CallerID Spoofing to be Made Illegal

MadJo writes "US Congress has just approved a bill that will make it illegal to spoof CallerID. From the bill: 'The amount of the forfeiture penalty (...) shall not exceed $10,000 for each violation, or 3 times that amount for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,000,000 for any single act or failure to act.'"

Interesting

That's a law that should be more proactive than reactive.

How about an additional law that makes telephone companies responsible for allowing caller ID spoofing to happen?

Or is that too difficult to prevent?

Re:Interesting

Allowing subscriber lines to set caller ID data is a feature, not a bug.

-Peter

Upside-down.

Leave it to Slashdot to predictably label fraud as a "feature" and laws designed to prevent it "nannystate".

Re:Upside-down.

That's the damn thing. Last I checked we already had laws against fraud. So why make a law specifically towards something like this? I can understand the disabilities act, but really, go after spoofers for fraud and if the penalty isn't high enough ADJUST the penalty for fraud across the board. We're making every damn little thing a frickin' crime in this country anymore.

Re:Upside-down.

The reason they make a law like this is to
limit the liability. It's a fixed amount.

That is the number one reason laws have no teeth,
they have fixed monetary penalties, that are
really no penalty to big business. They are
just a cost of doing business to the business.

Re:

That's why fines in some countries are not set at a specific sum (at least when it comes to amounts > 100 bucks), but rather to "day rates". A day rate is what the person or organisation found guilty earns per day. This is, in case of a person, 1/360th

Re:Upside-down.

Last I checked we already had laws against fraud. So why make a law specifically towards something like this?

Because one size does not fit all.

Should impersonating a police officer, identity theft, false advertising and passing fake checks all have the same punishment? These are all, at the base, fraud. Could they even reasonably fit under one singular law?

We're making every damn little thing a frickin' crime in this country anymore.

Here's the thing, the general term "fraud" is not illegal. Only specific forms of fraud. For example, claiming you can bench 200 lbs when you can barely press half that is not illegal. So, instead of just making "fraud" illegal, laws target specific types, and they *define* those specific types. Caller ID spoofing probably doesn't fall into any existing category of fraud, so this form of fraud can be presently engaged in with impunity.

So what choices are there? Basically, they are to expand an existing law to cover Caller ID spoofing, create a new law, or ignore it altogether. Ergo this story.

Re:

'claiming you can bench 200 lbs when you can barely press half that is not illegal'

Yup, and its not fraud. Lying and fraud are NOT synonymous. A Fraud is a deception deliberately practiced in order to secure unfair or unlawful gain. Deception in and of its

Re:Upside-down.

Yup, and its not fraud. Lying and fraud are NOT synonymous.

Yes, they are. You can't stop at the first definition in your dictionary. Fraud does not require financial gain as a component (even if it's usually the case, and is part of the first definition in your dictionary).

Ummm... yes?

Impersonating a cop gives you power over others you don't deserve. That's a very different crime than stealing someone's identity, or committing bank fraud, which are financial, and those two have very different effects on two very different targets. If you think these should all be equally punished, you are a sociopath.

You claim that the secondary crime should be the differentiator. I say merely *impersonating* a cop should be illegal, not just as some generic "fraud", but because it's an attempt to gain general power one doesn't have the right to, even if no other crime is committed. Merely stealing an identity, even if you don't commit any other crime, should be illegal, and have a different punishment, and writing a bad check should be illegal as well, etc.

In any case, any law which makes a tool illegal rather than bad actions performed with the tool is a bad law.

Then you have no problem whatsoever with your neighbor (not necessarily your existing neighbor, but any neighbor you may ever have, by choice or not) owning a nuclear bomb? Sarin gas? Or someone keeping dynamite in an apartment building?

The fact is, some tools *should* be illegal or severely restricted. Your sentiment goes too far, it goes from cases where it's true (in general, outlawing a tool *is* foolish), and applies it too broadly (to say outlawing a tool is *always* bad).

That's because caller id spoofing ISN'T fraud it is a harmless deception. If you use that deception to illicit an unfair gain then you have committed fraud and would have committed a criminal act without this law.

Are you certain of that? Laws are specific things (they have to be), and if Caller ID spoofing does not fall under a current law, then it *won't* necessarily be illegal, even if it is fraud (the money kind you seem to think is the only kind).

For example, calls pretending to be from the DNC, which are really from the RNC (this happened during the 2004 election, although I do not know if Caller ID spoofing was involved) had nothing to do, directly (i.e., legally) with money, and instead had to do with political influence.

Is that harmless?

Re:

Yup, and its not fraud. Lying and fraud are NOT synonymous.

Yes, they are. You can't stop at the first definition in your dictionary. Fraud does not require financial gain as a component (even if it's usually the case, and is part of the first definition in your dictionary).

But just maybe the dictionary does not define the law. Try a legal dictionary.

Ummm... yes?

Impersonating a cop gives you power over others you don't deserve. That's a very different crime than stealing someone's identity, or committing bank fraud, which are financial, and those two have very different effects on two very different targets. If you think these should all be equally punished, you are a sociopath.

So strippers who dress as cops have power over others they don't deserve? Be careful of blanket statements, for they make you look more of a fool than you clearly are.

You claim that the secondary crime should be the differentiator. I say merely *impersonating* a cop should be illegal, not just as some generic "fraud", but because it's an attempt to gain general power one doesn't have the right to, even if no other crime is committed. Merely stealing an identity, even if you don't commit any other crime, should be illegal, and have a different punishment, and writing a bad check should be illegal as well, etc.

the seco

Re:

'Asterisk does a great job of keeping unwanted calls off my home line, but to work best it needs valid callerID info.'

I'm sorry but there is no justification for creating a new law and a new class of crime so that your Asterisk system will work.

That said,

Re:

Leave it to someone who doesn't know what they're talking about to determine what should be considered "fraud". Do you implement the evil bit [faqs.org]? I hear it's supposed to prevent hackers and fraud and all that...

Re:Interesting

If slashdot's comments and moderation can be abused, how is that a bug? Some features are inherently prone to different forms of abuse, and there is no magical way to completely solve the problem without removing the feature. I do not have faith in the idea that features can always have a perfect solution. If there was not a mistake in how something should function, it is not a bug. One could make improvements to make abuses harder, but this would be an improvement on the system - not a bug fix.

Re:Interesting

Feature: (n) - A bug with seniority.

NannyState?

This isn't "NannyState" at all, this is an attempt at stopping scammers and other slimeballs from taking advantage of people.

Does this mean...

Does this mean I won't be able to call my ex girlfriend up at 3am with a phone number she doesn't recognize, and proceed to breathe heavily into the phone?

But seriously, I think it's a good idea. They've closed the door to many a tele-scammer. Hopeful

Re:

so how does this make anyone any safer? all it does is up the penalty not prevent the crime. people always delude themselfs that high penalties will prevent crimes, even though the truth slaps them in the face everyday - people commit crimes thinking they

Re:Does this mean...

Does this mean I won't be able to call my ex girlfriend up at 3am with a phone number she doesn't recognize, and proceed to breathe heavily into the phone?

We gotcha covered. Post her number and the friendly folks here at slashdot will do it for you.

Re:Does this mean...

Nah, the real number is 202-456-1414 her name is Laura.

Re:Does this mean...

Don't call this number, everyone! It's not his ex-girlfriend, it's his mother!

Simple question

When the police/people see the incoming phone records, will it show the spoofed number or the real number?

Re:Simple question

When the police/people see the incoming phone records, will it show the spoofed number or the real number?

Police and the phone company use the ANI system (Automatic Number Identification). This is the system that tracks your billing. You do not have any say in what this system records as far as Name, Number, etc. Caller ID is a separate and unrelated system. Caller ID information is usually set by the originating switch--- essentially the point where the call turns from analog to digital. If you get all your lines piped into your office via a T1, then you are in control of the device that sets the Caller ID name and number and can set it whatever you like.

Re:

Police and the phone company use the ANI system (Automatic Number Identification). This is the system that tracks your billing. You do not have any say in what this system records as far as Name, Number, etc.

Unless, of course, you spoof that as well. [google.com]

3 times a day

So...If they get caught 3 times in one day, they can do it as much as they want that day? And...If they get caught 100 times, they can do it all they want forever? Fun.

How will they enforce this?

If the ID has been spoofed, they might be able to know after the fact that it was spoofed, but how do they find out what it really was if it was spoofed in the first place?

Re:

There are several services out there that will do this real-time before you even answer the call. Like PDXUSA, they compare the ANI with the ID of the carrier originating the call, and the CID to see if they are consistent, then the CID display on your ph

A campaign

There's a campaign going on at Binary Freedom right now that some of you may be interested in.
http://binaryfreedom.info/node/163 [binaryfreedom.info]
Basically, there are several arguments against this law

1. It doesn't do anything
Criminals will still make calls and spoof, so it won't stop fraud. Police can already track down spoofers with the same amount of non-spoofers who are using their phones for illegal purposes.

2. It costs money
We're gonna have to spend money to catch spoofers.

3. Jurisdiction
If the phone companies want to stop spoofing, they should design a secure system instead of relying on the congressional police

4. Privacy
It strips privacy that is gained by spoofing.

5. Legitimate use
It has legitimate uses such as for telecommuters who want the name when they make business calls to be the company's. Or how about a business that has several people using one phone line? They might want the sales associate's name to appear, which would be done through spoofing.

Fact of the matter is, this gains us nothing. If I can write a fake name on a letter and mail it, why can't I do the same with my phone?

Re:A campaign

I work for Congress, but not on this issue. But I can correct some misinformation.

1. You're right. We shouldn't make murder illegal either.

2. See number 1. The question is whether the money spent on this law is worth the societal good of making it easier to prosecute scammers.

3. The phone companies don't have an incentive to stop scamming. Congress does (they're occasionally responsible to voters.)

4. It doesn't stop you from not allowing the number to show up at all. It just stops you from faking it.

5. It was specifically written to exempt these uses, since Congressional offices, for example, have the public number show up when people call out from them, rather than individual extensions.

Sorry, no

5. It was specifically written to exempt these uses

...because governments tend to be very good at predicting and allowing for all of the possible "legitimate" uses.

2. See number 1. The question is whether the money spent on this law is worth the societal

Re:A campaign

I'm not so much worried about criminals, but I don't think this bill addresses what I want it to:

I'm sick of companies calling and their damn name not showing up, for whatever reason. "Tollfree number" (well no shit, other than collect, when do I get charged for receiving calls?) or "Unknown Caller"

Some of them are bill collectors. Who want someone that isn't here, and don't seem to want to believe that no, that person isn't here, and isn't going to be, so stop calling me. But either way, if they can't identify themselves, they shouldn't be calling my damn number. Which is why I disagree with #4 on your list.

If you're calling my house, I have every right to know who you are. Can you seriously come up with a legitimate situation where you should be able to call me and me not be able to see who you are before I answer the phone?

I barely answer unless I recognize the number anyway, because of a massive amount of wrong numbers. And some of the numbers these idiots are trying to dial aren't even close.

I agree with #3, however, in regards to #2, the cost of it will just be passed on to you one way or another. #5 I can see, but I've never had a business call me and use a sales associate's name.

#1 is a silly argument. Making rape illegal hasn't stopped it, either. You can make the case that no law is ever going to stop any crime. However, it makes it so that if you do it and get caught, you can be punished.

Re:A campaign

"Can I have your mailing address?"

Certified mail:

In reference to your repeated attempts to find Person X on phone number X, consider yourself formally informed that this person has no connection with this number, and further, that this number is a cellular service for which an uninvolved third party is billed for each call from your business. Accordingly, you are instructed to cease and desist calling this number in relation to this matter, or I reserve the right to take action on the grounds that these calls are civil harassment, and to seek redress through appropriate channels for costs and damages incurred in dealing with this matter."

Re:

If you don't want the number you're calling from to show up on my caller ID, then don't call me. Problem solved.

Re:

WRT point 5, what the bill outlaws is "to transmit misleading or inaccurate caller ID information." If a company has its PBX configured so that it sends a salesperson's name rather than the company's name when she makes a call, I think a lawyer would have

Re:

Fraud generally requires either a pecuniary motive, or commission of the act in furtherance of some other crime. Simply putting some name that is not my own on a letter is neither of these things. I could sign my letters "Harry Potter" and the name as suc

Congress isn't allowed to do this...

According to the Constitution in Article 1, Section 8, Congress isn't allowed to regulate communications. Therefore this is unconstitutional.

That's kinda funny...

Well, around here the police department spoofs their caller ID info. Any time you get a call from anyone at the police station downtown, it only shows four zeros as the caller ID. It is different from when it says ID unavailable.

Okay, what about calling cards?

My parents insist on using a calling card. When they call me, what comes up in my caller ID is the city where whatever bank they got sorted through is located. For instance, my caller ID will show some 1-800 number and say "MONTGOMERY, AL" or some such city. Would this fall under spoofing?

Fines in America - just can't figure it out

I don't get why in America we can't figure out that fines only work when the penalty is commensurate with the infraction. If you want fines to work, you have to do what they do in Scandinavian countries - charge a percentage of your income. What is a $500 parking ticket for a billionaire? But $500 will ruin your life if you work for minimum wage. It's not fair, it's not just, and it doesn't work.

Fines for corporations should certainly have a minimum value, but they should have NO upper ceiling. When companies like Microsoft or Phillip Morris or ExxonMobil are fined $200 million dollars - as most of them have been - they don't even blink. It's completely useless. The law in America in this regard is completely idiotic in this regard.

Re:Fines in America - just can't figure it out

So fines against people don't have a minimum but fines against companies do? What if your $1M minimum fine puts 10 people out of work because the company goes under? Either using a sliding scale or don't; let's not make up silly rules based on angst against "evil corporations".

The US System Works

That's why in America we have three types of penalties: monetary, incarceration, and administrative.

• Monetary: That's the fines. To somebody like Paris Hilton, the fine means nothing. In fact, to most people, the amount of the fine is trivial. In my sta

My Other Me

If I send my landline phone# from my mobile phone, is that "illegal spoofing"?

All For It

Good, now I'll stop getting cold calls from "caller unknown". If my phone displays "caller unknown", I just made $10k.

Re:

Informative? Hah.

No, intentionally blocking is not forging caller ID. If your phone displays "Caller Unknown", you just made $0

Actually, nothing happened

So I'm actually reading the legislative action on this bill (through Thomas, provided by the link), and it doesn't appear as though there's been any kind of a vote on this. Am I, you know, missing something? Or does somebody not understand that a bill actually has to be voted on by each full chamber (both the House and the Senate) in an identical format, before it can be said that "Congress" has approved anything?

You insensitive clod! I don't have CallerID!

I don't have caller ID! Why would I? If I don't want to answer the phone, I don't. (Actually, my wife probably will answer it anyhow, she is kind of type-A that way. But still, I have no problem putting undesirable callers on hold "forever", I am kind of an A-Hole, that way.)

I have saved hundreds and hundreds of dollars over the years for a feature I could have used maybe, once or twice.

Seems like a bargain to me.

Sheesh, you don't have to buy product offered to you.

I am not a technophobe, I have two land lines and four cell phones. The Cell phones come with caller ID "for free".

Re:

True enough, I suppose ... but given that most phone companies bundle services you often end up with Caller ID whether you want it or not.

The whole thing is absurd

It's a stupid bill for four reasons:

1. It's a solution without a problem. The actual impact of caller ID spoofing is almost nil, while it's a valuable learning tool for many people just getting started with phones. The only argument I can see for it is that it makes reporting violators of the Do Not Call list. However a.) that's not a big enough benefit to justify any but the smallest trade off and b.) the Do Not Call list is stupid, and its impact should be achieved via implementation of blacklists by phone carriers. The government shouldn't be acting unless there's a serious matter at hand, nor should it engage in yet another unConstitutional regulation.
2. It's too open-ended.

   `(4) REPORT- Not later than 6 months after the enactment of this subsection, the Commission shall report to Congress whether additional legislation is necessary to prohibit the provision of inaccurate caller identification information in technologies that are successor or replacement technologies to telecommunications service or IP-enabled voice service.
   ...
   `(A) CALLER IDENTIFICATION INFORMATION- The term `caller identification information' means information provided by a caller identification service regarding the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or IP-enabled voice service.

   Why not apply this to IP-spoofed or proxy'd Ventrilio/TeamSpeak/etc... conversation? This only increases the Constitutional argument against this amendment, because even if you buy the absurd assertion that the commerce clause gives the USFG power over anything that even remotely involves interstate commerce, where's the commerce in a private Teamspeak server? It also increases the chances of abuse by law enforcement, like the kids above.
3. The bill doesn't just restrict malicious spoofing, like making a threatening phone call look like it's coming from inside the house, it restricts simply playful spoofing, like ordering a pizza for I.P. Freely and making it look like comes from the local police precinct. Nor does it make a distinction between spoofed info that represents someone else's information accurately, and displaying non-existent information like '555-555-1212'. There's no reason the government should be spending my tax dollars on something as asinine as this. Osama bin Laden isn't calling up the White House and asking for Prince Albert in a Can while spoofing his CID to say "SUCK IT DRY".
4. The fines are absurdly out of proportion with any _potential harm_ presented by caller ID spoofers. What incentive does the USFG or the states (which the bill empowers to act on these matters) have to NOT go after 14 year old kids for $10k a pop? None. But nobody will think that at first, until the first few kids get busted, and are we really OK with _anyone_ being jacked by something this stupid?

I call BS

My real name is not Strange Ranger.

Why should I have to reveal my real number when placing a call?

Yes I know this is a forum and calls are more "personal".
But sometimes I call companies. Or heck maybe city hall.
Where does the tracking and ID'ing end?

Nice

I sort of hope it passes, for selfish reasons. I direct the support department at a VoIP provider and I cannot tell you how tired I am of people's endless, nonstop whining about their caller ID, and how they want it changed, and why can't I make it look like they're calling from somewhere else... on and on and on. This will give me a convenient excuse to tell them to shut up.

On a slightly more serious note, though, it's amusing to note why the bill is being introduced. Senator Stevens was blithering about how it's important because people rely on caller ID for "critical information". I cannot imagine what could possibly be considered "critical" about caller ID information, particularly considering what a half-assed hack the entire system is anyway and the lack of any real standards. Please note that caller ID is entirely different from ANI (automated number identification).

Caller ID is a fine example of a semi-convenient feature that people took and ran away with. The general population now sees Caller ID as the Oracle at Delphi, infallable and impossible to live without, and go absolutely apeshit if it's wrong (which is quite often, believe it or not). I guess people just don't understand the technology, but to "rely" on caller ID information is ludicrous.

I remember about fifteen years ago, maybe a bit more, when Caller ID was virtually unheard of, and the Bells were just starting to roll it out to homes. My parents got the little box from Radio Shack, signed up with the service, and my friends and I would rush over to the ID box with childish glee every time the phone rang, cause hey! How cool is this, man!

But in the end that's all we thought about it. It was a cool little novelty. That people take it so seriously now baffles me.

We used to deal with the phone ringing and not knowing who it was in advance with the following method: a) answer the phone, b) don't answer the phone, or c) let them leave a message and get back to them if we feel like it.

Somehow, though, what I don't remember is that the pre-Caller ID era was some kind of a Dark Ages where nobody got anything done.

But you'll never convince the public of this.

Re:DEATH TO "UNKNOWN CALLER"

I block it just fine on verizon.

I have all phone lines and voip lines going into a asterisk server. if you dont have a real caller Id string and are not on my blacklist your call goes through.

It's quite easy to block UNKNOWN CALLER. and cheap too. a asterisc pots card is $29.00 on ebay and an asterisk server is pretty much free. (P-III 500 is more than enough horsepower) all you need is a voip phone handset or adapter to go to regular phone ($19.00 ebay sipura spa-2000)

Way better than any answering machine you can buy, I can block anything I want, I can force unknown callers to a special mailbox that states " I do not answer unknown calls" or better yet a 30 minute "hello? hello? I cant hear you. wait a second. can you hear me now? hello? can you speak louder? I can kind of hear you now, what was that?"

wasting a telemarketers time is a wonderful thing. when they get that you are honey potting them to waste their time they add your number to the do not call list on their own.