even to digitally disguise the caller’s voice. Businesses also use third-party services for manipulating CPNs. Some businesses with large call centers, such as telemarketers and debt collectors, employ companies that provide call management services, including the ability to alter caller identification information. Such companies often substitute a number with the same area code as the called party’s area code to increase the likelihood that the called party will answer.
10. Figure 2, below, illustrates the popular technique of using a third-party caller ID spoofing service offered to the public to spoof the phone number displayed by the called party’s Caller ID service. In the example depicted in Figure 2, the caller has already created an account with a caller ID spoofing service or purchased a prepaid calling card, and has a personal identification number (PIN) he uses to access the spoofing service. In order to make a call with a spoofed caller ID, the caller dials the spoofing service’s toll free number and, when connected to the spoofing service, the caller enters his PIN, the telephone number he wants to call, and the number he wants to have displayed by the called party’s Caller ID service (the “substitute number”). The spoofing service forwards the call to the telephone number specified by the caller and forwards the “substitute number” as the CPN. As a result, the called party’s Caller ID service displays the substitute number as the caller ID.
Figure 2. Operation of Third-Party Spoofing Service
11. Some third-party spoofing services may caution against fraudulent or illegal use of their services or take steps to prevent certain types of spoofing. For example, some third-party spoofing services block calls to certain numbers or prevent the user from specifying certain high-profile numbers as the substitute CPN (e.g., the phone number of the White House switchboard). In general, however, the operator of the third-party spoofing service is not aware of the intent of a user of the spoofing service or whether the user has any valid right to use the substitute number entered. Often the substitute number will have been assigned to another telephone service customer who has neither authorized nor been made aware of its use as a substitute number. The telephone service customer whose number is used as the substitute number without his knowledge may therefore become the victim of consequences that are at best annoying and at worst significantly costly and harmful. For example, one commenter received 24 subpoenas and experienced overloaded trunks in connection with one of its phone numbers that was substituted as the CPN number that appeared on Caller ID devices on hundreds of thousands of calls.
12. A caller ID spoofing service such as that shown in Figure 2 can be directly connected to the PSTN with a conventional trunk connection that supports multiple voice circuits, in the same manner as a traditional (i.e., non-IP-based) business PBX. However, it is more typical for the spoofing service to be connected to the publicly-accessible Internet only. Calls to and from the service are routed over the Internet between the spoofing service and a VoIP call termination provider that serves as a gateway for transferring calls between the Internet and the PSTN. In this more common, Internet-based spoofing service configuration, a call may come from the TDM-based PSTN, be passed through a VoIP call termination provider gateway and delivered to a spoofing service where it is bridged to a call with a new CPN, and returned via a VoIP call termination provider for connection back to a TDM-based called party on the PSTN.
D. Caller Name Database Seeding
13. Many Caller ID services are able to display a name associated with the CPN, in addition to displaying the CPN itself. Unlike the CPN, the name associated with the CPN is not transmitted by the originating carrier or provider. Instead, the terminating provider offering the Caller ID service uses the CPN to retrieve the name associated with the CPN from a Caller Name (CNAM) database. CNAM databases link CPNs to the individuals and entities to whom the numbers have been assigned. Some terminating providers maintain their own CNAM database and others purchase CNAM database services from third-party providers that aggregate the listing information from a variety of sources. Typically this aggregation is done with real-time information feeds and may involve a chain of feeds through several layers of providers and resellers.
14. Although many CNAM database service providers deal with trusted sources and take pride in the accuracy of their information, standards vary and it is possible for bad actors to intentionally link phone numbers they control to misleading names in systems feeding some CNAM database services. When that number is later used as the CPN on calls, the misleading caller name listing will be displayed if the corrupted CNAM database is queried. For example, as part of an identity theft scheme aimed at collecting consumers’ bank account numbers, a fraud artist might arrange to associate the name, or a variation of a name, of a well-known bank with the phone number controlled by the fraud artist. Thus, the CPN that is displayed on the consumer’s Caller ID device may be accurate, but because the name is intentionally misleading, the call recipient may be fooled into thinking that the call is from his or her bank, and provide account information and other sensitive personally identifiable information when asked.
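An added illustration, not part of the Report or of any provider's actual system, of the lookup described in paragraphs 13 and 14: the displayed name comes from a CNAM database keyed by the CPN rather than from the call signaling, so an accurate CPN can still carry a misleading name, and a database operator can screen incoming listings for names that resemble a known institution but sit on numbers that institution has not verified. All names, numbers (555-01xx, reserved for fiction), feed identifiers, the look-alike character mapping and the similarity threshold are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: numbers each protected institution has verified as its own.
VERIFIED_BRAND_NUMBERS = {
    "first example bank": {"+12025550100", "+12025550101"},
}

# Constructed CNAM feed records: (CPN, listing name, upstream feed identifier).
CNAM_FEED = [
    ("+12025550100", "FIRST EXAMPLE BANK", "feed-a"),   # legitimate listing
    ("+12025550147", "First Examp1e Bank", "feed-c"),   # digit look-alike in the name
    ("+12025550123", "J SMITH", "feed-b"),              # unrelated residential listing
    ("+12025550188", "FIRST EXAMPLE BNK", "feed-c"),    # name variation
]

# Digits commonly substituted for letters in look-alike names (assumed mapping).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_name(name):
    """Fold case, width and look-alike digits, then keep letters only."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", folded)


def build_cnam_db(feed):
    """Aggregate feed records into a CPN -> name table (last record wins)."""
    return {cpn: name for cpn, name, _source in feed}


def caller_id_display(cpn, privacy_requested, cnam_db):
    """What the called party's device shows for one incoming call.

    The name is never taken from the call itself: it is retrieved from the
    CNAM table using the CPN. A privacy request suppresses both fields.
    """
    if privacy_requested:
        return {"number": None, "name": None}
    return {"number": cpn, "name": cnam_db.get(cpn)}


def screen_listings(feed, verified, threshold=0.85):
    """Flag listings whose name resembles a protected institution's name
    while the number is not in that institution's verified set."""
    flagged = []
    for cpn, name, source in feed:
        candidate = normalize_name(name)
        for brand, numbers in verified.items():
            score = SequenceMatcher(None, normalize_name(brand), candidate).ratio()
            if score >= threshold and cpn not in numbers:
                flagged.append({"cpn": cpn, "name": name, "feed": source,
                                "brand": brand, "score": round(score, 3)})
    return flagged


if __name__ == "__main__":
    db = build_cnam_db(CNAM_FEED)
    # Accurate CPN, misleading name: the case paragraph 14 describes.
    print(caller_id_display("+12025550147", False, db))
    for hit in screen_listings(CNAM_FEED, VERIFIED_BRAND_NUMBERS):
        print("review listing:", hit)
```

Both flagged records arrive through the same constructed feed, which is the kind of signal an aggregator could use to decide which upstream source to audit.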
E. Emergency Calling
15. An important type of caller identification service involves emergency calls to 9-1-1 services. As a general matter, calls that are placed to emergency services by dialing 9-1-1 are not highly vulnerable to spoofing. Emergency 9-1-1 calls do not rely on the CPN information used by Caller ID services described above either for routing or for retrieving the caller’s location information. Instead, emergency 9-1-1 calling relies on a second number in the SS7 call setup information, generally referred to as the Automatic Number Identification (ANI). Although the CPN and the ANI will typically be the same for residential users, 9-1-1 calls are routed much differently from ordinary calls. Although interconnected VoIP technology allows the ANI to be manipulated as easily as the CPN, it is in general difficult to get a call from the Internet with a spoofed ANI properly routed to a Public Safety Answering Point (PSAP) over the current Wireline E911 Network.
16. A malicious actor can, however, spoof a call directly to other phone lines operated by emergency service providers, such as a police department or fire department administration number. This case of emergency services being vulnerable to caller ID spoofing is particularly important in the small remaining areas of the United States where subscribers cannot reach emergency services by dialing 9-1-1 because the local telephone switching equipment does not recognize and handle the 9-1-1 dial sequence. In those few localities, the PSAPs may rely on the PSTN and consumer-grade Caller ID service described above, and thus may be subjected to the same caller ID spoofing associated with that service.
III. TRUTH IN CALLER ID ACT
A. Implementing the Truth in Caller ID Act
17. As noted above, on December 22, 2010, President Barack Obama signed into law the Truth in Caller ID Act, which prohibits the intentionally harmful or fraudulent spoofing of caller identification information and gives the Commission the authority to seek substantial penalties from those who violate the Truth in Caller ID Act. The Truth in Caller ID Act requires the Commission to issue implementing regulations within six months of the law’s enactment and, as also noted previously, directs the Commission to submit this Report to Congress by the same date.
18. On June 22, 2011, the Commission issued rules implementing the Truth in Caller ID Act. These rules reflect Congress’s directive to prohibit caller ID spoofing done with the intent to defraud, cause harm, or wrongfully obtain anything of value by adding a section to the Commission’s rules governing CPN services, and by enhancing the Commission’s forfeiture rules. The additions to the Commission’s CPN rules are modeled on the Truth in Caller ID Act’s prohibition against engaging in caller ID spoofing with fraudulent or harmful intent. The amendments to the Commission’s forfeiture rules implement the forfeiture penalties and forfeiture process provided for in the Truth in Caller ID Act.
19. The Truth in Caller ID Act’s prohibition is directed at spoofing “in connection with any telecommunications service or IP-enabled voice service.” Therefore, the Commission’s rules define “caller identification service” and “caller identification information” in a manner that applies to calls using both types of service. Under the Commission’s rules, the person or entity prohibited from knowingly causing transmission or display of inaccurate or misleading caller identification is the same person or entity that must be acting with intent to defraud, cause harm, or wrongfully obtain anything of value.
20. The rules address displaying inaccurate caller identification information, in addition to transmitting it, to make clear that even if no substitute CPN is transmitted between providers, it is a violation for a person or entity to knowingly cause a device that displays caller identification information to display inaccurate or misleading information with the intent to defraud, cause harm, or wrongfully obtain anything of value. This would include, for example, seeding a Caller Name database with a misleading listing name for the CPN used.
21. Although the Truth in Caller ID Act specifies that “IP-Enabled Voice Service” has the “meaning given that term by section 9.3 of the Commission’s regulations (47 C.F.R. 9.3),” the precise term used in 47 C.F.R. § 9.3 is “interconnected VoIP service.” Hence, the Commission’s rules implementing the Truth in Caller ID Act use the term “interconnected VoIP service” and specify that it has the same meaning given that term in 47 C.F.R. § 9.3. Although “telecommunications service” is defined by the Communications Act to mean the offering of telecommunications to the public for a fee, there is no such commercial requirement for interconnected VoIP service. Therefore, an entity that self-provisions a VoIP service that interconnects with the PSTN in a manner that meets the criteria of section 9.3 is covered by the Truth in Caller ID Act.
22. The term “Caller Identification Service” in the Truth in Caller ID Act explicitly includes “automatic number identification services.” The Commission rules define “caller identification service” to mean “any service or device designed to provide the user of the service or device with the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or interconnected VoIP service.” The Commission clarified that by including billing number information in the definition of “information regarding the origination,” it effectively includes within the definition of “caller identification service” any service or device designed to provide the user with any form of the calling party’s billing number, including charge number, ANI, or pseudo-ANI.
23. In the Commission’s rulemaking proceeding, the Commission noted that some third-party spoofing service providers also offer separate services with the ability to unmask a CPN that the caller has affirmatively indicated should not be displayed. This unmasking is accomplished by reversing the privacy indicator initially set in accordance with the caller’s privacy preference, and could be considered the “provision of inaccurate caller identification information” addressed by this Report. The Commission did not, however, receive public comment sufficient to enact rules concerning the intentional unmasking of caller identification information.
B. Issues Raised by Commenters
24. As a result of the Commission’s implementation of the Truth in Caller ID Act, the Commission’s rules now address many of the vulnerabilities to caller ID spoofing used to defraud, cause harm, or wrongfully obtain anything of value as described in the Background section for current telecommunications voice services and interconnected VoIP voice services. However, stakeholders have identified several ways in which the Truth in Caller ID Act could be strengthened to improve protections against malicious caller ID spoofing. We discuss these in the sections that follow.
1. Malicious Spoofing Done from Outside the United States
25. The prohibition in the Truth in Caller ID Act against harmful or fraudulent caller ID spoofing applies to “any person within the United States” (emphasis added). However, as at least one stakeholder in the FCC’s proceeding has noted, spoofing also originates from people and entities operating outside the United States who may not be deterred or prevented from spoofing by the Commission’s rules. Indeed, caller ID spoofing directed at the United States by people and entities operating outside the country can cause great harm.
2. Voice Services That Are Not “Telecommunications Services” or “Interconnected VoIP Services”
26. The Commission’s rules implementing the Truth in Caller ID Act apply to spoofing done in connection with switched voice communications that qualify as “telecommunications service” or “interconnected VoIP service.” However, a significant and growing amount of voice communications traffic today does not fall into either category. An important category is Internet-only non-interconnected VoIP service that enables users to engage in two-way voice conversations over the publicly-accessible Internet without interconnecting to the PSTN. In at least one instance, the Commission has declared such a service to be an information service and thus not subject to the Commission’s rules governing CPN services. Several commenters recommended ways in which the Commission should broaden the scope of its rules to include non-interconnected VoIP services.
27. We note that the record does not demonstrate that caller ID spoofing concerns with consumer-grade, Internet-only non-interconnected VoIP services have risen to the same level as with interconnected VoIP services. The user of an Internet-only non-interconnected VoIP service typically establishes a contact list of the parties whom she will be calling and from whom she will accept calls. An affirmative acceptance of a text-based request message by that party confirms permission to do so. In this manner the universe of potential callers is greatly reduced, often to just friends and family. Optional real-time video capability likely further reduces the effectiveness of caller identification spoofing on Internet-based non-interconnected VoIP in instances where the personal account of an accepted contact might have been compromised.
28. There is a closely related category of VoIP service, however, that does facilitate caller ID manipulation on calls to subscribers of telecommunications services and IP-enabled services. This category includes one-way interconnected VoIP services, which are Internet based services that support the ability to place calls to end users of telecommunications services and interconnected VoIP services, but not to receive calls from those end users. This class of service does not qualify as an interconnected VoIP service, as currently defined in the Commission’s rules, because it does not permit “users generally to receive calls that originate on the public switched telephone network and to terminate calls to the public switched telephone network.” Because the device used by a subscriber to this class of service to originate calls is typically not assigned a telephone number, if a substitute CPN is provided by the subscriber it must necessarily be that of some other device or a non-working number.
29. Most recently, non-interconnected VoIP services have become available that allow direct, Internet-based global communications among enterprise customers that have their own VoIP-based corporate networks. Typically such services assume the intervening network is untrustworthy and rely on sophisticated end-to-end authentication techniques to ensure the identity of the parties involved. We are not aware of caller ID spoofing concerns with these business-grade, non-interconnected VoIP services.
3. Third-Party Spoofing Services
30. Callers can easily engage in Caller ID spoofing by making use of one of the numerous third-party providers of caller ID spoofing services. Third-party spoofing services can facilitate lawful instances of caller ID manipulation as well as unlawful caller ID manipulation. The Truth in Caller ID Act does not impose specific requirements on third-party spoofing services and, therefore, the Commission did not impose additional obligations on third-party spoofing services or VoIP call termination services at this time. Some commenters recommended that third-party services should be held liable for knowingly facilitating malicious conduct, and others recommended that the Commission impose obligations on third-party spoofing service including, for example, giving prominent notice concerning the Truth in Caller ID Act provisions, verifying the right to use a substitute CPN, and keeping records on customers and their service use. The Commission clearly stated in the Caller ID Act Order that the decision not to impose additional obligations on third party caller ID spoofers in no way immunizes a third-party service provider from its obligation to comply with the Act.
31. The Department of Justice (“DOJ”) filed comments with the Commission describing spoofing services as a “hotbed of illegal activity that permit criminals to more effectively harm, harass, and defraud the public.” In an effort to reduce the use of third-party spoofing services for criminal activities and make it easier for law enforcement to track criminals that use caller ID spoofing services, DOJ asked the Commission to consider requiring spoofing providers to place a verification call to establish that callers have authority over the telephone numbers they seek to use. If callers cannot verify their right to use a particular phone number or elect not to participate in verification, DOJ’s proposal would permit them to choose from a list of telephone numbers controlled by the spoofing provider, if the provider maintains such a number pool. Alternatively, DOJ suggested that the Commission develop a technological solution that would enable call recipients to determine that a call has been spoofed and would enable law enforcement to trace spoofed calls back to the spoofing provider.
32. The Commission shares DOJ’s concerns about the abuse of spoofing services by criminals and the law enforcement challenge of locating and prosecuting criminals who abuse caller ID spoofing due to the anonymity provided by the caller ID spoofing services. In adopting rules to implement the Truth in Caller ID Act, the Commission recognized that requiring caller ID spoofing services to verify that users have the authority to use a substitute number would likely reduce the use of caller ID spoofing to further criminal schemes and could simplify law enforcement efforts to determine who is behind a caller ID spoofing scheme. At the same time, the Commission concluded that in crafting the Truth in Caller ID Act, Congress intended to balance the drawbacks of malicious caller ID spoofing against the benefits provided by legitimate caller ID spoofing. The Act prohibits spoofing providers, like all other persons and entities in the United States, from knowingly spoofing caller ID with malicious intent. But the Act does not impose additional obligations on providers of caller ID spoofing services. Based on its understanding of Congress’s intent, the Commission did not impose additional obligations on third-party spoofing providers.
IV. SUCCESSOR AND REPLACEMENT TECHNOLOGIES
A. Continued Migration to IP-enabled Voice and Voice with Video Technology
33. As suggested by Congress’ attention to both telecommunications services and IP-enabled voice services with caller identification features, the two categories are closely coupled in terms of the voice service presented to the end user. IP-enabled voice technology is very much a successor to the TDM-based voice telecommunications technology, and worthy of continued attention in this context. It is estimated that over a quarter of the traditionally TDM-based voice telecommunication network has already been transitioned to IP-based technology, including more than half of the traffic exchanged among carriers in the core of the network (i.e., inter-exchange traffic). It is further estimated that by 2014 this number will increase from one quarter to as much as 60 percent as the technology transformation from TDM-based voice to IP continues to extend from the network core out to more and more end users.
34. This trend suggests that as increasing numbers of current users of telecommunications services switch to VoIP-based services, they will have additional flexibility to manage their CPNs. We also expect non-interconnected VoIP services to continue to grow, especially for international calling. The largest non-interconnected VoIP provider, Skype, estimates that its non-interconnected VoIP voice minutes worldwide increased by 68 percent from 2009 to 2010 to 190 billion minutes. By one estimate, about half of that 2010 traffic, 96 billion minutes, was international calling. It is further estimated that Skype’s international traffic volume grew by 39 billion minutes in 2010, more than twice the volume gain achieved by all telephone companies in the world combined.
B. Text Messaging
35. Text messaging based on Short Message Service (SMS) technology is as vulnerable to caller ID spoofing as voice telecommunications service and IP-enabled voice service. This is particularly relevant as the average monthly use of text messaging per subscriber has been increasing, while mobile voice usage has been declining. Some of the third-party services that provide caller ID spoofing of voice calls also provide text messaging spoofing services. Text-message spoofing services are provided on web pages on which the sender enters the mobile phone number of the party to whom the text is to be sent, and a substitute mobile phone number from which it will appear that the text message was sent. Many mobile service providers also offer similar websites at which anyone can send text messages to the provider’s subscribers. The “source” information is entered manually by the sender, with no verification of the sender’s authority to use the number.
36. Additionally, many mobile service providers offer email gateways from the Internet so that email sent to a phone number at the provider’s email domain address is directly delivered to that phone. The source address of email is easily spoofed by using readily available and free text messaging websites, which provides another way to mislead the recipient of a text message.
C. Video Calling Using Telephone Numbers
37. Text communication, including text messaging and Internet-based chat, has long been an essential form of communication for the deaf and hard of hearing. In recent years, text-based communication among the deaf has been succeeded by Internet-based video communications that allow deaf and hard-of-hearing persons to communicate using sign language. In addition to providing interpreter-based relay calling between deaf and hearing persons, Internet-based Video Relay Service (VRS) providers and the Commission’s Internet-based Telecommunications Relay Service (TRS) Numbering Directory support direct video calling between deaf users over the Internet using 10-digit phone numbers. Commission rules specifically governing TRS facilities subject those using SS7 technology to the Commission’s CPN rules, and require the transfer of calling party identifying information such as the 10-digit number assigned to a deaf or hard-of-hearing VRS user’s Internet-based video terminal. Accurate CPN is important for logging missed calls and for call-back purposes, but because the two-way communication using sign language is by nature face-to-face, deceptive caller ID practices do not appear to be a major consumer issue in this form of exclusively Internet-based video communications.
D. Social Media
38. Social networking technology can be regarded as an important successor to telecommunications and IP-enabled voice technologies, especially for communications among social acquaintances who have previously relied on voice calling to keep in touch. It is estimated that as of December 2010 almost 70 percent of mobile service subscribers in the U.S. were using text messaging, and this number was growing at an annual rate of about 8 percent. By comparison, the number of mobile subscribers using social networking as of December 2010 is estimated to have been about 25 percent, and was growing at an annual rate of about 56 percent. Similarly, the number of minutes spent on Facebook was estimated to reach about 42.1 billion minutes for the month of August 2010, and can be compared with approximately 187 billion minutes of mobile voice communications for the same month.
39. As with the user of an Internet-only non-interconnected VoIP service, the social network user typically establishes a contact list of the parties with whom she will be communicating, including an affirmative acceptance confirming permission to do so. In this manner the universe of potential parties in contact with any single user can, in theory, be restricted to personal acquaintances. In practice, however, many users are not so selective and, because spoofed user accounts are not uncommon, identification deception is not uncommon either.
40. Major social network providers offer users means by which to readily report identification spoofing to the social network service provider. Telecommunications services in particular lack corresponding easily-accessed tools and, unlike social network providers that can unilaterally block reported offenders they believe to be in violation of their Acceptable Use Policies, telecommunications providers’ ability to take similar action is more limited because of their common carrier obligations.
E. Next Generation 9-1-1
41. Today’s emergency 9-1-1 voice calls are largely protected from spoofing harm by the technological artifacts of the Wireline E911 Network. However, these protections will gradually diminish as the TDM-based technology of the Wireline E911 Network is replaced by IP-based network technology in the Next Generation 9-1-1 network (NG9-1-1). This migration should greatly increase the varieties and capabilities of communication with PSAPs, but the IP-based technology of the publicly accessible Internet on which NG9-1-1 is based brings with it many of the same vulnerabilities to caller identification spoofing associated with today’s consumer-grade interconnected VoIP services.
42. Given the popularity and ubiquity of SMS text messaging, enabling text message access to emergency services may be one of the first steps in moving beyond a voice-only emergency calling framework. SMS, however, has many limitations that will need to be addressed if it is to become a reliable means for emergency communications. Not the least among these is the vulnerability of SMS text messaging technology to caller identification spoofing as described above.
F. Caller Identification Technologies
43. The ability to easily manipulate caller identification information is largely a product of the transition of voice telephony from a closed system based on TDM and SS7 technology to an open system based on IP and, typically, SIP technology; by one estimate as much as 60 percent of PSTN calling will be based on IP technology by 2014. Industry-consensus solutions for authenticating caller identification information in IP-based signaling have been defined but are not deployed. They generally rely on proven cryptographic techniques similar to those used to authenticate web sites and email messages. Given the current mechanisms by which telephone numbers are allocated to and managed by an identifiable set of carriers, service providers, and resellers, the processes and cryptographic infrastructure on which these solutions rely should be within the realm of practicability at a service provider level (i.e., rather than at the end-user level).
44. Although this approach would not preclude all caller ID spoofing, it would enable a terminating provider to identify calling party information which had not been altered and to which the originating provider had been allocated the rights (or had been delegated the rights in turn), such as the calling party’s number. In other words, the terminating provider would be able to identify calls for which the calling party information had not been spoofed with a very high degree of certainty. Such a determination would be useful for Caller ID service purposes and particularly valuable for law enforcement and public safety purposes.
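The check described in paragraphs 43 and 44, sketched from the terminating provider's side as an added illustration; it is not part of the Report and does not reproduce any particular industry specification. The numbering authority, the message layout, the use of Ed25519 signatures and all telephone numbers are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Delegation: a numbering authority (assumed) grants a number prefix to a provider key.
type Delegation struct {
	Prefix   string
	Provider ed25519.PublicKey
	Sig      []byte // authority's signature over prefix and provider key
}

// Assertion: the originating provider vouches for one call's calling number.
type Assertion struct {
	From, To string
	Sig      []byte // provider's signature over From and To
}

func delegationMsg(prefix string, pk ed25519.PublicKey) []byte {
	return append([]byte(prefix+"|"), pk...)
}
func Delegate(auth ed25519.PrivateKey, prefix string, pk ed25519.PublicKey) Delegation {
	return Delegation{prefix, pk, ed25519.Sign(auth, delegationMsg(prefix, pk))}
}
func SignCall(prov ed25519.PrivateKey, from, to string) Assertion {
	return Assertion{from, to, ed25519.Sign(prov, []byte(from+"|"+to))}
}

// Verify is the terminating provider's check. It trusts only the authority key.
func Verify(authPub ed25519.PublicKey, d Delegation, a Assertion) string {
	switch {
	case !ed25519.Verify(authPub, delegationMsg(d.Prefix, d.Provider), d.Sig):
		return "delegation not issued by the numbering authority"
	case !strings.HasPrefix(a.From, d.Prefix):
		return "calling number outside the provider's allocation"
	case !ed25519.Verify(d.Provider, []byte(a.From+"|"+a.To), a.Sig):
		return "calling party information altered or not signed by the provider"
	}
	return "verified"
}

func main() {
	authPub, authKey, _ := ed25519.GenerateKey(nil)
	provPub, provKey, _ := ed25519.GenerateKey(nil)
	d := Delegate(authKey, "+1202555", provPub) // constructed sample allocation
	fmt.Println(Verify(authPub, d, SignCall(provKey, "+12025550123", "+13035550188")))
}
```

A call that arrives with no assertion at all is simply unverified, which matches paragraph 44: the approach identifies calls whose calling party information has not been spoofed rather than precluding all spoofing.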
45. Technology relying exclusively on the analysis of audio at the receiving end of a call is also a possible tool to help determine the provenance of a call. For example, it appears possible through a combination of signal processing and machine learning to determine the traversal of calls through different networks (e.g., cellular, then VoIP, then PSTN), and to distinguish calls made from specific service providers. Such technologies could provide particularly useful tools for tracing back calls laundered through various networks for which the caller identification had been manipulated.
V. RECOMMENDATIONS FOR CONSIDERATION BY CONGRESS
A. Consider Expanding the Truth in Caller ID Act
46. With the Truth in Caller ID Act, Congress took an important step toward re-securing the integrity of the telephone number as a reliable identifier of a call’s origin. We recommend additional steps that can be taken toward this end as the TDM technology on which telecommunications service is widely based is increasingly supplanted by VoIP technology, and as text messaging continues to supplement and replace voice communications.
• Recommendation 1: Congress should consider broadening the scope of the Truth in Caller ID Act to include a prohibition on caller ID spoofing directed at people in the United States by persons outside the United States.
47. Caller ID spoofing directed at persons within the United States by people and entities operating outside the country can cause great harm, but such people and entities are not covered by the Truth in Caller ID Act. In the past, Congress has recognized the need to expand the Commission’s consumer protection authority to address entities outside the U.S. that direct their actions to the U.S. For example, as part of the CAN SPAM Act of 2003, Congress amended section 227(b) of the Act, which deals with auto dialing, prerecorded calls, and junk faxes, to cover any persons within the United States, or any person outside the United States if the recipient is within the United States. Previously that section only applied to any person within the United States.
• Recommendation 2: Congress should consider providing guidance whether it intended additional IP-enabled voice services, such as VoIP services that enable callers only to make outgoing calls to users of telecommunications and interconnected VoIP services, to be brought within the scope of the Truth in Caller ID Act.
48. As explained above, the Truth in Caller ID Act applies to interconnected VoIP services as defined in section 9.3 of the Commission’s rules, “as those regulations may be amended by the Commission from time to time.” The Commission thus has a specific delegation of authority to amend its definition of interconnected VoIP services so that the scope of the Truth in Caller ID Act would include one-way interconnected VoIP services, even though such one-way interconnected VoIP services are not currently covered. As explained above, such services can be used as readily as telecommunications services and (two-way) interconnected VoIP services to spoof Caller ID. Indeed, several commenters recommended that the scope of the Act should be interpreted to reach services not currently within the Commission’s definition of interconnected VoIP services—a view the Commission did not adopt. Because expansion of the reach of the Truth in Caller ID Act to one-way interconnected VoIP services via a revision to Rule 9.3 would be a significant change, as to which Congress has not provided any specific indication of its intent, Congress may want to consider providing guidance whether it intends for the Truth in Caller ID Act to apply to calls made with such additional IP-enabled voice services.
• Recommendation 3: Congress should consider giving the Commission appropriate authority to regulate third-party spoofing services.
49. As explained above, third-party spoofing services make it easy for anyone to spoof Caller ID for legal or illegal purposes. Granting the Commission additional specific authority over third-party providers of spoofing services may aid the Commission in enforcing its rules and promulgating additional rules to implement the Truth in Caller ID Act. As discussed above, DOJ recommended that the Commission require third-party spoofing providers to verify that a user has authority to use the telephone number the user is seeking to have substituted for the user’s calling number. DOJ’s proposal would make it far easier for law enforcement to identify those actors who use third-party spoofing services for fraudulent or other harmful purposes and permit caller ID spoofing for some legitimate purposes. In light of the serious and weighty concerns identified by DOJ involving law enforcement’s need to track criminals who use third-party caller ID spoofing services, we recommend that Congress revisit the Truth in Caller ID Act’s apparent acceptance in some instances of the practice of spoofing phone numbers that the caller lacks authority to use, including granting the Commission appropriate authority to adopt rules preventing third-party spoofing providers from allowing unauthorized use of substitute phone numbers.
• Recommendation 4: Congress should consider modifying the Truth in Caller ID Act to explicitly state that text messaging is covered by the scope of the Truth in Caller ID Act.
50. We have observed that the use of SMS-based text messaging service is growing faster than cellular voice service and is subject to many of the same caller identification manipulation vulnerabilities as voice calling.
B. Monitor New and Emerging Communications Services
51. Once the Commission’s rules are in force, Congress and the Commission will have the opportunity to determine whether the current rules are sufficient to deter malicious caller ID manipulation in conjunction with telecommunications services and interconnected VoIP services. Congress and the Commission should monitor industry efforts to deploy existing industry-consensus solutions for authenticating caller identity, including the calling party’s number, in IP-based communications services, with a particular eye toward identifying those aspects for which regulation may be required to prevent misuse or abuse.