[VOIPSEC] Truths on "Truth in Caller ID Act" (possible industry solution)
Bruce Stewart
bruce at oreilly.com
Thu Oct 19 04:14:12 BST 2006
I wanted to let the list know that we've just published an article on
O'Reilly's Emerging Telephony site based on John Todd's post to this
thread proposing a vendor-neutral industry consortium to address
these issues.
http://www.oreillynet.com/etel/blog/2006/10/solving_the_caller_id_problem.html
If anyone possibly has any more to say about this topic, there is
also a comment section at the end of the article on the ETel site.
Bruce Stewart
Editor, Emerging Telephony
http://www.oreillynet.com/etel/
On Oct 6, 2006, at 12:02 PM, John Todd wrote:
>
> I would agree that this becomes a trust federation issue. I have a
> proposal at the end of this message which may interest some of you,
> so please skip to the "POSSIBLE SOLUTION" section if you want to hear
> about action instead of more pontificating.
>
> For several firms that I have worked for, including my current
> employer, the caller ID issue has been of central concern. Users
> without E.164 numbers, users with several E.164 numbers, users wanting
> to move E.164 numbers to their calling device and network of choice -
> these are only some of the things that arise with the development of
> mobile and VoIP infrastructures that decouple devices from E.164 addresses.
> It's going to get much more complex and customized from the user's
> perspective, and it's up to us as an industry to figure out how to
> provide accountability for our customers and ourselves.
>
> This document really only speaks about E.164, and the "VoIP" part of
> this is only relevant to this list insofar as there seems to be the
> greatest disconnect between VoIP<->PSTN transmissions and identity
> assurance. The methods of SIP authentication and auditing seem to be
> easier to solve, though by no means trivial.
>
>
> Assertions:
>
> 1) Caller ID (and ANI) is insufficient for authentication purposes
> other than as a "hint". It is wildly irresponsible to assume that
> the person attached to a device is "authenticated" merely by using
> that device, when control of those devices has no additional security
> policy that is universal or even commonplace.
>
> 2) I agree that identity presentation should be separate from the
> network provider. As users become more and more distinct from
> telephony devices, this will only become more pronounced. This
> applies to E.164 numbering as well as other identity methods.
>
> 3) I do not agree that there is a technical solution to this problem
> that works on the front-end. SIMs, or biometric authentication, or
> other methods are too complex, or at the least are going to be
> selected independently by each vendor. (but I do think there is a
> solution on the back-end - keep reading.)
>
> 4) Law enforcement does need a way to determine who made a call, or
> at least to what company a warrant should be presented for further
> data. Currently that does not seem to be the case.
>
> 5) I think that the "Truth in Caller ID Act" is probably more
> political grandstanding than actual effective legislation, since as
> mentioned there already exist wire fraud statutes which make false
> impersonation a crime, and I seem to recall (though I cannot find
> reference) that there have been already-prosecuted cases on the topic
> of caller ID. This pre-existing law will not prevent assertion #6...
>
> 6) Law enforcement in the United States currently can ask for and
> receive almost anything they want as far as legislation. As soon as
> an investigation reveals that caller ID re-writing was integral to
> some type of "terrorism", the industry will suddenly find itself at
> the wrong end of an even more-poorly written legislative cannon which
> will crush companies and investment. Other nations are already in
> situations where certain products are illegal or grey market due to
> bad legislation, and some will follow the lead of the US. Being
> prepared for this in advance with a solution that is pre-built is the
> only way to avert a crisis.
>
>
> Problems to overcome with any solution:
>
> A) Many "next-generation" telephony/mobile application firms who are
> receiving funding right now use Caller ID as a key to their services.
> I don't think their investors have been shown the potential for fraud
> yet or understand the threat of legislative hysteria. Didn't
> everyone learn from the calling card business yet?
>
> B) The PSTN cannot turn on a dime and restrict ANI/CLID from clients.
> It is used too widely for completely legitimate purposes. A
> "check-ahead database" that is consulted before call completion at
> any/every border is unworkable as a matter of cost and willpower, I
> believe.
>
> C) Most firms are unwilling to participate in a system where their
> user data or CDRs with user relationships are centrally managed, as
> they have serious legal and commercial privacy concerns about control
> of that data.
>
>
> So clearly, we have a looming problem. There does not seem to be any
> solution that is feasible that works on the front-end (authentication
> before completion.) And there is a legitimate fear of any
> centralized databases since many of the service providers don't want
> to expose their customers to an unknown trust element in the center
> of the network ("Wait! You mean we can't trust AT&T not to give our
> records to the NSA?" <cough>) Legislation _WILL_ happen if nothing
> else is inserted into the vacuum, and it will be far more unpleasant
> than that which is currently proposed. So, what to do?
>
>
> POSSIBLE SOLUTION:
>
> I would suggest an industry-neutral, non-profit entity that provides:
> a) A set of agreed-upon rules for member participants regarding:
> i) Methods of user and E.164 authentication
> ii) Acceptable caller ID/ANI re-write circumstances
> iii) Acceptable CDR formats, user data, and archive guidelines
> for internal use
> iv) Common interface specifications for CDR transmission
> and LEA access
> v) LEA interaction guidelines
> b) A set of penalties for rules transgressions (removal from
> membership?)
> c) A central database that members update with call events
> d) A method to authenticate law enforcement request entities
> e) A method to deliver data to law enforcement upon valid warrant
> presentation
> f) A central focus for technical legislative advisory advice
> ("lobbying")
> g) A central focus for development and implementation funding
> that is tax-sheltered
>
>
> This membership-based organization would serve as a trust broker,
> both from the perspective of providing "legitimate" firms a safe
> haven from further regulatory heavy-handedness, as well as providing
> Law Enforcement Agencies (LEA) with an effective method of pursuing
> warrants for criminal investigations. The members would be able to
> safely transmit call data for LEA use without revealing their
> customer's identities, and the LEA would have a single first point to
> contact if there were calls about which they would like to gather
> more data.
>
> Members would be any firm that re-writes caller ID and inserts that
> into a PSTN or even a VoIP-only network. This can range from VoIP
> providers who create "on-the-fly" caller ID on PSTN calls for users
> with no E.164 address (Skype) to firms which allow users to specify
> their caller ID on outbound VoIP calls.
>
> "What is in the database?" you might ask. The database would contain
> only a minimal amount of data, that which would be necessary to
> determine from what member a particular call originated, but NOT the
> identity of the end call originator. (originating_member,
> destination_number, originating_clid, originating_ani,
> call_start_time, call_end_time to name only the most important
> fields.) Data would be inserted into the database after call
> completion, so this is a "back-end" tracking system and not an
> authentication system of any kind. The data associating a call event
> with an end user would be kept by the member organization which
> created or proxied the call, and would be uncovered by the LEA
> contacting that member directly. However, the central database would
> allow LEA to determine what organization was the correct recipient of
> the next warrant, which I believe is a significant portion of the
> burden during investigation. The LEA could come to the clearinghouse
> and ask "Were there any calls to 1-XXX-XXX-XXXX starting at
> approximately 2006-10-06 22:02 from CLID 1-YYY-YYY-YYYY?" The trust
> broker would then look through the database, and respond with
> something like: "Yes, there was a call matching your request, and for
> further information you should talk to FooTelecom, Inc. since all we
> know is that such a call took place but have no data on the end user
> who made the call." The important thing to note is that this is NO
> MORE DATA than is currently exposed in the PSTN, but it allows
> accountability as to which company made the call. It would seem odd for
> a firm to object to the data requirements unless they were providing
> illegitimate use cases to their customers, but that might become more
> self-evident as time goes on and membership grows.
>
> To speak for my own company: we are happy to comply with any warrant
> presented to us, but at the moment there is no clear way for a LEA to
> know that they should give the warrant to _us_ as opposed to any
> other telephony firm that is interconnected to the PSTN. For every
> company in our position it would be inefficient to set up an LEA
> system, since the LEA would then have to ask every company the same
> question, and the rules and expectations would almost certainly be
> different for each relationship. That clearly would not scale, so
> the concept of a central registry for call events sounds more
> reasonable.
>
> This would obviously not solve the problem completely. There is
> nothing saying that membership would be universal, nor does it say
> that only members can accept calls from other members - that is their
> decision to make independently. I am not a proponent of making such
> an organization legally required. However, it is what I think is a
> good first step that the industry could make towards preventing
> further legislation which may become more technically impossible and
> stifling. Members that do not join may eventually be
> seen as less-legitimate, and it may be the case that they are not
> allowed to interconnect with CLID/ANI capabilities (though this
> certainly remains to be seen.) Just like many ISPs will not peer
> with other ASNs if there is no written policy of ingress filtering,
> it may be the case that membership in this organization becomes the
> "policy" precursor for interconnection.
>
> Anyone wanting further information on this concept should contact me
> off-list. My company is looking to provide basic funding for the
> construction of a non-profit and participation in the database, and
> we will only act if others are willing to minimally invest in the
> experiment. Please forward this message to technical or executive
> staff of firms that you feel have an interest in keeping their "Phone
> 2.0" businesses unregulated in this regard. Additionally, I am
> interested in the LEA perspective here - I haven't contacted anyone
> on this thread yet, and it would be useful to hear about the current
> state of the art and thoughts from law enforcement on the future.
>
> JT
>
>
>
> At 11:08 AM -0400 2006/10/5, Geoff Devine wrote:
>>
>> I see this as a trust federation. Today, you can be fairly confident
>> that a wireline phone connected to the PSTN is not spoofing CallerID.
>> Today, you can be fairly confident that an MSO PacketCable phone
>> connected to the PSTN is not spoofing CallerID. Today, you can be
>> fairly confident that a cellular telephone connected to a cellular
>> provider is not spoofing CallerID. The problem is that there is this
>> new breed of service providers who should not be allowed into the
>> trust federation. You can certainly set up VoIP so it's unlikely that
>> users will spoof CallerID. Issue them something like a GSM SIM chip.
>> Have a contract with them. Use AAA methods that are at least as
>> hardened as what is used today on the cellular network. If a service
>> provider doesn't conform to these requirements, they're not allowed
>> to join the trust federation. If you don't like it, use a SIP URI
>> rather than an E.164 number and live in the mayhem created by the
>> IETF.
>>
>> Geoff
>>
>> -----Original Message-----
>> From: J. Oquendo [mailto:sil at infiltrated.net]
>> Sent: Thursday, October 05, 2006 10:51 AM
>> To: Geoff Devine
>> Cc: voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"
>>
>> Geoff Devine wrote:
>>> So....
>>>
>>> Why would a "truth in Caller ID" law be bad? If you placed the
>>> burden on telephony service providers to prevent spoofed CallerID
>>> and made it a crime for an individual to spoof CallerID, I'd
>>> classify it as sound public policy.
>> It's not that it's a bad idea, it just won't work the way it's
>> pitched. First of all, placing the burden on all telephony providers
>> to support this may work in the country of origin but it won't work
>> in Nigeria.
>>
>>> If it doesn't happen, my telephone is going to start
>>> ringing at 3 AM with spoofed calls from Nigeria claiming to be my
>>> employer or a family member. Unlike Email spam, a telephone call is
>>> a very intrusive thing. There may be an emergency where I absolutely
>>> need to have my phone ring at 3 AM.
>>>
>>> Geoff
>>>
>>>
>> I've yet to see one response as to why this will work with proof of
>> it working. How does the US government intend on having telephony
>> providers outside of the US following suit and conforming to this? So
>> let's make you a provider with this law passed and create the
>> following scenario:
>> <scenario> Yourcompany gets a call from a Nigerian hosted spoofed
>> caller ID site. Yourcompany passes the call. Yourcompany now gets
>> sued for passing that call.</scenario> How much sense does that make
>> to you? Makes little to me. There is NOTHING, absolutely NOTHING the
>> United States is going to do that will completely stop this from
>> happening (spoofing). All that *WILL OCCUR* will be the introduction
>> of frivolous lawsuits to Yourcompany since it did not stop this
>> spoofed call from coming through your network along with you having
>> to conform to this "Truth in Caller ID" policy as well as Yourcompany
>> spending money on "compliant" equipment that you *HOPE* will stop
>> this from happening.
>>
>> So how is it a bad idea? Simple: it may be practical in the United
>> States, but worldwide it means nothing.
>>
>> Mpierce1 at aol.com wrote:
>>
>>> . It can not be, if used as defined in American National Standard
>>> T1.625 and several equivalent ITU-T Recommendations.
>>
>> Note the word "Recommendations"
>>
>>> , the industry finds ways to stop the abuse, so that the telephone
>>> system continues to be a fairly secure, protected way for people to
>>> communicate. The use of CLI for identification is appropriate for
>>> certain purposes.
>>
>> Using CLI for identification purposes is moronic from my view, hence
>> my previous example that I shall re-paste: If I stepped into a bank
>> and asked to make a courtesy call, I can engineer information from
>> someone since (what you call verifiable and ABSOLUTE) CID will show
>> the information from a bank. Takes no technology to pull this off.
>>
>>> It seems that part of the
>>> original comment was based on a belief that there are perfectly
>>> good, legitimate reasons for spoofing CLI.
>>
>> There is no perfectly legitimate reason so this was not a portion of
>> the original post I made. The original point I was making was and
>> will continue to be that this is a moronic law which will 1) cost
>> more carriers money to conform to, 2) not deter someone from spoofing
>> (it may in the US but the US is not the world's government).
>>
>>> And it results in things like the ridicule of a proposed US
>>> law (which began this string) which tries to deal with this emerging
>>> scourge on our communication system.
>>
>> It is ridiculous and imposing nothing more nothing less.
>>
>> So here is your sane response to your comments and something of a
>> reverse role.... China, Korea, Russia and the EU have decided that
>> when calls come into their countries, their caller IDs should NOT
>> pass information. Their governments decided it was intrusive to their
>> people to have information being passed over telephony so they've
>> decided to make a law that states "Should any telco pass any
>> information through telephony, they can be held liable for invasion
>> of privacy. Those not conforming to this standard will be fined". US
>> carriers pass information off to these countries and lawsuits begin.
>> ChinaTelephonyCo is suing USTelcoCom for not following their rules
>> and passing on CID information.
>>
>> Is that fair? This is what you're purporting here in a reverse
>> fashion.
>>
>> US GOVERNMENT: If someone from anywhere passes off *SOMETHING WE
>> DON'T LIKE* they will be held liable for breaking the law.
>>
>> Sounds Dictatorish to me and it won't work. It won't work because
>> there is nothing under the sun at this point in time I can find to
>> cite, quote, ponder on, etc., that proves me wrong other than
>> someone's personal view.
>>
>> --
>> ====================================================
>> J. Oquendo
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>> sil . infiltrated @ net http://www.infiltrated.net
>>
>> The happiness of society is the end of government.
>> John Adams
>>
>>
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
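As an added illustration of the call-event registry John Todd sketches in the quoted post (this is example code written for this page, not code from the post, the ETel article, or any real clearinghouse), the following Python models the proposed split: members push a record with only the six listed fields after a call completes, the registry answers an LEA's "were there calls to X at about time T from CLID Y?" with nothing but the member name(s), and the member alone holds the mapping from that call to its end user. The member names, user identifiers, phone numbers, timestamps, the five-minute search window, and the rule that a member may only report calls it originated are all assumptions constructed for the demo.

```python
"""
Toy model of the "back-end" call-event clearinghouse proposed in the
thread. Added example, not the post's code. Members, users, numbers,
times and the membership rules below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


def normalize_e164(number: str) -> str:
    """Strip separators so '1-555-010-0100' and '+1 555 010 0100' compare equal."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"not a phone number: {number!r}")
    return digits


@dataclass(frozen=True)
class CallEvent:
    """Exactly the data the clearinghouse sees: which member, never which user."""
    originating_member: str
    destination_number: str
    originating_clid: str
    originating_ani: str
    call_start_time: datetime
    call_end_time: datetime


class Clearinghouse:
    """Central registry: records arrive after call completion, queries come
    from an (already authenticated) LEA, and no end-user identity is stored."""

    def __init__(self) -> None:
        self._events = []  # list of CallEvent

    def record(self, event: CallEvent, submitted_by: str) -> None:
        # Assumed membership rule: a member may only report calls it originated.
        if submitted_by != event.originating_member:
            raise PermissionError(f"{submitted_by} cannot report for {event.originating_member}")
        if event.call_end_time < event.call_start_time:
            raise ValueError("call ends before it starts")
        self._events.append(event)

    def event_count(self) -> int:
        return len(self._events)

    def lookup(self, destination_number: str, approx_start: datetime,
               originating_clid: str, tolerance: timedelta = timedelta(minutes=5)) -> list:
        """Answer 'calls to X at about T from CLID Y?' with the member(s) to
        serve next, and nothing else. Tolerance absorbs clock skew (assumed)."""
        dest = normalize_e164(destination_number)
        clid = normalize_e164(originating_clid)
        return sorted({
            e.originating_member for e in self._events
            if e.destination_number == dest
            and e.originating_clid == clid
            and abs(e.call_start_time - approx_start) <= tolerance
        })


class Member:
    """A participating provider. The user<->call mapping stays here."""

    def __init__(self, name: str, clearinghouse: Clearinghouse) -> None:
        self.name = name
        self._clearinghouse = clearinghouse
        self._cdrs = {}  # CallEvent -> internal user id, never leaves the member

    def complete_call(self, user_id: str, clid: str, ani: str, dest: str,
                      start: datetime, end: datetime) -> CallEvent:
        event = CallEvent(self.name, normalize_e164(dest), normalize_e164(clid),
                          normalize_e164(ani), start, end)
        self._cdrs[event] = user_id
        self._clearinghouse.record(event, submitted_by=self.name)
        return event

    def answer_warrant(self, destination_number: str, approx_start: datetime,
                       originating_clid: str, tolerance: timedelta = timedelta(minutes=5)) -> list:
        """Second step: the LEA brings the warrant to the member the registry named."""
        dest = normalize_e164(destination_number)
        clid = normalize_e164(originating_clid)
        return [uid for ev, uid in self._cdrs.items()
                if ev.destination_number == dest and ev.originating_clid == clid
                and abs(ev.call_start_time - approx_start) <= tolerance]


def build_demo():
    """Constructed sample data: two members, two calls to the same number."""
    ch = Clearinghouse()
    foo = Member("FooTelecom, Inc.", ch)
    bar = Member("BarVoIP", ch)
    foo.complete_call("user-42", clid="+1 555 020 0200", ani="1-555-020-0299",
                      dest="1-555-010-0100",
                      start=datetime(2006, 10, 6, 22, 2), end=datetime(2006, 10, 6, 22, 9))
    bar.complete_call("acct-7", clid="1-555-030-0300", ani="1-555-030-0300",
                      dest="1-555-010-0100",
                      start=datetime(2006, 10, 6, 21, 15), end=datetime(2006, 10, 6, 21, 16))
    return ch, foo, bar


if __name__ == "__main__":
    ch, foo, bar = build_demo()
    query = ("1-555-010-0100", datetime(2006, 10, 6, 22, 3), "1-555-020-0200")
    print("clearinghouse says:", ch.lookup(*query))       # ['FooTelecom, Inc.']
    print("FooTelecom says:", foo.answer_warrant(*query))  # ['user-42']
```

The registry's answer is deliberately just a member name, which is the "no more data than the PSTN already exposes" property the post relies on; the CLID and ANI fields are kept separately because a re-writing member may present a CLID that differs from the ANI it was actually assigned, and an investigator may only know one of them.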