[SoftTalker]

I don't agree. I don't think it's reasonable to expect it, because companies show over and over that they cannot do it. And let's face it, the only reason your company hasn't fallen victim to a data breach or ransomware is that you haven't been seriously targeted yet.

We need to change our approach. We need to look at why these kinds of data are valuable, and then make them not valuable. Then nobody will bother with hacking to get it.

[simfree]

This data is valuable primarily for spam mitigation and perhaps customer profiling.

Expect every SMS and MMS sent or received to be part of a spam mitigation and profiling program where it's stored indefinitely.

Apple not encrypting RCS is likely due to similar factors, where they have seen existing spam problems on RCS that are much harder to root out when you have end-to-end encryption.

[pooper]

In my not so humble opinion, the biggest problem with phone numbers in general is the general ability to spoof any number. Please correct me if I am wrong but stir/shaken is only available on the new stuff and even then there is no good way to track the origin of a phone call. This is beyond ridiculous and clearly leadership is asleep at the wheel.

There needs to be a firm timeline -- maybe a year maybe a decade, I don't know the details but something that allows customers to transition to a system where all calls can be traced through the network with 100% guarantee.

Step zero is actually having a process/protocol where any phone is tamper evident meaning we can tell 100% that this call came from this operator and the operator knows the call came from this user.

Perhaps the first phase allows individual users to opt in. So we would ask our operators to only route us calls and texts that positively identify themselves as fully traced with whatever the new protocol is that will replace SS7/sigtran so the origin of a call or text is positively identified. If this guarantee is not available, route the call to spam inbox somehow.

Then the hard part I'm guessing is fixing all the defects?

The second phase is to say after this date, no operator in the US is allowed to relay calls that are from legacy systems. This will likely take many years as I don't know how we will handle international calls and texts. But at some point we have to put our foot down and say enough is enough.

[miki123211]

> Step zero is actually having a process/protocol where any phone is tamper evident meaning we can tell 100% that this call came from this operator and the operator knows the call came from this user.

This basically doesn't work because the mapping between phone numbers, users and operators isn't exactly 1:1:1.

Some businesses have a single number that they use as Caller ID on all their calls , despite having one corporate HQ in New York, one branch in New Orleans and one customer support callcenter in New Delhi. All of these use different carriers and are based in different countries, yet they're all legally authorized to use that number.

If you want to read more about why this is such a hard problem to solve, see https://computer.rip/2023-08-07-STIRred-AND-SHAKEN.html

[SoftTalker]

> ...yet they're all legally authorized to use that number.

But why? I get that they want a unifed appearance, but as a phone subscriber I want to know if it's BigCo calling from New Delhi vs. BigCo calling from Chicago.

[collinmanderson]

Amazing article about why phone spam is so much harder to fight than email spam.

Thank you for sharing it!

Now I need to lean SS7 signaling.

[trinsic2]

Finally, some sense. My first though when reading the article was why are we even allowing these companies to collect that data in the first place.

[Aloisius]

How would they bill customers and other providers for usage if they didn't keep call/text metadata?

[yazzku]

These are records from 2022. The hack wasn't carried out the second the calls were made. You really need to keep the records that long to do your billing? That's absurd.