1. Geneva, Switzerland, 2 June 2014 The UK experience and approach to damage mitigation Huw Saunders, Director, Network Infrastructure, Ofcom Huw.Saunders@Ofcom.gov.uk ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014)

2. Geneva, Switzerland, 2 June 2014 2 Outline Nuisance calls and spoofed CLI – metrics, motives and policy actions Mitigating the risk through regulatory and industry initiatives The role of international collaboration Longer term technical solutions and implementation challenges

3. CLI spoofing and nuisance calls in the UK – the size of the problem 80%+ of UK consumers report regularly receiving “nuisance calls” with some getting 20+ weekly Most such calls have spoofed CLI – either deliberately malformed or using a genuine CLI unconnected with the caller to disguise their identity and location Network traffic sampling suggests that overall call attempts from such sources may be of the order of 1 – 2 billion per annum across all networks in the UK Geneva, Switzerland, 2 June 2014 3

4. Motives, impact and policy responses Most calls are unsolicited live marketing calls or automated messages from “lead generators” – little evidence to date of “Voice DDOS” problems seen in North America Calls create significant consumer concern and undermine trust – some cases of exploitation for fraud through “social engineering” Clear breaches of regulation and law – coordinated action being taken by Ofcom and ICO, and a UK Government Action Plan was announced by DCMS in March, 2014 - https://www.gov.uk/government/news/nuisance- calls-action-plan-unveiled Geneva, Switzerland, 2 June 2014 4

5. Short term mitigation Aim to stop Nuisance Calls at source Requires an agreed call tracing process and appropriate action when the source has been identified – NICC ND1437 – http://www.niccstandards.org.uk/files/current/ND1437 V1.1.1.pdf - now in use by Ofcom Use clear regulatory guidelines on CLI to identify calls which are problematic NICC producing revised rules dealing with VoIP and VoIP to SS7 transition Should allow national regulatory, commercial interconnect and network based mitigation actions Geneva, Switzerland, 2 June 2014 5

6. 6 Stage 0 Stage 1 Stage 2 Stage 3 Basic data to trace call is assembled Ofcom obtains information required for a call trace from the terminating CP, e.g. - Time of call, CLI of calling/called parties, presentation number, incoming route id, CP contact number Contact the CP hosting the calling CLI (i.e. the originating CP) for caller information If CLI is missing/inaccurate, this step will definitely/probably fail Even with valid CLI, it may be international, subcontracted to a reseller, ported out, misallocated – all of which may lead to failure of this step Trace the call through the upstream networks This step occurs if Step 1 fails Obtain caller information from originating CP If this network CP is also retail CP, then customer identity = caller identity If there is a reseller then a further request(s) may be needed to obtain caller identity Ofcom Transit CP3Transit CP2Transit CP1 Originating CP 1. Trace request 2. Trace Response (speak to CP2) 3. Trace request 5. Trace request 7. Trace request 4. Trace Response (speak to CP1) 6. Trace Response (speak to OCP) 8. Trace Response (identity of caller) ND1437 tracing process

7. A sample trace Geneva, Switzerland, 2 June 2014 7 Example 2: 128 complaints about calls using 039393939 CP1 asked to trace Calls routed through CP2 via CP3 in UK who routed calls from CP4 in Vancouver via a VoIP call centre in Kolkota, India who have been unwilling or unable to say on whose behalf the calls were being made or why they were made.

8. The need for international collaboration Call tracing often requires international co-operation to be successful – need for regulatory/administrative Code of Practice? Existing MoU between USA, Canada, Australia, UK etc regulators complemented by London Action Plan and M3AAWG initiatives to share best practice and take effective action could form template Standards bodies need to ensure they are responsive to emerging problems and provide appropriate technical framework Problems may get worse as transition from legacy SS7 based “PSTN” to VoIP future through SIP, VoLTE and other technologies is completed Geneva, Switzerland, 2 June 2014 8

9. Longer term solutions? Key enabler of the problem is the lack of control over CLI in VoIP, particularly SIP, and the much lower cost of call generation these technologies have delivered. Whilst greater regulatory clarity over acceptable practice and effective enforcement will help, a more systemic means of providing caller identity assurance is needed IETF STIR project seems to offer a promising route to providing such assurance but many issues need to be resolved both in the technical domain and in ensuring rapid and effective adoption Geneva, Switzerland, 2 June 2014 9

10. Implementation issues The existing E164 administration and allocation processes will need to be integrated with any identity certification methodology adopted Such certification, RPKI based or otherwise, will need to be encouraged if not mandated on an international basis to have significant effect Regulators and administrations have key roles in ensuring and policing adoption but, ultimately, wider telco and Internet “communications community” needs to take collective ownership Key test of governance over next 5 years+ Geneva, Switzerland, 2 June 2014 10

11. Conclusions and Recommendations CLI spoofing problem is growing Current mitigations unlikely to be fully effective Longer term solutions will take time Implementation will be complex International cooperation and collaboration must be made more effective Implementation of longer term solutions needs to be considered in parallel to technical work Geneva, Switzerland, 2 June 2014 11