Good morning, members of Parliament, staff and hearing participants.
My name is Matthew Gamble. I am a director of the Internet Society Canada Chapter and I am pleased to appear before you today to speak about fraudulent and nuisance calls in Canada.
First, I'll say a few words about who we are. The Internet Society Canada is a not-for-profit corporation that engages on Internet, legal and policy issues to advocate for an open, accessible and affordable Internet for all Canadians. An open Internet means one where ideas and expression can be communicated and received, except for where limits have been imposed by law. An accessible Internet is one where persons and all interests can freely access websites that span all legal forms of expression. An affordable Internet is one where all Canadians can access Internet services at a reasonable price. More information about our board, our activities and our publications can be found on our website.
The Internet Society is fully aware of the impact that fraudulent and nuisance calls have on Canadians. According to a study by Truecaller, Canadians receive an average of 12 spam calls per month. My personal experience tells me that number is far higher.
In the case of fraudulent calling and robocalling, such as the CRA scam calls, it's increasing for several reasons. It's inexpensive to do, has little to no consequence and sometimes, albeit rarely, is effective in defrauding innocent Canadians of their hard-earned money. Between the CRA scam calls and the endless calls for duct cleaning services, it has come to the point where people are hesitant to pick up for any unknown caller and have lost trust in their own telephones.
To give some background on my experience in this area, 13 years ago I was the chief developer and architect of Primus Canada's telemarketing guard service, which at the time was a major step forward in the fight against unwanted calls. Based on a community-driven list of known nuisance callers, it was very effective in stopping millions of telemarketing calls from reaching Canadians.
In the years since its development, however, the landscape has changed dramatically and systems that filter based solely on calling line ID are no longer effective. Bad actors now routinely spoof valid numbers or generate random numbers similar to that of the person they are calling, commonly known as neighbour spoofing.
This new wave of bad actors are exploiting principles wired into the DNA of telecommunications networks. They were built based on explicit trust between carriers and set up to make sure that calls get through no matter what. Carriers don't look at the content of calls before connecting them and multiple companies can touch each call, making identifying the source of calls a daunting, if not impossible, task.
On the surface, the solution to the current robocalling crisis may sound simple. Just forbid calling line ID spoofing. The solution, sadly, is never that simple. There are good feature-related, business-related and privacy-related reasons to allow call spoofing.
For example, imagine a women's shelter is trying to contact a domestic abuse victim at home, without the abuser knowing. They may spoof the client line ID to mask the source of the call so that it's not known to be coming from the shelter.
Other even more basic phone features, such as call forwarding or a business having multiple telephony providers, rely on the ability to set calling line ID dynamically. It's an integral feature of how the PSTN operates and something that cannot easily be disabled without significant collateral damage.
As you heard earlier this week, the CRTC is working with the Canadian telecommunications industry to attempt to fight this problem on several fronts, including requiring calls to have valid calling line ID, directing the CRTC interconnection steering committee to develop a traceback process and directing carriers to implement the STIR/SHAKEN framework for the authentication and identification of calls.
Of all of these initiatives, the Internet Society is most interested in the deployment of STIR/SHAKEN for the identification of calls. Born out of technologies borrowed from the Internet standards working groups, STIR/SHAKEN promises to restore consumers' faith in calling line ID through the use of digital signatures placed in call metadata. When implemented fully, it promises to allow carriers to identify the source of calls in real time and could easily filter parties that are spoofing known numbers such as the CRA, RCMP and others.
The major challenge with implementing STIR/SHAKEN in Canada, and why we have been intervening in these respective CRTC processes, is that there are serious policy, technology and privacy issues that have not been addressed yet with this technology.
First, on the policy issues, STIR/SHAKEN standards were developed by the Internet Engineering Task Force and then adopted by several large U.S. providers for use within their own networks. Since this adaptation was done by large carriers, several early policy and design decisions were made that benefit large carriers at the expense of smaller ones.
The largest of these decisions was to limit the ability to fully attest to the identity of the call to the phone company that owns the number. While this seems logical, ownership of phone numbers is not as simple as it sounds. There are over 1,200 entities registered with the CRTC as resellers of telecommunications services. These are generally telephone service providers, or TSPs, that operate without owning any of their own phone numbers. Instead, they rely on wholesale access agreements with larger providers. These providers deliver valuable telecommunications services to Canadians, including services such as business-hosted PBX platforms, residential over-the-top services and other innovative voice products.
The CRTC, as you know, has asked all telecommunications providers, including the non-facilities-based providers, to implement STIR/SHAKEN.
These smaller carriers will be placed at a major disadvantage when the standards and policies developed to date are implemented, if no changes are made. Without the ability to fully sign their own calls, they will be viewed as “lesser” than larger carriers. Over time, this may cause customers to move their business to larger carriers who can provide full attestation for all calls, thereby creating a two-tiered telecommunications system in Canada, of those who can sign and those who cannot. Were this to happen, it could destroy years of competitive gains and innovations made by smaller carriers.
On the technology issues, STIR/SHAKEN poses a challenge, as it requires carriers to interconnect with each other over IP-based interconnections using SIP. While the smaller providers I earlier referred to generally interconnect with their upstream carriers using the SIP technology, the interconnections among Canada's larger carriers are mostly based on legacy TDM-based interconnections. It's almost ironic that the smaller, SIP-based carriers who are best suited to deploy this technology are being left out of the process, but that's the reality of the Canadian market today.
Finally, the Internet Society has some very serious concerns around consumer privacy as it relates to STIR/SHAKEN. Once calls are digitally signed, terminating carriers will have rich, verified data on the source and destination of calls. The promise is that this will allow telecommunication service providers to develop solutions like Telemarketing Guard, but ones that don't just look at the calling number but look deeper, into such things as the source carrier. This is analogous to spam filtering in the Internet space. Analytics are built not just on the source address, but on the reputation of the networks that traffic has traversed.
While this all sounds wonderful, it poses several issues for the privacy of Canadians, as some carriers have opted to outsource this analytics function to third party commercial entities. With this data, these third party companies could easily augment existing commercial data sets to build even more detailed profiles of Canadian households. For example, you could infer from the data collected that a given household was calling for takeout every night, and that data would be valuable to a life insurance provider who might view that as an unhealthy lifestyle and an increased risk factor.
In conclusion, while this may sound as though we oppose the deployment of STIR/SHAKEN, the opposite is actually true. We firmly believe that the introduction of these technologies into the Canadian telecommunications networks is a much-needed step forward to restoring consumers' faith and protecting them from fraud. We just want participants to be mindful that we need to ensure that this technology is implemented correctly and in an open and transparent fashion. As with other Internet-based technologies, we must ensure that all players, including small telecommunications providers, can participate on an equal footing.
Finally, and above all else, we need to ensure that any technology deployed has strong privacy safeguards built into its DNA. As we have learned from the Internet, trying to augment a system for privacy after it's deployed is like trying to repair a plane in flight: It's an impossible task that should be avoided at all costs.
I thank you for your time and I welcome any questions.