It’s not nice to try to fool caller ID services – in fact, it’s now illegal, with violators looking at possible $10K penalties.

“Spoofing” a phone call – that is, hiding your true identity from caller ID services – may sound like a harmless prank, but it’s a serious enough problem to have attracted the attention of Congress. Last year Congress passed (and, in December, President Obama signed) the “Truth in Caller ID Act”, making it unlawful to transmit misleading or inaccurate caller ID information “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” The law charged the FCC with responsibility for enforcing the new prohibition. In late June, the Commission dutifully revised its own rules to reflect the new law;  it also issued a report (ordered up by Congress) on caller ID in new telephone technologies.

The upshot of all this: a new anti-spoofing regulation with a potentially stiff penalty (max $10K for each violation) and a request that Congress broaden the FCC’s authority to reach more spoofers.

Spoofing provides many opportunities well beyond the merely mirthful; in fact, it affords the motivated criminal plenty of ways to wreak serious damage. A malicious caller might, for example, elicit a social security number from an individual by appearing to be from a bank or government office. Or circumvent a bank’s security screening by appearing to be the account holder, calling from the number of record. Or, in a really creepy use, make threatening calls from the recipient’s own number, thus appearing to be actually in the house. Nothing mirthful there.

At one time, spoofing was a do-it-yourself exercise requiring a degree of technological sophistication. Things have changed. Now there are dozens of third-party spoofing services and do-it-yourself technologies (particularly for VoIP users) available for disguising a caller’s original phone number.

There are, of course, beneficial – or at least benign – reasons to spoof. For example, a small business person or doctor on call might want to use a cell phone without disclosing that phone’s number – preferring instead to have the caller ID reflect an office call-back number. Or a battered spouse taking shelter at a domestic abuse center might want to place a call without divulging her current location.   Such spoofing would not run afoul of the statutory limitation, which specifies that spoofing is illegal only when it is committed for fraudulent or harmful purposes.

It’s clear from the Senate report accompanying the Act that Congress was targeting the use of spoofing for criminal (or at least improper) activities such as the ones described above. But pinning the sheriff’s badge on the FCC may not have been the best approach for that purpose. The Commission’s ability to “prosecute” rule breakers who don’t happen to be FCC regulatees (i.e., licensees, certificate holders, applicants for authorizations and the like) has historically been limited.

When a non-regulatee is accused of an FCC rule violation, Section 503 of the Communications Act specifies that no fine can be imposed until (a) the Commission has first issued a “citation” to the violator, and (b) the violator has then broken the rule again. In other words, the non-regulatee would normally get a free bite at the spoofing apple under the Communications Act’s enforcement provisions, since Congress did not expressly say otherwise in the Truth in Caller ID Act. 

However, the Commission has chosen to interpret Congress’s silence to mean that non-regulatee spoofers should not get a free ride. Whether the courts will agree with that interpretation remains to be seen. There is no such procedural limitation for state authorities, however, who are also permitted (in coordination with the FCC) to enforce the federal anti-spoofing law.

Regulated carriers were quick to spot another, related, practice against which the new rule can be invoked: “phantom traffic” – i.e., VoIP traffic that a terminating carrier can’t identify in order to bill intermediate carriers. Phantom traffic is a heated issue right now among carriers, and FCC proceedings are under way to reform the process.

The new law may provide a possible weapon against carriers who manipulate caller ID or automatic number identification (ANI) parameters to avoid paying access charges to other carriers. That is, the new prohibition potentially may give carriers a way to avoid being stiffed by their spoofing confrères. This potential arises because the Act defines “caller identification service” broadly, going beyond just caller ID to encompass call set-up parameters that are used for intercarrier billing (and emergency services), such as charge numbers and ANI. Manipulation of these numbers can lead to misrouted 911 calls (a very bad thing); it can also make it impossible for carriers to get paid for terminating the call.

Since the Act appears to targeted individual miscreants, invoking it to target phantom traffic seems like a stretch. But in a footnote to the anti-spoofing order, the Commission appears to condone such an application – saying outright that “we believe that caller ID spoofing done to wrongfully avoid payment of intercarrier compensation charges . . . would be a violation of our rules.” And, unlike non-regulated spoofers (identity thieves, malicious ex-spouses, etc.) who might arguably get one free pass under Section 503 (despite the Commission’s contrary belief), regulated entities such as carriers have virtually no chance of enjoying such a luxury.

Thus, a law initially envisioned as a consumer protection measure may also be deployed on the front lines of an internecine industry battle.

The new anti-spoofing law applies broadly – any exemptions are limited to law enforcement activity and court orders. The FCC declined to act on carriers’ requests to explicitly exempt other activities, such as a carrier simply transmitting a (spoofed) call, pointing out that such an exemption would be redundant given the limitation “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” Assuming a carrier merely transmitting traffic does not know that the signaling has been manipulated, it is safe. Similarly, a spoofing service that does not act to defraud, cause harm, or wrongfully obtain anything of value, has not violated the rule.

The new rule extends to all interconnected VoIP as well as traditional phone services, but the FCC is not finished yet. It would like to go after services that unmask caller ID, i.e., which recover caller ID after a caller has pressed *67 to block the calling number. The FCC has also asked Congress to expand its authority to cover spoofers located outside of the United States, IP-enabled services that do not connect to the PSTN (such as calls between two computers or within Internet-based internal corporate networks), and spoofing in text messages. It also has video calling in its sights, as deaf people already use video widely, and the rest of us are not far behind.