•   almost 10 years ago

Sorry, but my solution is vastly superior. Was it not understood?

http://robocall.challenge.gov/submissions/13086-public-key-cryptography-for-the-universal-authentication-of-callers

It should have been realized that the core problem that we are dealing with is one of authentication. The ‘winning solutions’ are doomed to failure because they do almost nothing to address the core problem that caller ID can be effortlessly spoofed.

My solution involves a very unique application of public key infrastructure. I argue that it is by far the most practical, simplest, and most rapidly deployable solution that will ACTUALLY WORK. It requires only a one-time update on behalf of either telephone companies or calling device developers, yet universal deployment is not needed before it starts to work.

A vast number of legal callers will have their calls authenticated after the participation of a small number of companies. In a relatively short time universal authentication of calls will be inevitable as only the one-time participation of a finite number of companies is required.

It has the following properties:
- It will authenticate all calls. Conventional landline phones as well as personal computer based phone calls will be authenticated.
- Legal robocallers will not be blocked.
- Calls that are legally spoofed will not be blocked.
- Legal calls that use caller ID blocking will not be blocked.
- It will be completely invisible to the consumer.

Can anyone point out a flaw in this system? If so, I would like to know it.

  • 5 comments

  •   •   almost 10 years ago

    Michael, since you asked, here are a couple of practical hurdles that I see:

    1) The signaling systems for telephone calls are VERY RIGID and change at a glacial pace. Have you identified how your "Encrypted TC (or Caller) Reputation ID" would be carried through the network? As I understand your scheme, this might be generated in a smart phone, so it would have to be carried in the GSM or CDMA call set-up over the air. For ALL calls (mobile or otherwise), the new data item you have defined would have to then be carried along with the rest of the call set-up message to the destination. This is most often done with Signaling System 7, and the detailed parameters are spelled out in the ISDN User Part (ISUP) of that specification. As the call hops along its way, it may also be interworked to Session Initiation Protocol (SIP). Getting this new data item successfully handed off and carried end-to-end could be quite challenging.

    2) I think getting universal adoption is harder than you imagine. The installed base of telephone company landline switching equipment (Lucent 5ESS, Nortel DMS, Siemens EWSD, and a smattering of others) don't get software feature updates any more; Nortel is out of business. There are thousands of these still in the network. Not all mobile phones are smartphones, and not all smartphones get updates. (My 18-month-old smartphone doesn't get updated by Motorola any more.) I think it will be several years before you'd be able to penetrate a significant majority of these devices, and much longer for a ubiquitous deployment (meaning the non-updated devices/systems go end-of-life).

    One idea (which may already be part of your plan): If a call arrived at the called destination without your new authentication packet, your global database could still be queried with the calling number that was presented, to see if it SHOULD have come with authentication. If not, the call could be further screened. This might limit the need for ubiquity.

    One other thing to consider: Much of the existing telecom infrastructure DOES have screening capability in place for caller-ID (in other words, spoofing can be disabled if this capability is turned on; only truly "trusted" callers can be allowed to spoof). But most carriers choose not to bother with this because of the administrative overhead. It's not clear to me how willing they would be to deploy your solution, even if it were technically feasible.
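
The fallback suggested in this comment (query the database by the presented calling number when no authentication data arrives), sketched as an added Go example that is not part of the thread or of either submission. The `Assertion` token, its binding to both numbers and a timestamp, the `Registry` type, the one-minute freshness window and the outcome names are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Assertion is a hypothetical per-call token: a signature over both numbers and IssuedAt.
type Assertion struct {
	IssuedAt time.Time
	Sig      []byte
}

// Registry stands in for the "global database": enrolled calling number -> carrier key.
type Registry map[string]ed25519.PublicKey

func payload(calling, called string, at time.Time) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", calling, called, at.Unix()))
}

// Screen is the terminating side's decision; a is nil when no token arrived.
func (r Registry) Screen(calling, called string, a *Assertion, now time.Time) string {
	pub, enrolled := r[calling]
	switch {
	case a == nil && !enrolled:
		return "legacy" // origin not upgraded yet: handled as calls are today
	case a == nil:
		return "downgraded" // enrolled number arrived unsigned: screen further
	case !enrolled || now.Sub(a.IssuedAt).Abs() > time.Minute ||
		!ed25519.Verify(pub, payload(calling, called, a.IssuedAt), a.Sig):
		return "invalid" // unknown signer, stale token, or signature not for this call
	}
	return "verified"
}

// Demo screens four constructed calls (fictional 555 numbers, throwaway key).
func Demo() []string {
	pub, priv, _ := ed25519.GenerateKey(nil)
	reg, now := Registry{"+15550100": pub}, time.Now()
	// Originating side: an enrolled carrier signs the call it is placing.
	a := &Assertion{now, ed25519.Sign(priv, payload("+15550100", "+15550199", now))}
	return []string{reg.Screen("+15550100", "+15550199", a, now), // signed, enrolled
		reg.Screen("+15550100", "+15550199", nil, now), // enrolled, no token
		reg.Screen("+15550142", "+15550199", nil, now), // not enrolled
		reg.Screen("+15550100", "+15550177", a, now)}   // token reused on another call
}

func main() { fmt.Println(Demo()) }
```

Only the "downgraded" branch depends on the registry lookup for unsigned calls; without it, an unsigned call presenting an enrolled number would be indistinguishable from a legacy one.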

  •   •   almost 10 years ago

    Older systems that are unable to receive the encrypted data during the set-up phase can simply receive this information after the set-up; all that matters is that, from the caller and recipient perspective, this process remains invisible.

    During the set-up phase a code will be transmitted that will effectively mean "this is an authenticated call". Now similar to how a voicemail system works the call will be instantly answered by a computer – now the encrypted data will be transmitted just like a phone modem. If the call checks out the receiver's phone will ring. The calling parties will be oblivious to this process.

    Even the simplest of telephone systems need do nothing more than be able to forward the call (a property of the 'winning' systems) to a computer that is capable of processing this encrypted data. Legal calls are then forwarded back to the recipient's phone.

    Near universal authentication should happen relatively quickly, I'll guess within five years.

    The alternative is to do nothing.

  •   •   almost 10 years ago

    I neglected to address some of your other concerns in my haste to answer the initial technical concern you had.

    The reason why I make specific reference to smartphones has nothing to do with most of the calls that are made via these phones, as most calls are just standard cell phone calls. An update by the cellular service provider will make all cellular calls compliant with my proposal.
    I mention smart phones as a few people use VoIP apps such as Skype or Google Voice to make calls. My system allows for redundant levels of authentication. An update by the VoIP provider will suffice in most cases. Skype can issue the user a Reputation ID for use. Skype will inform the Global Database what the 'cost' of this Reputation ID was for the user.

    In time I do want to see a one-time update to Android, iOS, and other smartphone systems that will allow all VoIP apps to use a Reputation ID that will serve as proof that the caller purchased a smartphone. So you haven't had a smartphone update in 18 months? I would guess that within 2 years of a smartphone OS developer's update >50% of users will have this update, and that penetration will be even higher among those that actually make VoIP calls from their smartphones. Ubiquitous deployment will be inevitable, but my system doesn't require ubiquitous deployment; it merely becomes more effective the more it is deployed.

    True, telephone companies have not fully instituted available technologies to verify caller ID. Part of the issue is that these existing technologies do not offer a comprehensive solution to the problem (my proposal goes way beyond just verifying a caller ID), so the incentive to deploy them is reduced. Another issue is that, as robocalls don't directly cut into their profits, they have little incentive to spend anything to upgrade. My proposal is comprehensive and relatively inexpensive to institute. Once the system is up and running the FCC may be needed to 'encourage' straggling phone companies to implement it.

    I went through lengths to design a system that would not require the active participation of the common user, it merely requires a small amount of cooperation by a finite number of companies. The 'winning' proposals (to my understanding) require tens of millions of users to actively participate – an unreasonable and impossible amount of effort for systems that won't work even if implemented.

    Again, are there any technical reasons why my system will not work or will not be practical? Is it better to just do nothing (the winning proposals are pretty close to nothing)? Is there a better way?

  •   •   almost 10 years ago

    First, I agree with you 100% that suggesting tens (or hundreds) of millions of consumers take individual action to address this problem is nonsense; we need a "system level" solution.

    You ask, again, "are there any technical reasons why my system will not work or will not be practical?" I offer the following (some of this is repetition but I don't believe you addressed it earlier).

    Let's forget smart-phones and VoIP and just talk about "regular" phones (mobile and fixed) for the moment.

    1) I mentioned earlier that the signaling system that carries call set-up information from the call origin to the destination has very rigid fields. There is no place to store your Reputation ID. There is no facility in the existing end-offices to send or receive data "in-band" (like your modem suggestion). To move further, you will need to be VERY PRECISE about EXACTLY how this data is supposed to get from one end to the other given the current infrastructure.

    2) The "switches" (also called "end offices") through which these phones connect to the network are made by a number of different manufacturers (some now out of business). It is no small matter to add features (or even fix bugs) in the millions of lines of code that run them. You say "an update by the cellular service provider will make all cellular calls compliant." Have you explored exactly what that "update" will entail? Somebody will have to write detailed specs; the switch manufacturers will make bids or other offers to do the work; carriers will have to roll it out to thousands of individual switches. The network for managing your Reputation IDs is also going to have to be specified and implemented. Given the high availability and redundancy requirements of the PSTN, it seems that everything in this domain costs 10 - 100X what it might cost under "normal" circumstances.

    3) You commented in your first response that "even the simplest of telephone systems need do nothing more than forward the call (a property of the 'winning' systems) to a computer ...[and] then forwarded back to the recipient's phone." This is, in fact, a fatal flaw in these proposals. The bulk of existing telephone systems (landline, mobile) ARE NOT currently capable of this. There is no universally available "star code" that does this. If you actually try to set up a "conventional" telephone line to do this (where you have calls come in, get diverted to an alternate destination, and then come back to the original called number and actually ring the phone) you will find that you cannot do it and successfully preserve other features that end-users demand (like voice-mail, caller-ID, call-waiting, and the like). You will also find that you cannot send calls directly to voice-mail under program control, and that you cannot properly interoperate with home answering machines.

    Those are a few examples of issues with any solution that depends on new functionality at the receiving end of the call (let alone with new functionality at the ORIGINATING end as well, which your solution requires).

    The devil is in the details. Anyone actually implementing a solution is going to need to go through these and other points in excruciating detail to try to get all the pieces to fit; sweeping generalizations do not a working solution make. Intimate knowledge of how the existing systems function will be required. Bear in mind that the PSTN is not homogeneous; there are many different variations of equipment and architectures and release levels that all must be accommodated.

    Is there a better way? Of course I think something along the lines that I suggested in my challenge submission would be practical and cost-effective, but I'm sure others can find fault with it too. My scheme does not require any changes to the existing call signaling or processing that goes on today; calls proceed as they currently do. But I use complaint data, plus the call signaling data already captured by carriers as the calls move through their networks, to find the source of robocalls within a short time of them being reported. This way, all of the energy is focused on the offending calls. Perpetrators can be quickly identified and shut down at the point where they enter the network. This DOES require the cooperation of the network operators, but it is a much smaller investment than the alternatives I've seen.

  •   •   almost 10 years ago

    My system is essentially a digital signature based system, except I do not use this term as the encrypted data does not contain a message hash. Digital signatures are path independent as they maintain their integrity regardless of the path it takes to get from point A to point B. It doesn't matter if it travels over PSTN, and PSTN will not require any upgrade to handle my system.

    The encrypted data for my system can be transmitted either during the call set-up (as is currently feasible for VoIP companies) or it can be transmitted after the call is established (as with POTS over PSTN).

    I am aware that there are many antiquated phone systems in use that cannot currently receive and handle this data. Each phone company, whether initiating or receiving the phone call, will need a computer with appropriate software and an internet connection to handle each call. No aspect of the phone network between a call's originating point and the call's receiving point will need to be upgraded.

    My system will not require any hardware additions that would not be required by a conventional public key infrastructure system to verify caller ID, even though my system is far more comprehensive.

    Robocalls are becoming more intolerable and prevalent with each passing moment. It is an act of denial to think that this problem can be controlled without phone companies upgrading their equipment to allow for rudimentary processing of their calls via a computer. No existing filtering solution is likely to be significantly more successful than the Google Voice filters, and Google Voice is likely only able to achieve its current success rate (intercepting half of robocalls??) because relatively few people use it and robocallers are not highly motivated to subvert the filters.

    Again, my proposal is not the quickest/easiest/most inexpensive proposal in existence, it is merely the quickest/easiest/most inexpensive proposal in existence that will work. And once again it does not require universal uptake from day one as it will become more effective as it becomes more prevalent. One aspect – your phone number can never be spoofed once your phone company implements this system (there is some nuance to this that I won't get into now). Every current proposal or proposed filtering system will become more effective as this system becomes more prevalent.

    The federal government needs to pressure telephone companies into doing some basic upgrades instead of accepting the de facto telephone company response of "This problem isn't affecting our profits so we're not compelled to spend a penny solving it."
