In 2010, to tackle the problem of unsolicited commercial communications (UCC), or spam calls and messages, the Telecom Regulatory Authority of India established the “Do not disturb” registry. Over 23 crore subscribers are registered on this database. The purpose of the registry was to give subscribers the choice to opt out of receiving blind calls for commercial purposes. This did not really tackle the problem, as marketers found unethical ways of obtaining the consent of users, or used unregistered telemarketers to make the calls. At the same time, the number of fraud related calls also increased. In September 2017, TRAI initiated a public consultation on the feasibility of using blockchain to tackle the problem, and register the consent of the users. This was followed up with an open house discussion in December 2009. Following the responses to the consultation, on May 29, 2019, TRAI notified draft regulations for using distributed ledger technologies, or blockchain to tackle the problem. A part of the implementation includes using AI to identify and track spam callers.
On August 27, 2019, Tech Mahindra and Microsoft announced a collaboration to build a blockchain based solution in line with the draft regulations of TRAI. A series of sessions were conducted with the authorities and the various stakeholders, or the telecom operators to design the solution. The solution is built on the Microsoft Azure platform.
Through the system, the telecom operators can keep track of preference registration, consent, dynamic preferences, stakeholder onboarding, complaint registration and tracking. To the end user, this means more granular options regarding spam calls, depending on their preferences. Additionally, it also becomes easier to complain and track the response in case they recieve any unwanted communications. The same system will also be used to track and prevent fraud calls.
Rajesh Dhuddu, Global Practice Leader, Blockchain at Tech Mahindra, says, “Blockchain as a technology is a powerful tool to combat the issue of spam calls and fraud risks, to protect user information, as well as the integrity of the telecom sector. This Distributed Ledger Technology (DLT)-based solution will enable enterprises to stop financial frauds and perpetration of misleading financial information by unregistered telecom marketers who rampantly use the SMS service of Telcos”.
Prashant Shukla, National Tech Officer at Microsoft India says, “The intersection of cloud and blockchain will ensure a new way of monitoring and enforcing compliance throughout the ecosystem. Through this solution we will be able to help service providers be compliant with the new regulation. With a Microsoft Azure blockchain-powered solution, we will ensure that we mitigate loopholes used by fraudsters and spammers to reach end users. Microsoft believes blockchain has significant potential to eliminate waste, fraud and abuse from markets of all types.”
We reached out to Dr. Pandurang Kamat, the Chief Technologist & Associate CTO, Persistent Systems to better understand the implementation. Our first question was how exactly the blockchain would be implemented. “Blockchain will be used to record user consent for receiving calls/sms from a particular business, keep a record of any changes the user makes to this consent and the confirmation of communication to the user confirming those changes. The last part is important to mitigate any surreptitious consent changes either the telecom provider or marketer may do without informing the user,” Kamat said.
The second question was on how the nodes and the consensus would be used. Kamat replied, “The nodes in a blockchain typically store the persistent data recorded on the chain. In this instance it likely would be a hash of the user’s consent related transactions as well as a hash of every call or sms log from a marketer to a user. It really depends on the level of compliance the detailed regulation spells out. It would be advisable to not records personally identifiable information about the user on the blockchain directly. This is particularly important given the upcoming data privacy regulations which empower a consumer to ask to be forgotten (deletion of all their personally identifiable data) by a service provider when they stop using a service. The consensus part of a blockchain is an underlying mechanism to ensure that all the nodes in the network consistently and securely record a given entry into the chain. It does not have any application specific connotations.”
Our final question to Kamat was the actual benefit to the end user. Kamat’s response was, “TRAI should be a party to the blockchain network that is recording the user consent, changes and communication logs. Since the marketing communications will be cross referenced with consent, any audits or complaint resolutions can be automated and cross checked against the tamper-evident ledger held by the blockchain. This makes for speedier resolutions and a much lower cost of enforcement. Two of the major problems today are that telcos typically close any user complaint with a template response saying “no fault found at our end” offering no proof of recorded consent. This is a major source of nuisance to end users that is expected to be solved by this approach. Secondly marketers or telcos surreptitiously record user consent without an explicit communication informing the user about it. If that is made mandatory and also logged on the chain, it will empower the end user to revoke surreptitious consent. Overall the balance of power between the user and the telcos and marketers will be more even keeled offering more visibility and control to the end user.”
There are some questions regarding the implementation though. Shirsendu Karmakar has outlined some concerns (PDF) in the implementation of blockchain to tackle spam. The main problem point is that the the blockchain implementation will be private and centralised, as against public and decentralised. This means that the authority can fudge the data in the blockchain, or the operators could collude among themselves to make changes. The security of the blockchain implementation comes into question, when it is a private, centralised blockchain. Additionally, there is no mining and no stake in the blockchain, giving the participants little incentive to update it. Such a system has never been tested in the scale that TRAI intends to implement it. In the end, a private blockchain takes away most of the benefits of distributed ledger technologies, and is little more than a shared database.
We asked Venkat Krishnapur, Vice-President of Engineering and Managing Director – McAfee to weigh in on the security concerns. One of the first questions we had was how effective the proposed solution would be, when it came to holding the entities responsible for the spam calls. “Given that blockchain is an open verifiable digital ledger, diverse use cases are being found for it. The proposed use of this technology by telecom regulator TRAI, will ensure that only authorized agencies will have access to data of only those subscribers who have agreed to receive such communication,” Krishnapur said, “Telecom subscribers in India have long been victims of spam, telemarketers and credit card companies to either sell or promote their new offerings. Additionally, many cases of frauds by duping customers to give out sensitive information such as credentials, PIN numbers, etc., have been on the rise in the country.
This is one of the first instances where blockchain technology is being used to limit the use of subscriber data at such a large scale in the telecom sector. The impact of the proposed regulation will become clearer as the draft is strengthened, incorporating inputs from various stakeholders- subscribers, operators, regulatory authority, vendors etc. However, this is a big leap for adoption of blockchain in telecom and a positive start for stricter security norms in the sector. The regulation is certainly poised to play a big part around security, avoiding third party intermediaries, identity management and accountability towards ownership of subscriber data.”
We then asked Krishnapur to outline some of the security threats that the implementation could face.
“Blockchain, being an emerging technology, is often a hotbed targeted by cybercriminals. As more businesses turn towards blockchain to solve their problems and as consumers increasingly rely on these technologies, due diligence is needed to understand the evolving threat landscape to develop an effective and tailored risk management system. The primary attack vectors include phishing, malware, implementation vulnerabilities, and core blockchain technology vulnerabilities.”
Some of the potential threats outlined by Krishnapur are:
Exchanges Under Attack
The principal players, and targets in the blockchain scenario are cryptocurrency exchanges. Cryptocurrency exchanges can be assumed to be banks wherein users create accounts, manage finances, and even trade currencies including traditional ones. Attacks on the exchanges are harder due to the myriad of defenses usually employed. But smart criminals are always trying to break into crowdsourced servers.
Endpoints, as the name suggests, are the points where people and blockchains meet. For the most part, endpoints are the computers that individuals and businesses use to access blockchain-based services. Regardless, if these are financial institutions, industries, or cryptocurrencies, the use of a blockchain begins with information being entered into a computer and ends with information being output from a computer. It is during this process of accessing and editing the blockchain, the data on the chain is most vulnerable. Some of the potential scenarios under this category of endpoint vulnerabilities include :
Generally due to uncertain user behavior, dictionary attacks can leverage certain applications of blockchain. Brain wallets, or wallets based on weak passwords, are insecure, yet people still use them. These wallets are routinely stolen.
Phishing is another popular deception technique to obtain passwords. This is the first stage where malicious links could be clicked, and malicious applications get downloaded to devices.
Malware attack – A compromised device from a phishing attack could reveal ids and addresses if there are malicious apps such as keystroke loggers or applications that hook into the clipboard and replace original addresses during a transfer process (particularly in crypto currency scenarios)
Blockchain application vulnerabilities
There are a number of applications and utilities that are created over the core blockchain platform – often times by fly by night programmers or inexperienced ones who pay least attention to secure coding practices. These result in vulnerabilities in the application that can be easily exploited and once compromised, the hacker has access to a host of data and able to launch any kind of attack he so chooses.
“Since attackers are prone to targeting unpatched vulnerabilities, McAfee envisions these threats to emerging technologies, thus providing adequate solutions by developing advanced systems to tackle them.,” Krishnapur explained.
We then asked if the new regulations would encourage or stifle competition. Krishnapur’s response was, “Organizations need to work around regulation, not above it. Innovations must not be deterred by the regulation. Appropriate regulations are required to protect people and their lives. Particularly, an individual’s identity and privacy must be respected and protected.
However, that said, regulations also need to consider impact on other parameters such as security, ease of use, value creation to the user from their data and so on. Therefore, regulations need to be balanced. Industries need to come under a regulated process but at the same time have the flexibility to create applications and products that will provide value to the user without compromising their identities or privacy. To a large degree technologies like blockchain use high grade cryptography and this makes it harder for the bad actors to exploit.”
Our final question was regarding the potential threats of using AI to track spam calls. “AI requires the use of large amounts of data of different types that are then thrown into learning engines that work at high speed. Pattern recognition algorithms kick in and do classifications of that data. These are then used to make smart and intelligent decisions. Therefore, unmanaged data could, in theory, pose privacy or identity risks. Appropriate pre-processing stages that use techniques such as anonymization, pseudonymization and data minimization will ensure that technology could be put to use for the larger benefit of consumers and society while at the same time ensuring consumers are not compromised online. Additionally, with the passage of the recent Supreme court ruling on privacy, the tabling of the Sri Krishna commission report on data protection and GDPR that has come into force protecting customers data is now mandated by law. They are no longer guidelines. Between a combination of educated users who follow basic online hygiene, usage of the right tools and technology and regulations we should have reasonable protection and safe online experience for our citizens,” Krishnapur said, “AI is not here to bring a change for the worse – Smart tools merely signify the next stage in development, for humans and the companies for which they work. However, considering how unsupervised machine learning is the latest threat to cybersecurity, it is imperative to develop robust security systems that will curb opportunities for criminals, political operatives, while parallelly developing a strong code of ethics for the use of AI.”
While it looks like TRAI is going to go ahead with the implementation of blockchain, there are some concerns that the telecom service providers themselves have raised. The entire industry is going through a period of extreme stress, and these regulations may mean additional investments that would burden an already troubled sector. The costs include servers for maintaining multiple copies of the blockchain, high speed connections between providers, and computing resources to make sure ever node stays on the server. It is a perpetual cost. What exacerbates the problem is that the technology is not commonly understood, and is unproven at this scale. Additionally, the operators point out that the original Do Not Disturb system did not have any major problems. Finally, the proposed regulations penalise the service providers, but not the telemarketers who abuse the connections provided to them.
An independent study by Deloitte showed that 92% of the blockchain projects initiated by individuals or organisations since 2016 have ended in failure.
Blockchain is an emerging technology, and the authorities have found an innovative use for it to block spam. The required systems are being developed by the top tech companies in the world. It may well turn out to be an effective way of tackling the twin problems of spam and fraud calls. However, there are serious questions on the implementation and security.