There was some discussion about the $50K challenge last week, and I still don't think anything can happen without industry buy-in. It's mostly a policy and people problem, and the only technical barrier I've been able to identify is that Caller ID can still be forged.
The whole situation bears an interesting contrast to the battles over anonymity on the Internet, where the telephone industry is trying to preserve the ability of their customers (telemarketers) to avoid detection.
I watched the webcast of the Robocall summit, and it was fascinating.
It was clear that most of the telephone industry really hates phone spammers. An AT&T guy was saying that evil robocall outfits often forge the numbers of their existing customers, causing AT&T no end of headaches. Plus they get a ton of complaints from call receivers. I am sure that the major carriers would shut down phone spammers in a heartbeat if it were easy.
Looks like the FTC now has the videos from the summit up on the web:
Anybody seriously interested in the problem should check out the videos. There's a lot of good stuff in there about the technical issues. And there are some interesting technical solutions as well.
I work at the lone automated calling company that represented the "industry " at FTC Robocall Summit(http://www.call-em-all.com) and we are interested to see what solutions to this problem might come from this.
We definitely would love to have a solution to where we could guarantee that no illegal calls are being made (Recent Blog Post: http://blog.call-em-all.com/3-reasons-we-are-excited-about-f...). We have our own internal checks but something which can be implemented on a higher level would be great for us.
The reality is that with the mix of old tech and new tech (read VOIP), tracking who is really making the call is very hard right now (timely and costly). Scammers knowingly break the law and unfortunately, a list of people saying don't call isn't going to stop them from scamming.
I can't imagine how to solve the problem in an acceptable manner. Without something like certificates and encryption, some concept of identity, you're just not going to get anywhere, and I'm about fifteen miles into the "unacceptable" territory with that suggestion ("hey, guys, let's just rewrite the entire infrastructure from the very bottom!"). Your primitives are broken, any system built with them will be broken, and it's going to be more years before people are ready to even think about that.
So what amount above zero has the industry spent time and/or money in order to combat this problem, possibly to prevent their industry being killed by the bad companies? Does the legit part of the industry support unspoofable CID or any other technical restriction? Has your company publicly suggested any solutions?
We haven't proposed any solutions at this time, but we feel that a method in which we can utilize certificates or authentication is potentially the way in which is the least disruptive to the current infrastructure.
But the infrastructure is the real problem. So many switches around the country are so old that hops through the network are very difficult to track and make any innovative technology solution hard to implement fully.
Can anyone explain, or point to a resource that explains, why this is still the case in 2012? Is there some technical reason why this is the case, or do the phone companies make enough money off of scammers and robocallers that there's no incentive for them to fix it?
The reason why Caller ID can be forged is that the calling device announces its CallerID number.
The easiest way to get into spoofing CallerID is by using a SIP-driven POTS gateway (very common 6 years ago, telecom moves very slowly, so I suspect they are still easy to find today). Some providers will validate the number you want to announce, and prevent you from announcing a number that they don't think you should be using. Others don't care at all. There are a lot of different telecom service providers, so finding one with lax policies isn't hard.
Almost anyone who is actually operating a phone card business has all the equipment needed to do this, for example. Phone cards are incredibly competitive, so if you head over to your local telecom hotel you won't have much trouble finding people willing to take your money in exchange for steady business.
The next time you are in a data center, take some time to talk to the people messing with the funky gear that doesn't look like any firewall or router you've ever seen.
There's no real system that would allow verifying if telco X can use number Y for a given call. Verifying that is actually not as simple as it would be 20 years ago. These days you can move numbers between providers pretty quickly. You can request services which fake the callerid for legitimate reasons (when you setup call forwarding, it's your telco making the new call but you probably want the original number to be preserved). There are also cases when you want to authorise some numbers to be faked (for example you want your company phone to have caller id set to the office switchboard).
There would have to be a global opt-in system allowing to verify those cases. And it would be as effective as the DNS records for verifying sender domains - you probably want to assign it a score, rather than reject right away.
Actually you cannot spoof a number on your own pots line. At least not a standard end-user line, because that one's connected directly to your telco and is bound to one specific id. But if you have a trunk with your own control channels (so basically you and telco assume trust between each other and that you provide correct information) you can publish any numbers you want.
It's quite popular with the internet telephony providers to relax the rules a bit. Basically some allow you to check the "I promise not to break the law, believe the data I send" and will accept any caller id you want. Since there's no way for one telco to verify other telco's source numbers, everyone else has to believe your caller id too.
The whole situation bears an interesting contrast to the battles over anonymity on the Internet, where the telephone industry is trying to preserve the ability of their customers (telemarketers) to avoid detection.