In one of its many attempts to curb robocalls, the Federal Communications Commission said it is making it harder for Voice over Internet Protocol (VoIP) providers to obtain direct access to US telephone numbers.

Robocallers make heavy use of VoIP providers to bombard US residents with junk calls, often from spoofed phone numbers. Under the rules in place for most of the past decade, VoIP providers could easily gain access to US phone numbers.

“This VoIP technology can allow bad actors to make spoofed robocalls with minimal technical experience and cost,” the FCC said.

But under rules adopted by the FCC yesterday, VoIP providers will face some extra hurdles. They will have to “make robocall-related certifications to help ensure compliance with the Commission’s rules targeting illegal robocalls,” and “disclose and keep current information about their ownership, including foreign ownership, to mitigate the risk of providing bad actors abroad with access to US numbering resources,” the FCC said.

The FCC order will take effect 30 days after it’s published in the Federal Register. A public draft of the order was released ahead of the FCC meeting.

Current system provides easy access

“It was eight years ago that this agency decided to allow interconnected VoIP providers to obtain telephone numbers directly from our numbering administrator. Before that, they could only get numbers by making a request through a traditional carrier,” FCC Chairwoman Jessica Rosenworcel said in a statement for yesterday’s commission meeting.

Simplifying the system had benefits but also unintended consequences, Rosenworcel said:

Too often the providers picking up these numbers en masse are the same folks using VoIP technology to facilitate robocalls. So in the interest of curbing these bad actors, we are adopting new guardrails. We are putting conditions on direct access to numbering resources to make sure we do not hand out numbers to perpetrators of illegal robocalls. This will safeguard our numbering resources, make life harder for those who want to send us junk calls and a little easier for all of us who don’t like getting them.

The current rules that will be replaced “do not require interconnected VoIP providers to disclose any information about their ownership or affiliation, nor do they specify a process to evaluate applications with substantial foreign ownership,” the FCC said. The new ownership disclosure rule “will assist Bureau staff in their existing practice of identifying applications that require further review to determine whether the direct access applicant’s ownership, control, or affiliation raises national security and/or law enforcement concerns,” according to the order.

The FCC said applicants must also certify to their compliance with other rules applicable to interconnected VoIP providers and “comply with state laws and registration requirements that are applicable to businesses in each state in which numbers are requested.”

While the rule change applies to new applicants seeking direct access to numbering resources, the FCC is also taking public comment on a proposal that would “requir[e] existing direct access authorization holders whose authorizations predate the new application requirements to submit the new certifications, acknowledgments, and disclosure.” The FCC adopted yesterday’s order unanimously, saying that it is consistent with requirements in the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence) adopted by Congress in 2019.

Bad actors “set up shop under a new name”

Yesterday’s order came two days after the FCC took action against a gateway phone company accused of routing many illegal robocalls from outside the US to consumer phone companies like Verizon. The company, One Owl Telecom, is on the verge of having all its calls blocked by US-based telcos after being accused of ignoring orders to investigate and block the robocalls.

One Owl’s operators were connected with two previous companies that were punished by the FCC for similar offenses. The case illustrates challenges faced by the FCC when enforcing robocall rules against companies with foreign operators and opaque structures. Describing One Owl, the FCC said the company’s efforts “to operate under the cloak of ever-changing corporate formations to serve the same dubious clientele demonstrate willful attempts to circumvent the law to originate and carry illegal traffic.”

“Right now, it is very easy for bad actors who get caught facilitating illegal robocalls to set up shop under a new name and carry on with business as usual, and these rules will make it harder to do that,” Nicholas Garcia, policy counsel for consumer-advocacy group Public Knowledge, told Ars.

Garcia noted that “false or fraudulent registration and compliance reports would be an obvious way for the most dedicated bad actors to circumvent these new rules. But that itself may provide new avenues for enforcement, and more requirements and friction raise the cost and risks” for VoIP operators that don’t follow the rules.

  • zeppo@lemmy.world
    link
    fedilink
    English
    arrow-up
    61
    ·
    1 year ago

    The way they can spoof originating numbers is absurd. The phone system needs to fix that somehow.

    • tony@lemmy.hoyle.me.uk
      link
      fedilink
      English
      arrow-up
      20
      arrow-down
      1
      ·
      1 year ago

      In many countries it’s not lawful to spoof a number you don’t own, and VOIP providers simply won’t let you do it (without sufficient proof of ownership, and a lot of the smaller ones just block such things completely). The phone system is fine and contains to tools to stop this, it’s the laws that need fixing.

      You could always spoof numbers even back in the analogue days through a primary rate interface but they’re expensive and becoming less common… and again illegal to do in many cases.

      Of course some random provider in the back of nowhere can still do that kind of thing and you can’t really stop it, except for preventing numbers coming from overseas that don’t have the right country code (I think this is done in many places now… it used to be I’d get overseas spam calls that looked local but haven’t seen any for a while).

      • zeppo@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        ·
        edit-2
        1 year ago

        The problem is the people doing this maliciously are already breaking several laws and scamming people, and certainly don’t care whether it’s legal or not. They’re also outside of the US.

        For instance an ex-girlfriend answered a phone one day that was from a bank number, Chase, which was saved in her Contacts, so she assumed it was really them. They told her some stupid story about a fradulent Zelle payment not going through and she swears she signed in to her bank and saw a $5000 payment there declined that then, she says, disappeared from the list. Then they told her she had to send money to a special service number so they could ‘backtrace’ the fraudulent payment. So she did (she was also credulous/dense/gullible I guess). Obviously, this was bullshit. it was especially annoying because I walked over a couple of times and asked her “wtf are you doing? Who is that?” and she just waved me away and ignored me. She ended up losing $600. So anyway, the main thing that gave them credibility to her was calling from the Chase number.

      • xthexder@l.sw0.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        It should be technically impossible, not just illegal. Scamming people is illegal too but it happens all the time.

        We have the technology to stop it, just like I can’t spoof google.com or one of their IP addresses.

    • SmashingSquid@notyour.rodeo
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      There’s already callerid authentication (stir/shaken). The problem is these companies were easily getting real numbers assigned instead of just spoofing so they were verified. This change makes it harder for them to get numbers assigned because when their traffic gets blocked right now they just pop up under a new name and get more numbers.

      If they can stop these companies from getting numbers they can hopefully start blocking unverified numbers. Unfortunately I get calls from drs still that aren’t verified despite it being a requirement to support it now.

    • ciferecaNinjo@fedia.io
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      I would hope it can be done without collateral damage. I spoof my own number (in fact as a self-defense maneuver) and wouldn’t want to lose that option. I subscribe to a voicemail-only number which I give to countless untrusted entities (e.g. banks). Then to make outbound calls to businesses, I use a numberless voip line that spoofs the voicemail number.

      • zeppo@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Yeah, I’m sure there are legitimate uses. Another would be a call center that wants to show the main customer service number rather than the phone of the specific person speaking.

      • Overzeetop@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        I currently have (almost) only VoIP numbers. My cell phone technically has a carrier number, but only my immediate family and two friends (8 people in total) actually have that number for my contact, and I keep it that way for safety/security purposes. As a result, I already can’t do things like try ChatGPT, use the some vendor apps, or get quasi-2 factor codes from several businesses - including the IRS. Their systems simply can’t interact across a VoIP gateway. There really should be a certificate authority for these things, but the POTS system is just so fucking old.

        • GregoryTheGreat@programming.dev
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          What? Many home lines are VoIP and can use services just fine. Are you talking about SMS based 2FA? That should work unless your carrier is broken. I have 2FA on my VoIP lines no problem.

          • Overzeetop@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            SMS and (at least for craigslist) voice 2FA doesn’t work with VoIP (Google Voice numbers, including numbers ported from mobile operators). IRS 2FA via SMS definitely doesn’t work, nor does Dunkin Donuts (which invalidates use of their entire app on all mobile platforms). Some services offer voice 2FA which will go through, and some offer email, but many don’t. Of course the vast majority of 2FA over SMS work with the major VoIP providers, but if you hit one where it doesn’t…there’s either no way around it or you have to wait for a snailmail 2FA token (IRS).