In case anyone missed it, the Truth in Caller ID Act (now of 2007!) was re-introduced in the House as HR 251 on January 5th. The Senate’s version of the previous bill never passed during the 109th Congress, so here we go again… While re-reading through the bill however, I noticed something interesting that I hadn’t noticed before:
`(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.
By specifically naming VoIP service separately from other telecommunications services, and then subsequently defining what a VoIP “service” is:
`(C) VOIP SERVICE- The term `VOIP service’ means a service that–
`(i) provides real-time voice communications transmitted through end user equipment using TCP/IP protocol, or a successor protocol, for a fee or without a fee;
This ammendment seems to very specifically preclude any communications that take place on the Internet or any other “non-telecomunications” network that isn’t transmitted via both IP and TCP, or any successor protocols of IP and TCP used in conjuction that may follow them.
Now, I’m no lawyer by any stretch of the imagination, but that seems fairly clear to me. If true, that precludes Caller-ID information transmitted via any other transport protocol running within IP, or otherwise, from being affected by this law. Does that mean that if my signaling traffic happens to be UDP, as many of the protocols either are or allow, that it is then not subject to this law? I wonder if the tech-savvy, or lack thereof, of the U.S. Legislature may be introducing a nice convienient loophole for an attacker’s attorney to exploit when going to trial… birds of a feather after all.
Series of tubes, indeed.
(laughing) Are you volunteering to head to DC and teach Congress about the OSI model and the different layers of networking? If it survives intact as you show it, I’m sure we *will* see a day when a government lawyer is arguing that “TCP/IP” denotes the entire protocol suite and the defense lawyer will be arguing that none of their signaling used TCP. Fun, fun, fun….
The short answer: No.
However, I WILL head to DC and attend ShmooCon. Close enough? (:
Hi ,
we are thinking about making called id spoofing available to all our customers. Do you think that we are doing something illegal ?
regards,
Ioan
Ioan,
Our (VOIPSA) position has really been not to take sides on the legality/illegality of caller ID spoofing but more to point out that it’s rather trivial to do within VoIP and so anyone basing their trust on CID should rethink that. This is a change, though, because I know that certainly here within the US, people have become accustomed to trusting the CID on the PSTN in screening calls or at least having a sense of who they are talking to. VoIP removes the ability to trust CID because it is so easy to spoof. I’m not sure as a society we yet understand that change in the trust model to which we’ve become accustomed.
Now, it’s pretty clear that some members of the US Congress think that it should be illegal (at least “with the intent to defraud or cause harm”) but I don’t know what is happening in other parts of the world.
Regards,
Dan
Disclaimer: I am not an attorney.
Due to the fact that legislation is being drafted in the United States to make the act of spoofing Caller-ID illegal (with the intent to defraud or harm), that would lead one to believe that it is currently NOT illegal. However, note that this is simply the act itself.
Also keep in mind that in many states, including Texas where I personally reside, it is a crime to access a computer system without authorization. Take into consideration someone who uses falsified Caller-ID information to authenticate to another person’s account on a voice-mail system. While the act of spoofing the Caller-ID information may not currently be illegal, using it to access the voice-mail system in question likely is. While in that case you may or may not be liable for what your customers use the spoofed Caller-ID to accomplish, at the very least you will want to consider such scenarios and watch this legislation closely as it moves through Congress.
then how are these sites still operating?
Pingback: Vishing Scams Taking Advantage of Innocent People | Credit Cards Blog | CreditCardAssist.com