Regular readers of Commsrisk may think they know my opinion about the contents of the US Robocall Mitigation Database (RMD), but I only share a tiny proportion of the crap I find in there. To recap, the RMD is the kind of thing you get when one country decides it will get many entities worldwide to all register their details so they can be vetted and the public protected, but has no serious plan for the actual checking of the register and vetting of the (mis)information it contains. Whilst I have previously highlighted the the inept scrutiny of data stored in the database, I will reiterate the point because any auditor worth their salt should immediately see what is wrong with the following entry, which was added to the database last week.
Business Name: bhavesh
I was a professional auditor, but you do not need to be a professional auditor to notice this name is suspicious. It does not sound like the name of a business. It sounds like the name of a person. And that is exactly what it is. It is the first name of the person who submitted the entry, not the name of the business. I can deduce this by observing the name of the business per this RMD entry is the same as the name of individual who is the FCC’s contact for the business, which is the same as the name of the CEO of the business, but is not the name of the business displayed on the website of this business.
You might say this does not matter. I think it matters. The supposed purpose of the RMD is make it difficult for liars to lie about things. I am not suggesting Bhavesh is a liar, though he was a bit lazy with capitalizing his own name. He probably just did not read the FCC’s form correctly. But FCC employees are so lacking in curiosity that they do not instantly see there is something wrong with this entry, then how will they ever identify a determined liar? This RMD entry is wrong because there is no business with this name providing communications services, but somehow this entry exists. The RMD exists to support industry-wide know-your-customer (KYC) checks, so it is a sorry state of affairs if the quality of the industry’s KYC is so low that there is not even the expectation to get the name of the customer correct.
You already know the telltale weaknesses of scammers. They make spelling mistakes. Their corporate websites look like they were constructed using stock images and Windows 95. I do not wish to be rude about Bhavesh. He may be a busy guy. But he does make a lot of spelling mistakes. And the last time I saw such a ropey slow-loading website, I was using Mosaic as my browser. Some would consider these to be warning signs.
Just the few minutes spent doing research for this piece would have been sufficient to call Bhavesh and have a friendly chat with him. Asking him about the name of his business would have been an easy opportunity to see if his business is genuine, or whether he made a few mistakes with his RMD entry. I have not done that; it is the wrong time of day for me to call Bhavesh’s number in New Zealand, and I am not paid to do the FCC’s work for them. But if somebody at the FCC had contacted Bhavesh then any mistakes with his RMD entry might have been fixed immediately. Evidently they did not contact Bhavesh, although the main purpose of the RMD is to have a list of phone numbers so you can call people if something goes wrong. Which begs another question: if the names can be wrong, how can we trust the phone numbers in the entries?
I read Bhavesh’s robocall mitigation plan, and it was bad. It was not the worst; he actually did write some sentences about things that sound like mitigations of nuisance robocalls. The main difficulty was that Bhavesh’s robocall mitigation plan begged many questions about compiling many unexamined documents in a big database that is never scrutinized by anybody but me, and only by me when I feel like making fun at the FCC’s expense. The three most common words in Bhavesh’s robocall mitigation plan are: “upstream”, “provided” and “carrier”. That is because each of the mitigations in Bhavesh’s robocall mitigation plan were provided by the upstream carrier. So that suggests Bhavesh is an honest fellow who is telling the FCC how things really are. But it also means the FCC has learned nothing that it would not have learned by asking the upstream carrier how they mitigate robocalls.
To be clear, my guess is that Bhavesh is somebody who runs a small business and who put only a little effort into his RMD entry because the FCC puts even less effort into checking the submissions it receives. Currently the FCC is consulting on whether to introduce fees for people registering with the RMD, so the money can be spent on performing checks of the quality of the entries in the database. On the one hand, they obviously need to spend more money on checking the entries in the RMD. On the other hand, do we trust the FCC to spend this money well? And on the other other hand, how many small businesses will try to skip this fee by asking their upstream provider to do it for them instead?
The FCC makes a fair point in their consultation on RMD fees: they will not get decent quality control checks without spending some money on controlling quality. What a shame that did not occur to the FCC when they told the whole of the USA that STIR/SHAKEN guarantees calls are authenticated, although nobody was told to spend a single additional penny on checking who was making those calls.
