On Hurricanes and Spoofers
Aggressive telemarketers -- or marketers in general -- have a long, successful history of seizing opportunities and running with them. In fact, this is what all good marketers always intend to do regardless of industry. Certainly those marketers have relied on (and often exceeded the boundaries of) the ever-evolving rules established by the Telecommunications Consumer Protection Act (TCPA, 47 U.S.C. 227), signed into law in 1991 by President George H.W. Bush. You'd likely be accused -- at least in this industry -- of living under a rock if you'd never heard of or been affected by it, either when the landline rang at dinnertime, or when your mobile device received calls or texts from unidentified or familiar-looking numbers trying to offer you a vacation, free money, or home repair services.
What's worth considering now is that in light of the destruction wrought by this aggressive hurricane season, and the needs of enterprise and government to reach out to citizens, a quick recap of the rules is likely in order. TCPA prohibits autodialer calls or text messages, as well as prerecorded calls, to any telephone number assigned to a cell phone or other mobile device (such as a pager) unless made with the prior express consent of the called party or the calls or text messages are:
- Made for emergency purposes
- Free to the end user and have been exempted by the Federal Communications Commission (FCC), subject to conditions prescribed to protect consumer privacy rights
- Made solely to collect debts "owed to or guaranteed by the United States" (see 47 U.S.C. § 227(b)(1)(A)(iii) and 47 CFR § 64.1200(a)(1)(iii))
FCC on the Watch
Without question, public safety trumps the nuisance factor in the delivery of unsolicited messages to mobile devices. However, it's important to recognize the difference between those entities that have the right to text or call a mobile device without explicit opt-in permission in an emergency vs. those that choose to reach out to individuals and enterprises to solicit new business. This post-hurricane clean-up rush creates opportunities for consumer abuse by overly aggressive marketers. And the FCC is paying attention.
Earlier this summer, the FCC assessed a massive penalty -- $120 million -- on serial spoofer Adrian Abramovich. Over a three-month period in late 2016, the FCC was able to determine that Abramovich's companies, Marketing Strategy Leaders and Marketing Leaders, made just shy of ... wait for it... 100 million calls, appearing to originate from local phone numbers and often identified as coming from TripAdvisor. The records contained the called number, time stamp, call duration, and the caller's IP address.
By relying on a new phenomenon called "neighbor spoofing," Abramovich's companies were able to spoof the first six digits (area code and exchange) of the numbers being dialed, thus making the recipient more likely to answer the call than ignore it because the number looked familiar. While acknowledging that there may be some valid reasons for spoofing a number (law enforcement, legitimate collection calls), the FCC, in seeking comment earlier this summer, recognized that any potential harm to consumers outweighs the benefit of allowing spoofing, which has created great opportunities for fraud and misuse.
Stir and Shake
With this in mind, the FCC has acknowledged the efforts of the Internet Engineering Task Force (IETF), the Alliance for Telecommunications Industry Solutions (ATIS), the SIP Forum and others to develop both protocols and a multi-phase framework "designed to validate calls and mitigate spoofing and fraudulent robocalling." The FCC sought comments on the implementation of authentication standards for telephone calls as well as on the proposals made by both ATIS and the SIP Forum. More specifically, the FCC continues to evaluate and consider options on what it can do to promote development and adoption of the ATIS/SIP framework, or other alternative frameworks. Finally, the FCC is interested in learning whether existing market incentives exist to encourage the adoption of authentication technologies, as well as determine the best way to validate such authentication service providers.
As a result, two new caller ID validation methodologies are evolving. Secure Telephone Identity Revisited (STIR) is the first method that carriers and providers are contemplating using to identify spoofers, and Signature-based-Handling of Asserted Information Using Tokens (SHAKEN) is another (yes, you're supposed to channel your inner James Bond). Both require the participation of all providers (at current count that's around 4,000), and remain a long way from implementation. However, they do create a step toward managing the challenging aspect of TCPA enforcement -- that is, identifying the bad actors and chasing them down.
I've written about TCPA violations extensively, and certainly a well-organized class action bar has been quick to jump on any opportunity to create a class, win a judgment, and share the proceeds of the judgment with consumers who have been harmed. Recently, Hooters, American Eagle, and the L.A. Lakers have found themselves, for different reasons, on the losing side of a TCPA-based dispute. They've all paid dearly in legal fees, as well as in cash or gift cards.
When hurricanes strike and damage is massive, legitimate government entities along with related business interests (as well as those that are less savory) are likely to reach out to share time-critical information and generate business in the form of assisting in recovery efforts. That said, the priorities created to bring out a return to "normal" knock the management of unwanted robocalls or texts off the top of most people's lists. But the fact remains that unsolicited texts or calls are permissible only under the three circumstances I delineated above.
After a weather-related disaster, calls in the first category are what count. Others should not and cannot be tolerated. To report spoofed calls, visit the FCC's Consumer Complaint Center. When you think you're too small to make a difference, remember the FCC wasn't shy about taking action against serial spoofers and TCPA violators.