Virginia’s anti-phone spam bill offers no real solutions, may have unintended consequences

*Edited 2/22/2019: This post has been updated to add commentary on the current bill to pass the Virginia House and Senate, HB 2170, which is now headed to the Governor’s desk this year. The bill originally covered in this article, HB 2564, failed to get enough support in the VA House.

As the new year rings in, many Virginia residents are trying their best not to pick up the phone. That’s because the amount of phone spam in Virginia and across the country has ramped up to what some are calling ‘epidemic’ levels. In response, Virginia legislators have proposed and unanimously supported a new bill, HB 2170, that would not only make it illegal to produce phone spam but assigns a fine to those caught in the act.

The only problem? That bill is unlikely to catch any of the bad actors producing phone spam and provides no real solutions to a primarily technological problem. More concerningly, there could be unintended consequences for some otherwise law-abiding Virginians.

What is HB 2170, or Virginia’s the “phone spoofing” bill?

Introduced by Del. Emily Brewer, HB 2170 is in some ways similar to the 2009 Truth in Caller ID Act passed in 2009 by the US Congress. HB 2170 is designed to cover current issues with spam calling and, in particular, the type of local exchange or NPA-NXX spam calls many US residents are now seeing more of than ever.

More colloquially, this is known as “phone spoofing” or “neighbor spoofing”, where the spam call number shares the same area code as the recipient, but also where the spam caller is unlikely to be located within the same area code, state, or even the same country.

Concerns with HB 2170

It’s easy to compare HB 2170 with the 2009 Truth in Caller ID Act. Like the federal law, HB 2170 makes it illegal to call anyone in Virginia by using spoofed Virginia area code that displays on the recipient’s caller ID. The bill thankfully adds a significant limitation on who it targets: those who would “defraud, intimidate, or harass” others as they hide behind a spoofed number.

Still, there are several issues with this bill’s approach that reduce its potential effectiveness and may make it a danger anyone with a Virginia area code.

Importantly, HB 2170, which made it through the House and Senate with wide support, is a vast improvement over a competing bill which died in the House, HB 2564. The language in HB 2564 was broad enough that it could have made a large amount of legitimate VoIP usage illegal.

According to the now-dead HB 2564:

“The measure prohibits conduct to otherwise (i) circumvent caller identification technology that is designed to allow the receiving party to identify the telephone number, location, or organization from which the call or text message originates or (ii) misrepresent the origin and nature of the call or text message.”

While the bill placed a limitation on who this applied to (only those with the intent to “defraud, harass, cause harm, or wrongfully obtain anything of value”), it could have potentially been illegal for some Virginia residents to use a VoIP number from New York, for example, with possible fines assigned to residents who decided to create and use numbers from that service.

The general assembly decided to opt for the more clearly defined and easier to navigate HB 2170 bill, which would still make phone spoofing illegal, but significantly limits the language used that could have had significant impacts on legitimate VoIP usage in the state.

What is “neighbor spoofing”?

HB 2170, which is intended to offer law enforcement room to work with in prosecuting spam callers, misses the mark on the origin of these calls. The bill hinges on allowing VA residents who receive spam calls to report suspected numbers to the police, who will then decide how and if to proceed with investigation and prosecution of a misdemeanor. What police would primarily be targeting, in this case, is called neighbor spoofing.

Neighbor spoofing is the application of VoIP services to create a local area code, and then using that number to spam call others who have the same area code. For Virginia residents, that could mean getting a phone call from a 540 or 434 number, when in reality, the individual making the call is located far outside of Central Virginia.

Cybercriminals utilize this method as a form of psychological manipulation. The idea is that you’re more likely to pick up the phone if the area code or even the name is familiar. And given the many reasons why someone might get a call from a local number that’s not saved in our contact list (doctor’s office, car mechanic, kid’s school, etc.), it’s easy to see why this scheme not only works, but is now the most common type of phone spam Virginians and other US consumers receive.

Scam callers now often spoof real numbers owned by individuals who may not realize their number is being used as part of a scam. From a technical standpoint, all it takes is the right computer software for spam callers to insert themselves into a network with a spoofed number, or by using technology that allows the caller to trick your device’s caller ID into thinking it’s receiving a call from a different name and phone number. At that point, you have no way to tell if the caller is real, unless you pick up the phone (not recommended).

Additionally, the spam callers can hide behind various proxy services and methods when creating and sending spoofed numbers through VoIP services, making it nearly impossible to trace the original source.

As a result, some Virginia residents may unwittingly find themselves on the wrong end of a law that does little to effectively distinguish between the bad actors and their victims. Those accused of originating spam calls may indeed instead be victims themselves who could be forced to pay undue costs to prove their innocence.

The technological weaknesses of HB 2170

From a real-world application standpoint, HB 2170 also does nothing to stop the root of the neighbor spoofing and phone spam problem. While the bill makes it illegal to for anyone in Virginia to spoof numbers for fraudulent purposes, the bill offers none of the technological solutions required to address phone spam in Virginia.

The illegality of creating phone spam has thus far failed to dissuade cybercriminals worldwide. Virginia’s law may make it illegal at the state level, but it only adds more legislative bureaucracy while remaining unsupported by any of the emerging technology solutions that can effectively filter out and block phone spam from Virginians’ phones.

No one understands the overall futility of such legislative efforts better than the software companies that design spam blocking applications. According to Truecaller’s director of communications, Kim Fai Kok, “By just looking at the trends and statistics, we do not see spam calls stopping any time soon.”

“Just last year, Americans lost nearly 9 billion dollars to scam calls — and we believe this is only the tip of the iceberg,” he explained.

While Fai Kok agreed that consumers need more information and education about the topic, something HB 2170 may be able to accomplish through media attention, he also explained to us that the issue with Virginia’s legislative efforts is indeed a lack of communication and cooperation with the tech companies that have the experience and technical background to find viable solutions.

“We believe that by working more closely with legislators and telcos, we have a greater chance to tackle this problem more effectively,” Fai Kok said.

The majority of the cybercriminals behind the phone spam Virginians and other US residents receive are not based in the US. Most of these operations run from discreet, international locations, particularly in India, Pakistan, and China, far outside of the reach of Virginia’s law enforcement officials.

Although the US government occasionally catches some of the conspirators based in the US, as they did in 2018, it takes an international effort to find where the spammers operate. Even then, considering it’s a federal crime, anyone caught in Virginia is unlikely to face consequences at the state-level; they’ll most likely be handed over to federal prosecutors, instead.

Furthermore, one needs only look at the federal government’s attempts to stop phone spam to realize that simply making phone spam illegal and assigning a fine does nothing to fix the problem. Nearly half of all phone calls Americans receive in 2019 will be spam. That’s up from 3.7 percent in 2017. Meanwhile, the Federal Trade Commission (FTC) Do Not Call Registry was signed into law and established in 2003. The ultimate goal of the DNCR was the same as Virginia’s HB 2170 (to dissuade spam callers), but in the past two decades, the phone spam problem has only gotten worse, not better.

If the federal government could not make a dent in the problem, it’s unlikely a law officially making spam calling illegal in Virginia will have any impact, either.

Virginia legislators have an uphill battle if they want to solve the phone spam problem. Adding legislative weight to the issue is an admirable goal, but without a real, technical solution applied across the telecommunications networks, an update to existing law carries no weight and will be unlikely to make an impact.

Unlike the bipartisan Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act proposed in the US Senate, which would require telecommunications companies to implement call filtering technology across their networks, Virginia’s HB 2170 only adds penalties without actionable solutions.