Industry Committee on March 12th, 2020

Good morning, members of Parliament, staff and hearing participants.

My name is Matthew Gamble. I am a director of the Internet Society Canada Chapter and I am pleased to appear before you today to speak about fraudulent and nuisance calls in Canada.

First, I'll say a few words about who we are. The Internet Society Canada is a not-for-profit corporation that engages on Internet, legal and policy issues to advocate for an open, accessible and affordable Internet for all Canadians. An open Internet means one where ideas and expression can be communicated and received, except for where limits have been imposed by law. An accessible Internet is one where persons and all interests can freely access websites that span all legal forms of expression. An affordable Internet is one where all Canadians can access Internet services at a reasonable price. More information about our board, our activities and our publications can be found on our website.

The Internet Society is fully aware of the impact that fraudulent and nuisance calls have on Canadians. According to a study by Truecaller, Canadians receive an average of 12 spam calls per month. My personal experience tells me that number is far higher.

In the case of fraudulent calling and robocalling, such as the CRA scam calls, it's increasing for several reasons. It's inexpensive to do, has little to no consequence and sometimes, albeit rarely, is effective in defrauding innocent Canadians of their hard-earned money. Between the CRA scam calls and the endless calls for duct cleaning services, it has come to the point where people are hesitant to pick up for any unknown caller and have lost trust in their own telephones.

To give some background on my experience in this area, 13 years ago I was the chief developer and architect of Primus Canada's telemarketing guard service, which at the time was a major step forward in the fight against unwanted calls. Based on a community-driven list of known nuisance callers, it was very effective in stopping millions of telemarketing calls from reaching Canadians.

In the years since its development, however, the landscape has changed dramatically and systems that filter based solely on calling line ID are no longer effective. Bad actors now routinely spoof valid numbers or generate random numbers similar to that of the person they are calling, commonly known as neighbour spoofing.

This new wave of bad actors are exploiting principles wired into the DNA of telecommunications networks. They were built based on explicit trust between carriers and set up to make sure that calls get through no matter what. Carriers don't look at the content of calls before connecting them and multiple companies can touch each call, making identifying the source of calls a daunting, if not impossible, task.

On the surface, the solution to the current robocalling crisis may sound simple. Just forbid calling line ID spoofing. The solution, sadly, is never that simple. There are good feature-related, business-related and privacy-related reasons to allow call spoofing.

For example, imagine a women's shelter is trying to contact a domestic abuse victim at home, without the abuser knowing. They may spoof the client line ID to mask the source of the call so that it's not known to be coming from the shelter.

Other even more basic phone features, such as call forwarding or a business having multiple telephony providers, rely on the ability to set calling line ID dynamically. It's an integral feature of how the PSTN operates and something that cannot easily be disabled without significant collateral damage.

As you heard earlier this week, the CRTC is working with the Canadian telecommunications industry to attempt to fight this problem on several fronts, including requiring calls to have valid calling line ID, directing the CRTC interconnection steering committee to develop a traceback process and directing carriers to implement the STIR/SHAKEN framework for the authentication and identification of calls.

Of all of these initiatives, the Internet Society is most interested in the deployment of STIR/SHAKEN for the identification of calls. Born out of technologies borrowed from the Internet standards working groups, STIR/SHAKEN promises to restore consumers' faith in calling line ID through the use of digital signatures placed in call metadata. When implemented fully, it promises to allow carriers to identify the source of calls in real time and could easily filter parties that are spoofing known numbers such as the CRA, RCMP and others.

The major challenge with implementing STIR/SHAKEN in Canada, and why we have been intervening in these respective CRTC processes, is that there are serious policy, technology and privacy issues that have not been addressed yet with this technology.

First, on the policy issues, STIR/SHAKEN standards were developed by the Internet Engineering Task Force and then adopted by several large U.S. providers for use within their own networks. Since this adaptation was done by large carriers, several early policy and design decisions were made that benefit large carriers at the expense of smaller ones.

The largest of these decisions was to limit the ability to fully attest to the identity of the call to the phone company that owns the number. While this seems logical, ownership of phone numbers is not as simple as it sounds. There are over 1,200 entities registered with the CRTC as resellers of telecommunications services. These are generally telephone service providers, or TSPs, that operate without owning any of their own phone numbers. Instead, they rely on wholesale access agreements with larger providers. These providers deliver valuable telecommunications services to Canadians, including services such as business-hosted PBX platforms, residential over-the-top services and other innovative voice products.

The CRTC, as you know, has asked all telecommunications providers, including the non-facilities-based providers, to implement STIR/SHAKEN.

These smaller carriers will be placed at a major disadvantage when the standards and policies developed to date are implemented, if no changes are made. Without the ability to fully sign their own calls, they will be viewed as “lesser” than larger carriers. Over time, this may cause customers to move their business to larger carriers who can provide full attestation for all calls, thereby creating a two-tiered telecommunications system in Canada, of those who can sign and those who cannot. Were this to happen, it could destroy years of competitive gains and innovations made by smaller carriers.

On the technology issues, STIR/SHAKEN poses a challenge, as it requires carriers to interconnect with each other over IP-based interconnections using SIP. While the smaller providers I earlier referred to generally interconnect with their upstream carriers using the SIP technology, the interconnections among Canada's larger carriers are mostly based on legacy TDM-based interconnections. It's almost ironic that the smaller, SIP-based carriers who are best suited to deploy this technology are being left out of the process, but that's the reality of the Canadian market today.

Finally, the Internet Society has some very serious concerns around consumer privacy as it relates to STIR/SHAKEN. Once calls are digitally signed, terminating carriers will have rich, verified data on the source and destination of calls. The promise is that this will allow telecommunication service providers to develop solutions like Telemarketing Guard, but ones that don't just look at the calling number but look deeper, into such things as the source carrier. This is analogous to spam filtering in the Internet space. Analytics are built not just on the source address, but on the reputation of the networks that traffic has traversed.

While this all sounds wonderful, it poses several issues for the privacy of Canadians, as some carriers have opted to outsource this analytics function to third party commercial entities. With this data, these third party companies could easily augment existing commercial data sets to build even more detailed profiles of Canadian households. For example, you could infer from the data collected that a given household was calling for takeout every night, and that data would be valuable to a life insurance provider who might view that as an unhealthy lifestyle and an increased risk factor.

In conclusion, while this may sound as though we oppose the deployment of STIR/SHAKEN, the opposite is actually true. We firmly believe that the introduction of these technologies into the Canadian telecommunications networks is a much-needed step forward to restoring consumers' faith and protecting them from fraud. We just want participants to be mindful that we need to ensure that this technology is implemented correctly and in an open and transparent fashion. As with other Internet-based technologies, we must ensure that all players, including small telecommunications providers, can participate on an equal footing.

Finally, and above all else, we need to ensure that any technology deployed has strong privacy safeguards built into its DNA. As we have learned from the Internet, trying to augment a system for privacy after it's deployed is like trying to repair a plane in flight: It's an impossible task that should be avoided at all costs.

I thank you for your time and I welcome any questions.

Thank you, Madam Chair, and honourable members.

My name is John Lawford, and I am executive director and general counsel at the Public Interest Advocacy Centre here in Ottawa.

PIAC is a federally incorporated non-profit and a registered charity that provides legal and research services on behalf of vulnerable consumers' interests concerning important public services.

PIAC regularly participates in proceedings before the CRTC and represents consumer interests in retail banking and payment systems with the FCAC, the Department of Finance and the OBSI.

Consumer fraud is a hot potato. Companies avoid it because they do not want the risk of liability for the fraud. Police have insufficient resources to address its overwhelming size and daunting technical complexity, which changes with each vector. Regulators like the CRTC define their jurisdiction narrowly to avoid being responsible for the problem, viewing it as an operational black hole.

On an individual level, fraud is humiliating and often devastating. We naturally avoid this issue like we avoid discussing poverty because we recoil from the obvious injustice and pain that is inflicted on the victims. Avoiding a problem never makes it better, though, so we commend this committee for insisting that we take a look at one aspect of fraud in today's committee hearing, phone fraud.

The statistics we do have about the scope of the “fraud problem” are so fragmentary as to themselves pose a problem for dealing with the problem. There is no definitive and official source for them. We have recent data from the Canadian Anti-Fraud Centre that show about 46,000 reports were made in 2019, with 19,000 victims and a loss of around $100 million.

The calls to CAFC largely covered fraud committed over the phone and Internet. However, the FCAC, for example, cited 15 million fraud victims losing $450 million in 2007, likely including other types of fraud, including in person, but more reliable or current numbers are scarce. The CRTC, for example, only has numbers of complaints made in relation to the do-not-call list and not specific fraud numbers.

However, PIAC believes, based on its work in the sector, that the scope of fraud committed by telephone to be one to two orders of magnitude higher than CAFC numbers. That's voice and text fraud, in part using regular phone numbers, but leaving aside Internet-based scams you might get on your mobile phone.

It is also our belief, based on direct contact with consumers and with seniors and low-income groups such as the National Pensioners Federation and ACORN Canada, that phone fraud both specifically targets and inordinately affects seniors and low-income Canadians, some of whom may be newer Canadians. They can least afford to suffer a fraud.

I will not be addressing number porting or SIM swap fraud. It's a recent concern that requires urgent attention, though. Shortly you will hear from Randall Baran-Chong, who is both a victim of this fraud and an eloquent advocate for fixing this devastating hack. I will leave it to him to describe. However, I do note that PIAC has called for an open public hearing at the CRTC with consumer groups, wireless users, CWTA and major providers. However, so far the CRTC and CWTA have refused to have a public inquiry.

Instead, I want to talk today about good old phone fraud, getting a victim to answer their phone, home or mobile, and engage in a conversation with a fraudster which culminates ultimately in the victim transferring money to the fraudster or revealing so much personal information that the fraudster can then transfer money himself, without the victim's knowledge. This sort of fraud can be catalyzed by the spoofing of numbers or call display names to mislead consumers into thinking they are receiving a call from a legitimate agency such as a government department or a local police office number.

However, what makes for really good old phone fraud is volume and automation. The more calls made, and the more efficiently made from the scammer's viewpoint, the more likely it is to ensnare a victim.

I can tell you that billions of calls are made a year to Canadian numbers, and at least tens of millions of those calls are stage one fraud robocalls. Here's how it works. A program written by a fraudster calls thousands of phones in an hour usually with a spoofed originating phone number. No people are involved. Now multiply this by many programs, computers and other scammers doing the same thing and targeting multiple area codes and you get the idea.

In stage two, however, the potential victim answers and does not hang up but listens to the recorded message, possibly because they trust the source, fear the source or are simply lonely and looking for some human contact. If the victim presses “1” to hear the message, a live fraudster walks the victim through the fraud to the point of money transfer.

Robocalls are just fishing lines flung out to the sea of phone-owning humanity. The secondary calls with a live agent are vastly smaller in number. This smaller number is still very large; we just don’t know how large. That is where the fraud takes place.

What's new? What's changed in this area lately to give you the impression that we have a phone fraud epidemic? “Epidemic” is a bad word today. Why are more and more Canadians, especially seniors and low-income Canadians, falling victim to phone fraud?

The answer is that the phone system has been technologically democratized. In the past, to dial multiple numbers, a knowledge of the phone company’s network software was required. This software allowed only a certain throughput of dialed numbers. Now almost the entire phone system runs on Internet protocol. This allows many millions of calls to be made to many millions of numbers and transmitted by a small number of computer operators.

While IP-based telephony has allowed new competitors and services, it has allowed fraud to balloon, in part due to the possibility of spoofing numbers with IP, which is harder than with the old software. The bottom line, so to speak, is that with more fishing lines come more hooked fish.

The phone industry, especially legacy carriers such as Bell Canada and Telus, know this reality all too well, as does the CRTC, which at least views nuisance robocalls as within its telemarketing jurisdiction. It deals, at least in part, with numbers on the do-not-call list. They are all working together on the spoofing part. The CRTC already requires them to block obviously spoofed numbers such as 000-000-0000. They are all working on implementing the STIR/SHAKEN protocol you just heard about, which really works only on entirely IP-based calls. All it really does is provide a confidence rating for each call. That is, it allows the recipient software to automatically block these likely robocalls. Both of these measures will help, but they will not totally stem the tide.

However, there are also new network-level blocking technologies, like those developed by Bell Canada, which has now applied to the CRTC to allow this. They claim to use AI-based algorithms to identify likely robocall sources, along with some confidential extra fail-safes that they have promised, and then to block all such suspicious calls that are transiting Bell’s network. Bell's network is vast in Canada.

While this does raise concerns from other carriers that must use Bell’s network to connect calls and it concerns legitimate customers who may have their calls illegitimately blocked, it does attempt to address the volume aspect of our problem. It attempts to use automation against automation. We believe it is likely, on balance, a positive development, but will it be sold to us or offered for free?

Last, what is missing to combat the actual content of fraud calls is more authority in this area for the CRTC. We suggest looking at the U.S. Telephone Consumer Protection Act, and a dedicated anti-phone fraud act, for example, one more akin to the Telemarketing Consumer Fraud and Abuse Prevention Act in the United States. In this regard, we also noticed that the broadcasting and telecommunications legislative review report seems to have missed a chance to recommend amending the Telecommunications Act to give the CRTC more authority to deal with fraud calls or to recommend a dedicated anti-phone fraud act, whether administered by the CRTC or perhaps by the new data commissioner.

We also need a better, more centralized, comprehensive and reliable set of phone fraud and Internet fraud-related statistics and reports to be gathered and publicly released at regular intervals. Finally, we need continual oversight and democratic encouragement by Parliament of work on phone fraud. It is too important to allow this game of hot potato to be played between regulators, companies and the police.

Thank you very much.

I think consumer resilience, if you want to call it that, could be a lot better in Canada. I think it's only part of the problem, but let's start there.

There have been efforts made to reach out in other areas in which consumers are defrauded in languages other than English and French. It's part of no one's mandate at the moment, and I can't think who would be doing it. The CRTC probably could undertake this type of work—to produce materials for people, to try to reach out to the community—but it's really one of those cases in which you have to get direct contact with consumers in a language they understand.

I'm not sure how getting out into these communities and getting a trusted person to communicate with them would be directly delivered, but it's a great idea.

Sure. That's the issue you're going to hear about from Randall in the next panel. It's the SIM swap.

At the moment, the CRTC has exchanged letters with the wireless association saying to please tell them what they're doing on SIM swap because other countries, for example, Australia, have already set out rules about avoiding SIM swap. There's an exchange of letters on this on the website, and I'm asking, “What are you guys doing? Why isn't there a public inquiry such as we usually have at CRTC?”

So far, the answer from the companies has been that they don't want to talk about fraud in public, because it might be telling scammers what's going on. From the CRTC.... I don't know why they don't want to do a public inquiry. I think they want the industry to solve it quickly. However, I don't understand why that's done, because normally fraud is not helped by obscurity; it's better to discuss it in public. Rules that are made in an open, transparent process usually are better rules.

The process right now with the CISC working group of the CRTC is that the concerns of the smaller players are there, although only a few of them are represented.

I will say that many of these smaller carriers don't have the resources to participate in these types of forums. They are things that take time from staff, and if you have a company of two or three people, it's hard to dedicate somebody to work on technical standards.

The CRTC submissions from the carriers to date acknowledge that this is an issue, but they say it's something that should be solved at a later date, with no real understanding of when that date would be.

That is correct. The view so far seems to be that we should implement with the big players and then let the small players catch up later. As you know, trying to fix something after you've done it is always problematic.

That is correct; or they would be tied to using a single provider as their wholesale source through which all the numbers would have to go. They would lose the flexibility of choosing which wholesale partners they deal with.

When fully implemented, every call will have a source of at least some level associated with it. There are three different levels: gateway, partial and full. Gateway just says that it knows where the call came from on the network, so that you basically know where it was injected from the Internet side into the phone network side. At a minimum, you would know which end user it came from.

That is correct. There are no KYC requirements in telecom.

The messages that are sent out are ones that are designed to elicit fear or something of interest. They can work, for example, targeted at new Canadians, if it's fear-based. The ones that our seniors are sent might be an “interesting offer” kind of approach. They can receive the fear-based ones as well.

Both parties are susceptible to these calls, but seniors have the additional.... Well, there are two things I can honestly say. Generally speaking, as one gets older, one gets more trusting. Also, as one gets older there is some social isolation. That's what our client groups tell us. One is more susceptible just to taking any call. That is known by the scammer. That's why the high volumes get targeted at seniors. They're hoping to phish somebody who is lonely, to be honest.

I haven't studied the messaging, exactly what's said. I think the threats work better on folks who may be newer immigrants.