In defense of Caller-ID spoofing

It's not me mounting the defense, mind you. However, I thought it worth noting that a pair of recent posts -- "Confessions of a Caller-ID spoofer" and "Caller-ID spoofing burns fire equipment company" -- generated significant reader reaction, not all of it in lockstep condemnation of the practice.

Turns out that Caller-ID spoofing has fans -- see unscientific survey results here -- and not only among the criminal, unscrupulous and desperate: For example, you're about to read pleas for understanding from an engineer who works for an IP PBX manufacturer, as well as a dutiful father (his is priceless).

For those who missed the initial items, the first post concerned the tale of a telecom industry veteran who used a Caller-ID spoofing service -- over and over and over again -- to break through the voice-mail of a former employer he says owed him thousands in unpaid commissions (more from him below), while the second involved a small Maine company that was put out of business for more than 24 hours by a spoofing-enabled credit con.

They were enough to convince me that Congress needs to outlaw such services, a conclusion not everyone was quick to embrace.

First we'll hear from Jeff Rowley, an engineer at ShoreTel:

Two beneficial uses of Caller-ID spoofing that we implement in the ShoreTel IP-PBX include being able to send a remote-based soft-phone user's home telephone number when they call 911 out a corporate trunk and, second, sending the Caller ID of the original caller when using our "Find Me/Follow Me" feature.

The first feature allows a home-based IP call-center agent to place normal outbound calls from their PC-based IP soft-phone and the IP-PBX system sends their corporate caller ID out the corporate PRI.  But when they call 911 we can send their home telephone number instead, directing the emergency response team to the correct (home) address.

The second feature enhances our Find Me/Follow Me feature.  This feature allows a caller to "press 1 to have the system find me."  While the caller is waiting the system places outbound calls to the user's cell phone (or home phone, etc.) but sends the original caller's Caller-ID so the recipient knows who the call is really from, rather than just another call from the corporate office.

We also allow a user to specify their cell phone number as their primary CID to be sent from the PBX even when they are calling from their office phone (if they want to use that number as their "one number to reach me"-type of number.)

These beneficial features are not possible if the carrier filters out Caller-IDs that are outside of the "proper range" of DIDs.

I asked Rowley about end-user control in the examples cited and whether it could be abused.

In our system all three of the examples I mentioned are set by the administrator - not by the end user. Still could be abused but it would have to be a company-wide plot. ;-)

How does society allow the good while eliminating the abuses of Caller-ID spoofing?

Tough one, as are all choices between security, privacy, freedom, convenience and the like. I would equate it to allowing a consumer to host their own SMTP mail server. The ISP allows this unless there is abuse (the server turns into a SPAM-monger) and then port 25 gets turned off for that connection. … Similarly CID spoofing shouldn't be "automatically" assumed to be bad or abusive but looked at more in an "abuse it and you lose it" fashion.

Now we get to that dutiful Dad, one Mitch Crane from Bethlehem, Ga.

I have to confess, I, too, am a Caller-ID spoofer. You see, I have two teen-age daughters who have uncanny luck with their phone service: It goes out when they don't want to hear from a parent. I just randomly pick one of their friends' numbers, spoof it and I miraculously get through.

I'm sure they too think the practice is evil and should be outlawed.

Wonder how many times you'd have to do that before the kids would just give up and answer when Mom or Dad calls.

Update: Just got an e-mail in reaction to this post from the original confessor in "Confessions of a Caller-ID spoofer," who as you may recall is a telecom industry veteran, and, coincidentally, a regular Buzzblog reader. Here's what he has to say about the "legitimate" needs for spoofing technology and how they could be accommodated in federal legislation outlawing the likes of Spoofcard.

My personal recommendation would be to make all forms of spoofing covered by the law, and (also) selectively permit under the law a user/enterprise/service provider to display a CLID other than what the actual caller is using if and only if the user/enterprise has a legal vehicle (permission note, letter of agency, etc.) explicitly allowing them to do so. This would allow the enterprise or service provider in question to support both of (Jeff Rowley's) scenarios with a simple upfront form (possibly electronic) that the user would agree to - similar to the E911 waivers in place with most service providers today, actually.

The first case (delivering PSTN "real" number of remote extension user) is actually pretty bogus though, as an IP PBX with traditional PSTN access will deliver an emergency call to their local PSAP. If I am remote (as in, outside of the area/territory served by the PSAP) then having my originating out-of-area number doesn't do them much good. The only way that this works is IF the PBX is IP connected to a service that will route the call to the appropriate public safety access point that serves the Caller-ID that the originating enterprise spoofed (like Level 3 SIP service) for instance - and L3 only offers that service for prescribed serving areas, not for any originating NPA-NXX you can think of. Practically the liability to the enterprise of "choosing" which information to send to 911 will cause most enterprises to default to sending the address of the local office (wherever that may be).

Bottom line, Paul, if your ticker gives you problems again - don't call 911 from a softphone on your laptop VPN'd into your work if you want to see an ambulance .... that's what land lines are for!

I think we may be in agreement here - Congress needs to create a framework that defines acceptable use of spoofing (these are 2 possible scenarios, more common would be allowing teleworkers or outbound call staff to display their corporation's identity to callees) with significant penalties to violators and (more specifically) service providers that allow/facilitate violators.

Good advice about that landline ... advice I hope not to need any time soon.
