Was the FCC Lied to? What the FCC was told on SMS spam.

I was reviewing the replies to FCC’s Targeting and Eliminating Unlawful Text Messages, CG Docket No. 21-402 published in 2022. You can see all of the replies here. Some that drew my attention are listed below.

The Campaign Registry (TCR) Reply

Before we begin:

The FCC document is about “Targeting and Eliminating Unlawful Text Messages.” However, TCR claims to store business data and never claims to stop spam or robo-texting. It does not target or eliminate any unwanted text messages. Its role is that of a commercial entity that charges fees for vetting campaigns, and, according to TCR insiders, at Tata Communications’ direction TCR must increase profits every quarter.

Nothing is actually blocked or stopped by TCR. The “registered” status only serves as a flag to allow a message to pass without further scrutiny, whether it is good or bad, and to allow CSPs/DCAs (Campaign Service Provider / Direct Connect (to telco/carrier) Aggregator) to receive lower termination fees from the carriers.

Specifics in the TCR text:

Page 3. “enable our stakeholders to track messaging back to its origins so that they can conduct the necessary follow up for the messaging in question”

The tracking of authorizations and a brand’s identity remains a challenge for TCR. It stems from TCR’s dependence on those who register campaigns as the supplier of identity. A spammer could register your well-established business with TCR, sign up for service with a voice telephone company for telephone numbers, text-enable them with another company, and then send out scams, fraud and phishing. They only need a few minutes of phishing or hours of spamming to generate a good return on their investment. As most of the work is done through APIs, it can be highly automated.

Another challenge is that TCR does not track any of the phone numbers. It uses an API to check registered campaign numbers in NetNumber’s database. NetNumber supposedly has provided a sync to its number history; this tool is ONLY available to carriers and tier 1 DCAs (Syniverse and Sinch).

NetNumber’s inability to allow its customers to control their authorizations and/or digital rights continues to harm the ecosystem. Cross-company identity management fails to protect and track identity and/or authorizations attached to telephone numbers. This aids spammers and delays action to close off numbers that are spamming or phishing.

Only the currently active registered 10DLC campaign ID is available from NetNumber. When a 10DLC is unregistered from a campaign by the DCA, there is no trace of that 10DLC being associated with any campaign. The TCR has no memory and depends on the other messaging monopolies to keep their records straight. 

NetNumber has had some security and operational issues with number management. We covered the hack here, interviewing the hacker Lucky225. They were socially engineered by a white hat hacker and let numbers get ported without direct authority, and they have no way to digitally track and attest that the ownership rights are accurate.

This setup only provides the MNO with an ability to check bad messages one by one, and only assuming that the text was sent from a registered number in the first place and that the number is still registered. This setup does nothing for any unregistered traffic.
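The traceback gap described above, as an added example (not code from TCR, NetNumber or the original post): a current-only lookup next to an append-only assignment history. The class names, phone number, campaign IDs and timestamps are constructed, and the re-registration case goes beyond what the post states.

```python
from bisect import bisect_right

class CurrentOnlyRegistry:
    """Hypothetical model of the lookup the post describes: active campaign only."""
    def __init__(self):
        self.active = {}

    def apply(self, number, campaign_id, ts):
        if campaign_id is None:
            self.active.pop(number, None)      # unregistering leaves no trace
        else:
            self.active[number] = campaign_id

    def campaign_at(self, number, ts):
        return self.active.get(number)         # ts is ignored: there is no history

class HistoryRegistry:
    """Hypothetical append-only log of (timestamp, campaign_id or None) per number."""
    def __init__(self):
        self.log = {}

    def apply(self, number, campaign_id, ts):
        events = self.log.setdefault(number, [])
        if events and ts < events[-1][0]:
            raise ValueError("events must be appended in time order")
        events.append((ts, campaign_id))       # None records an unregistration

    def campaign_at(self, number, ts):
        events = self.log.get(number, [])
        i = bisect_right([t for t, _ in events], ts)
        return events[i - 1][1] if i else None  # state in force at time ts

def trace(registry, events, number, message_ts):
    """Replay assignment events, then ask which campaign held the number at message_ts."""
    for num, campaign_id, ts in events:
        registry.apply(num, campaign_id, ts)
    return registry.campaign_at(number, message_ts)

# Constructed sample data: fictional number, placeholder campaign IDs, abstract timestamps.
NUMBER = "+12025550100"
EVENTS = [
    (NUMBER, "CAMPAIGN-A", 100),   # registered to campaign A
    (NUMBER, None, 200),           # unregistered by the DCA
    (NUMBER, "CAMPAIGN-B", 300),   # later registered to a different campaign
]

if __name__ == "__main__":
    for ts in (150, 250):  # a complaint arrives about a message sent at time ts
        print(ts, trace(CurrentOnlyRegistry(), EVENTS, NUMBER, ts),
              trace(HistoryRegistry(), EVENTS, NUMBER, ts))
```

For a message sent at time 150, the current-only lookup attributes it to whichever campaign holds the number now, while the history lookup returns the campaign that held it when the message was sent.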

A broader issue is that carriers have the ability to block messages; they could simply block any spam they detect, without all the messaging monopolies. It would seem the easiest fix to this problem, and according to some brands this appears to be happening on some of their campaigns.

CSPs are reporting that the carriers are suspending campaigns that went through the lengthy TCR process, vetted and approved by multiple parties. Let’s say days to approve and seconds to shut it down. However, the carriers are not shutting down spam being generated from their networks and SIMs, which is often P2P.

Page 3. “giving Brands an opportunity to prove they are sending CTIA compliant messaging.”

There is no analysis done or even possible for assessing the compliance of the messages being sent. That is, there is no correlation between what they say the campaign is doing and what messages they are actually sending.

However, some carriers are now monitoring messages. As mentioned previously, several brands are sending SMS on approved campaigns and finding them partially blocked after minor, innocuous changes in the text. The brands are unable to resolve the cause of the blockage, so they give up and revert to the previous text that was not blocked. This makes SMS an unreliable delivery channel.

In China all message templates must be submitted for whitelisting and approval prior to the launch of live traffic. This applies to all message types, including test ones. Failure to do this can result in traffic filtering or blocking. We seem to be trending toward China in this respect. As a consumer, having a telco control what a business can send to me seems rather like Big Brother.

Page 4. “While the current process may appear to be reactive, the reality is that MNOs, DCAs and CSPs are quickly making improvements around messaging from the data they are aggregating to/from TCR.”

The process of using campaign registration is entirely reactive, with a process that appears designed to make money, not stop spam. The only benefit is that there may be a way to trace the origin of a bad message, but only after the fact and only if the 10DLC was registered. Nothing is done to stop the bad message in the first place, which is the subject of the NPRM (Notice of Proposed Rulemaking).

Twilio Reply

This is an example of a response from the messaging insiders. “SMS spam controls are working, we can work together to make them even better.”

Self-regulation is usually a way to pass the buck to the future, and rarely solves the problem for the end customer.

Given the challenges we’ve seen with 800SMS / Toll Free SMS in the past week, many CSPs and brands are suffering in the name of SMS spam control. Yet, Nikki keeps texting me!

Cloud Communications Alliance Reply

Lists the real-world problems with the current SMS industry solutions, and calls for an identity-based solution. The common ground with the industry insiders is that STIR/SHAKEN is not the answer.

Check out the Telecom Triopoly analysis and the squeeze being put on the UCaaS (Unified Communications as a Service) providers, who are CCA’s members.

Current Status

Last month the FCC released several new rules on SMS spam, as discussed in the CXTech Week 50 newsletter.

Taking a step back to the comments on the FCC’s CG Docket No. 21-402, the messaging industry said we do not need STIR/SHAKEN; we can sort this out ourselves. It’s clear they cannot.

The FCC is now applying band-aids that are within their control (telecoms) in a knee-jerk reaction, which has the brands and CSPs up in arms. 

We’ve discussed on the blog that identity (copying cyber security rather than the current ineffective process from George Orwell’s 1984) and AI (working at scale) are critical technologies for adequate SMS spam control.

A tiger team must be assembled that is NOT dominated by the messaging monopolies, but rather made up of proven technology experts from across telecoms and cyber security (Internet), who can fast-track an adequate solution. This is a soluble problem; it’s simply a matter of motivation to innovate.

One approach could be to empower the consumer with self-managed identity, so that they can set their own data privacy terms and documented consent. The FCC could then enforce those rights and rules on the carrier, as it has done with interoperability in the past.

However, RoboCalling Remains a Problem

Here’s a video from TNID, “Taking Back Control & Save Grandma – The Fight Against Spam and Robocalls!”

It’s a call to action for all of us to fight against robocalls and SMS spam.

To do this click the link below to tell the FCC your robocalling / SMS spam horror stories! www.fcc.gov/ecfs/filings/express

Use 02-278 in the proceeding field and the rest is pretty easy.

Share your experiences on how Robocalls and SMS Spam have affected your family and/or business in the “Brief Comment” section.
