Since I’ve posted several times before about spoofing the caller ID for a phone call, you might think I would be interested in the Truth in Caller ID Act of 2007 that was recently introduced in the US Senate. And you would be correct.
Originally introduced in the House as H.R. Bill 251 and passed by voice vote, the bill has moved on to the Senate. A very similar bill, the Truth in Caller ID Act of 2006, was also introduced and passed in the House last year, but never made it out of the Senate. Both of these Acts were designed as amendments to Section 227 (RESTRICTIONS ON THE USE OF TELEPHONE EQUIPMENT) of the Communications Act of 1934.
Here are the major differences between the 2006 and 2007 versions:
- Changed “telecommunications service or VOIP service” to “telecommunications service or IP-enabled voice service”
- Removed the qualification of “with the intent to defraud or cause harm”
- Added exemptions for “any authorized activity of a law enforcement agency” or “a court order that specifically authorizes the use of caller identification manipulation”
- Added a statement that implies (at least to me) that the FCC can include exemptions that the “Commission determines appropriate”
- Added a statement that the FCC shall report back 6 months after enactment as to whether additional legislation is required to cover new technologies that have emerged
- Added explicit civil forfeiture penalties and criminal fines for each violation (including up to $10,000 for each violation and treble damages per day for continuing violations)
- Specified a 2-year statute of limitations on events occurring after a violation notice has been delivered (here’s an example of a real notice as defined by the Communications Act of 1934)
- Added explicit statements regarding enforcement of the Act by States (though States must wait in line if the FCC is already taking action for an alleged violation). This section of the Act is intended to replace section 227, sub-section f, of the Communications Act of 1934, at least with regard to violations involving Caller ID spoofing.
One of the challenges faced by the authors of the Act is not to disallow legitimate uses of caller ID spoofing. When outbound calls are placed by an outbound calling service, the trunks that are used do not normally accept inbound calls. Although many outbound trunks may be used simultaneously, it typically makes sense that returned calls would go to a single recognizable number. Let’s say an emergency notification system were established to place outbound calls to a community in case of an accident at a nearby oil refinery or chemical plant. Obviously, many calls must be made very quickly, so lots of outbound lines would be used. In this scenario it makes sense to spoof the caller ID for each outbound line to a single inbound number that distributes the calls to people who are trained to answer questions about the notification.
The 2006 Act stated that it applied to cases where spoofing the caller ID was done “with the intent to defraud or cause harm”. While I can understand the desire to avoid having to prove the intent of an alleged violator, I’m worried that the new Act removes this statement and leaves it at – “transmit misleading or inaccurate caller identification information”. While my above example illustrates a case where the spoofed information is not misleading, one might technically argue that it is inaccurate. Maybe I’m splitting hairs, but I can think of several cases where “inaccurate” caller ID information is not necessarily harmful.
This Act covers more than just the calling party number (which is, strictly speaking, the caller ID). It also covers any other information provided as part of a calling number identification service, such as a brief alphanumeric name that can optionally be requested along with the phone number, depending on the service provider.
Regardless of whether this Act passes, you should change your mobile phone voicemail account (if you haven’t done so already) so that it requires a password. The typical default setting is not to challenge you for a password if the caller ID for the call matches your mobile phone number. Convenient, but terribly insecure. You don’t want me listening to your voicemail, especially since I already read your email.