European Telecom Regulation to prevent CLI Spoofing

Created by Daniel Kauffer, Modified on Tue, 21 Nov, 2023 at 10:42 AM by Daniel Kauffer

Calling Line Identification (CLI) spoofing is a practice that has been on the rise in recent years, especially since it is facilitated by the migration to IP-based networks. Different countries have adopted various regulations to combat this practice.

One approach that has been proposed is a two or three-stage solution. 

 - In the short term, traffic pattern analysis can reduce some of the problems, but it is not a real-time solution. National and international/regional forums can promote industry groups to facilitate discussions on traffic analysis and information sharing to combat CLI spoofing. 

 - In the mid-term, national solutions may be implemented to make domestic calls more reliable. 

 - In the long-term, techniques such as Secure Telephone Identity Revisited (STIR)/Signature-based Handling of Asserted information using tokens (SHAKEN) could be implemented.



Many countries have introduced regulatory practices intended to disrupt and combat CLI Spoofing. A number of these practices are examined below:



APPROACH IN BELGIUM

In Belgium, the Belgian Institute for Postal Services and Telecommunications (BIPT) has published CLI guidelines that provide more clarity on CLI use and presentation. The guidelines put forward four principles that aim at safeguarding the CLI’s veracity and increasing its reliability. The BIPT also keeps a blacklist of geographical numbers that are susceptible to fraud, and operators use this list to block calls with these CLIs originating abroad.




APPROACH IN FRANCE

In France, the Electronic Communications, Postal and Print Media Distribution Regulatory Authority (ARCEP) has taken several decisions to combat CLI spoofing. In 2012, ARCEP forbade the use of premium rate numbers as a CLI. In 2018 and 2019, ARCEP made recommendations to reduce fraudulent calls using spoofed CLIs. ARCEP concluded that it is justified that operators are allowed to block the routing of calls or messages with a French geographic or non-geographic number received through an international interconnection (outside the EU). ARCEP also recommended that operators implement a validation process for the user-provided CLI.




APPROACH IN GERMANY

In Germany, the legal situation before December 2021 was limited to certain provisions regulating the transmission of numbers for outgoing calls. The revised German Telecommunications Act (TKG) came into force on December 1, 2021, intending to improve the situation regarding Caller ID Spoofing. The new approach includes new technical protective mechanisms, new obligations for disconnecting calls with forbidden numbers, and giving the regulatory body the power to prosecute breaches of the provisions on number manipulation. The legislation provides for implementation periods of up to one year. 

More info: German Call Regulations: Federal Network Agency Issues Reminder for Telemarketers




APPROACH IN LATVIA

Latvia has used formal regulation to oblige operators to block calls where the A-number has been manipulated. The National Regulatory Authority (NRA) of Latvia has developed a procedure regarding the elimination of fraud using numbering. Latvia's regulation foresees that Electronic Communications Service Providers (ECSPs) should block the routing of calls and access to the relevant number immediately if fraud performed using numbering or incorrect use of numbering is detected.




APPROACH IN NORWAY

Norway was one of the first countries to adopt a formal regulation on CLI in 2013. The regulation obliges operators to block calls where the end-user does not have the right to use the A-number or where the A-number is not routable if it is technically possible and economically feasible. This move was significant because it put the onus on the operators to take proactive steps to prevent fraud and protect consumers.

The Norwegian Communications Authority (Nkom) has also provided legal guidance to stakeholders to clarify the right to block calls to prevent customers from financial loss and consumer harm. They have created an industry guideline for number display/ CLI in collaboration with stakeholders in the Norwegian Working Group on Numbering. Additionally, Nkom has created an industry expert group to develop measures to prevent CLI spoofing and Wangiri. This includes call filtering (including traffic monitoring and location verification) and ad hoc solutions for victims of spoofing.

Nkom has also arranged joint workshops with police authorities and operators and interacted with the National Electronic Communications Industry Anti-crime Organisation (ITAKT2) to combat fraud and protect consumers. However, there have been limited operator-based initiatives to reduce SMS spoofing on a case-by-case basis.




APPROACH IN FINLAND

Traficom has implemented measures to block international scam calls by preventing foreign operators from using Finnish phone numbers to make calls to Finland. This is done by verifying that the caller ID number matches the country code and the network operator, and that the caller is using a legitimate network.
As a result of these measures, some legitimate users of VoIP services may experience difficulties when trying to make calls to Finland using a Finnish phone number. This is because the verification process may not be able to distinguish between legitimate and illegitimate users of these services. However, Traficom has stated that it is working with VoIP providers to find a solution to this issue.
It is worth noting that these measures have been implemented to combat the rise of international scam calls, which have become a growing problem in Finland and many other countries. By preventing foreign operators from using Finnish phone numbers to make scam calls, Traficom hopes to reduce the number of fraudulent calls and protect Finnish consumers from scams and other fraudulent activities.




APPROACH IN UK

The United Kingdom (UK) has implemented a series of measures aimed at ensuring that the CLI data presented to callers is correct, promoting trust in CLI and protecting the interests of consumers. 

Ofcom, the UK’s communications regulator, requires operators to provide CLI facilities and to ensure that the CLI data provided with a call includes a valid, dialable telephone number that uniquely identifies the caller. A valid number complies with the International public telecommunication numbering plan, and a dialable number is in service and can be used to make a return or subsequent call. 

The CLI guidelines set out the definition of a valid and dialable CLI for operators in different parts of a telephone call, based on what is technically possible today.

Operators have a greater role to play in ensuring that accurate CLI data is presented to end-users, and Ofcom has worked with operators to help block calls without a trusted CLI. This includes convening an industry working group on nuisance calls, providing a list of ‘protected’ numbers that should not be in use, and compiling a ‘Do Not Originate’ list of numbers that organizations do not use to make outbound calls.

Where an operator considers that the CLI provided with a call contains invalid or non-dialable CLI data, they are required to prevent the calls from being connected to the called party, where technically feasible. For calls that originate outside of the UK, the operator at the first point of ingress is responsible for ensuring that the call is populated with valid CLI data and replacing invalid or missing CLI data with a number that has been assigned to them for this purpose.

The delivery of reliable CLI data to end-users, which respects the user’s privacy, relies on the data being correct in the first place and the cooperation of all the ECNOs (Electronic Communications Network Operators)/ECSPs (Electronic Communications Service Providers) involved in the call chain to pass on this information correctly. 

The CLI obligations require operators to ensure that CLI data is exchanged with greater accuracy and that only valid CLI data is made available to end users.

More info: OFCOM Call Regulation in the UK



APPROACH IN USA

In the United States, the Federal Communications Commission (FCC) has adopted the "STIR/SHAKEN" framework, which requires voice service providers to implement caller ID authentication technology to combat spoofed robocalls. STIR/SHAKEN is a call authentication technology that allows telephone networks to verify that the caller ID information transmitted with a call matches the caller's real phone number. In addition, the FCC has established rules that prohibit the use of automatic dialling systems to call emergency lines and adopted new rules regarding the blocking of unwanted calls and texts.

More info: FCC Regulations to Combat Unwanted Robocalls in the US




Conclusion

CLI spoofing is a growing problem, and countries have implemented various regulations to combat it. While short-term solutions like traffic pattern analysis can help, mid and long-term solutions like national implementations and STIR/SHAKEN are necessary for a more comprehensive approach. Some countries have taken specific steps, including the creation of CLI guidelines and the implementation of blacklists and validation processes, to combat CLI spoofing.



For more information about VoIP restrictions, please visit the following link: 

https://datahub.itu.int/data/?i=100042&s=3202

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article