ITU Workshop on “Caller ID Spoofing” (Geneva, Switzerland, 2 June 2014) Experience of an inbound telephony provider Anne-Valérie Heuschen, Head of legal & regulatory affairs, Voxbone, Belgium aheuschen@voxbone.com Geneva, Switzerland, 2 June 2014 Agenda Voxbone Meaning of Caller ID/ CLI Examples of Caller ID/ CLI regulations Caller ID/ CLI spoofing Caller ID/ CLI spoofing from an operator perspective (I and II) Conclusion Geneva, Switzerland, 2 June 2014 2 Voxbone Company Founded in 2005 Offices in Brussels (HQ), San Francisco and Los Angeles Global IP backbone carrying 2 Gbps of voice traffic with 5 SuperPOPs Business and services Services in 50+ countries, inbound exclusively VoxDID : Voice inbound services through local or national phone numbers in 50+ countries covered (4000+ area codes) Vox800: Voice inbound services through toll free or free phone numbers in 25+ countries covered Geneva, Switzerland, 2 June 2014 3 Meaning of Caller ID/ CLI Caller ID = Caller Identification refers to E164 number and/or name calling CLI = Calling Line Identification refers to the E164 number calling At network level, if CLI is provided by origination network (in SIP, under a “Passerted identity”), it will be forwarded until termination network (presence in the CDRs) Geneva, Switzerland, 2 June 2014 4 Examples of Caller ID/ CLI regulations US Truth in Caller ID Act protects the privacy of the person calling by requiring telephone companies to make available free, simple and uniform per-line blocking and unblocking procedures. EU Directive 2002/58/EC, article 8: CLIP= Calling Line Identification Presentation CLIR= Calling Line Identification Restriction Intl: Privacy right is a human right as approved in “The right to privacy in the digital age” by the UN General Assembly, 20 November 2013. => At network level CLI is forwarded (in SIP “P-asserted identity” header) but CLIP/CLIR is an end user privacy right (in SIP “privacy” header) Geneva, Switzerland, 2 June 2014 5 Caller ID/ CLI spoofing To spoof = to deceive, to abuse, to fool Malicious intent is key: Not financial in the telecommunication sense (except in cases of premium rates numbers) Scam/ Identity theft, harassing calls CLIP/CLIR protects the privacy of one individual and CLIR should not be considered as spoofing by definition Spoofing= CLI transformation with malicious intent; flexibility of CLI transformation is and should not be considered as spoofing, as long as it is not in a wilful or illegal mean. Prohibition of caller ID/ CLI spoofing for the purposes of defrauding or otherwise causing harm (e.g. US Truth in Caller ID Act ). Geneva, Switzerland, 2 June 2014 6 Caller ID/ CLI spoofing from an operator perspective (I) Spoofing is detrimental for the reputation of an entire industry Spoofing already existed in a non-IP world CLI is generally received by the terminating network but no mean of ensuring the authentication of the CLI Geneva, Switzerland, 2 June 2014 7 Caller ID/ CLI spoofing from an operator perspective (II) Prevention: Authentication of CLI (i.e. calling party has an authorization to use the number) at origination is crucial; if CLI has not been authenticate by originating network, no call origination should be allowed, or only with the “primary” authenticated CLI on file Already a best industry practice at administrative level IETF/ STIR committee work at technical level Sanction: LEAs have in practice tremendous difficulties to find the offender(s) due to 1) misunderstanding of the principles and 2) international nature of offenses Geneva, Switzerland, 2 June 2014 8 Conclusion Technical standards : IETF/ STIR committee work Regulations: spoofing prohibition (transformation of CLI with wilful intent) Foster international cooperation Practical level: training of national LEAs to have an understanding of spoofing Geneva, Switzerland, 2 June 2014 9