Will ‘vamming’ plague VoIP?

You’re eating dinner after a hard day’s work, and the phone rings. It’s a telemarketer. “Hey, I’m on the ‘Do Not Call’ list, so stop calling me,” you say. He laughs and keeps calling, every 10 minutes, day and night, forevermore. Sound like a nightmare? Maybe not.

What keeps telemarketers from calling day and night? It’s not just that there are laws against it; it’s that the telemarketers can be identified and made subject to those laws. Suppose telemarketing invaded the VoIP world, creating “vam” instead of spam? What’s to stop a telemarketer using VoIP from spoofing a calling address the same way spammers spoof e-mail addresses? Why couldn’t a big server in some offshore haven generate zillions of Session Initiation Protocol (SIP) calls with these spoofed addresses?

What kind of VoIP we get is likely to depend on how pushy we are about the problems of vamming. The time has come to recognize that Internet freedom means letting people protect themselves and to look more closely at VoIP service technology.

The standard for VoIP, SIP, establishes an open model where users have IP phones linked to the permissive Internet infrastructure. In theory, anyone who can locate such a phone via scanning can call it, and with the cost of an Internet call near zero, this model invites vamming as soon as the community of open VoIP users gets large enough to exploit. Fortunately, this isn’t a popular model among VoIP providers.

What is popular is a closed model, some version of which nearly every VoIP provider uses today. Under it, users have IP phones that are in some way isolated from the open and uncontrolled Internet community. Some providers, such as Skype, are partitioning through the use of proprietary protocols and encryption; others, such as Verizon, are looking at doing VoIP over a true VPN. Either of these approaches would limit access to VoIP customers by outsiders, including telemarketers.

In a closed model, users can be authenticated, which makes enforcing civil or criminal penalties possible. In theory, VoIP users in these closed systems could demand that their carriers filter out calls from sources not subject to U.S. telemarketing laws. If all members of a VoIP community are identified, and called parties can refuse calls that are not subject to prevailing telemarketing or other consumer legislation, it would work like the public switched telephone network.

The devil might be in the details of how this would be done. SIP has mechanisms for trust and authentication, but there is still a question of how multiple VoIP carriers would exchange the trust information on their members and whether you can trust someone else’s customers. A maverick VoIP carrier might become a leak through which vammers can enter. A vammer might set up someone as a kind of Trojan horse, entering a closed VoIP community and vamming for a few days, then disappearing. It’s like a spammer adopting a temporary e-mail account.

Right now, we’ve got an IP voice model that’s not successful enough to be targeted, but that’s going to change. Carriers should be expected to present not only an inexpensive and reliable form of VoIP, but also one that can protect consumers from vam. For VoIP to work, we need strong authentication of user identity and location, and a reliable way of exchanging identity trust between carriers. We’ll also need technology to detect abuse and quickly shut it down.

We’ve messed up e-mail by letting the problem of spam get ahead of our ability to deal with it. We can’t afford to do the same thing with VoIP. We need VoIP carriers to address three essential issues: how they will authenticate their customers’ identities; how they will let customers bar calls that can’t be made subject to telemarketing enforcement; and how they will exchange identity information reliably when the caller and called parties are on different networks.

Voice calling is essential in today’s market. Uncontrollable calling is intolerable, and a few good vam horror stories will stop VoIP progress in its tracks.