June 29, 2010

Blaming Google and Android for Calling ID Spoofing

Greetings. An article on Slashdot today seems to blame Google and Android for the ease with which two Caller ID spoofing programs can manipulate Caller ID and gain illicit access to AT&T (and other) voicemail systems. It even attempts to draw in the (to my mind irrational) complaining about Google's accidental Wi-Fi payload data collection.

I've talked about CNID (Calling Number ID) spoofing various times before, but let's be really clear about this.

CNID spoofing is not the fault of Android or Google, any more than it's the fault of Time Warner or Comcast when users access Web-based CNID spoofing services. The fundamental problem is that the CNID system was never designed for an environment where, to use the vernacular, every Tom, Dick, and Harry has access to the underlying subsystems, a problem that has become much more serious with the rise of VoIP/SIP-based access mechanisms.

A rather comprehensive history of CNID spoofing [calleridspoofing.info] and related areas makes for useful reading. (This falls into the "it takes one to know one" category of Web sites, apparently.)

Google Voice, as an example of the correct approach, makes users explicitly aware of spoofing risks and requires additional confirmation steps if attempts are made to set up accounts without passcodes.

There are legitimate situations where manipulation of CNID data is completely reasonable. Services (like Google Voice, for example) may want to pass through calling number data so that called parties have accurate information regarding the origin numbers of callers. Businesses may want to send their main number as the CNID reference, not extension numbers, which may not even take incoming calls.

There are concerns that currently pending U.S. legislation to outlaw nefarious CNID manipulation might adversely affect legitimate uses. My belief is that it should be possible to craft wording in the final legislation that would protect such honest applications -- this is indeed important.

I do feel, though, that it is also important that U.S. federal law be on record that use of Caller ID spoofing for the purpose of intentionally falsifying the identity of a caller is generally unacceptable and so would normally be subject to appropriate legal sanctions.

--Lauren--

Posted by Lauren at June 29, 2010 07:39 PM