FCC Drops the Ball on Spam Text

Most FCC orders make technical sense, even when their details are wrong on policy grounds. But every so often the agency crafts an order that so clearly misses the factual points that I find myself scratching my head as I wonder what went wrong.

The March 17 Report and Order and Notice and Further Notice of Proposed Rulemaking on Targeting and Eliminating Unlawful Text Messages (CG Docket No. 21-402) is a real doozy. It simply imposes robocall regulations on text messages without considering whether such a move makes any sense.

The order needs to be withdrawn and replaced by a new one that makes sense. Read on for reasons.

How We Block Robocalls

Fake robocalls – as distinct from legitimate robocalls about weather conditions, police alerts, and healthcare reminders – need to trick the consumer into answering a call. Hence, they spoof legitimate phone numbers.

Meaningful regulation – such as STIR/SHAKEN – authenticates originating phone numbers to prevent consumers from being fooled about who’s calling. Once we’ve got a handle on who is actually calling, we can block calls from low-reputation callers.

Carriers do the authentication and check numbers against blacklists in their proprietary apps. Third-party apps like Nomorobo, Hiya, RoboKiller, Truecaller, and Call Control do another layer of reputation checking. Together, this approach prevents your phone from ringing when a robocaller is on the line.

How We Block Spam Texts

Nearly all spam texts originate from valid numbers on valid networks or valid service providers. As the expert group Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) explained to the FCC:

“Nearly all illegal, unwanted and abusive text messages originate from over-the-top service providers; emails sent to email-to-text gateways; or banks of illicit computer-driven mobile network devices, historically in this order of descending prevalence.”

Hence, STIR/SHAKEN authentication does nothing to reduce spam texts.

Text message carriers rely on user feedback to throttle and block spam and to take down abusive service providers. This means forwarding malicious texts to shortcode SPAM and replying STOP to unwanted texts.

These reports are shared among legitimate service providers to escalate from individual recipient blocking of abusive numbers to network-wide blocking. This system is already in place and it works well.

The Better Analogy is Spam Email

Text messaging is different from phone calls because it doesn’t require manual acceptance of each communication. Text messaging is different from email spam because the originating party is nearly always whoever they claim to be.

But just as email spam blocking depends on rapidly learning the sources and content of unwanted messages, spam text blocking depends on detecting messages that can be sent from a variety of names or numbers. Both are exercises in information sharing.

As M3AAWG puts it:

“Defense against unwanted text messaging is fueled by collection and dissemination of threat intelligence to other specialists in positions to use that information to disrupt attacks and direct defense actions towards abusive, negligent and complicit parties. This collaboration plays an important role, and is typically born of forums, including M3AAWG, where experts converge to teach, learn and collaborate.”

One of the barriers to effective spam blocking is privacy concerns that prevent information sharing. The FCC needs to understand this.

Does the FCC Even Need to Act on Spam Texts?

This question has come up in nearly all FCC enquiries since the dawn of the net neutrality adventure 20 years ago. As we learned from that red herring, industry self-regulation is often more effective than agency imposition of half-baked rule sets. The Internet is fine without help from the net neutrality lobby.

In the absence of FCC attention to spam texts until very recently, the industry has addressed the issue by collaboration under the aegis of M3AAWG and similar organizations:

“We observe that the less-regulated text messaging industry has had anti-spoofing technologies in place for well over a decade and is now advancing beyond service provider registration with registration of high-volume [Application-to-Person (A2P)] senders (e.g., brands) themselves. We urge the FCC to consider the risks of creating regulation in spaces where industry already has solutions in place… This absence of excessive mandates has enabled the industry’s successes, most notably making text message spoofing so rare.”

Wise words from the experts.

What Needs to be Done

Spam texts are much less common than spam calls or spam email. But they’re just common enough for the FCC to feel that it needs to be more involved.

There is a role for the FCC on this particular issue that comes down to three steps:

  1. Educate consumers about reporting spam texts and replying STOP to them.
  2. Clarify the fact that privacy regulations do not and should not interfere with spam mitigation efforts.
  3. Raise the agency’s awareness of the unique properties of text spam versus robocalls and spam email.

There is no current need to mandate authentication or blacklisting. Authentication is unnecessary and blacklists are already common:

“Given that many millions of messages are blocked daily – using a combination of millions of message ‘fingerprints,’ message blocking rules, sender/receiver reputation and consumer feedback, and by many layers of defense (e.g., of device and network vendors’ blocking systems) – it is difficult to envision a set of regulations governing general text-message unblocking processes and procedures that would be workable and cost-effective.”

The FCC should revoke its mandates and allow the engineers to continue doing what they already do.