Why can't mobile networks stop spoofed calls?
(Usual disclaimer - I used to work for Vodafone UK and Telefonica UK & maintain commercial interests in both. This is intended as a general discussion, not an in-depth investigation.)
I just received a scam call - you've probably had a few. A monotonic robot voice told me it was calling from HMRC - the UK tax authority - and there would soon be a warrant out for my arrest.
The phone number is suspiciously similar to the real HMRC number but, of course, it has been faked.
There are two main reasons why phone networks are so easily spoofed.
Firstly, there are legitimate reasons for spoofing a number. A large outbound-calls centre may want to display the phone number of their main office. Or a fleet of travelling sales reps may want any calls they make to look like they've come from a regional office. I'm sure you can add dozens of examples.
Being able to say "Please present a different number on my outbound calls" is a value-added feature which phone networks are keen to offer their paying customers.
The second, and slightly more depressing, reason is that phone networks were originally designed on "gentlemen's agreements". Phone companies were all large, professional organisations. They were trustworthy players in a market. At least, that's what they thought.
If Network A routed a call to Network B's customer - A told B what phone number to display. A knew their customers and had a billing relationship with them. B would charge A for the call, but didn't really care who actually placed the call.
This is similar to how the early Internet was designed. Anyone could advertise a faster interconnect route, anyone could send email with any headers they liked, anyone could look up your name from your web address.
Needless to say, the system was taken advantage of.
With the complex interconnect of national, international, and virtual telecoms providers, your phone company may not even know they're passing a spoofed call. Nor will they know the original number which is calling you.
There are all sorts of technical fixes for this. HMRC could publish a document saying "We own this phone number. The only networks allowed to spoof it are X and Y." Your telco would see an incoming call from network Z and refuse to deliver it.
(If you're familiar with email, think SPF and DMARC.)
This technical fix exists! It is called, amusingly, STIR/SHAKEN.
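The publish-and-check idea above, sketched in Python in the style of SPF/DMARC. This is an added example, not code from this post or from any telco, and it does not model the STIR/SHAKEN wire format; the policy record layout, the `on_fail` field and the network names are assumptions, and the phone numbers are constructed.

```python
import re
from enum import Enum

class Verdict(Enum):
    VERIFIED = "deliver: network is on the owner's list"
    UNVERIFIED = "deliver as today: nothing published to check against"
    FLAG = "deliver with a warning shown to the called party"
    REJECT = "do not deliver"

# Constructed policy records (hypothetical format). Numbers come from ranges
# reserved for fiction; "net-x" and "net-y" stand in for the post's X and Y.
POLICIES = {
    "+442079460001": {"networks": {"net-x", "net-y"}, "on_fail": Verdict.REJECT},
    "+441632960123": {"networks": {"net-x"}, "on_fail": Verdict.FLAG},
}

def normalise(number, default_cc="44"):
    """Reduce a presented caller ID to E.164 so formatting cannot dodge the lookup."""
    digits = re.sub(r"[\s\-().]", "", number or "")
    if digits.startswith("00"):          # international prefix
        digits = "+" + digits[2:]
    elif digits.startswith("0"):         # national format, assume default country
        digits = "+" + default_cc + digits[1:]
    return digits if re.fullmatch(r"\+[1-9]\d{6,14}", digits) else None

def check_call(presented_number, originating_network, policies=POLICIES):
    """Decide what the terminating network does with an incoming call."""
    number = normalise(presented_number)
    policy = policies.get(number) if number else None
    if policy is None:
        # No published policy: refusing here would block legitimate callers.
        return Verdict.UNVERIFIED
    if originating_network in policy["networks"]:
        return Verdict.VERIFIED
    # Network Z, or None when transit carriers did not pass the origin on:
    # the owner's policy decides between a hard reject and a softer flag.
    return policy["on_fail"]
```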
There are several main problems with this.
The first is that phone networks are big and old. Trying to co-ordinate literally thousands of systems to make this work is hard. Especially when all those networks are competing with each other. It looks like the US networks might be regulated into implementing this - but no sign of anything in the UK.
Secondly, the risk of false positives is high. Do you want a call not to connect to you just because your phone provider thinks it is spam?
Thirdly, who is going to pay for it? Would you, as a customer, pay £3/month more for a "no spam" phone line? Or are network operators just expected to bear the cost?
Fourthly, does this place undue restriction on who can set up a call? Do I need to set up an expensive certificate just to place a call onto the network? Is that fair or reasonably priced?
Finally, are telcos responsible for the content they carry? Most countries treat them as common carriers and they are immune from prosecution for the messages they deliver. If someone calls you up and threatens to kill you, it is the caller who is criminally responsible - not the phone line provider.
All of this adds up to one big, international mess. And I don't see it being fixed any time soon.
dusoft said on twitter.com:
...and SMS as well. Many SMS gateways allow number customization (some even recently allowed characters instead of numbers, so you could spoof contacts in contact list easily).
Neil says:
Although we don't have STIR/SHAKEN in the UK, when Ofcom most recently revised the rulebook governing the operation of communications services in the UK — the General Conditions of Entitlement — they changed the rules around the presentation of calling line identification, to impose tougher obligations on communications providers in an attempt to cut down on "spoof calls".
Personally, I'm sceptical that this will achieve much, especially in the short term, but it is definitely something which is being looked at.
sikander says:
This is a big problem in Canada with calls originating from India pretending to be Canada Revenue Agency and tricking the elderly or immigrant families into thinking their account is delinquent and an arrest warrant will be issued against them: https://www.cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796
https://www.cbc.ca/news/canada/newfoundland-labrador/police-investigating-td-bank-mount-pearl-1.3612816
Tech workers have fallen victim as well: https://www.cbc.ca/news/canada/british-columbia/vancouver-gift-card-scam-1.5400368
Thankfully the government is finally getting involved: https://www.cbc.ca/news/technology/crtc-call-blocking-1.5401057
Simon Hicks says:
You can see the Ofcom proposals for the UK here: https://www.ofcom.org.uk/__data/assets/pdf_file/0022/144265/first-consultation-promoting-trust-in-telephone-numbers.pdf
No, it will not happen next week, but something is happening.