Michigan Telephone, VoIP and Broadband blog

Wired News carried an article back on Thursday about how the FCC is getting its knickers in a knot over caller-ID spoofing sites. According to the article,

Last week the FCC opened an investigation into the caller-ID spoofing sites — services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

A seven-page demand from the FCC’s enforcement bureau sent to one such service, called TeleSpoof, says the commission is investigating whether the site is violating the federal Communications Act by failing to send accurate “originating calling party telephone number information” on interstate calls. A copy was also sent to VoIP service provider NuFone

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

The operator of the site, a 21-year-old hacker who spoke on condition of anonymity, says he’s looking for an attorney, and has not yet released any information to the FCC. “If a customer sees this, they’re going to be kind of bummed,” he says. “They wouldn’t want their info released, and I may have to give it up.”

The article goes on to explain what spoofing services are, and how they have been used (and misused). But near the bottom, it suggests that the real motivation for this investigation may be political. As an Associated Press story reported,

Last fall, U.S. Rep. Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy.

The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what callerID said.

“People thought we were making the calls,” Murphy said.

I remember back when Caller ID was first introduced – I thought it was a bad idea then, but realized it would probably become very popular (if the phone companies had been more reasonable in their pricing of the service, I think nearly everyone would have taken it). One reason I thought it was a bad idea is because it only identified the number of the calling telephone, which may or may not reflect the identity of the person doing the actual calling.

Let’s say you have three or four people sharing an apartment, and they all have different last names (not that uncommon these days). Whose name shows on the Caller ID display? What if the person being called doesn’t like the person who actually has their name on the account, but might want to talk to another resident of the apartment? See, I always thought that any sort of “Caller ID” scheme ought to be based on the actual person calling, not the number calling. I suspect that since Caller ID was introduced, a lot of calls have been deliberately unanswered, where if the called party had known the actual identity of the person calling, they would have picked up the phone.

I also learned that it was futile to argue the point – it was almost like a religious argument. Different people had different viewpoints and nobody was going to change their mind. I think in part the response was based on each individual’s life experiences – a person who was plagued by telemarketers, for example, tended to be much more enthusiastic about Caller ID than the person who was perhaps worried that someone might not accept their call in a time of distress.

Anyway, back then the problem was that several people might share the same number. Today we have the opposite problem – many people have three or four phone numbers (if you count home phone, one or two cell phones, a direct line at the office, and maybe a VoIP number or two – most people don’t have all of those but it’s not that uncommon for people to have three or four). But no matter which number they are using to make outgoing calls, many times they’d prefer all incoming calls wind up at the same place, usually a voice mailbox or an answering machine.

What most of the articles and the FCC aren’t telling you is that large businesses do Caller ID spoofing all the time. Usually it’s for the same reason a person might want all of his or her calls coming to the same number – if the company has a large call center, they probably want a customer returning a call to hit the switchboard, not a specific direct inward dial (DID) number within the company.

Still, I understand that if people are to be able to trust their Caller ID displays, there has to be some mechanism to weed out the people who misuse it. So I propose that rather than an outright ban, the FCC or Congress should pass a regulation or legislation that in effect says this:

If you are a legitimate user of more than one phone number (by “user” I mean that you pay for the accounts, or you are a member of the account holder’s immediate family or otherwise have a right to use the number), you can set your caller ID to display any of the numbers that belong to you, or that you’re authorized to receive calls on.

If you are a corporation and you use Caller ID spoofing strictly for commercial gain, you get fined and you have to pay restitution to those whose numbers you misused, in the amount of the profits made while using that number (with a $10,000 minimum to each person whose number you misused without their permission).

If you are an individual or a member of law enforcement, you may spoof caller ID under certain specified conditions when necessary to protect yourself or someone else from death or injury; provided that the owner of the number you use has agreed to let you use their number (or you use a number that’s obviously not valid, such as 000-000-0000). Law enforcement officials and shelters for the abused could obtain unused (not currently in service) numbers from the phone company.

If someone uses spoofed Caller ID in an attempt to collect a debt, they would be barred from further collection efforts of any kind and the first $10,000 of the debt would be canceled. In the case of a second offense, the entire debt would be canceled no matter what the amount. In addition, they’d still have to pay the $10,000 to the person whose number they misused.

And finally, if someone uses spoofed caller ID with the intent of causing damage to a person’s reputation, or to get them in trouble with the law, an employer, a spouse, etc. they would be considered to have committed libel and/or slander, by giving information under false pretenses. They would still have to pay the person whose number they misappropriated, and in addition would be on the hook to any and all persons damaged by their actions (which is to say, they could be sued). There would probably have to be some sort of criminal penalties also, so those who are indigent can’t just harass people using spoofing services with abandon.

And I’d write the law so that a good-faith belief that one had the right to use a number, or believed they had been given permission to do so, would be a defense against any charges. It would be assumed, for example, that an employee using his personal cell phone to do work for his employer would have the right to send the office Caller ID on business related calls, so long as there was no attempt to deceive the called party (the presumption in such as case would be that it’s simply for the convenience of the called party when returning the call, and so that they can always associate a single number with a particular individual).

Note that I’m not dealing here with exactly how the spoofing might take place – seems that’s already been addressed. What I’m saying is, let’s punish those who misuse it, while not impeding the ability of people to use it for legitimate reasons. If you ban the practice outright, a lot of big corporations are going to be upset, and if they let large corporations continue to do it but pounce on individuals that are doing it for legitimate reasons, that’s not really very fair!

As for the services themselves, I don’t really think they should be offering Caller ID spoofing on quite as casual a basis as some of them are doing now – there’s too great a potential for misuse. But I’m not sure where to draw the line. Should they be required to positively identify customers? Run background checks of some kind, perhaps? Or is it sufficient if they simply know they have a valid callback number? What do you think? Comments are always welcome!*

*Well, actually, MOST comments are always welcome. You may disagree with me, that’s fine. But if your entire comment is gratuitous insults, it will be unceremoniously dumped into the bit bucket!

Technorati Tags: Telecommunications, Telephone, CallerID, spoofing, regulation, FCC, MichiganTelephone