Will: Hello, Jim. Welcome to the show.
Jim: Great to be here.
Will: Jim, I saw you quoted in the New York Times in this article about robocalls, and it is a topic that I’ve just been curious about for years, but why these things are so hard to stop. I was so delighted that you agreed to come on the show here to talk about it. How is it even possible to spoof numbers?
Jim: Well, thanks for having me here. You’re right. That question I get lots of times. People will go, I don’t know how I can go into my mobile phone, and there’s no secret screen that lets me change my numbers. How can I… How does this even happen? You’re right. If you have a landline, it’s hardwired to the telephone company. They put in your caller ID. Your cell phone, same thing, so you can’t. Where you can is if you’re a business.
Jim: The business actually has equipment they call private branch exchanges or PBXs that will basically bring a line into the business, and serve all of the desks that they have in the business. With that equipment, you in fact can insert the number that you want to appear on the outgoing calls. That’s basically where it’s being spoofed. It’s being spoofed with that kind of business type equipment.
Will: Okay, so how is this even allowed?
Jim: Yeah, and that’s exactly it. You can’t do it as an individual. Why are you allowed to do it as a business? Well, in fact, there are a number of very legitimate reasons for business.
Jim: One of the reasons, first of all I just should say, is that it’s been that way for 50, 60 years. Without the time machine we would be hard to, do a hard reset. Businesses have been allowed to do this forever. But they have very legitimate reasons for doing that. An obvious one: in your business, do you want the number to appear so people call back? Do you want that to be the individual’s desk or do you want that to be the receptionist, so that they can screen the calls for all the people in your business? It’ll depend on your business. Do you want it to be the 800 number, so they can do a toll free callback? If you’re a national company, and you’re calling about something from a central location, would you rather have a local callback number in every city that they can call?
Jim: Again, depending on your business, you legitimately may run one or the other of these situations.
Jim: There are also scenarios where the smaller entities are not quite personal, but they’re close, personal uses. And a good example that I’ve heard for that is the case of a veterinarian. On the weekend they get a call, someone’s dog is sick and they’re going, “Should I panic and take them into the emergency room, or should I just wait and bring them into the clinic on Monday morning?” And the vet calls back to assess the situation and give them an answer. Well, the vet is probably out and about and using her personal mobile phone to call. They don’t want their personal mobile phone number to appear. They want the office number to appear, and therefore, they would legitimately spoof that.
Jim: So it gives you an idea. There are many legitimate reasons for doing that, and that’s why it’s allowed.
Will: Okay. So I totally got that. So, I totally understand IBM, they have an office. They should be allowed to have a number that when someone dials out, the number that appears on my screen would just be the general number to the IBM operator. Okay, I got it, or any legitimate business. But why is it so hard for the telecom… so I got that. But I would think that the telephone company would know all of these phone calls are coming from this business. And if the people were all complaining about it, then they’d be able to track it down, trace the wires back somehow and figure out that it was coming from this scammer. So, could you talk a little bit about why it’s been so hard for telcos to block all of these illegal scams.
Jim: Yeah. So, several questions in there, so I’ll try and piece them apart and address them. One thing that’s worth pointing out is that, take the case of IBM with the business office. IBM doesn’t send all their calls to a single phone company. They probably have two carriers that they use for redundancy and for costs and all those things. But they only got the phone number from one carrier. The other telco, they may not know that that number is a legitimate IBM number. So there is some ambiguity there. But the bigger problem is that you need to… this is a good place to contrast phone scams with email spam.
Jim: With email spam, you get the whole message, you can scan it, you can look at, you compare it with other scams and then you can make a decision, is this a scam or is this not a scam?
Jim: The problem with phone calls is that you don’t know that for sure until the person answers. And at that point, if we’re lucky, we recognize it as a scam, and you say okay, you can mark that as a scam. And then we’ll know that all the calls coming from that are scams in the future, and warn other people. Of course that’s at the receiving end of the phone call. But at that point, you don’t know if that number that appeared was a true number or if it had been spoofed, as we discussed before. You don’t know. You know it’s a scam, but you don’t know that.
Jim: However, if you go to the start of the phone call, at that point, they actually do know if the number has been spoofed or not. In many cases, they know it hasn’t been spoofed. Again if it’s your landline or your mobile phone, they know it hasn’t been spoofed. If coming from IBM, they know it’s coming from IBM. And you’re right, they could do the trace-back, but they have no way today of giving that information to the originating, sorry, the end point of the call so that they can connect the dots.
Jim: So you’re right, in a sense, all the information is out there. It’s just it’s in different places and there’s no defined way to bring it all together so that we can make intelligent decisions. And that is, essentially the insight, that we changed to as we are developing Shaken, and we built it around, “Okay, how do we make that possible?”
Will: Okay. So what is Shaken? And how is it going to address this problem?
Jim: So basically, it begins with, again, what I said, what the originating service provider, telco knows at the beginning of the call. So if it’s coming from your mobile phone or your landline, they know the number to put in there. And they know that absolutely, and they can take that, “Okay, this number is the true number.”
Jim: If it’s coming from IBM and, as we discussed, they’re allowed to spoof the number, they know it’s IBM, but they didn’t check the number. I’m not saying it’s not legitimate, I just haven’t checked it. And then there’s other cases where a call is coming from another non-IP carrier where you just know where it entered your network. We’ll leave that aside for the moment. So that originating telco, they then take what they know, whichever level, and they create a digital signature with the phone number in there, the level of confidence they have in it, what they know about it, and they then cryptographically sign that digital signature. And they send that along with the call to wherever the call ends. And then at the other end, they can then verify that, again cryptographically. And at the other end, they know exactly what they know at the beginning, and they can bring all the pieces together.
Jim: And they also, you alluded before, trace it back to the beginning. The other thing that this does is that when they verify that signature, they can see exactly which telco signed it in the first place. So they, in fact, know where the origin was. So if they do need to trace back for law enforcement or whatever, they know exactly where to go. And that’s at a high level, in a nutshell, what Shaken does. It takes that information that you already knew and distributed since, it allows you to reliably and cryptographically securely send it along with the call so that you know it at the other end.
Will: Okay. So, let’s say, currently today, before Shaken gets implemented. Like just today, I get, like probably everybody in America, multiple of these robocalls every day. Even though I’m on the do not call list and stuff. So you get this robot voice that says like, “This is Jamie Dimon at JP Morgan. Your account has been compromised.” Or it will be like, “This is the IRS” or something. So let’s say that I get one this morning, claiming to be Apple saying that my iCloud has been compromised. My service provider is AT&T. So, theoretically right now, if I said to AT&T right after the call, “Hey, that person that just called me, that was a spammer,” where would AT&T be able to trace that back to? Would it theoretically currently be possible to actually trace that back to the computer or the office that sent that call, or is it currently impossible to get all the way back to figure out who the source of that call was?
Jim: It is, with some caveats, it is in fact possible today to trace it back. And the industry has been co-operating to do exactly that. A number of the major service providers are working together to allow you to do that. The catch is that it’s still a fairly manual process to do that. And basically what it does, is that your providers AT&T, you call them up and you say I just got this clearly scam call. And then AT&T looks at the records and they say, “Okay, this call came in to you at this time, it said it was from here, look at our records, oh we got it from Verizon.” So then they go to Verizon, they say, “Okay, you handed a call over to us at 11:56 and this morning it had da da da da… where did it come from?”
Jim: Verizon looks and they say, “Ahh, I got from T-Mobile.” And the calls do get routed through these multiple carriers in this way. And then they need to go to the next one. And they go step by step back through. Each one looks at their records and correlates it and says, “Okay, yeah that’s a call. I got it from here.” And eventually you get back to the origination of that call. Yes, that is complicated and as awkward as it sounds, but in fact, most of the enforcements that have been happening of late have used that to identify the source of the calls. But again, with that level of complexity, you need to be going after fairly big fish to make it worth your while.
Jim: That’s going to get a whole lot easier with Shaken.
Will: The source of these calls, is it mostly a computer that is based in the US somewhere or is it concentrated in some country overseas? You know, I never stay on long enough to get transferred to a human, but are these just being all created by a computer somewhere? Like, where would they trace it back to?
Jim: How do I say this? Basically, many of them are computer initiated. A lot of it is Voice Over IP mainly because of the cost and efficiencies around the equipment and such. But the other thing is, so let’s take a typical scenario. You actually get connected to the agent or they come on right away. And it’s clear that this is not someone who’s an American down the street. The accent gives it away instantly. So you think that call is coming from international, or wherever, so we couldn’t trace it back all the way to there. The trick is, the way that call likely came is there’s a call center in India or Uzbekistan or wherever with call agents at it. But they connect over the internet to a piece of computer equipment in the US and that piece of computer equipment in the US actually dials and initiates the call. When they connect to you over the internet, it goes from that equipment back to the call center wherever.
Jim: The reason it does that is that international calls are still expensive. The internet connectivity is cheap. The local call from the computer equipment in the States is easy to set up and is cheap. So they do it that way for cost effectiveness. The good news in all that roundabout explanation is that when you trace back, you’ll come to some entity that signed up for a service with some local telco and has an entry point into the network there. And so you do have at least something domestically that you can latch on to and trace it back to, and then use that as an entry point to find out who is really behind it, no matter where the agents actually are.
Will: So one thing that I’ve been doing is when I get these calls is I will go and say, “Okay, block this number, on my iPhone.” But maybe I’m just wasting my time doing that. If they’re spoofing the numbers every time, do they end up just kind of re-using those spoofed numbers or if they’re just randomizing the phone number each time, maybe I’m just wasting my time blocking it.
Jim: Yep. You definitely are.
Will: I am. So I’m just wasting my time. So all these blocked numbers, it’s not like they’re gonna call me from that one again. They’re going to call me from a different one.
Jim: Yeah. To be honest. If you’re lucky, you’re wasting your time. If you’re unlucky, you’re actually blocking a legitimate number. They never called you, but if they try to call you again, they’ll be blocked because of that. And that, by the way, as an individual phone number, the chances of you actually blocking someone that you really want to talk to are slim. It’s just a waste of time.
Jim: But, there are a number of call blocking apps. The analytic engines that actually will block numbers on your behalf. And they’re crowdsourcing that information. And that’s something they need to really be careful about because if they start seeing a bunch of spoof calls coming from a given number that turn out to be fraud or spam, and they then flag that as a suspicious number, if it in fact was spoofed, then they may be, for a bunch of consumers, blocking all calls from that number. So they need to put in mechanisms when they do blacklist those numbers to recognize that, “Oohh, that actually shouldn’t have been blacklisted and we need to take it off.”
Will: Yeah. I mean, I have one of those Nomorobo. That kind of works. Although it seems that all the spammers have shifted to spoofing that it hasn’t been working as well recently.
Jim: Those services actually, I’d say, they work surprisingly well given that the calls can be spoofed. To that extent they work until they start working and then the scammers work out a way around it because they can spoof, right?
Will: Mm-hmm (affirmative)
Jim: And once we get Shaken in, right now those services are built on a foundation of sand, essentially, because that number can be spoofed. Shaken will provide a concrete foundation for those to build on. So you’ll find they will work far better once Shaken is widely deployed.
Will: So Shaken, let me see if I captured it. So the originating telco in our case, let’s say if the person is in India or Uzbekistan, like you said, and the PBX is some computer here in the United States, so that call coming out of the computer in the United States, that would be the originating telco. So that originating telco would generate some kind of cryptographic digital signature saying this call came from this particular phone PBX located in XYZ, Florida or something. Like in some given town, at this address. So this is the address that this came from and they would send that digital code all the way through, along with the phone call, so that the receiving company would know that digital signature.
Will: So if the receiving company gets a complaint from their customer, they can say, okay, this digital signature, someone at this is a bad actor at that particular PBX.
Jim: Yes. And then in addition, the Nomorobo or Hiya or whichever one of the call blocking apps, if they were part of that call, they would then know, “Ahh, yes. Calls from that particular PBX in the future, it’s now a known scam.” And if you decide to prosecute them, and you went to the FCC, they would know exactly what address, or billing address at least, to look for the people at.
Jim: So you’re right. It starts connecting the dots.
Will: So, what would the digital signature actually tell us? If I could take one of these digital signatures and decipher it, what actual information would it contain?
Jim: It contains the number that you want for the caller ID. And then it has a confidence level. We call it attestation level, which is a word that I’ve used a lot in the last few years and I don’t think that I had ever used in my life before then. And if we have full attestation, or A-level attestation, that means this is the number of that person, or the number that that person has a legitimate right to use. So you can believe that number.
Jim: If it’s the IBM example we gave where I know the customer but I didn’t check the number, they give a B or partial attestation. But in that case, they then take that business location and they give it a unique identifier. We call it an origination identifier or orig ID. Think of it as a serial number associated with that customer location, and then they send it along. So if you’re trying to build reputation or trace back, that orig ID is the one that will point to a specific customer.
Jim: And then I mentioned briefly if it came from another carrier that wasn’t IP, because Shaken only works with voice over IP stuff, with the legacy TDM. The legacy network doesn’t work alas, but they’re all being discontinued, if it came from one of those networks, then you would give it a C-level or a gateway attestation that just says this is where it came into my network. But that will still tell you the carrier that delivered it to you. So it’s better than nothing.
Will: What has to happen for Shaken to get implemented, is it something that congress has to legislate or is it something that the industry association is agreeing and doing on their own?
Jim: The industry has been moving for some time to doing it on its own. The FCC has made it very clear that they’re watching and that they expect the industry to keep pressing ahead. I think the implication is that, by the way, if you don’t, we’ll explain it to you properly. So the industry is deploying at speed. In fact it’s in most of the major networks today and rolling out. And a number of people are having calls signed. Again it’s still, percentage wise, relatively small. But it’s happening and the intent is it’ll be largely deployed and operational by the end of this year. Canada is also in the process of deploying, a little bit further behind, but they’re on track to deploy as well.
Will: All right. That’s awesome actually. Is this going to work for international calls?
Jim: In [inaudible] yes. In the short term, when we developed initial specification, it only took a single country view. And various practical reasons for that. Mainly just that it was a complex enough problem only looking at one country without making it more complicated. Earlier this year, because Canada and US were both in the process of deploying, we initiated a work activity to specify how it would work if you had multiple countries. So that if a call was signed in Canada and verified in the US it would work. And that document that specified how that would operate has recently been agreed and it’s currently being [inaudible] for approval. So that will be, before the end of this year, in place.
Jim: The only caveat I would put in is it’s for countries with similar legal and regulatory regimes like Canada and US, this will work fine. If you want to put in the UK, and the EU and Japan and ones like that, it will work just fine. It won’t be a good model to take you all the way to all the hundred and ninety something in the world where you’re getting two countries with very different legal systems and regulations, and different levels of trust. And so we recognize that there will be a long-term solution that needs to be fleshed out to get us to all countries. But that’s future. We got something for the initial bulk of the countries that are likely to deploy and a plan for the longer term.
Will: What will you see on your phone when you have an incoming call when Shaken is implemented? Will there be some kind of green check mark or something it’s been verified or any kind of trust indicator?
Jim: Very good question. That’s one of the areas that the industry hasn’t yet reached a consensus on. I think that depending on the carrier you’re with, in the short term you may well see a check mark. Others worry that because people won’t understand it, that could actually confuse them and cause them to not trust the whole system. And that’s why there’s a debate going on. There are a few patterns that are starting to emerge from that though, so I can give you an idea of what I think. [inaudible] what’s likely to happen. One thing is that what Shaken verifies is the number. It doesn’t say anything about the name or the intent because a scammer can get a real phone number and make calls and they would be fully verified, and it would still be a scam call.
Jim: He’d be easier to track down and stop, but nonetheless, they could do it. So if you do have a check mark, then one of the suggestions is that check mark should be very clearly associated with the number. And if you have a name on there, have it separate because you haven’t verified the name, you’ve just verified the number. If you do give a check mark, you’d only give it with a full attestation because this is actually from this number.
Jim: Another thing that has been suggested is that if you want to give an indication this is a scam that’s likely, you should not do that just on the basis of Shaken because, again, you’re just verifying the number, you don’t know anything about the intent. Where you do get some idea of intent is with analytics. You mentioned Nomorobo, and they can start, and they already do start indicating it’s spam likely. And so that negative indication, if it’s going to come in, would only come in after you’d added in the analytics. It took the number and other information and said, “Ooh this pattern, looks suspicious.”
Jim: Those are the two key things, but again, it’s being actively studied. A number of telcos have user trials where they’re showing users different things and getting the reaction. “Did you understand what that meant? Is it useful?” And as that continues to deploy, and we get some experience, we’re working to distill that down to some concise guidelines, which then will go out to the entire industry so that we do all the same thing and don’t confuse people.
Will: You mentioned showing the name of the caller, I think I’ve seen on some landlines or maybe it’s some VoIP systems, some people’s phones, when the phone comes in that’s not in their contacts, you actually still get like the actual name of the caller. The phone number plus the name of the caller. But I don’t get that on my cellphone. Could you just explain that. How does it happen that some people see that information, the name of the caller, not just when it’s in your phone book but it’s being provided by the originating phone company. How does that work, and why can’t I get it?
Jim: It works a couple of different ways. One of the things is that the calling name is, in the US, defined as a terminating service. So basically the name is not inserted when you start the call, just the number is inserted, and when you get to the termination, then basically the end carrier accesses a database somewhere that tells it, “Okay, this number is associated with this name.” And there are competitive databases to do that. But of course, since it’s a service you need to get the number, there’s costs associated and some carriers do it, and some don’t.
Jim: My suspicion, I don’t know for a fact, my suspicion is you’re less likely to do it with a mobile phone because you do, in fact, have your contact list that has most of the calls that will matter, whereas with landlines you don’t have that contact list in the same way.
Jim: I will also point out, just to confuse it even further, is that different countries have different processes. So for example in Canada, the name is actually inserted by the originating carrier so that it just comes through and you don’t have to worry about it no matter what.
Will: So there is a database? I mean I have AT&T, so if AT&T wanted to, they could offer that as a service, right? They could say, “Hey Will, you can pay an extra ten bucks a month or something, and then whenever you get an incoming call, even if it’s not in your address book, we’ll tell you the name of the person associated with that phone number?”
Jim: They could. And by the way, when you say there’s a database, there are multiple databases. Which is just one of the complications. You know, there’s ones by the carriers and then various other competing ones. But at least conceptually, yes they could. I don’t know whether the specific equipment supports it and that, but yeah. Conceptually, absolutely.
Will: But some carriers do do that. I don’t know who it is, but it seems like some VoIP or some landline companies will actually, at a business, you can see who’s calling, right?
Jim: Yeah. The VoIP and landline ones, I think it’s fairly common. And again, it’s fairly common because if they didn’t have that, they would not see the name for anyone. And that is, at least it used to be, typically a paid service where you would pay for name display.
Will: All right. Well, AT&T if you’re listening, I would pay like ten bucks a month easy if you offered that as an extra service.
Jim: I think you’ll get a call shortly.
Will: Yeah. AT&T, please add that. That would be awesome. I mean, maybe even twenty bucks a month. It’d be so useful to know who’s calling you, right.
Will: Okay, but back to what we’re talking about. Have the phone companies resisted this a little bit? I mean, I imagine to some degree, if these spammers are paying phone bills, that’s a pretty decent volume of phone calls. Maybe the phone companies are saying, “Actually, I don’t mind getting the revenue from all these spammers.”
Jim: No. And I’ve heard that suggestion before. Basically, at least the phone companies that we’ve been working with, well, let’s back up. The Shaken specification was developed by the industry, led predominantly by the phone companies who were developing the specification. So they were doing the work to come up with a solution. And if you think about it, they recognize that it’s in their interests to stop all these scammers because even if some carriers are picking up a little bit of revenue from all these calls, it undermines trust in the phone network. And if trust in the phone network disappears, people will stop using the phone, and that’s not a good thing.
Jim: I think that, at least [inaudible] phone companies have long recognized that it is absolutely in their interest to stop this problem, and to do what they can. The reason it’s taken so long, is because it’s a complex problem as I went through the various legitimate scenarios and what we know and don’t know. It’s not a simple problem. And that’s why it’s taken as long as it has.
Will: Have there been regulatory barriers to doing something like Shaken? Maybe, there’s some FCC rules against providing this information to the receiving carrier, something like that that they had to change?
Jim: Not around Shaken. If you were saying that the carrier should just spot these things, this is clearly a whole bunch of problem calls coming because of some pattern in the calling that clearly looks like it’s a robocall they should just block it and not let it go through. That they can’t do. The carriers have to complete the calls. So, again, the FCC is now allowing them to block calls at network level under very specific circumstances. So, for example, if the caller ID shows all zeros, where you go, “That’s clearly not a number I can dial”. So, that’s clearly something going wrong. And so the FCC has just, in the last couple of years, allowed them to block for that. And they are expanding the range of circumstances under which they can block, on behalf of the user.
Jim: Shaken doesn’t block the calls. So Shaken isn’t going to solve this problem all on its own. If you look at what you’re doing, Shaken with the signature and the verification it just gives you more information. It’s an enabler that will allow you to do other stuff with it later. So, for the point of Shaken, no it’s just the cost and the time to define it in the right way.
Will: But, what you’re saying, it sounds like current regulations would prohibit the originating telco from doing analytics to say, “Hey, there’s this PBX that’s sending out calls every ten seconds and lots of these calls get hung up on within the first five seconds.” Doing some analytics to suggest this PBX is a probable spammer, we’re going to go shut them down. Most calls get hung up on, they’re doing a ton of calls, it looks like they’re being automated, they’re not allowed to do that analytics on their own customers now?
Jim: We’re getting into an area that’s a little outside my area of expertise, so just take it with a little bit of grain of salt, but I can comment a little bit on it. If they were just to do that analytics, and just block it, then I think that would, in fact run foul of the regulations. However, what they can do is that if this is a customer that they signed a contract with, if they spot that this customer is doing some stuff that looks highly suspicious, then it would be appropriate for them to go and say, “So, I don’t think we like your business, or can you explain to us why this is why we should still continue to offer you service?”
Jim: In fact, within the last month, a number of the attorneys general and the telcos issued a press release that they, in fact, the New York Times article you saw the quote in was about that. Where they’re encouraging the telcos, and the telcos are saying it’s a good idea, to provide extra due diligence in investigating the people who say they want to sign up as customers, if they’re going to be generating a whole bunch of traffic. So the fact that they wave a credit card shouldn’t be enough to automatically allow them to be one of your customers. So that’s, I think, the way that they get around it. They don’t just block it. They say, “That doesn’t sound like a legitimate reason to make calls.” Because, just to cover, once a call is in the network, there’s an obligation to complete it. I don’t believe there’s an obligation for you to accept every customer who says they want to sign up with you.
Will: Got it. So a little bit kind of analogous to the financial industry with know your customer laws. Of saying like, “How many calls are you going to make a month?”
Jim: Yep. That’s exactly what it is. And in fact, there’s a number of related variations in the telco industry. They use exactly that terminology, the “know your customer”.
Will: So this has been a super helpful intro to Shaken, could you give us a little bit about you and your role in this. You’ve been a consultant in this space for a while. What’s been your role in helping the industry come up with this?
Jim: So I’ll give a bit about myself and the [inaudible 00:36:31]. So, you’re right. I’ve been consulting primarily for the Alliance for Telecommunications Industry Solutions, or ATIS as we call it. It’s an association that has broad representation across all aspects of the telecommunications industry. So all kinds of carriers, landline, mobile, cable, or over the top, Google and Skype, as well as the equipment providers and the system integrators, they all come together to solve problems like this. They come together because this is something where if AT&T came up with their solution, and Verizon came up with their solution, and T-Mobile came up with their solution, it would work great for calls within their networks, but if you had a call that originated in one network and the other one, it wouldn’t work. So co-operation makes perfect sense.
Jim: I’ve been consulting with them for a number of years on a range of problems that fit that description. A number of years back, the one that bubbled up, one of the problems that came up was the whole robocalling. What do we do about it? How do we come up with mitigation techniques? Out of that grew the initiative that became Shaken. At the time it was one of a half dozen things that I was involved in, and of course over time it expanded and it gained momentum. That’s the point where it was the only thing that I was basically doing because it had such visibility and was so important.
Jim: The tactical stuff is largely driven by the industry. So, the Comcast, AT&T and others, they were providing the technical stuff to define this, and I, representing the industry, was just kind of helping. Now, in practice, being at the table for all the discussions, I was obviously part of those discussions and, I hope, shaped it as well. But then mainly just helping the industry collectively move forward to solve their problems.
Jim: Does that give you a sense…
Will: It does. Give a little bit of a story of what’s it take for an industry to agree on some kind of technical standard like this one. What are some of your lessons learned or observations from seeing that whole process?
Jim: Mainly it starts with a recognition that these are problems that we need to come up with a single solution. They’re not problems that can be addressed by competitive market driven solutions. And again, there’s very distinct types of problems that [inaudible 00:39:25]. So, once the industry recognizes that, then it’s just having a neutral forum where they can come together. Some of the things that are important for that neutral forum to work, are ensuring that everyone’s voice is heard. So if people come in with some idea and they’re shut out, that’s not going to be helpful. So fair, neutral processes. Everyone’s voice is heard, and a mechanism for determining a consensus.
Jim: Consensus is not the same as everyone getting exactly what they wanted, but how do you identify consensus that balances all the needs and emerges as [inaudible] to consensus.
Will: I imagine that some technical options that might have been slightly more favorable for one carrier versus another. Maybe option A would have been cheaper for Comcast and more expensive for AT&T, and option B would be the reverse, what was the mechanism that they used to say, maybe ahead of time, like, “This is how we’re going to vote and get consensus and if seven out of ten of us vote yes then we’ll all agree to do it ahead of time.” Or something? So what was the mechanism to get to agreement?
Jim: There is a well defined voting process at the end to determine whether or not it passes. But there’s a strong desire or strong mindset to ensure that wherever possible, you don’t get to that count the votes up, and winners and losers. In general, you want to have something that actually comes up with some objective ways. So it’s not exactly what you’re getting at, but there were a couple of times you got into areas where there were some significant costs. And one of the principles that was put forward is that if this mechanism has the potential for additional revenue and it is going to induce additional cost, we should try and align it so that the person who gets the extra revenue is the one that gets the extra costs.
Jim: Whereas with this other approach, yes, the carrier that starts the call has to pay all the money, but the carrier that terminates it gets all the revenue, or vice versa. That’s not an ideal solution.
Jim: So those kinds of principles, which is pretty hard to object to, create an objective set of criteria for helping to encourage a working consensus.
Will: That makes sense. So there’d be different ways it could have been structured. What about things like, I don’t know, but I imagine that some things may not be completely variable. That maybe some things are sort of a fixed cost for any carrier to implement regardless of your size. For a really small carrier it would be kind of tough and for a big, big carrier, it would be peanuts. Were there explorations around how do we divide the cost up so it’s fair?
Jim: The reason I’m hesitating is that this is all driven by concrete proposals. So if someone just complains that something is problematic or difficult, that’s one thing. So what? Because there’s going to be costs no matter what you do. But when people come in with a concrete alternative proposal, that’s when you can do that kind of analysis. And yes, you worry about the size of the carriers.
Jim: Where that came in, in a major way, was when we looked at the governing structure for how do you control who gets the certificates and how do you ensure it’s secure? And in that, we looked very carefully at, “Okay, we want to make sure we put in something that distributes the costs and the voice evenly so that no one is left holding all the cost or not having a voice.”
Jim: So it depends on where you fit. But yes. And again, we count very much on people presenting their view and if they don’t like something, then coming back with a concrete proposal because just, you know, “Well, that sucks” doesn’t take you too far.
Jim: Saying, “I hate that, how about this wording, or that?” Now you can have a sensible debate, right?
Will: Who owns the IP for this? Or is it like nobody gets the patent or did some industry association get the patent on it so that everybody can use it for free or something?
Jim: There’s no patent for this. This is all done under a committee. The IPNNI, it stands for Internet Protocol Networking Network Interface, working group between ATIS and the SIP Forum, which is another association. They developed this. And under the IPR rules for that, anyone who has IPR would have had to declare it upfront and then that would have been factored in to the selection. Because again, if you have two proposals, one that was encumbered with IPR and the other that wasn’t, that would make a difference in your solutions. But, in fact, no one declared an IPR that was essential to this, and it’s basically unencumbered with IPR. Knock yourself out and deploy as quickly as possible.
Will: Great. What’s the best place for people who want to keep track of this issue, to follow it and learn more? Is there a website you want to point people to or?
Jim: Yes. Under ATIS website, which is atis.org, there is a website for the governance authority, the Secure Telephone Governance Authority. It has a number of links to progress and into the standards. There’s a test bed that ATIS and [inaudible] have been running to allow people to bring their implementations in, and make sure they work, and those are largely all linked in there.
Will: Fantastic. Well Jim, this has been really interesting to hear how all this is playing out, and I thank you personally for your work to help prevent the robocalls that I won’t be getting in the future after this is implemented.
Jim: I’m glad I could talk to you. And I’m looking forward to having them stop too.
Will: Okay. Thanks a lot Jim.
Jim: Okay, thanks. Bye bye.