Washington, DC
December 6, 2018
Ian Scott, Chairperson and Chief Executive Officer
Canadian Radio-television and Telecommunications Commission
Check against delivery
Good morning.
Thank you for that kind introduction. I’m pleased to be here with you today.
For those who don’t know, the CRTC is an administrative tribunal that regulates and supervises Canada’s broadcasting and telecommunications systems in the public interest. It’s our goal to ensure that Canadians have access to a world-class communication system that promotes innovation and enriches their lives.
Our mandate is broad. Much more so than those of many of our regulatory colleagues around the world. And we perform a wide range of activities in support of it. Of particular interest to this conference, we promote compliance with Canada’s Unsolicited Telecommunications Rules, including the National Do Not Call List.
The National DNCL and caller ID spoofing
The CRTC created the National Do Not Call List a decade ago in response to complaints by Canadians about nuisance telemarketing calls. The list gives consumers the power to reduce the number of telemarketing calls they receive by registering their telephone numbers. Indeed, since the list was created, Canadians have registered more than 13 million telephone numbers—and continue to do so at a rate of about 800 numbers each day.
This is a clear sign that there was—and continues to be—a need for this service.
The rules associated with the list also require that telemarketers and their clients register before they may contact Canadians. To date, more than 18,000 have. These rules also set out a series of responsibilities for telemarketers and their clients.
During the time that the National Do Not Call List has been in place, we have been working to build a safe telemarketing environment for Canadians through extensive outreach and enforcement activities. We have the power to investigate complaints and impose monetary penalties on telemarketers and their clients that we find to be in violation of the Unsolicited Telecommunications Rules.
And while we’ve done great work to reduce the number and frequency of the telemarketing calls Canadians receive, and to bring businesses into compliance, we are not about to rest on our laurels. The fact of the matter is that the telemarketing industry is evolving in lock step with the telecommunications sector. The bad actors have new tools at their disposal to disguise themselves and elude authorities.
The big challenge in front of the CRTC right now is one common to all of us. It’s the work being done by illegitimate actors to hide their identities. One of their preferred tactics is to spoof the caller ID, so that they can hide their locations and fool consumers about their intentions.
Canadians have told us loud and clear that spoofing is a big problem. They’re fed up with it. They’re worried that they can no longer trust that the caller on the other end of the line is who he or she claims to be. They’re concerned, and rightly so, about threats to their privacy—and about the risk of harm that could come from the simple act of picking up the phone.
In the past five years, more than 74,000 Canadians have complained to the Canadian Anti-Fraud Centre about being targeted by a particular phone scam. The caller claims to be from the Canada Revenue Agency—our national tax authority—and that they must pay taxes owed to the government or risk imprisonment.
Imagine you’re a senior or new immigrant receiving this threatening call. Little wonder, then, that Canadians have lost more than $15 million to these scams over that same period of time. And that’s the victims we know about. Once they realize what’s happened, many are too embarrassed to file a report.
Responding to nuisance calls
We’re working on the problem, and our response is evolving. It began in 2015 when we held a public consultation to look into the problem of caller ID spoofing. At the time, we understood that of the more than 900,000 alleged violations of the Unsolicited Telecommunications Rules that we received, more than 40% were due to caller ID spoofing. That’s about 360,000 complaints.
As part of our consultation, we asked carriers and other parties to provide information on the options and features that were available to help Canadians protect themselves from unsolicited and illegitimate calls. And while hardware and software solutions such as call filtering and call blocking were available to subscribers—some at an additional cost—neither was an all-encompassing solution. Yes, they allowed users to block specific callers, or to not be disturbed at certain times of the day, but none offered meaningful ways of verifying that the caller on the other end of the line was really who he or she claimed to be.
We therefore adopted a three-pronged approach to get to the root of the problem.
First, in 2016, we issued a new policy that directed telecommunications service providers to develop technical solutions to block illegitimate nuisance calls on their networks. We tasked an industry-led working group, the CRTC Interconnection Steering Committee, to develop these solutions and to report back to the Commission.
We subsequently launched a public consultation inviting comments on the possibility of requiring all Canadian telecommunications service providers to implement universal network-level call blocking. At this time, we are reviewing the comments we received and expect to issue a decision before the end of the year.
Second, we identified best practices for opt-in filtering services and asked providers to report back to us with details on the filtering services they offer, or would propose to offer, to their customers.
Third, in January 2017, we began a follow-up consultation to build on this regulatory policy. That process culminated at the beginning of this year when we asked the members of the CRTC Interconnection Steering Committee to do two things:
- The first was to implement measures that will allow them to verify and authenticate the caller identification information for Internet Protocol voice calls by March 31, 2019. Telecommunications service providers are required to submit to the CRTC Interconnection Steering Committee a report every six months on their efforts and progress in implementing authentication/verification measures for caller identification information.
- The second was to develop a call trace-back process that allows providers to track nuisance calls back to their points of origin. We requested that the steering committee develop an industry-wide call traceback process and file a report regarding such a process with the Commission.
I’m very much looking forward to seeing what progress they’ve made on these important issues. Once we’ve reviewed the reports, we will decide what further measures may be required, including whether to mandate providers’ participation in a call trace-back process.
I want to be clear that we are taking these issues very seriously. I mentioned a moment ago that in 2015, caller ID spoofing allegations accounted for about 40% of the complaints we received through the National Do Not Call List. This problem isn’t going away. Quite the opposite. It’s growing. And we need to act.
These are the steps Canada is taking to root out the caller ID spoofing problem. We have put Canadian service providers on notice that we are prepared to take further action if we are unsatisfied with the progress made to date.
I’m pleased to see that government and telecommunications operators on this side of the border are also taking action on this issue. I’d like to acknowledge the work being done by the Federal Communications Commission and the members of the Internet Engineering Task Force to develop the Secure Telephone Identity Revisited protocol. STIR will enable telecommunications service providers to confirm the identities of callers.
I’d also like to recognize the work being done by the members of the Alliance for Telecommunications Industry Solutions and, of course, the members of the SIP Forum, for developing the SHAKEN (Signature-based Handling of Asserted information using toKENs) specification.
Combined, the STIR/SHAKEN protocols will offer a practical mechanism to provide verified information about calling parties as well as the origin of the call. The protocols will give service providers the tools they need to sign and verify calling numbers. In turn, they will make it possible for consumers to know, before they answer the phone, that the calls they receive are from legitimate parties.
International collaboration
I said earlier that the challenges in the telecommunications industry are evolving. Bad actors are becoming much more sophisticated in their work. They’re finding new ways and new tools to do their bad deeds. I also said that our approach to finding them and weeding them out is evolving. It has to.
Although we focus a large part of our approach to investigation and enforcement within our borders, we’re not blind to the need to work with our international partners. We recognize the importance of developing a global and coordinated approach to address unlawful automated telephone calls (also known as robocalls) and inaccurate caller identification, as well as the threats that they pose to consumers and their confidence in critical communication systems.
In 2016, we signed a formal agreement with the FCC to combat, amongst other things, robocalls and caller ID spoofing, and to share knowledge and expertise. The agreement allows our respective organizations to collaborate on research and education activities, new training programs and staff exchanges. These activities will better equip our investigators to understand the nature of these problems and respond to them in kind.
We have also signed memoranda of understanding with our counterparts in Japan, the United Kingdom, Australia and New Zealand. Similar to our arrangement with the FCC, these arrangements allow us to share information and provide investigative support.
In 2011, we were the co-chair and one of 12 founding members of the International Do Not Call Network. Members meet annually to establish best practices, encourage the development of robust telemarketing laws and policies around the globe, and educate consumers to recognize and report telemarketing violations.
Finally, we are also active in international groups such as:
- the Unsolicited Communications Enforcement Network, which promotes international spam enforcement cooperation and addresses spam related problems, such as online fraud, phishing and virus dissemination;
- the Messaging, Malware and Mobile Anti-Abuse Working Group, which is an international information technology industry forum that works to reduce threats from bots, malware, spam, viruses, denial-of-service attacks and other online exploitations; and
- the International Mass Marketing Fraud Working Group, the purpose of which is to exchange information and intelligence on mass-marketing fraud, to coordinate cross-border operations to detect and disrupt those people and organizations that commit mass-marketing fraud, and to drive public awareness about international mass-marketing fraud schemes.
Our involvement in these groups, be they government-to-government or joint government and private sector initiatives, is helping us and our partners stay current on not only the latest threats to our citizens, but also the latest thinking on how to combat those threats. As spoofers work across borders to threaten Canadians and Americans, we are using all the tools and solutions at our disposal to find these bad actors and shut them down.
Conclusion
I’m pleased to say that we’re making progress in our efforts to protect Canadians against unwanted telemarketing practices.
Our National Do Not Call List is working.
Meanwhile, the Unsolicited Telecommunications Rules have set a clear framework within which legitimate telemarketers and their clients must operate. Combined, these tools have helped us make a significant dent in the number of calls Canadians receive.
But the problem is far from solved. Caller ID spoofing is the current problem that we must address. It’s pervasive. It’s insidious. And it’s a real threat to the security of Canadians’ personal and financial data.
I’m encouraged by the work that’s been done on the STIR/SHAKEN protocols here in the United States, and I am eager to see the solutions that our own Canadian working group will bring forward later this month.
I’m also encouraged by the work being done across borders through various working groups to share information and best practices. Because one regulator alone can’t fight this problem. The only way any of us will achieve our goal of protecting consumers is by sharing resources and information.
Thank you.- 30 –