Saturday, June 23, 2007

Caller ID spoofing

You may have read about this: Someone, using easily available technology, spoof the caller ID information that appears on your phone when a call comes in. Indeed, there are websites that make it very easy for you to do this.

So to use an odd example I saw on TV, your phone rings, you check the caller ID and instead of giving an unknown name and set of numbers, you see “The White House” and a set of phone numbers that are, in fact, for the White House. I’m not sure why anyone would want to use the White House’s number in caller ID spoofing, but you certainly could do so, if you were so inclined.

The spoofing is being used to commit identity theft and other types of fraud, though, as I note below, it’s also been used for some other undesirable purposes. For fraud and identity theft, the would-be perpetrator spoofs the caller ID so the person taking the call believes they are talking to their bank, credit card company or some other source with which they would feel free to share personal information, such as their Social Security number. The caller persuades the person to give up as much information as seems useful, hangs up and identity theft or some other kind of fraud is set in motion, with the person duped by the caller ID spoofing as the victim.

It’s also been used, at least occasionally, for other purposes. Back in April a column in the Washington Post described how SWAT teams have been sent to empty buildings or other places after someone called police, using spoofed caller ID, and reported a crime in progress. According to the Washington Post article, a SWAT team was sent to an apartment after police received a call from a woman who said she was being held hostage there; there was no hostage, the caller ID was spoofed to make it look like the call came from that location.

I can see where spoofing caller ID could become a very useful tool for stalkers and others bent on “harming” someone; it would, for example, be very easy to trick a murder victim into showing up at the place where the perpetrator was prepared to commit the crime. All the would-be killer would have to do is, say, to call someone and tell them they needed to come to a particular, no doubt remote, location because their spouse or their child had been injured or some other emergency. (It’s also possible to alter the sound of one’s voice, which would probably help in orchestrating this kind of scenario.)

Last Wednesday, the House of Representatives approved the Truth in Caller ID Act of 2007, which makes it “unlawful for any person within the United States . . . to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.” H.R. 251. A version of the bill has gone to the Senate, so we’ll see what they do with it. It looks like both versions make caller ID spoofing a crime, which is what I really want to write about.

Not to sound like a broken record, but do we need a law like this?

I started thinking about that because someone I saw interviewed in a news story about caller ID spoofing pointed out that it’s like falsifying the return address on an envelope, and we don’t make that a crime. Instead, we fold that kind of misrepresentation, which is merely one step in the ultimate infliction of “harm,” into the charges for the target crime or crimes . . . fraud or stalking or theft or extortion or whatever the misrepresentation is intended to promote.

So I started thinking (and I’ve just started) about why it should be different for spoofing caller ID. Spoofing caller ID is a slimy, devious trick, one that, like most slimy, devious tricks, is optimally calculated to exploit the vulnerable among us – our less sophisticated, more trusting neighbors.

It’s also calculated to exploit what I see as an increasing tendency among us: to trust what technology tells us. Why is spoofing caller ID any more deserving of criminalization than the practice of misidentifying or otherwise misrepresenting yourself when you call someone? Fraudsters have used misidentification and misrepresentation for centuries, probably longer. Misidentification is a tool of the trade for fraudsters; fraud is defined as deceiving someone to get them to give you their property or other valuables. So a law like the one I note above is criminalizing the use of a tool to commit what is already a crime, which may be redundant.

Some states criminalize the possession of burglar’s tools, and you might analogize the caller ID crime statute to those statutes. Both would be tool crimes. The burglar’s tools statutes are arguably redundant when and if they’re used to charge someone who has already broken into a house or business for the purpose of committing, say, theft; at that point, the person could be charged with both burglary and possessing burglar’s tools (if a prosecutor wanted to do that). Burglar’s tools statutes are not so clearly redundant when they’re used to charge someone who’s arrested before they break into a house or building to commit burglary; indeed, this is the whole point.

They let police do something when they encounter someone who is carrying what the law says are unambiguous tools for committing a particular crime. That gives police an advantage: they can prevent the commission of the crime by arresting the person on the lesser charge of possessing burglar’s tools. Of course, they could do the same thing by charging the person with attempting to commit burglary, a charge that could be based on having burglar’s tools and, say, being in the alley behind a house or a business. Attempt charges work if the facts support the inference that the person was headed toward committing the crime. Burglar’s tools statutes just make that easier, and push the time frame back a bit.

So, okay, maybe the proposed caller ID spoofing crime is a burglar’s tools crime, and maybe there isn’t anything wrong with that. I think the difficulty I’m having with this proposed law is that it says something about our relationship with technology. We’ve never criminalized falsifying the return address on an envelope, as such; we criminalize committing fraud and using the mails to commit fraud. Why, then, criminalize caller ID spoofing?

I wonder if the drive to criminalize caller ID spoofing is implicitly based on the premise that falsifying caller ID information is somehow more reprehensible, more “harmful,” than falsifying the return address on a letter. Why might it be more “harmful” than falsifying information on a snail mail item?

Well, and I’m just speculating here, I suspect we’re a little more skeptical of addressing and other information on snail mail, because we – the general public -- all know how easy it is to falsify documents. We, the general public, know that because we know it’s people who put addresses on mail and we know how easy it is for a person to put incorrect information on mail. We know all that because it’s embedded in our culture; we know people lie and fabricate, and we know people create addressing information on snail mail (with, of course, the help of some basic technology).

I suspect things are different for caller ID. When we look at the caller ID screen on our phone, we don’t think we’re getting information from a person (who can lie); we think we’re getting information from a technology (which can’t lie, so far, anyway). I may be wrong, but I think that’s why people (me, included) are finding caller ID spoofing to be particularly obnoxious.

There’s an implicit breach of trust there that I don’t think we’d find, or at least not find in the same degree, if we learned that, say, the letter which seemed to come from our bank or credit card company was a fake, a fraud. We’d be angry when we found out the letter was a fake, but we wouldn’t be . . . offended, for lack of a better term . . . because that would fit into what we know of the world. Crooks are out there, crooks fake things to take our money.

Maybe I’m crazy, but I think we trust technology more than we do each other.


Ed Dickson said...

Found your blog via a post from Tom Fragala (Truston).

Nice work!

Anonymous said...

Here is another site offering caller id spoofing services:

This one looks to be hosted offshore!!

Anonymous said...

check out caller id spoofing by the zero group. Mention this blog and get a free 20 mins

Anonymous said...

"We trust technology more than we do each other" ... ?

Wha...? Meanwhile 2 of your 4 comments are spam. Nice work on policing your technology, hon.

Anonymous said...

I think that your view on the subject is insightful -- but perhaps misleading. There was a time when there was no option to see who was calling. Now, their is no option but to untrust who we think is calling. I don't see a fundamental change. Don't give away your info to anyone that calls you ... it's that simple.

Anonymous said...

Going through a situation now where it looks like caller ID fraud is involved. Not just for money scammers but Caller ID spoofing is used for harmful pranks and personal revenge. Don't trust your Caller ID solely.