
Kelley Robinson - What if we had TLS for Phone Numbers

BSides Philly · 2020
Speaker: Kelley Robinson
Duration: 31:28
Published: 2020-12
Category: Technical
Style: Talk
About this talk
What if we had TLS for Phone Numbers? An introduction to SHAKEN/STIR

If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem. This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well-accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry-wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Transcript [en]

If you are anything like me, your missed calls list is going to look a lot like this. This is actually a screenshot I took from earlier today. I think there was a point at some time in 2020 where all of the robocallers just decided that they weren't going to do the robocalling anymore and we thought we might have been rid of them, but then in the last couple of months it picked up again. And so we know that this is a problem. I know I'm not unique in this problem. The average person gets about 14 unwanted calls every month. I think I'm averaging more than that. I got, what, at least three today. You might notice that some of these are flagged as a spam risk, and that's somewhat useful, right? But what if we could actually do the opposite of saying this might be bad, and say this might actually be a good call? What if we could start to verify callers? We already do this with websites. We already do this with emails. Why can't we do this with phone numbers? And the short answer is that we can. And that's what I'm going to be talking about today: this TLS-like technology that's been developed to solve the call authentication problem. It's called SHAKEN/STIR, and we'll be diving into the history of why this is a problem, some definitions and technical jargon related to the spec, and how the US specifically is going to enforce implementation of this.

Unfortunately, a lot of the technology and the regulation around this are specific to the US and somewhat Canada right now. So if you are watching this video at any point outside of the US, there's going to be a lot of different things that are happening internationally. But that's one of the things that we're going to get into, what the limitations of this technology are.

So that's me, I'm Kelley Robinson. I've been working at Twilio for a little over three years now. Twilio, if you're familiar, is a company that does a lot of things with phone numbers. We've expanded beyond that a lot in the last few years. I specifically support Twilio's account security products for things like phone verification and phone intelligence, also email verification, anything around the account security user journey. The team has evolved a lot since we acquired Authy five years ago, and Authy is our free consumer app for two-factor authentication. And one of the things that I got interested in, kind of outside of the work that my team is doing on the user verification side of things, is how that intersects with the phone security, the telephony security side of things. So there's an entire different team at Twilio that's actually working on this and I'm not on that team. This was more just a personal interest of mine because of this intersection of telephony and security that I'm doing in the rest of my job. So I'm gonna be spending some time incorporating things that I've learned from my own research and talking to some of the people in the industry that are implementing some of these call authentication solutions around SHAKEN and STIR.

But we're gonna start with a little bit of history. Like all things, history helps inform and explain the system and how we kind of got to where we are today. First, and you know, start with a couple of fun facts: things used to be a lot different. So Alexander Graham Bell, of course, widely credited with inventing the telephone, he actually thought that "ahoy" should be the standard greeting when you answer the telephone. So this is both to illustrate that things used to be a lot different in the history of telephony, but also that we have Thomas Edison to blame for changing the very cool greeting of "ahoy" to the word "hello," which wasn't even really a popular word until the 1800s. Thomas Edison decided that's how we should answer the phone. So you have him to blame for that. I personally think we should all go back to using "ahoy" and really honor Alexander Graham Bell. Maybe try that the next time that you answer the phone, see what people say.

But neither Bell nor Edison was really thinking about security when they were debating telephone greetings. And when telephony was started over 100 years ago, there was this monopoly of companies. And even as recently as 30 years ago, the network basically looked like this. It was private, it was closed, there was a lot of proprietary technology, and there were just a few companies and they all knew each other and they all trusted each other. And so there wasn't really that need for any kind of systemic security within the telephone network. And if you compare that to today, now there's thousands of companies, the telephony network is relatively easy to access, and there's a lot of standard technology built on top of IP. And there's so many paths that a call could take to get from a business to a customer, from a customer to a customer. I like to think of it as kind of the difference between what we used to use to deploy websites. You used to have to have your own server, have to have your own hardware. And now you have things like AWS, even Netlify, all these services; it makes it really easy to get your website up on the World Wide Web. The same thing is kind of true for the telephone network today. It's just a lot easier to connect a call into it. And so before we go on, I have to give a little bit more context on some of the telephony jargon.

Starting with the PSTN, so this is the public switched telephone network. This is a set of analog and digital systems, things like cellular networks, undersea fiber optic cables, copper telephone lines. This is everything that allows people across the globe to complete voice calls. Next we have, of course, VoIP. This one you might be more familiar with, Voice over Internet Protocol. This is what a lot of mobile infrastructure and businesses are actually using today. And then the last one that I wanted to introduce is SIP. And so this is a way to initiate IP-based phone calls and other communications. It doesn't necessarily have to be a phone call. I think of it as kind of like an HTTP request for phone calls. It contains metadata and instructions about where the call is coming from, who the call is going to, that kind of stuff. And this is important to mention because SHAKEN and STIR, the meat of what we're going to get into, will only apply to SIP-initiated calls.

So let's talk about the problem here, right? I specifically frame this as unwanted robocalls because not all robocalls are bad. So we can think about things like prescription pickup notifications, your food delivery service person, things like school snow day notifications. But as we know, most of the robocalls that we get aren't that; they're spam calls, and that's bad and we don't want them, and that's why this is a problem. And the reason that this has gotten super common in the last five to 10 years is a few things. There's a few reasons behind this. And first is that there's cheap dialers now. So if you were trying to scam people 10, 15 years ago, it might not have made as much financial sense. All of a sudden things got cheap enough that the ROI of these things is starting to look a lot more favorable. You could actually make money off of this process. Second reason, there's over 4,000 service providers in the US alone, and that makes it both really easy and gives you more options to access the network. And so you're gonna have an easier time, again, going on with your scam. And the third reason for this is that there isn't a standardized validation or authentication on the from number. So you can place a call and spoof the from number to say that you are whoever you want to say you are. You could say that you are calling from a government agency. You could say that you're calling from the number 867-5309. This is an app that I downloaded on iOS that allows you to spoof numbers for free without knowing anything about how SIP works. And you're just gonna have to believe me that this is a call that I was able to place for myself, because this is a solution that is available and out there and that people are using to scam people with these spoofed phone numbers.

So you might be asking, like, why isn't this just illegal, right? And the main reason is that there are companies out there and there are still some legitimate use cases for spoofing phone numbers. So nowadays companies like Uber or DoorDash, or like a political campaign that would be calling you on behalf of the candidate that they're supporting, they're doing that by proxying the phone calls through a third number. But in the before times, you also had enterprise systems, private branch exchanges, PBX, you might have heard them called. And what you have with those is that you might be placing a call from an individual agent's phone number. So a call center agent is trying to call a customer. They don't want their line or their specific extension showing up on the caller ID. Instead, what they want to have show up there is the toll-free callback number for the company. Same thing, another example with a doctor's office: doctors calling from their personal, or work-but-personal, line at the office. They don't want that to show up. They want to have the office phone number show up so that if the person needs to call back, they can get connected to the front desk or whoever needs to help them out whenever somebody is available. And the problem with this is that these systems are still in place. A lot of these systems still exist. And so we can't just outlaw this practice completely. In fact, the New York Times spoofed their from number until 2011. And that was to help protect their journalists and help protect the people that were calling sources. And this is just to show you that this is recent history. And while the New York Times might have changed this, there's still a lot of companies out there that haven't made the switch over from one of these PBX spoofing systems to something that's more of a proxy phone call system.

And we did introduce legislation to address this problem. We did say that even if there are legitimate use cases for spoofing numbers, in 2009 the Truth in Caller ID Act said spoofing is illegal if there's the intent to defraud, cause harm, or wrongly obtain anything of value. But like I said, we can't completely ban spoofing because of the legitimate ways that businesses are still using it. So the legislation only addressed the use cases of the fraud angle of these things. But that was 11 years ago, and this is still a huge problem, right? And most of the reason for this is because the Truth in Caller ID Act is basically impossible to enforce. And the reason for that is that there's a lot of these network hops, right? You remember the slide about how the telephony network looks today. be you know bouncing through five or ten service providers before you actually know who initiated the call, and then they can tell you about the caller if they have tracing on their end. And because of that, tracking down a spammer takes time and effort and therefore money, and so not everybody is going to make the investment to try to track down all these spammers unless it's a huge coordinated effort.

And that brings us to the solution. So you might've been wondering, like, what is the SHAKEN/STIR that she's been talking about? Well, it's one of the most egregious of backronym crimes. So SHAKEN is Signature-based Handling of Asserted information using toKENs. STIR I think came first, and that's Secure Telephony Identity Revisited. Of course it does get worse. There's a proposal for LEMON TWIST, which is leveraging, no, we're not even gonna talk about that. But basically, SHAKEN and STIR, as the FCC describes it: calls would have their caller ID signed as legitimate by the originating carriers and then validated by the other carriers before it actually reaches a consumer. So the idea here is that instead of saying this might be spam, we're going to say, nope, this one's legit. And it does so in a way that leverages existing web authentication standards. We're not reinventing the wheel here. It's using public key infrastructure, it's using certificates, it's using JSON Web Tokens. And it's really similar to email's DKIM/DMARC, if you are at all familiar with how email has done the from authentication on their side. So there was a lot of coordination between the standards bodies that had authored DKIM and DMARC and the people that were authoring

So let's take a look at how this process works. This is a simplified view of the end-to-end system. Starting kind of on the left side of the screen, the signing service is going to include the PKI key management, and the originating service provider will have to do that key management. And so then calls are routed in a few ways. There may or may not be multiple service providers in the route. If there are service providers in the middle, they're gonna pass it through to the end. And how that works is there is something called the LNP, or local number portability. And that acts kind of like a DNS lookup to look up phone numbers and route calls to the right service provider. That's usually done using something called least cost routing. It gets into a lot of the telephony stuff of how calls are actually routed to the end user. There's interexchange carriers, lots of interesting stuff there if you are either familiar with telephony or want to dig in more; just that process is really interesting in and of itself. But the important thing for SHAKEN and STIR is that most of the onus here is going to be on the originating provider and the terminating provider, and everything in the middle is just going to be passed through. And so the certificate authorities that are being called to by the terminating service provider, those are being chosen by a standards body called ATIS. So that's the Alliance for Telecommunications Industry, I'll just throw all the acronyms at you in this talk. So that's the standards body that authored the SHAKEN spec. Some of the certificate authorities that have already been chosen are people like Neustar and TransNexus. I think there are a couple other ones that might not have been publicly announced yet. These are very similar to the certificate authorities that administer TLS certificates, so people like Let's Encrypt. So you can think of it kind of like that. And then finally, when a call reaches the terminating service provider, and this is one of the interesting things about how this is going to work, it's up to the actual client, and so that would be somebody like Apple or Google, to display how or if the calls are trusted. And so some of the ways that people are talking about doing this is with check marks, saying things like "verified caller," using locks like we do in the URL bar for things like TLS. And so similar to how browsers have the ability to tell whether or not a website is trusted, the client that the person is receiving the call on is going to have that same power to display whether or not the call is trusted in the method of their choice. So there's a good chance that we will see that evolve at some point, because that's not part of the standard. That is just something that we're expecting the clients to do.

So let's take a look at the SIP Identity header. As a reminder, SIP is a way of originating VoIP calls in the telephony network. And so this is what the SIP header looks like currently. You can see some of the metadata included there. Note the from number. And like I mentioned before, the problem here is that this from number can be spoofed if the originating service provider allows it or isn't doing validation. So some service providers are doing that validation. Twilio does a lot of validation to make sure our customers are only using phone numbers that they're allowed to use. But not every service provider does this. And this is why some of these robocalls keep happening and spoofed numbers keep happening. And what SHAKEN does is it introduces this new Identity header. This is in the form of a base64-encoded JSON Web Token. And we're gonna walk through some of the information that's encoded in this header. And so this header is going to include information like the certificate that the originating service provider is using, but also the attestation level. We'll talk more about this on the next slide, but this is basically saying whether or not we trust this caller. It's going to include more information about who the call is going to, who placed the call. And then one of the really interesting things that this includes is the origid. And this is information about the service provider's underlying customer. You're Comcast or Verizon or Twilio, and you are placing the call on behalf of one of your customers, that origid is going to point back to whoever that customer is. It's set by the originating service provider. They're putting their neck on the line here. And in combination with the token signing URL, the origid makes it near instant to identify the bad actors. And that's what's going to make it possible to enforce the Truth in Caller ID Act. And so one of the big things that SHAKEN does is, in addition to saying, hey, I'm going to sign legitimate calls as legitimate, if a service provider does sign a call, gets it wrong and receives complaints about that call, it makes it really easy to trace back the bad actors, which is a big part of what we're missing right now.

And so let's talk a little bit more about the attestation levels. So there's three attestation levels. And again, the originating service provider is going to be putting their reputation on the line by saying, I think my customer is trusted at one of these three levels. And so a SHAKEN-signed call is far less likely to be fraudulent, even if it's a C-level call, than one that's not signed at all. But pretty much from what I can tell in the industry, we're only going to be seeing those, like whatever the client decides to show, like a check mark, "verified call" or something like that, for A-level attestation. That's the highest level of attestation that basically says, I know who this customer is, and I know the number that they're calling from, and I know that customer has access to be using that phone number. And so most of the clients will probably only be giving a check mark to calls that are signed with an A-level attestation. That could change, but that's one of the interesting things that we'll have to see how this develops, because this is all still pretty new. And while people are starting to roll this out, you might even notice in your call logs some check marks next to phone numbers or phone calls that you've received in the last few months. This isn't as widespread yet as we'd like to see in the next year or so.

And that kind of brings us nicely to how this is going to be enforced. New technology is great, but we need to make sure people are actually implementing it. And the main way that we're going to ensure that is through the TRACED Act, again, another fun acronym, the Telephone Robocall Abuse Criminal Enforcement Deterrence Act. So this was passed by the Senate in May of 2019. So this has been in the works for a while; of course, the bill was written long before that, but it was signed into law at the very end of 2019. And so it's basically been about 11 months that this has been in place, been law, and some of the major things the TRACED Act says is that we can allow up to a $10,000 fine for offenders. And it basically gives telecom companies a deadline to implement STIR/SHAKEN for SIP-initiated calls. But the authentication requirements there do depend on the type of call. So one of the problems with this is that they acknowledge that there isn't necessarily a good solution for non-VoIP calls yet. And so Neustar has a solution out there that they call STIR out-of-band for non-VoIP authentication. But they basically just said, if you're making calls that aren't VoIP calls, reasonable measures to authenticate that those are coming from who they say they are is what you need to do. And so I don't exactly know what those reasonable measures are yet. I don't know if they know that yet. So we'll see how that ends up getting enforced.

And so that also brings us nicely into some of the limitations of SHAKEN and STIR, some of the limitations of the TRACED Act, and why this isn't necessarily going to be a perfect solution. So I like this quote from my coworker Randy, who's been working in telecom for a while, which basically is that the phone network is an ungodly beast. And one of the reasons that Randy says this, and one of the reasons that is actually called out in the TRACED Act itself, is that there is this thing called time-division multiplexing, frequently called TDM. And this is essentially the opposite of VoIP. It's old-school hardware that's been around for 50 years. It's baked into a lot of enterprise private networks. And the bill itself acknowledges the burdens or barriers to implementation, including providers of voice service to the extent the networks of such providers use time-division multiplexing. This is specifically called out in the bill as a potential issue to rolling out SHAKEN and STIR. And so this is something that, because it's hardware, isn't going to disappear overnight. And so we have to acknowledge that this is going to stay around and maybe find a solution for authenticating calls that use this type of technology. Another thing that we have to think about is just the fact that there are a lot of service providers, and you need to think about the investment here. So not only does the service provider on the originating and the terminating side have to implement the actual SHAKEN and STIR bit, but you also need to implement the process by which your company decides whether or not to sign off on a call. I've mentioned before that the originating service provider is putting their neck on the line here, and they can get fined up to $10,000 for every spam call that they have. And that's going to be a lot easier to trace back now. And so for people that are putting their neck on the line even more than before, they're probably going to want to invest more in know-your-customer, KYC, initiatives, automation for that type of process. That's one of the things that Twilio did when they were automating this: now you have to go through a couple of extra levels of verification of your business profile before we will start signing your calls. And that's something that's going to take some work, and I'm not sure if every service provider is going to do that. And then, like I said, there's other problems that we have to consider here, like international calls outside of the US. You know, this is a problem in places like the UK and Norway at least. But other than Canada, I haven't really heard of any initiatives outside of North America that are going to address the robocall problem. The TRACED Act is obviously a US-based law, and so that's something that isn't necessarily going to solve this problem globally. Of course, phone number porting, when you give up a phone number and reassign it to somebody else, that's something else that we have to think about. And then of course you start to get into other channels of communication, but especially ones that are using phone numbers, like text messages; how do we start to verify those as well?

So the FCC's number one complaint is robocalls. And so they're really incentivized to fix this, so they stop getting so many consumer complaints. And in terms of the timeline here, the TRACED Act enforcement is, you know, in the bill, it was originally saying that you want to start seeing this implemented by the end of 2020 and into 2021. So if you are a business that is doing phone calls to your customers: most businesses won't have to do much in terms of implementation here, unless you are a service provider and making the actual phone calls as part of your business. But you want to talk to your service provider, because the large service providers are already rolling this out. So if your company is using somebody like Comcast or Verizon or AT&T or Twilio, there's a good chance that they already have a solution in place. Like I mentioned, you might need to go through some extra KYC validation with your service provider before they'll start signing your calls. So what that meant at Twilio is that you need to create a profile with some additional details about who you are and some technical contacts that we can get in touch with if there's an issue, and you have to do that and we have to verify it before you would be able to get the highest level of attestation. There's of course other precautions that you can take if you work with your application security team, or if you are the application security team. You can protect your numbers from web scraping bots. That's one: you don't wanna have too many of your company phone numbers available on your website. If you have a lot of employees with phone numbers, don't assign them sequential phone numbers. That's one way that people can get targeted. You can kind of just auto-dial everybody between two phone numbers. And then one of the other things that I've talked a lot about in a different context is just using actual authentication in your call centers. Until we can know that a call is coming from who we say it is, there's ways that you can actually authenticate the people calling into your contact center in a way that isn't just asking them for their date of birth. And so using other authentication that's available in your mobile app, one-time passcodes, that kind of thing, there's other ways to actually authenticate people.

Of course, there is some ongoing legislation here, but things have been pretty quiet from the FCC this year. I double-checked again this morning and there hadn't been anything else announced lately. The last memo from the FCC was March 31st of this year. I know we've all been a little preoccupied with the coronavirus this year, but this is not something that I've seen a lot of action on. And so I don't exactly know what the enforcement timeline is going to look like, if it's still planned to be, you know, end of this year, early next year, if that's when they're going to start enforcing this. You know, we'll see, I guess. The FCC, one of the things they did late last year was they did give telcos the ability to block unwanted robocalls without explicitly getting permission from their customers. And so, you know, Verizon could now say, hey, I think this is spam, I'm not gonna actually send this call through to Kelley, or I'm going to make sure that it doesn't ring through and it only shows up in the missed calls list. This is something you as a consumer can set in your preferences depending on the phone that you have. And there's other things that I'll get into in some of the consumer actions in this space. So like I said, the last update from the FCC was on March 31st, and it kind of reaffirmed their call to implement SHAKEN and STIR. But one of the things that they had already kind of walked back was an extension for small voice service providers. I don't know what a small voice service provider is, but they're basically already granting an exception if you're not like Comcast. So again, talk to your service provider. If you're somebody that's doing a lot of phone calls for your business, that's something that you probably wanna look into.

Like I mentioned, some consumer protections that are available today. I wanna focus the onus of this on the businesses taking responsibility here, but obviously this is annoying. And so there are some things that you can do if you or somebody in your family is really annoyed by all these robocalls. You can install an app. Your mileage may vary with these, especially on Android. Some of them take complete control over your phone and the dialer of your phone. And so that's a lot of access to grant an app. Your mileage may vary on how much you trust these. Of course, a lot of the consumer telecoms are selling spam detection services now. So Verizon offers their Call Filter Plus for the low, low price of $3 a month on top of this. You can Google, kind of depending on who your carrier is and what type of phone you have; there are some settings that you can set on your phone to, like I mentioned, send things straight to voicemail or silence incoming spam calls and that kind of thing. There's options that you have here. AT&T has partnered with a company called Hiya to do some of this in the meantime before SHAKEN and STIR gets rolled out. But you know, these might be nicer long-term solutions too, because like I kind of addressed, not all of the SHAKEN and STIR implementation is going to be widespread right away.

And you know, it's not going to solve all the problems. SHAKEN and STIR is not the silver bullet here, but people are really optimistic that SHAKEN and STIR will help restore trust in telephony. And one of the reasons for this, and businesses are incentivized to do this, is because they want their customers to answer the phone when they have a call that their customers wanna see. And so there are incentives here other than just people complaining to the FCC about robocalls. And I think that's the other thing that's going to be driving the implementation here is that businesses want to have that check mark next to their business. Think about it like your prescription reminder comes through, you know, CVS or Walgreens wants to show up in your phone with a green check mark that says, hey, I'm the pharmacy calling, you know who I am.

So I hope this gave you a little bit of an overview of what's happening with Shaken and Stirred, some details into the history of telephony security and why this is a hard problem to solve. You can find me on Twitter if you have any questions. Once again, my name is Kelley Robinson, and thank you for listening.
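As an added worked example (not from the talk, and not Twilio's or any carrier's code), here is the SIP Identity header the talk describes, in Go: the originating provider signs a SHAKEN PASSporT (an ES256 JSON Web Token carrying the attestation level, the calling and called numbers, a timestamp and the origid) and the terminating provider verifies it, pinning the algorithm and certificate URL, checking freshness and binding the signed number to the SIP From. The x5u URL, phone numbers and origid are constructed placeholders, and fetching and chain-validating the certificate at x5u is assumed to have happened already.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Header and Claims follow the SHAKEN PASSporT layout (RFC 8225 / RFC 8588):
// the header names the extension and where the signer's certificate lives.
type Header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type Claims struct {
	Attest string                        `json:"attest"` // "A" full, "B" partial, "C" gateway
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64                         `json:"iat"`
	Orig   struct{ TN string `json:"tn"` }   `json:"orig"`
	Origid string                        `json:"origid"` // opaque handle to the provider's customer
}

var b64 = base64.RawURLEncoding
const x5u = "https://cert.example.net/sp.pem" // constructed placeholder certificate URL

// SignIdentity is the originating provider's side: it returns the SIP Identity
// header value, a compact JWS followed by the info/alg/ppt parameters.
func SignIdentity(priv *ecdsa.PrivateKey, certURL string, c Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: certURL})
	p, _ := json.Marshal(c)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return fmt.Sprintf("%s.%s;info=<%s>;alg=ES256;ppt=shaken", input, b64.EncodeToString(sig), certURL), nil
}

// VerifyIdentity is the terminating provider's side. pub is the key from the
// certificate at trustedX5u; it returns the attestation level only if all checks hold.
func VerifyIdentity(identity string, pub *ecdsa.PublicKey, trustedX5u, fromTN string, now int64) (string, error) {
	parts := strings.Split(strings.SplitN(identity, ";", 2)[0], ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	hb, err1 := b64.DecodeString(parts[0])
	pb, err2 := b64.DecodeString(parts[1])
	sb, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sb) != 64 {
		return "", errors.New("bad base64url or signature length")
	}
	h, c := Header{}, Claims{}
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return "", errors.New("bad JSON in PASSporT")
	}
	if h.Alg != "ES256" || h.Ppt != "shaken" || h.X5u != trustedX5u { // pin, never trust the token's choice
		return "", errors.New("unexpected alg, ppt or x5u")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature does not verify")
	}
	if now-c.Iat > 60 || c.Iat-now > 60 { // reject replayed or badly skewed tokens
		return "", errors.New("iat outside freshness window")
	}
	if c.Orig.TN != fromTN { // the signed calling number must match the SIP From
		return "", errors.New("orig.tn does not match From")
	}
	return c.Attest, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := Claims{Attest: "A", Iat: 1607000000, Origid: "constructed-origid-0001"}
	c.Orig.TN, c.Dest.TN = "12015550100", []string{"12125550199"}
	id, _ := SignIdentity(priv, x5u, c)
	attest, err := VerifyIdentity(id, &priv.PublicKey, x5u, "12015550100", 1607000010)
	fmt.Println(id, "\nattestation:", attest, "err:", err)
}
```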