It’s time to restore identity and trust to digital communications

Way back when the Internet was young and early internet surfers were using 3600 baud modems to launch themselves via copper into the Netscape driven cyberverse, trust and identity were not really as important as they are today. Flash forward to today: Identity and reputation both play a critical role for re-establishing trust across digital communications. Who calls or emails us and their credibility (whether the caller or sender is someone who’s credible enough and worth the time of the recipient to respond) are key elements that help us decide whether to take a call, open an email or respond to an SMS. Precautions, such as two-factor authentication, is based on the fact that we can’t trust just one form of identity. I hate to sound like an alarmist, but the Internet can be a scary place.

There are a number of other technologies and initiatives aimed at ensuring trust. For me, as someone who appreciates the history of digital communications, it’s interesting to see all of these efforts trying to accomplish something that was invented more than 50 years ago: caller ID. Remember caller ID from the good ol’ landline days…where you could view the number that was calling you on your phone and see or hear the caller’s name and location?

Caller ID: Where has it gone?

The short answer is: caller ID still exists, but it’s a lot more complicated than you think.

When I said that it’s more than 50 years old, I wasn’t kidding. Caller ID was invented in 1968 by Ted Paraskevakos – long before cell phones were even an idea. The system that Mr. Paraskevakos invented (and Kazuo Hashimoto perfected in 1976) boiled down to this: when a person dialed another person, their phone sent a signal through the wires to the recipient. Landline numbers were (and today often still are) tied by physical wires connected to the local phone company’s central switch. In those days, a number was always identified with a specific address and location. Caller ID simply matched the number and location with the subscriber’s name and location.

How cell phones complicate caller ID

The advent of cell phones made the caller ID process more complicated. Cell phones now dominate phone calls. Nearly 55% of US homes in 2018 did not have a landline – only a cell phone. That number jumps to 77% when you only count millennials (aged 25-34)! The basic technology of cell phone calls involve the use of any number of various stops between multiple carriers. In the U.S. alone, there are more than 1600 phone carriers, all with their own networks and sources for caller information. A cellular call is not tethered nor dependent upon physical landlines. In the old days of landlines, your neighbor down the street was on the same network that you were on. Nowadays, your neighbor might be on AT&T’s network and you might be using Verizon’s, regardless of the fact that you live around the corner from each other. Just imagine how many places a signal has to travel to connect you to family and friends that may live in the next suburb let alone halfway around the globe. The complexity is mindboggling.

In the early days of cell phones, caller ID was largely dependent on the contact list stored in someone’s cell phone. For the most part, during those days, the only people calling each other were people who knew each other. From a product perspective, wireless carriers in that era didn’t see caller ID as critical as other services – like text and voice mail – because of the prevalence of the contact list. A lot of consumers felt they already had caller ID, and still do today. But, in reality, as has become apparent in an age of robocalls and rampant phone scams, the majority of consumers do not have caller ID, and trust in the overall communications process has plummeted.

There’s a link here with how companies viewed address books for email marketing. A brand who managed to get their recipient to add their from address to their email client’s address book benefited from improved inbox placement. Similarly, caller ID helped establish credibility when a company calls to schedule delivery or returning a customer service call. Again, we live in an era of trust but verify because our communication channels and platforms have been exploited.

Caller ID comes to cell phones

The wireless carriers did eventually get around to offering true caller ID in 2011 for around $3-5/month. The delay was partly because smartphones – which could accommodate the complex caller ID process – didn’t hit the market until 2007.

But the main reason caller ID wasn’t a priority? Because it really wasn’t needed – until the plague of robocalls, spoofing and phone scams started to become ubiquitous. That led to a demand for caller ID with a name attached to a number that showed up on the phone.

And now:

T-Mobile offers services like Scam Likely and Scam ID
AT&T customers can opt-in to services such as Call Protect and Call Protect Plus
Verizon has Call Filter while Sprint offers Premium Caller ID.
iOS 13 will give iPhone users the ability to route all unknown calls to voice mail thus preventing the delivery of robocalls, but legitimate calls in the process, how many of you store the number of your Doctor’s Office, and is it consistent for inbound and outbound?

The problem is, fewer than 5% of consumers have opted into caller ID and name services on their cell phones. Again, caller ID has been available – it just hasn’t been widely utilized by consumers.

And now, even with traditional caller ID enabled on their cell phones – like we used to have on landlines – consumers may still not know who is calling them.

The reason? Spoofing. In its simplest form, spoofing a number or email address means the sender is pretending to be someone they are not when placing a call or sending an email. There are legitimate use cases for spoofing, such as a doctor’s office calling you, or the placing of a call by a ride-sharing app to protect the driver’s and the callee’s personal information. In an age when the phone system is no longer tethered by copper but has gone virtual thanks to SIP calling, bad actors (and some good) can decide who they want to be when calling you. They can even call you from your number! Today’s caller ID system only uses the phone number associated with the incoming call to lookup the name and location of the owner of that phone number in the database. That doesn’t work with spoofing when a call might appear to be from someone you know, but in reality it may be someone with malicious intent spoofing their number to trick you into answering it.

So while caller ID still exists today and is readily available, it doesn’t instill enough trust for you to answer the call. There really hasn’t been a way to prove that the person making the call is indeed who they say they are.

The new (old) era of communications

Spoofing is why the communications industry is now starting to roll out a new technology known as SHAKEN/STIR. SHAKEN/STIR stands for “Secure Handling of Asserted information using toKENs” and “Secure Telephony Identity Revisited.” Simply put, with SHAKEN/STIR, the service provider that originates a call onto the public telephone network will cryptographically sign the caller ID and called number with a private key so the call can transit the networks securely. Upon reaching the terminating carrier, a public certificate is used to decrypt and verify the call.

Under this scheme, when a call finally reaches its destination it might be accompanied by a checkmark or some other indicator to signify it’s been certified as a legitimate call. Even for certified calls, the end user must still decide whether to take or reject a call based on the information they have.

The process is very similar to how websites currently handle trusted communications. Certification authorities (CAs) issue digital certificates verifying the authenticity of websites and their content. As a result, a user knows they are visiting a legitimate website, as opposed to one that has been setup to capture or steal information. This process is somewhat mirrored in the inbox by those little green and red lock icons you see in certain email clients that denote if the message was transmitted using TLS or if it failed certain authentication checks. This concept is finally coming to your mobile handset – and just in the nick of time! By some estimates, there are 9,500 fraudulent robocalls per second!

Times they are-a-changing!

In November 2018, Ajit Pai, the chairman of the Federal Communications Commission (FCC), required carriers to implement the SHAKEN/STIR framework to help establish the validity of placed calls by connecting callers and numbers through cryptographic signing. Remember caller ID? Knowing who called and being able to, with confidence, attest to the validity of that caller is critical to combatting spoofed calls and robocalls. Although SHAKEN/STIR won’t tell you exactly who called, it will provide a visual indicator that the caller owns the number initiating a call and help in tracing fraudulent calls. If a carrier can “automagically” tell that a call isn’t who it claims to be, or from whom it purports to have originated, then they can simply not deliver that call. This is pretty much how email authentication protects us from the rash of phishing attacks.

Earlier in the year, I wrote about the history of email in a 3 part series. Email had/has a similar authenticity problem: how do I know that the email I received actually came from the brand or person that claims to have sent it? As I said then, email was built at a time when trust and identity wasn’t as important. As the Internet matured and more of us came online, bad actors saw email as a highly exploitable channel. Standards bodies, such as the Internet Engineering Task Force (IETF), and their members took it upon themselves to create mechanisms to identify legitimate senders and drop the mail of bad actors pretending to be a legitimate brand. This potent mix of standards is now known as SPF, DKIM and DMARC.

The problem of phishing and spoofing in email is by no means solved. Bad actors continue to evolve their attacks. Simultaneously, the channel is thriving through evolutions such as Google’s AMP for Email and the renaissance that newsletters are having. Everything old is new again!

What’s next?

Wouldn’t it be great if the consumer had more information than just a green check mark indicating the call has been verified? For me personally, I’m not sure that would instill enough confidence to answer a call from a number I hadn’t seen or heard of before. Call me a skeptic. Numerous companies – both carriers and technology vendors — are working on solutions to make the call you see more friendly and informational. Some of the solutions out there not only verify the call, but also create the ability for the caller to transmit the reason for the call. In the hypothetical example below, how likely would you be to pick up the call if your flight was canceled versus how it’s done today with a 1-800 calling you? If I hadn’t put United’s number in my contact list, I’d never answer that phone call. What if the notice on your phone looked like this?