Years into the robocalling frenzy, your phone probably still rings off the hook with “important information about your account,” updates from the “Chinese embassy,” and every bogus sweepstakes offer imaginable. That’s despite promises from the telecom industry and the US government that solutions would be coming. Much like the firehose of spam that made email almost unusable in the late 1990s, robocalls have made people in the US wary of picking up their cell phones and landlines. In fact, email spam offers a useful analogy: a scourge that probably can’t be eliminated, but can be effectively managed.
Finding the right tools for that job remains a challenge. The Federal Trade Commission has had a strong track record in its 140 robocall-related suits, including a recent victory at the end of March that targeted four massive operations. Bipartisan anti-robocalling legislation is gaining traction in Congress. Apps that flag or block unwanted calls have matured and are solidly effective. And wireless carriers—in part facing pressure from the Federal Communications Commission—have increasingly offered their own anti-robocalling apps and tools for free.
Yet the number of robocalls continues to hit new highs. The anti-robocalling company YouMail estimates that March 2019 saw 5.23 billion robocalls, the highest volume ever. And other firms recorded similar highs. But those numbers don’t take into account calls that were successfully blocked. A more useful measure might be the number of complaints filed per month to the FCC and FTC, which remained mostly static in 2018 and the beginning of 2019.
“Even though we’re at an all-time high, there’s some good news,” says YouMail CEO Alex Quilici. “The numbers may be creeping up a little bit, but the situation seems to be mostly stable at this point. We have not turned the corner, but maybe the corner is in sight.”
In fact, some consensus has emerged about where that corner is. Industry groups led by the Alliance for Telecommunications Industry Solutions have been working since 2016 on a pair of standards, dubbed “STIR” and “SHAKEN,” that will be used across landline, mobile, and VoIP carriers to cryptographically authenticate the source of calls. Basically, this means that the “spoofed” phone numbers robocallers rely on to ramp up their call volume—also the reason so many robocalls appear to come from your area code—will be easily flagged as untrustworthy.
“If you don’t answer the phone the robocaller has to work harder, so they generate more calls. It’s a death spiral.”
Alex Quilici, YouMail
A spoofed call is really just one that displays inaccurate caller ID information, using one of the numerous web portals and apps that enable obfuscation. VoIP software also allows robocallers to bounce their calls around the telephony network a few times before connecting, making it more difficult for law enforcement and service providers to trace robocalls back to their origins. In addition to authenticating that calls are really coming from the numbers they claim, STIR and SHAKEN will also append an “Origin ID” to every call, making it much easier to track robocalls to the source.
ATIS and the newly formed governing bodies of STIR and SHAKEN are still figuring out what exactly consumers will see on their phones when a number pops up—maybe a green check mark or red alert, depending on the source. They’re also coordinating how to share their findings with third-party robocall-blocking apps. ATIS hopes that STIR and SHAKEN will begin to reach consumers by the end of 2019 or beginning of 2020, but the process of setting up the platform’s cryptographic checks and deploying the protocols across every telephony provider in the US is, as you might guess, complicated.
Still, it’s doable. Comcast and AT&T demonstrated the first cross-carrier call with the authentication check in March, and other carriers like Verizon have announced that they’ll implement the protocols. An FCC official told WIRED, though, that it will take time for the process to trickle down to every small and medium-sized provider. The agency has recently pressured large carriers to make the initial investment. FCC Chairman Ajit Pai specifically threatened “regulatory intervention” in February if carriers don’t adopt STIR and SHAKEN.
Both the private sector and government are also managing expectations about what the protocols will actually achieve. “I think that some people are hoping that, ‘poof,’ robocalls will just be gone, and that’s the wrong mindset,” says Jim McEachern, a senior technology consultant at the communication industry standards body ATIS. “It’s more like email spam. It’s still there, but it’s more manageable now. We have the tools in place that the curve will peak and begin to go down to a manageable level.”
And while STIR and SHAKEN will make it harder for robocallers to rely on spoofed numbers, they’ll still be able to use legitimate phone numbers for their scams. The protocols will also make it easier to track the reputation of a given phone number, but both the FCC and industry developers emphasize that the change will also inevitably spur criminal innovation in robocalling to evade or manipulate the new cryptographic baseline.
This cat and mouse game has been playing out all along. For example, in response to apps and carriers getting better at flagging suspicious calls, robocallers upped their volumes and embraced tricks like same-area code spoofing, and aping real organizations’ phone numbers to make calls look legitimate.
“What I think caused the big jump last year was the fact that a lot of the carriers started labeling suspicious calls,” YouMail’s Quilici says. “If you don’t answer the phone the robocaller has to work harder, so they generate more calls. It’s a death spiral.”
In December, the FCC started a reassigned number database so you’ll get fewer calls meant for the person who owned a number before you.
The FTC offers basic recommendations for consumers looking to protect themselves from the threat of robocall scams. The first is to register for the Do Not Call Registry, which, perhaps surprisingly, still exists and collects data on abusive phone numbers and call content. Adding your number to this list only cuts down on telemarketing calls, not illegal robocalls, but it’s a start. You can report abusive calls you receive to the FTC here. Always hang up immediately if you answer a call that you don’t recognize. And finally, consider a call blocking app, like the popular services RoboKiller and Nomorobo, both of which came out of FTC anti-robocalling incubators. Apps and services from wireless carriers or phone makers like Google can also help.
Though it’s frustrating that existing efforts haven’t made much of a dent in robocalling yet, Ian Barlow, who oversees the FTC’s Do Not Call Registry, says that things would be even more dire without the measures that are already in place. “Like any law enforcement agency we’re never going to stamp out every crime,” he says. “But without that enforcement the problem would be much worse.”
As with email spam, the most important step you can take is staying vigilant.
“There’s no silver bullet. You build tools and protective capabilities and mitigation techniques,” ATIS’s McEachern says. “This is not a problem that you solve.”