Robocalls - the next level [telecom]

I got a robocall this afternoon, and it angered and depressed me.

Here's how it went:

(Phone rings, I pick up)

(Oh-so-sweet female voice says) "Hello, this is Samantha, is Bill there?"

(I said) "I'm talking to a machine. Samantha, how much is five plus four?"

(Oh-so-sweet female voice says) "I'm sorry, I have a speech problem, so I'm using this prerecorded system to make it easier to tell you about [something or other men my age are expected to respond to]."

(I said) "Shame on you! Don't you have any personal pride?!"

(Oh-so-sweet female voice says) [Silence, followed by disconnect].

I suppose I could have predicted this: spam, robocalls, and political hucksterism are all arms races. Every time someone at my level figures out a countermeasure (such as my micro-Turing-test, above), then the sleaze merchants up the ante and demand that I put up with their lawbreaking.

Bill

Reply to
Bill Horne

I've been trying to sort out effective algorithms to implement an "automated attendant" (imagine a machine that screens calls like a "secretary" would). So you aren't even bothered by a phone ringing!

There are a variety of mechanisms that can be used to identify callers KNOWN A PRIORI (CID, speaker recognition, tendered credentials, etc.). So, it's relatively easy to block calls from "unknown sources".

The bigger problem (as I see it) is handling those callers from whom you *may* want to receive calls -- but haven't "precleared". E.g., your doctor (or a NEW doctor!) calling to remind you of an appointment; the automated phone system at the local library calling to remind you of an overdue book; etc.

Some of these you can recognize "in hindsight": "Ah, I need to add the CID of my MD to my whitelist!" (how likely is a robocaller to know that they can bypass your screen *if* they happen to know the CID of your particular MD??) Others aren't quite so easy to address (your sister's *neighbor* calling to tell you that she's been rushed to the hospital...)
Reply to
Don Y

There are several obstacles to designing "smart" telephone answering machines. Just off the top of my head -

  • The person I want to talk to at 2PM on Sunday might not be welcome at 9AM on Monday.
  • It's almost impossible to design a workable whitelist without knowing the phone numbers that will be allowed. Predictive algorithms will always fail due to special circumstances, and you mentioned the important ones.
  • Blacklists aren't viable, since CID is so easy to forge.
  • There's no way to implement a "one size fits all" solution, because the spam^h^h^h^h telemarketers will just add the codes to their automatic dialers.
  • Costs will likely be prohibitive.

Still, I applaud your effort: it's an arms race, but you just might be the winner if you can market it quickly and well. Good luck.

Bill

Reply to
Bill Horne

I guess I am just not up with it on the latest technology.

How does the FCC (or anyone) plan to enforce this? I have a phone number on the "do-not-call" list, and all that list does is provide the telemarketers a list of probably good numbers to pester.

With the information the Caller ID provides, there is little chance of successfully filing a complaint against any of the harassers that call. And calling a number back -- if I get a working number -- it always ends up with a voice mail menu that doesn't identify the company reached.

Does my telephone service provider have some way to detect that a call will be a robocall?

Times have changed from when I picked up a phone to make a call and a friendly voice greeted me with "Number please".

...Bob K

Reply to
Bob K

Goal isn't to produce an "answering machine". Rather, an "automated attendant" as part of a much larger system.

If you had a secretary, this event would go something like: "Bill, I have Tom Smith on the phone..." "Put him through!" or "Take a message." (i.e., send it to voice mail) or "Tell him 'I'm in a meeting'" "Tell him 'I will be a few minutes late'" "Tell him to 'Call back later'" "Tell him 'I'll call him on Sunday'" or "I don't want to talk to the bum!" etc.

Why can't an "automated attendant" do likewise? I.e., announce the caller (assuming it isn't someone that you've already decided you *don't* want to talk to -- like someone with missing CID, blacklisted CID, blacklisted credential, etc.) and then allow *you* to indicate what subsequent action should be taken (as above). The caller need not know (but may *suspect*!) that you are even actively involved in this decision -- just like calling someone "at the office" and the sec'y puts the caller on hold, then comes back a while later with "I'm sorry but Bill is in a meeting" (when, in fact, Bill may have been standing beside her at the time!)

Note that the action you (your attendant) takes can vary with the "identity" (or, CLASS of identities) of the caller. E.g., I don't expect calls from an employer/client on the weekend, after hours or when I am on vacation -- it can wait until I'm back on the clock! I *might* accept calls from certain friends in the late evening but not other friends. I'll probably accept a call from certain neighbors even in the wee hours of the morning ("Hi Don, Bob has had a heart attack. I'm going with him in the ambulance to the hospital. Can you come over and watch the kids?"). And, would definitely accept a call from a spouse regardless of the time of day, my current activities, location, etc.

You can't base accept/reject/processing criteria on CID. You can use CID in some cases for *some* decisions; e.g., if no CID, then route the call to the bit bucket (don't even take a message from folks who don't want to identify themselves!).

But there are other mechanisms that you can use to identify the caller that aren't as easily spoofed and are more "portable" than CID. I.e., if your spouse is calling from an unfamiliar phone, you still want him/her to be able to get *through* your "attendant" -- regardless of time of day, CID, etc.

You have to build an identifier from mechanisms of varying authenticity. E.g., recognizing a voice regardless of CID may entitle that caller to "leave a message" or "have themselves *announced*" (the latter being far more invasive to the called party than the former). Or, a CID coupled with a "pass key" (DTMF or spoken) -- so a particular smart phone (or, a traditional phone with a note attached that says, "when calling Bill, enter the pass key 308923 when prompted; note only works from THIS phone!") can be used to get to you -- regardless of the person using that phone.

Before even doing that, you can impose simple tests to weed out robots:

- missing CID (or nonwhitelisted CID)

- speaks while your attendant is speaking

- doesn't "respond" to prompts ("who is calling, please?") I.e., doesn't behave like a POLITE human caller would be expected to behave.

Blacklists won't prevent *all* undesirable contacts. OTOH, if you didn't want to hear from your neighbor at 3AM, chances are, *he* won't be spoofing his CID! It's primarily the telemarketers, etc. who are trying to masquerade as someone else.

But, if you only allow the phone to *ring* for whitelisted numbers, how will that telemarketer know that your Mom's CID is in your whitelist? (i.e., how will they know who your Mom *is*? And, that you've included that particular number in your whitelist?)

You can't opt for a one-size-fits all approach because the criteria that *you* use (i.e., the rules that you tell your *secretary* to use when deciding how to handle incoming calls) WILL be different from the rules that *I* use. Screens like:

"Press X to leave a message (else I will hang up on you!)"

won't cut it. Robot dialer just presses all ten digits, sequentially. You could embellish this a bit:

"Press XYZ to leave a message (else I will hang up on you!)"

to make it harder for an "open loop" solution. But, it's still not very smart. Unless you created a random set of digits for each installation (device), there will inevitably be many users who pick the same, lame code: 000, 123, 5551212, etc.

The rest of the system already absorbs those costs. E.g., I rely on similar "authentication" to allow my neighbor to command my garage door shut if I happen to leave it open when I drive away. Or, gain access to the house to water the plants while I'm on vacation, etc.

No desire to "market". Rather, just trying to solve a problem that has annoyed me. And, scare any *live* spammers who find themselves confronting an impenetrable barrier (i.e., push all the buttons on the phone, fake your CID, claim to be the IRS/police/etc. ... none of those are going to get through!).

Most of this is reasonably feasible. But, as I said, the real issue is presenting information regarding the (automatically) "screened" calls to the user for his/her review. You really don't want to put a list of date/time/CID/presumed_identity/how_call_handled/etc. on a *display* for the user to review. A phone is inherently NOT a visual device (despite all the folks who wander around with their eyes GLUED to theirs!) So, you need a simple means of letting the user verify that the attendant has been operating as expected as well as identifying calls that, in hindsight, should NOT have been "handled" as the attendant saw fit (e.g., dropped, routed to voice mail, etc.)

It's an interesting problem! :>

Reply to
Don Y

Per Don Y:

How about some sort of Challenge-Response?

I keep going on about this even though my knowledge is limited... but the logic seems sound and the basic feature is in place in most businesses today:

- Caller dials my number.

- CallerID is checked against a WhiteList and, if WhiteListed, my phone rings immediately. This is strictly a convenience feature for frequent callers, and not needed.

- Failing the WhiteList, the caller hears a more-or-less standard voice menu ("Press 1 for Joe, Press 2 for Sam, Press 3 for Gail, ..." and so forth).

- If the caller presses the right digit - or had pressed the right digit as soon as the Voice Menu picked up - my phone rings.

- All other calls are handled in a manner that I determine:

  + Just hang up

  + Flip them to voice mail

  + (something else?)

I *think* this is currently available with my VOIP provider (CallCentric), but I have not tried it because only my outgoing calls go through the VOIP provider: incoming calls are still on POTS... Reason: I feel more comfortable with local 911 service instead of hoping that some database somewhere in Broken Pelvis, Montana is up-to-date and correct for my particular phone number.

But I'm getting close. We're currently getting 4-6 robocalls per day on our land line - and I have a stack of lame-sounding letters from the Pennsylvania Att'y General telling how they just can't do anything about Do-Not-Call List violations any more.

And then there is NoMoRobo.... but I am too cheap to pay for the extra features necessary for it to work.

Reply to
Pete Cresswell

I understand what you /want/ to do, but few people will buy an "automated attendant". OTOH, a "Smart Answering Machine" or "Mister Jeeves" or other catchy name will bring more sales.

The people who still have secretaries are, ipso facto, not interested in auto-attendant devices. Forget secretaries: the market is ordinary people with enough money to pay for a device, but not enough to hire a secretary.

Blacklists only work to manage calls from those you know. The abusers win, because they can play whack-a-mole all day long. In fact, that abuse is now part of the system that was supposed to prevent it: I get two or three "hang up" calls a day, each with different CID info, so I think one or more companies are assembling social maps that show which NPA/NXX/line number combinations I or my wife are more likely to respond to.

That won't work.

- Your boss will demand to be cleared at all times, and (s)he doesn't care how: when (s)he wants to talk to you, you're expected to be there.

- Your doctor will demand that you put his/her call through without delay or verification when you call for help out-of-hours. Although some HMO's have installed "dial around" devices to allow their employees to bypass Star-87 restrictions, anything that complicates the process will prevent you getting the medical advice you want.

- Politicians will write laws that prevent any such device from blocking their appeals for money and votes.

... That's the "new normal" of the cell-phone-glued-to-the-ear generation, and it's one of the big reasons why I always look askance at "smart" phones and how they are used: nothing stays static. The system is going to react and adapt!

See above.

Are you sure? ;-)

The question isn't just about letting only some people through: it's really about social norms and how the habit of grabbing the phone whenever it rings has been inculcated in our minds since childhood. If users are willing to miss some calls that they might have wanted, and (more importantly) to commit themselves to the added burdens of learning how to use (and convince their callers to use) a new device that acts to *reduce* the effectiveness of the *other* devices that they are already paying extra for (i.e., cell phones, tablets, Skype, etc.), then a selective call-screening device has a chance of success.

My brother-in-law connects his home phone to a fax machine whenever he's home and he doesn't want to be bothered, and he gets his way because he's willing to do without talking to people he *might* otherwise be interested in, if they were calling when he decides to be available.

I'm not that extreme, but I do have an uncommon call-waiting system: if you call my home when I'm talking to someone else, you will hear a quaint audible indicator known as a *Busy* *Signal*. It means that *I'm* *busy*, and your call has to wait!

Anything more complicated than a one or two-digit code will fail. Voice recognition isn't viable, both because it's not yet reliable enough for everyday use, and because collecting the samples would be too time-consuming and error-prone even if it was.

See above.

Too many false positives.

Again, too many false positives.

See above. Politicians all have a vested interest in discouraging workable screening systems, and they have men with guns they can order around so they don't need to be polite.

Your birth certificate is a public record. Database weenies of all stripes would be overjoyed if that was all that was needed to get by your device: every telemouseketeer would have to pay them for everybody's mother's number.

Eeek! Users! OMG like fer shur, l^husers are *always* the problem!

(Ducks, covers, thinks of his mortgage and tax bills).

If the question is how best to prevent forged CID calls, then that's a problem only the government can address. However, IMNSHO, the question is how to prevent *me* from being bothered, and *any* one-of solution will work, but *any* thing else will fail if it can be gamed by a programmer. The problem is that anything which doesn't present abusive callers from having to pay for a human to solve a Turing test will fail: CPU is cheap.

Yes, but how will the *real* police get through? Don't think it's a minor issue: cops and their bosses are depending on automation (that's what E-911 *is*, btw) to cut down on municipal pension obligations whenever they can. They *will* demand a "one size fits every department" work around.

It's an arms race, just like spam prevention. The best you can hope to do is to reduce the recipient's workload to a *much* lower level compared to what we're doing now. Do that, and the world will beat a path to your door.

Bill

Reply to
Bill Horne

The problem is that there are some robocallers you DO want to let through.

A couple of nights ago I got a robocall from my electric company, announcing that they knew there was a service outage in my area (I wasn't down, although I'd had a number of short blips that day). I'm not sure if I've ever been called by them before (especially since NStar merged into Eversource, so they may have a different number).

You could add numbers to a white-list. But if you default to blocking, how will you ever get the first call from them, so that you learn the number to add? Humans can respond to a challenge-response, but if the first contact is from a bot, it will never get through.

Maybe there's some way that these "legitimate" callers could arrange with the telcos to get on a universal white-list. But phone companies don't have a good track record of vetting third parties -- isn't that how "cramming" became a problem?

Reply to
Barry Margolin

I originally considered that and decided against it -- except as a backup mechanism (e.g., caller has laryngitis so speaker identification algorithm possibly fails in a big way).

I think, (to make things palatable to callers and callees) it must be a more natural part of a "typical dialog". E.g., if you think of the "secretary" model, your secretary recognizes the voices of key callers (spouse, etc.) and, effectively, authenticates them as part of the initial "banter" that normally happens at the start of a call. Yet, neither party actually *thinks* of this as "authentication".

If, for example, a call came in and the CID indicated that it was my neighbor *and* the speaker identification algorithm suggested that it was "Patricia", this is likely a good indication that it *is* Patricia! A telemarketer would have to know the phone numbers from which my neighbors call me (i.e., they may prefer to use cell phones *or* land lines) *and* the characteristics of each of their voices to "trick" the attendant into thinking that it *is* Patricia.

With *this* level of authentication, I may allow the attendant to tell me "Patricia is on the line" *if* I am home. If not, it may offer the caller a chance to leave a message. (normally, it wouldn't let *anyone* leave a message!)

If, however, Patricia wants to close (or open) my garage door, I would require a bit more "proof" of that identity. E.g., provide a Patricia-specific shared secret to further prove identity.

We all use something like this to control access to our computers; a user-name can be forged even more easily than a CID! *But*, having that name doesn't inherently grant access -- you *also* need a password that is associated with that specific user name (and, policies on the host that allow that user to access the host at that particular time, perform those particular tasks, etc.)

This means anyone who can guess a number on your CID has access. It would be like guessing user names on a computer and being granted access based *solely* on that! ("Hmmm... let's try 'Administrator' or 'root'!")

I condition this with an indication of who the actual caller seems to be (based on an analysis of their speech). Alternatively, I could require a "secret" that is uniquely tied to that CID (so, if one neighbor calls and tries to use the secret shared with them by *another* of my neighbors, the call won't go through). Note that the "secret" could be something as natural as the caller's *name* (e.g., Patricia identifies herself as Penny; something a really smart telemarketer wouldn't know!)

So, a telemarketer just presses 1 2 3 4 5 6 7 8 9 0 and *one* of them wins!

If you have a means of identifying the caller (at various levels of confidence -- as indicated above), you can do damn near anything you want with the call.

E.g., if no CID, drop the call (don't even ring the phone or offer an opportunity for voicemail -- I don't want to have to review that voicemail!). If Patricia is calling (see above) and it's "normal hours", handle the call based on whether or not I am known to be home: announce the call to me; put it through; or offer voicemail ("Could you please leave a message?"). If she is calling and it's 3AM, then ring the phone REALLY LOUD! I trust her NOT to call at that hour of the night unless it is something REALLY important! If she abuses this "privilege", then I just need to change the rule for her calls!

OTOH, if my boss calls at 3AM, route it to voice mail or just politely push the call off.

I hold no hope for gummit solutions. Control has to be *at* the called party's end of the line. They can allow loopholes for all sorts of "special interests"; but, if my "secretary" blocks the call from reaching my desk, are they going to send an armed contingent to FORCE her to pass the call through to me?? Am I required to even *answer* the phone when it rings? E.g., if the CID says "Police Department", there is nothing to prevent me from letting the phone ring endlessly -- with the wires to the clapper *cut*!

And, legislators to require a tunnel through that service for .

Reply to
Don Y
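
The layered identification Don Y describes in his two posts above (CID, speaker recognition, a pass key tied to one caller's CID, then rules by caller and time of day), sketched as an added example that is not code from anyone in the thread. The contact directory, phone numbers, quiet hours, the "prompt" action for a CID-only match and the speaker-ID result are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import time
from enum import IntEnum
from typing import Optional


class Trust(IntEnum):
    NONE = 0          # no CID presented
    UNKNOWN = 1       # CID presented, nothing else recognised
    VOICE_ONLY = 2    # known voice, unfamiliar phone
    CID_ONLY = 3      # listed CID, nothing corroborates it (spoofable)
    CORROBORATED = 4  # listed CID and the voice expected from it
    PROVEN = 5        # listed CID and the pass key bound to that contact


@dataclass(frozen=True)
class Contact:
    name: str
    numbers: frozenset
    passkey: str
    night_ok: bool = False   # may ring the phone at 3AM


@dataclass(frozen=True)
class Call:
    cid: Optional[str]
    voice_match: Optional[str] = None  # output of an assumed speaker-ID step
    passkey: Optional[str] = None      # DTMF digits entered at the prompt
    at: time = time(12, 0)
    callee_home: bool = True


# Constructed directory; the numbers and the second pass key are made up.
CONTACTS = (
    Contact("Patricia", frozenset({"5550101", "5550102"}), "308923", night_ok=True),
    Contact("Boss", frozenset({"5550199"}), "771204"),
)


def identify(call, contacts=CONTACTS):
    """Return (contact or None, Trust) from the evidence the call carries."""
    if not call.cid:
        return None, Trust.NONE
    by_cid = next((c for c in contacts if call.cid in c.numbers), None)
    if by_cid is None:
        by_voice = next((c for c in contacts if c.name == call.voice_match), None)
        return by_voice, Trust.VOICE_ONLY if by_voice else Trust.UNKNOWN
    # The pass key is compared only against the contact that owns this CID,
    # so a secret shared with one neighbour is useless from another's phone.
    if call.passkey is not None and hmac.compare_digest(
            call.passkey.encode(), by_cid.passkey.encode()):
        return by_cid, Trust.PROVEN
    if call.voice_match == by_cid.name:
        return by_cid, Trust.CORROBORATED
    return by_cid, Trust.CID_ONLY


def is_night(t):
    return t >= time(22, 0) or t < time(7, 0)   # assumed quiet hours


def route(call, contacts=CONTACTS):
    """Decide what the attendant does with the call."""
    contact, trust = identify(call, contacts)
    if trust <= Trust.UNKNOWN:
        return "drop"        # no ring, no voicemail to review later
    if trust is Trust.VOICE_ONLY:
        return "voicemail"   # known voice on a strange phone may leave a message
    if trust is Trust.CID_ONLY:
        return "prompt"      # assumed policy: ask "who is calling?" first
    if is_night(call.at):
        return "ring_loud" if contact.night_ok else "voicemail"
    return "announce" if call.callee_home else "voicemail"


def may_operate_garage(call, contacts=CONTACTS):
    """Commands need more proof than conversation: the pass key, not a voice."""
    return identify(call, contacts)[1] is Trust.PROVEN
```

A deployed attendant would also cap pass-key attempts per call, since a dialer that can retry freely defeats any short code.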

Per Barry Margolin:

Not me. If the choice is between having to answer a half-dozen robocalls per day and missing one or two "Important" robocalls per month, I'll do without the "Important" robocalls.

But I take your point.

That being the case, it sounds like the field has narrowed down to NoMoRobo and whatever other services crowd-source the function.

I have been using CallControl (another crowd-source-driven service) on my Android phone and it has cut the robocalls to almost nil - maybe one every couple of months.

Reply to
Pete Cresswell

You have conflicting goals: not wanting to be bothered by calls that you don't want to take; yet not knowing, a priori, which calls *might* come in that you *should* have taken (hence the review of the "log").

That probably requires legislation. Then you get the special interests sticking their foot in the door.

*Best* solution is a scheme that allows the *callee* to bill the caller for the inconvenience of the call. And, that only is allowed if the callee has previously registered with a Do Not Call registry. So, if you've ignored that registry, a savvy callee will "press 9 to bill caller for this call". Ideally, splitting the proceeds between the callee and !

Presumably, TPC would *need* to know a billable entity in such a scheme.

Then, callers would have to think twice before risking taking a financial hit from a few tens of thousands of unwanted calls! Perhaps offering incentives for the callee NOT to "press 9"!

[Ain't gonna happen]
Reply to
Don Y

Whitelists aren't viable either, for exactly the same reason (I've answered a Timeshare robocaller because it had spoofed the familiar Chase Online 1-800 Customer Service number as its CLID).

Cheers, -- tlvp

Reply to
tlvp

Let's not fall into the trap of imagining that no CID implies the caller chose to suppress CID -- in my own +1-203 exchange, CID is never presented for *any* call from across the oceans (not from Europe, not from Asia, not from Africa).

I certainly do *not* want to block phone calls from the hotel or car rental company ... or the relative ... I'm intending to have dealings with on my next trip :-) .

Cheers, -- tlvp

Reply to
tlvp

[Moderator snip]

Google Voice (which will forward calls to one or another of your real telephones) does a lot of those things, including screening calls: when you pick up, Google can voice prompt the caller to give his name. Based on that, you can press keys to control what happens next (take call, take call & record, send to VM, send to VM and listen). And do various things depending on CID, time of day, what number you want the call forwarded to, etc.

Whether or not you want to share your calls with Google is a completely different question.

My VoIP can do some of these things, based on CID.

Reply to
Dave Garland

If the discussion and thought processes have gotten to this level, I think it's time to acknowledge that the usefulness of the telephone as we grew up with it has passed.

Mourn it, dump it, and move on with alternate means of communication.

Reply to
Elmo P. Shagnasty

Per Don Y:

I like it - but one reason it ain't gonna happen is offshore operations that use multiple VOIP relays. Apparently these guys are considered untouchable - at least by the Pennsylvania Att'y General, from whom I have at least a half-dozen lame-sounding letters to that effect.

(I have no idea what "multiple VOIP relays" are... but it sounds impressive and seems to impress the so-called enforcers)

Reply to
Pete Cresswell

That's just an example of why the "one size fits all" approach won't work.

Here, for example, "no CID" would be an EXCELLENT criteria to screen calls! Any of our friends who would call with their numbers blocked could choose to "unblock for this call". Our doctors, etc. all produce "valid" CID's. We don't deal with hotels, car rental, overseas, etc.

So, a call with *no* CID is almost guaranteed to be one that we do NOT want to take.

[And, if the box is in your control, you could always change those criteria. Typically, "in hindsight" (which brings me back to the "log" issue in my OP)]
Reply to
Don Y

You obviously wouldn't rely on CID as a single-factor authenticator for that sort of contact (but probably *could* for "your friend from college")

It, however, brings up another vulnerability alluded to by Bill, up-thread: callers can probe the criteria that you use (either "manually" or with the aid of a screening service) to answer calls in order to take advantage of information leaks.

E.g., if you answer a call from Chase, then, chances are, you have an account with them! Any other information the caller may have associated with your phone number (e.g., your full name, address, etc.) has now been augmented by this *likely* deduction.

It's like getting an email from your broker that begins: "Dear valued super-platinum customer..." while it doesn't indicate the actual value of your holdings, it easily puts a bracket on the likely range of values! Much moreso than: "Dear customer" would!

This just confirms that *you* want to have control of the authentication mechanism, not TPC. E.g., there's no public/private database that tells you the "pass key" that my neighbor uses to contact me.

Reply to
Don Y

Nonsense! It's just stuck in a low-spot in terms of technology. E.g., we could all implement private *certificates* that are exchanged after the call completes but before the phone "rings" and, thereby, assure ourselves of the identity of the caller.

With the "phone per person" trend that seems to be the norm, nowadays, this would be easy to do. Someone wants to "not participate", then it truly is "no CID" (Certificate ID) and you can develop your own policies to handle that (having dealt with the potential for forgery in the design of the certificates and key exchanges)

You still have the same authentication problem. How do you know that email you received is from the purported sender? How do you know the snail mail's origins?

There are lots of ways of dealing with authentication -- by NOT looking at it as a "one size fits all" proposal. Tailor the mechanism to the "value" of that *particular* authentication (we routinely engage in multiple-factor authentication and don't *balk* at it -- or the added "complexity" that it imposes on our exchanges: can I have your Costco membership card? And, could you please verify your street address?)

The trick is to decide the problem *can* be solved (without requiring legislation, etc.) and then approaching it with that in mind.

Sort of like whether you believe four-leaf clovers are rare and think you'll *never* find one... or, that they are "there to be found" and you just need to look for them! (half full/half empty)

Reply to
Don Y

On a related note, will CallerID ever be made "spoof proof"? That would help, a lot.

-Gary

Reply to
Gary
