Schneier on Security
A blog covering security and security technology.
« The Seven Habits of Highly Ineffective Terrorists |
| Chinese Monitoring Skype Messages »
October 7, 2008
Turns out you can add anyone's number to -- or remove anyone's number from -- the Canadian do-not-call list. You can also add (but not remove) numbers to the U.S. do-not-call list, though only up to three at a time, and you have to provide a valid e-mail address to confirm the addition.
Here's my idea. If you're a company, add every one of your customers to the list. That way, none of your competitors will be able to cold call them.
Posted on October 7, 2008 at 3:51 PM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So... should this be called the remove-from-list-before-calling list?
Since it's so hard to have an anonymous email address, this can't possibly be a problem.
I don't see how being able to add numbers to the list is a problem. Telemarketers NOT being able to call people is a good thing...
Maybe you missed Bruce's remark:
"Here's my idea. If you're a company, add every one of your customers to the list. That way, none of your competitors will be able to cold call them."
Depending on how you look at it, this could be a good or bad thing. If the customers are really happy with their current service, then great! No more annoying calls, and the company gets a little more security, knowing their customers will stick around.
But hey, not every telemarketing call is a terrible deal. Sometimes, it could be just the offer you're looking for, to get away from your current service provider... and in this case, the company is not being fair to it's customers (besides misrepresenting itself, which may be unethical, depending on how you look at it)
Similarly (and more seriously), one can enable USPS mail holding online anonymously. I do this often when I leave town, but there's no reason one couldn't do this for/to another person.
I never did put my number on the US list. It's unlisted and I can probably do a better job of managing it than to risk problems, breaches, etc. by coughing it up to the US gov't (and its 3rd-party commercial contractors). I rarely get a problem call.
How about a project that list every personal land line in the country and everyone adds a few a day to the DoNotCallList ?
Great idea Bruce. And then you can have fun being sued for tortious interference.
i also noticed that "charities, political parties, newspapers, pollsters and companies that customers have used in the past 18 months" can still call.
There are oddities with both the US and Canadian DNC lists, but business phone numbers are not eligible to be on either list in the first place. Whether anyone is checking, or whether there is any way for a telemarketer to check, is another matter. But a B2B telemarketer generally doesn't call numbers at random or sequentially, because they use much more targeted lists than those dinnertime B2C callers. If they do reach a residential number, they probably have a reasonable "sorry wrong number" excuse.
The US list is bizarre because while it rejects Canadian area codes, it accepts toll-free 800 (and 888,877,866...) numbers, which may well not be in the USA, and are almost always business numbers. I added a Canadian 800 number to the list five years ago, and it's still there. The US list now never expires (it was originally a three-year list, as the CA one is), but supposedly telco records will cause entries to be removed as numbers are reassigned. But they are probably not set up to get 800 number records from Canadian carriers, so that number (now unassigned) may be on there forever.
The Canadian list is controversial because of the number of exemptions (charities, pollsters, newspapers, politicians...) but most of the exempt callers are still required to maintain individual DNC lists. A private site ioptout.ca has been set up by Michael Geist, a law professor at U of Ottawa, and it allows anyone to manage a personal DNC list with fine-grained control. The telecom and DNC regulator (CRTC) recently rejected appeals by telemarketers, and ruled that emailed notifications from such a site are presumed valid and must be honoured.
I got on the NDNC Registry the day it opened. Telemarketer calls doubled shortly after that and haven't let up in the years since.
The guy in charge of it considers it a wonderful success story, of course.
Every one of those TM calls to me is a violation of the law. The feds track every phone call made, and they can quickly figure out which numbers are telemarketers, so by referring to the NCNCR, they can detect every violation.
They are overlooking millions of calls every year. If the fines average $1,000, then they are forgiving billions of dollars in fines.
I get a few problem calls. That's why I like the advanced features of my VOIP provider. I know, VOIP is terribly insecure.
However, I CAN block and reroute calls at my whim. Right now the fireman's fund goes directly to voicemail, the guy calling from Costa Rica (scam) gets a "you're not welcome here, please do not call again" message, and so forth.
Companies tend to have many many multiples of three customers, and it wouldn't be economically feasible to minorly block the marketing of their competitor in this fashion.
@baron dave romm
three at a time, but you can do as many batches as you want. I've personally blocked 14 numbers, using the same email address.
@LegalBegal: This is the US; they could sue him whether he did anything or not. In fact if he IS successful in his business they will probably sue him just as a business strategy to drain his resources and impeach him with his customer base; even (especially) if he is completely innocent and above board.
Its only if he ACTUALLY does commit a tort that he can't be sued because as long as he has more expensive lawyers than they do he can tie them in knots and bribe the judge and get extensions until they give up or go bankrupt.
Thats why the justice system in this country is called criminal.
So what's the fix Bruce?
You're right, it can be abused, but seriously so can the take a penny leave a penny jar at the corner store. Computers just make abuse bigger and faster. How about a call back to confirm? That's sort of a fix. It proves you have access to the phone. Something most marketers wont have.
My point is it's not that important, it's fixable, and this story is a not a good example of why I like you.
Since Francis brought up "penny jars", do we really need to be spending $$$$$$$ designing and making FOUR NEW penny designs??? I mean when there is a cup in every gas station, fast food joint and quick shop where you can take them for free then THEY ARE NO LONGER MONEY! Stop minting them altogether!
"I don't see how being able to add numbers to the list is a problem. Telemarketers NOT being able to call people is a good thing..."
Can someone, as a public service to the country, write a script that would remove everyone's number?
"add every one of your customers to the list. That way, none of your competitors will be able to cold call them"
Even better: add all your competitors to the list!
In all my 25+ years of having a phone (meaning after I moved out of my parent's home), I've NEVER received a telemarketing call in which I had an interest.
Sorry, but I'd rather miss that elusive "just the right deal" call than have to listen to all the tens of others I received beforehand.
I've proposed a solution for spam which works just as well for telemarketing: install a digital cash framework and charge, say, 25 cents per call. "If you've got something important to tell me, deposit 25 cents and my phone will ring. If I agree that it was important, I'll give the money back." Come to think of it, we could all get 900 numbers for roughly the same effect.
(A while ago Bruce ran an article about the "coin-operated doorbell"-- one of the very few articles on which I completely disagreed with him-- but I didn't see it in time to comment.)
Not sure if behavior was changed recently, but this is what is now required to remove a number from the Canadian list: "To remove a residential, wireless, fax, or VoIP telephone number from the National Do Not Call List (DNCL), you must call the National DNCL Service Line at 1-866-580-DNCL (1-866-580-3625) or by at TTY 1-888-DNCL TTY (1-888-362-5889) from the number you wish to remove."
The canadian list does not block call from outside of the country so telemarketers can outsource their call to another country and go around the list
> So what's the fix Bruce?
That's quite simple. Get rid of the National Do Not Call Registry. I should have to opt-in to get garbage phone calls, not opt-out to avoid them. The political campaign, nonprofit, and "companies you've done business with" exceptions make the existing list useless.
I still open about 1 out of every 7 calls now with, "My number is on the national do not call registry, and I don't know where you obtained my number but I would like you to remove my phone number from your list, please."
If a company or organization wants to call me, they should have first acquired my phone number from *me*, not by them having acquired it elsewhere.
I would like to be able to donate money to a nonprofit with the caveat that they don't call me in two months and ask for more money. I would like to be able to be politically active without getting robocalled two days prior to the election with a bunch of prerecorded 30 second sound bite campaign promises that have nothing to do with whether or not I'm going to vote for the candidate. I would like to be able to buy a car without having the dealership hand my phone number off to the service branch and have them use a computer to call me for months reminding me that my warranty is about to expire.
The problem with this idea is that most companies seem to be ignoring the do-not-call list anyway. They've realized the government won't do anything about complaints until the number reaches some massive threshold.
Beta: what you propose is basically the same thing that the email anti-spam folks call "attention bonds". Problems with those, most of which also apply when it's used for telephone calls, are listed here:
@Matthew Skala: "...what you propose is basically the same thing that the email anti-spam folks call "attention bonds". Problems with those... are listed here:..."
1, 2 assume bad features of the money system (non-anonymity, "escrow agents", etc.) which are not neccessary.
3 simply makes no sense to me.
4 is contrived and false-- even "children, the homeless, and many people in developing countries" can obtain a dollar for long enough for me to receive and return it, if they can afford the telephone call (or internet access) in the first place. And personally I don't get many messages from penniless people I don't know.
5 ("they'll just move to another medium") and 8 ("they'll just put spam in the subject line or something") aren't very strong arguments.
6 assumes a contract that doesn't exist.
7 describes a problem with money, not with this scheme.
9 is a problem with entities that don't respond well to messages (such as companies that charge for tech support, or don't answer the phone at all), not with this scheme.
The first nine were easy to rebut-- I won't bother reading the rest.
"Since Francis brought up 'penny jars', do we really need to be spending $$$$$$$ designing and making FOUR NEW penny designs???"
Please don't derail threads onto unrelated subjects.
Your rebuttal assumes that issues such as, "problems with money, not with this scheme" are easy to correct, can be implemented in a reasonable time, and are worth the cost of changing the system of money.
I think that's entirely too simplistic a rebuttal.
Put another way, your scheme may be entirely "end-to-end" fine internally, but those ends don't touch any of our current socioeconomic realities, so you're scheme is impractical at best.
one can invoke PIPEDA to deal with the firms and charities that are exempted from the Canadian DNCL, even if you have dealt with them in the last 18 months...
@Pat Calahan: 'Your rebuttal assumes that issues such as, "problems with money, not with this scheme" are easy to correct, can be implemented in a reasonable time, and are worth the cost of changing the system of money.'
Not at all. My rebuttal is still sound if we assume that problems with money (e.g. people can gamble with it, one of the examples given) are completely unsolvable.
My scheme does involve a system that does not (yet) exist. If that is enough to prove it impractical, then everything that has ever been invented was impractical, and "impractical" has no meaning.
I'm feeling generous, so I'll suggest a good argument against my scheme: modern governments will fight hard against anonymous digital cash (for reasons having nothing to do with this scheme) so the scheme would be hard to implement in its pure form.
The instructions say you must call using the same phone as that to be registered or removed.
Questions: How easy is it to spoof a landline? and
How many telemarketers would have the personnel capable of performing the required hack?
I accidentally added a number one digit off from mine to the list. You get a screen to review the numbers but I didn't check it, and now some random guy is missing his calls from newspaper subscription solicitors. Well, he may not actually miss them, but still...
And there was nothing I could do to cancel it, either.
In the meantime, before all the calls stop, I've gotten in the habit of hanging up on them. And yes, it doesn't apply to political canvassers, (there's an election going on in Canada now) nor should it.
Anything is easy to rebut if you think that ignoring a problem makes it non-existent. I expect better.
Seems to me, any person working for an organization that conducts telemarketing should be forbidden from adding their personal landline number to the list. If you want to take pity on the peons, allow non-exempt workers to opt out. (In the US, hourly and some salaried workers are considered 'non-exempt' if they are covered by certain labor laws, including overtime rules http://www.allbusiness.com/government/... Ditto for any exempted organization that hires a telemarketing firm or employs telemarketers - political groups, charities, whatever. Their free speech rights are not infringed, but they can share the burden they create.
Fair is Fair :-)
"Here's my idea. If you're a company, add every one of your customers to the list. That way, none of your competitors will be able to cold call them."
personally I would consider this a service. ;)
I do not find that spam phone calls are a problem but they drive my husband nuts. I just hang up on them.
For many years, we had a rule that if the phone rang during dinnertime it would be ignored. We arranged a code with our daughter so that we would pick up her calls.
Has this been suggested before? Write a script to set up an email address for confirmation, dial the do-not-call list, request to opt out of a given number, then confirm the email. Drive this with a wardialing script. One step further: Use a distributed computing framework to parcel out phone numbers. Eventually, every phone number will be on the do-not-call list.
Frances, was that because your daughter didn't know when dinner time was?
One thing I love about cellphones is the clear "off" mode. Since people stopped respecting the "don't call between 2000 and 0600 unless it's an emergency" I've taken to turning off/taking off hook my phones when I go to bed. If it's important they'll come and knock on the door.
With telemarketing, I just note the company and hang up. If it bothers me I tell the company that's being advertised. With junk mail pasting their junk mail to their front windows often gets the message across, for instance.
It's probably not a big problem considering that much of the telemarketing is done by telemarking firms. I'm sure those firms are quite happy calling the same numbers on behalf of several competing companies.
Besides, cold-calling is just one marketing option.
For some time I have been getting automated call systems (ACAD) calling me to offer me a free vacation. As in "push 9 to hear a message..."
These calls come from the US, to my home (and mobile) in Canada. This seemed to have started sometime just after the US Do-Not-Call-List started. My impression is that the people in this business/scam couldn't call the US numbers anymore.
The thing is that ACADs are illegal in Canada: it has to be a human. But, the CRTC says I should call the phone company, and the phone company hasn't a clue and suggests calling the CRTC.
All I can think of, is that the phone company needs to implement the Usenix death penalty here.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.