Short of MitM'ing all VoIP traffic, how could this be proactively enforced? It's far more practical to focus proactive enforcement where actual phone lines are used, which is exclusively in the U.S.
Scam call centers employ 1000s of people. You just need one of them to talk and collect evidence. The companies pay poorly and have high turnover, so they shouldn’t be hard to find.
That is not proactive enforcement. Also, it has been done before, and is clearly too slow - they may arrest one or two people, while the other thousands can easily relocate their laptops and headsets.
The most effective place to stop it is at the "border", and that is what DOJ is doing here.
The big telecoms get call traffic from a manageably small number of interconnect companies/organizations.
They probably can’t figure out the initial source, but they can figure out which interconnect it’s coming from.
They should call them at their 24/7 NOC and tell them to trace it back a later to trace back another layer to trace it back another layer. Or else they’re getting shutdown in 24hrs.
Same as AT&T would do if Cogent was sending them spoofed scam traffic.
The problem is that the telecoms get paid for these 4th string interconnects by the minute.
How do you enforce that with how disposable DIDs are?
It is trivially easy to acquire a block of numbers from any number of sources with easily falsifiable information, connect them to a SIP application to robocall/robotext victims using easily falsifiable CID data and disappear just as trivially.
Programmatic voice via SIP trunking only makes this worse-not critiquing services like Twilio, Plivo or Telnyx, just highlighting one of the unfortunate risks the technology available to us enables.
CID enforcement is a grand idea but I have no clue how you'd actually accomplish it.
How about the number? If I'm making a SIP call on, say, Alianza, shouldn't what I present as my number for Caller ID match what Alianza thinks my number to receive calls is? Or, if I'm a large organization, shouldn't it at least be one of the numbers registered to my organization?
I may be able to spoof the name. The number? Not so much.
You also send your number as part of the invite. Responsible VoIP providers limit this to numbers you own, but it's totally possible to send calls using a number you don't own. There are CNAM databases but not all carriers make use of them and they aren't a source of truth. How would your solution deal with numbers which go back into a carriers pool? How would your solution deal with newly claimed numbers? How do you verify the numbers on file for an organization?
I was thinking along these lines: It may be possible to send calls using a number I don't own. It should not be possible to send calls using a number that the VoIP provider doesn't own. If I'm sending a VoIP call to someone's cell phone, and I'm saying that I'm a cell phone in the same block of numbers as the destination phone, a responsible VoIP provider should block that, even if they don't restrict me only to my number.
But we both used the word "responsible". I think that's the problem - there are some irresponsible VoIP providers. Maybe even deliberately irresponsible. For obvious reasons, they attract the spammers and scammers. And that brings us back to this lawsuit as a reasonable response to that kind of irresponsible behavior.
