How Robo-Callers Outwitted the Government and Completely Wrecked the Do Not Call List
On the morning of Oct. 1, 2015, a middle-aged telemarketer arrived at the Washington headquarters of the Federal Trade Commission. His name was Aaron Michael Jones, or possibly Michael Aaron Jones, and in any case, he went by Mike. According to court documents, Mike was a father and widower. He lived well, paying $25,000 a month for a Spanish Colonial Revival in a gated community near Laguna Beach, Calif. He also employed a personal chef, drove a couple of Mercedes, and maintained a gambling account at the Bellagio in Las Vegas.
Jones sustained his lifestyle by spamming people with robo-calls. He worked with a revolving cast of co-workers under the auspices of about a dozen corporations. At the core of his enterprise was a computer program capable of blasting out irritating, prerecorded phone messages to just about anyone in the country. Jones allegedly paid for exclusive access to the program, which he then rented out to other robo-callers. He and his associates also used it to peddle their own off-brand products, including auto warranties, home security systems and search-engine optimization tools. Anyone curious or lonely enough to listen to one of Jones’s robo-calls, then press “1,” would be directed to a call center, which often meant one or two of Jones’s underlings sitting in a room in Irvine, Calif.
The FTC was investigating Jones’s empire and had called him to Washington to testify under oath. The companies affiliated with Jones may have been dubious — two weeks earlier, Google had filed suit against one called Local Lighthouse for trademark infringement and false advertisement — but the feds were more concerned with the robo-calls themselves. Virtually all robo-calls, whatever they’re selling, are illegal. And Jones had made a staggering number of them. According to the FTC, he was facilitating roughly a billion a year, more than any individual it had ever identified.
At 9:50 a.m., Jones and his attorney arrived at a fifth-floor FTC conference room, where two of the commission’s lawyers, James Evans and Ian Barlow, would confront him. But a curious thing happened as they began asking questions: Jones didn’t deny much of anything. When Evans tried to pin down the volume of calls he was capable of placing, he answered, “I did a lot,” then punched out an estimate on his phone’s calculator. Jones eventually grew restless and tried to move the interview along: “Obviously, the underlying issue is the calls are illegal. We know that already.” Afterward, he returned to California and resumed robo-calling. In January 2017, the FTC sued him. Five months later, a federal judge banned him from telemarketing and hit him with a $2.7 million penalty. He didn’t bother contesting the judgment. (Jones emailed me that he’d “love to discuss” the matter, then stopped responding to messages.)
Jones, it appears, didn’t really care about getting caught. The same goes for the rest of the robo-calling industry. The financial rewards of bothering people on the telephone are clearly greater than the risks. “We continue to bring cases and shut down as many folks as we can,” says Janice Kopec, the FTC’s point person on robo-calls. “What we recognized, though, was we shut down an operation and another one springs up behind it almost instantaneously.” Hence our modern scourge. In 2015, the call-blocking app YouMail estimated that close to a billion robo-calls were being placed every month. Two years later, that number has leapt to 2.5 billion. At best, these calls annoy. At worst, they defraud. By far, they constitute the top consumer complaint received by the FTC.
In theory, there is a fix: the National Do Not Call Registry, created in 2003. Today, 230 million numbers are on it. The point, obviously, is to not be called. And yet the FTC receives 19,000 complaints every day from list members who have, in fact, been called. There is a battle being waged over the inviolability of our telephone numbers — over the right to not be bothered. On one side there is Mike Jones and his robot army. On the other side, there is the federal government and its list. It is clear who’s winning. But why?
“The educated criminal skims the cream from every new invention, if he can make use of it.” So said a Chicago police inspector in 1888, describing an early telephone scam. A wealthy trader had installed a telephone line between his home and office, one of the first in the city. One weekday, according to a 19th-century newspaper called the Electrical Review, a smartly dressed man identifying himself as Thomas Jefferson Odell knocked on the trader’s door and asked his butler for use of the house phone. The butler obliged. Odell called the trader at his office. “The cook, the chambermaid, and your wife are lying here bound and gagged,” he told him, asking for $20,000 in ransom. The trader delivered the cash to one of Odell’s accomplices, then rushed home to find his wife in fine shape and none the wiser.
Over the next half-century, telephone scams became problematic enough that MGM produced a short film to warn of their dangers. It ran 19 minutes and featured a gang of swindlers who compiled telephone numbers of financially distressed people, then got them to invest what they had left in a bogus horse-racing scheme. The movie was called “Sucker List.”
A few decades later, nuisance calls evolved to include legitimate sales pitches. In the 1960s, door-to-door salesmen were suffering. The rise of two-income families meant fewer women were home during the day to buy their products. In 1967, a public-relations consultant named Murray Roman saw a business opportunity, creating a telephone sales operation that could reach customers well into the evening. In his first major campaign, he hired 15,000 women to place a collective million calls a day from their homes on behalf of the Ford Motor Co. The idea wasn’t to sell cars — at least not yet — but to gauge consumer interest. This was called lead generation, and it professionalized the sucker list. Roman’s success rate was low, but his call volume was high enough to make up for it. Of 20 million people reached, 187,000 turned out to be decent leads. Of those, 40,000 bought cars. Ford, according to a 1976 article in the Harvard Business Review, made $24 million on the gambit. Telemarketing was born.
Murray Roman died in 1984, just before people would have started blaming him for ruining their lives. Two years later, a Virginia telecom analyst named Douglas Samuelson invented something called predictive dialing. The technology allowed department stores and politicians and scammers to dial widely and quickly, while weeding out phone lines that were busy or unresponsive. The industry grew exponentially; aggravated customers began to wail to their government representatives. In 1991, Congress passed a law that curtailed some telemarketing activities and created the first Do Not Call registries. Unfortunately, the registries weren’t maintained by the government but by companies doing the telemarketing, and the only way to get on them was to call the companies themselves. Nothing changed.
By 2003, the national telemarketing crisis had grown acute enough to warrant bipartisanship. A nationwide Do Not Call Registry would be established and the FTC would administer it. The House bill to create it passed 412 to 8. Only Ron Paul, Jeff Flake and a handful of other shrink-the-state types dissented. George W. Bush marked the occasion with a Rose Garden announcement. “When Americans are sitting down for dinner, or a parent is reading to his or her child,” he said, in dad-voice, “the last thing they need is a call from a stranger with a sales pitch.” Telemarketing groups would have to pay to download lists of numbers on the registry, organized by area code. If they were later found to have called any of those numbers, intentionally or not, they could be fined up to $11,000 per call.
All but telemarketers were elated. In three months, 50 million people signed up. Syndicated columnist Dave Barry called it the most popular government program since the Elvis stamp. The industry, meanwhile, filed several lawsuits against the FTC, arguing its new toy violated their First Amendment rights. “It will be like an asteroid hitting the Earth,” predicted Tim Searcy, then the chief executive of the American Teleservices Association. “Two million people will lose their jobs.” Barry, capturing the national mood, responded by printing the ATA’s phone number in a column and suggesting his readers flood it with calls. The lawsuits failed, the Do Not Call list became a permanent fixture, and telemarketing never recovered.
“It changed the industry dramatically,” says Stuart Discount, CEO of the Professional Association for Customer Engagement, which is just the new name of the beleaguered American Teleservices Association. “A lot of the outbound calling became calling your own customers, trying to increase their value. Cold-calling or trying to sell something really took a hit.” Set aside that it was now verboten to dial a wide swath of the country. Would someone on a Do Not Call list really be receptive to an unsolicited sales pitch? The registry, says the FTC’s Kopec, was “the nail in the coffin for outbound telemarketing.”
It was an era of good feelings and uninterrupted square meals. And it ended almost as soon as it began.
Ami Dziekan, 41, has worked for the Federal Trade Commission since she graduated from Georgetown Law in 2004. She began her career as a staff attorney before being named program manager of the Do Not Call Registry in 2010. Kopec and her boss Lois Greisman oversee the FTC’s big-picture robo-call strategy, while Dziekan manages the list’s day-to-day operation. (The registry’s customer service people — the human beings fielding calls from dissatisfied list members — are employed by a contractor with offices in Indianapolis and Albuquerque.)
“I have a reputation of having an office full of plants and pictures of family,” Dziekan says, glancing around happily. By federal government standards, her L’Enfant Plaza office building is an inviting one: “If I open my door, I get to look out of a window, which is nice.” Dziekan, a redheaded mother of two, lives on Capitol Hill and is active in her church. Her outlook on life is admirably sunny, given that her job entails dealing with two kinds of people: consumers who don’t want to be called, but are; and telemarketers who want to call, but can’t.
In simpler times, this wasn’t a major problem. By downloading the list of numbers on the Do Not Call Registry, and then declining to call them, telemarketers largely policed themselves out of existence. By the late 2000s, though, a new threat had emerged: robo-calls. Instead of live telemarketers, working for recognizable companies, a new breed of humanoid irritants came calling with all manner of crappy sales pitches and outright scams. Robo-calling itself was not new; a robo-call is just another word for a prerecorded phone message. Public schools have been using them forever to announce snow days and two-hour delays. But now, the technology — far more efficient than traditional telemarketing, in that a live human is needed only once a customer decides to engage — was being marshaled for profit and fraud.
Suddenly “Rachel from Cardholder Services,” the ubiquitous fake bank rep, was plotting to take your money. Around tax season, fake Internal Revenue Service agents came calling, too. They left menacing messages like, “This is a final notification call to inform you that there is an arrest warrant issued against your name and your identity.” From there, targets would be directed to call a number where an operator would be waiting to bilk them. In one scheme, victims were commanded to drive to their grocery stores and pay phantom back taxes in the form of iTunes gift cards. For their part, legitimate companies began outsourcing illegal robo-calls to third parties. (Last year, a federal judge hit Dish Network with a $280 million penalty in part for doing that. Dish Network says it’s appealing.) And none of this includes the related problem of spam text messages.
In the quaint era of man-made telemarketing, it was mainly large corporations like Ford that could pay for the infrastructure and manpower to dial thousands of numbers at once. A couple of technological shifts changed that. One was the advent of voice-over-Internet-protocol (VoIP) dialing. This is the technology that makes Skype possible and is now used by a bulk of the country’s telephone landlines. VoIP “allows telemarketers to make lots and lots of calls for less money, from anywhere in the world,” says Will Maxson, an assistant director in the FTC’s consumer protection bureau. “It also allows you to set up shop, tear down, move. All you really need to make a lot of calls is a computer and an Internet connection.” Combine that with an automated dialing platform, plus some co-workers, and you’re Aaron Michael Jones.
Equally important was the rise of call “spoofing,” or faking a telephone number. Back in another quaint era, you may recall, Paris Hilton was accused of hacking into Lindsay Lohan’s voice mail by pretending to call it from Lohan’s phone. All it took was a perfectly legal $10 “SpoofCard.” (SpoofCard terminated Hilton’s account.) Robo-callers were employing more sophisticated tools, but the principle was the same. It allowed them to entice targets by calling from numbers that bore their own area codes, and, simultaneously, throw law enforcement off their scent.
In 2009, the FTC responded by outlawing almost all robo-calls, exempting those from political organizations, schools and other entities not trying to sell you things. Now, it was not only illegal to call a number on the registry, it was illegal to solicit any customers using robo-calls. The ban had no perceptible effect. From 2010 to 2011, the number of annual Do Not Call complaints jumped from 1.6 million to 2.3 million, the largest increase since the list’s inception. The following year, the number rose again by nearly 70 percent. Last year, the FTC received a record 7.2 million complaints, and the calls were as disreputable as ever. The top violations reported were debt-reduction schemes, vacation and timeshare offers, warranties and protection plans, and impostors. (Most of these were robo-calls, though live holdouts remain.)
Meanwhile, a shift occurred in the way people thought about unwanted calls. The Do Not Call Registry had promised tranquility. Now, it couldn’t deliver. This made people angry twice: once at the robo-calls, then again at the impotent gatekeepers letting them through. “We know that there are people who put their faith in the Do Not Call Registry as blocking every single phone call that they do not want,” says Dziekan. “I try to be flattered that they think I can block every single call that they don’t want. Unfortunately, I can’t.”
Here’s a sad anecdote: In 2013, the FTC published a blog post on its website. It was called “10 years of National Do Not Call: Looking back and looking ahead.” The post featured a cute graphic and plucky copy. “To etiquette purists, the 10th anniversary dictates gifts of metal,” it read. “The FTC presents this iron-clad guarantee: You can count on us to continue to take action against companies that violate the Telemarketing Sales Rule.” Later that day, a commenter named Helen wrote, “Awesome!!!” But every year, a dozen or so new comments would appear, and as time went on, they grew darker. “I think you all have done an awful job,” wrote one commenter in 2016. “The Spammers still call with NO fear of our Government.” Added another: “You no longer function at all.”
At the root of this public relations problem is a likely misapprehension about how the Do Not Call Registry works. When you add your number to the list, nothing actually happens. No legal muscle or technological wizardry suddenly prevents a solicitor from calling you. All the list does is provide you with vague recourse in the event you are called, by allowing you to complain that someone has called you. So, you can report the violation by calling a toll-free number or filling out a form on the Do Not Call website. Then, if the number you were called from shows up in enough complaints, the FTC will leap into action and prosecute the offending dialer.
Except, it almost certainly won’t. In the age of live telemarketing, the mere threat of prosecution or penalty was enough to deter companies with shareholders and reputations to protect. In the robo-calling epoch, dialers couldn’t care less. One, nobody knows who they are or where they’re calling from, because they all spoof their numbers. Two, more of them are doing it every year, since it’s cheap and easy to blast out automated calls from anywhere in the world. All this makes it nearly impossible to identify robo-callers, let alone penalize them. At a hearing on robo-calls in October, Sen. Susan Collins (R-Maine) said she was getting so many of them, she’d disconnected her home phone. “The list,” she said, “doesn’t work.”
When I met with Kopec, the FTC’s de facto robo-czar, she drew a distinction between two eras of the Do Not Call Registry. “Prior to the beginning of the robo-call epidemic, we really approached the problem in two ways: law enforcement and consumer education,” she said. Now, she no longer has the resources to realistically tackle the problem. With an annual budget of $300 million — by contrast, the FBI’s is $9 billion — the FTC is a relatively puny federal agency. There are only 43 employees in the Division of Marketing Practices, which oversees unwanted calls. None of them, including Kopec, work full time on the issue. Ami Dziekan, who works in a different department, is the lone steward of the Do Not Call Registry. Since the robo-call ban went into effect in 2009, the FTC has brought just 33 cases against robo-callers. In those cases, defendants have been ordered to pay nearly $300 million in relief to victims, and nearly $30 million in civil penalties to the government. But even then, the FTC can’t force perpetrators to pay the fine if they argue they’re broke. Which robo-callers often seem to be. So the FTC has only collected on a fraction of those sums: $18 million in relief and less than $1 million in penalties.
(Point of clarification: The FTC is the sheriff here. Its job is to prosecute shady business practices, and robo-calls tend to be shady. But various other state and federal agencies, including the Federal Communications Commission, also police nuisance calls. In theory, there are legal distinctions between which kinds of cases the FCC and FTC can bring, though neither agency could explain these to me clearly. As a practical matter, an FTC spokesman figures, it doesn’t matter: “There are enough violators in this space to keep us both busy.”)
The bottom line is that the problem has become too sprawling to litigate. The FTC is like a commercial fisherman trying to use his bare hands. “What the robo-call problem prodded us to do,” Kopec says, “was to recognize that there has to be a technical piece to this solution as well.” Less reactive policing, more proactive call-blocking. Unfortunately, it couldn’t do that either. “The FTC is largely a civil law enforcement agency. We have a whole lot of attorneys, and a whole lot of economists, and a few technologists,” Kopec explains. “We don’t have the expertise.”
Ever get a phone call from a number that looks suspiciously like your own? This video explains them, and what you should do about them.(Jhaan Elker/The Washington Post)
For a while, neither did anyone else. In fall 2012, as the nation’s robo-call affliction grew more severe, the FTC created a contest, offering a $50,000 prize for the most promising call-blocking proposals. Eight hundred entries were submitted; A-list tech journalist Kara Swisher served as a judge. The following spring, two winners split the reward. The more auspicious of the two was called Nomorobo, devised by a Long Island programmer named Aaron Foss.
Foss, now 39, was working as a freelance software developer in Port Jefferson, on the island’s north shore. “I didn’t even know what robo-calls were,” he says. “Even back then, [the FTC] was like, ‘We’ve done everything we can. Can anybody else do something?’ ” Foss started by piggybacking off technology called “simultaneous ring,” which allowed an inbound call to travel to multiple destinations at once. So when someone called your number, they were also calling Nomorobo. At the same time, he began compiling a blacklist of likely robo-call numbers. By marrying simultaneous ring with the blacklists, Nomorobo picked up inbound calls before its subscribers did, then blocked the bad ones from going through.
The call-blocking field soon grew crowded. Truecaller. RoboKiller. Hiya. The FTC hosted another $50,000 contest called “Robocalls: Humanity Strikes Back.” Yet another was called “Zapping Rachel,” in honor of the “Cardholder Services” menace. Cute names both, but the fight had already become a technological arms race — App Store Autobots against boiler-room Decepticons, basically. And the bad guys were winning. The apps grew more sophisticated — Nomorobo now says it blocks 27 million calls a month — but consumers were receiving more robo-calls than ever. “The robo-call problem is getting worse,” Foss says, “even though there are all these technological answers to it.”
I tracked down several hypotheses as to why. For one, it’s very hard to identify a robo-call from its phone number alone, which in turn makes it difficult to compile comprehensive blacklists. A decade ago, the future of email was clouded by a massive spam problem. By cataloguing bad actors by text keywords and IP addresses, Google and others were able to all but eradicate the problem. Gmail now claims that less than 0.1 percent of the emails its users receive are spam. By contrast, a spoofed phone number — which can be hastily abandoned or belong to a legitimate entity — tells us little about the content of the call itself. This is why we know roughly how many robo-calls are being made but not how many human beings are behind them. “Maybe 1,000 scammers could be generating most of the problems,” says Alex Quilici, the CEO of YouMail. Or more. Or less. Nobody knows.
Two, there’s a square-peg-round-hole problem plaguing the call-blocking start-ups. Different call-blocking technology works for different kinds of telephones — Nomorobo focuses on landlines, others on smartphones — and all of them use different blacklists. Which means robo-calls will find a way to slip through. Meanwhile, the population most vulnerable to telephone scams — the elderly — are also the most likely to have old-school copper-line phones. According to the FCC, there are 54 million of these in the country, and they can hardly block spam calls at all. The only technology available for them are hopeless little analog boxes that require users to enter unwanted numbers by hand.
Three, good luck firewalling a tool as central to modern life as a telephone. “It’s really hard to get a consumer not to answer calls,” says Quilici. “If you’re a plumber, it could be a customer. You need to answer.” Email spam filters have made it harder for intruders to impinge on our digital lives, but people like to keep their phone lines open. And this openness means we’re vulnerable not just to receiving phony calls, but to being manipulated once we answer. “The easiest way to compromise an entity is social engineering. Sort of appealing to people’s emotions,” says David Dewey, director of research at Pindrop, a cybersecurity firm. “We’ve seen instances of fraudsters that will call in to our customers, and they’ll pretend to be super angry. Or super polite and friendly — ‘You sound like you’re having a bad day today; I’ll ask you real simple, what’s your Social Security number on file?’ ”
Finally, there’s the problem of the telecom giants that do nothing. As the FTC pushed its boulder and the start-ups chipped away at it, major telephone carriers stood and watched, claiming they didn’t have the authority to address the problem. For good reason, Washington has been loath to tell phone companies to censor calls. Still, if carriers weren’t going to block the illegal calls plaguing their own customers, the problem seemed likely to persist.
In 2014, Foss protested by lugging 25 boxes of printouts, representing the millions of calls Nomorobo had blocked, to the headquarters of the Federal Communications Commission, which regulates phone companies. A year later, the FCC woke up and voted to allow carriers to offer their customers external call-blocking apps like Nomorobo on their landlines. Next, in 2016, the FCC convened a group called the Robocall Strike Force, a sort of industry Knights of the Round Table in which telecom executives periodically sat in a room and brainstormed. Finally, in November 2017, the FCC gave carriers the power to block certain illegal robo-calls directly. Now, on the horizon — perhaps — is a moonshot called Caller ID authentication, which would function like the blue Twitter check mark that verifies a user’s identity. Developed by a consortium of telecom providers, it’s being tested by AT&T, Comcast and others. It may or may not see the light of day in 2018.
All this activity appears to be having a positive effect. We know this because the hobbled telemarketing lobby is angry again. “Our contact rates have plummeted about 20 percent” recently, says PACE’s Stuart Discount. His theory (though he doesn’t have data to prove this): Newly zealous carriers are accidentally blocking legitimate calls from companies innocently trying to reach their customers.
Still, the last of the human, legal telemarketers have more to fear from robo-callers than from the robo-call police. Says poor Discount: “They created the atmosphere of these billions of calls made each year that interrupt legitimate contact between companies and customers, because people won’t answer the phone.” In other words, we’ve lost trust in our own telephones. “It’s very difficult and obviously we recognize the problem,” he continues. “Look, we’re all consumers, too. I don’t want to get these calls.”
A few months ago, I told a friend in Boston I was writing about the robo-call epidemic. He was pleased to inform me that an app had slowed the deluge of spam calls he was used to receiving on his iPhone. But it wasn’t perfect; the version he was using couldn’t block robo-texts.
I decided to spam him. There is a software platform called Twilio that allows companies, or anyone, really, to send out phone calls and text messages from a random number. This is a legal and legitimate business practice, so long as it is not being done with the intent to defraud or harm a recipient. Indeed, there are good, privacy-related reasons for spoofing a call; imagine that a women’s shelter is trying to contact a domestic abuse victim at home without her abuser knowing. In any event, for the price of $1, I bought one of Twilio’s countless 202 (D.C.) area code numbers. Then, over the course of an afternoon, I followed a tutorial on how to program and send out a text message from that number. Programming a phone call would have been more difficult, but an adept coder could have done either in a few minutes.
I embedded my bogus 202 number, then his real number, then the body of my text, into Twilio’s open-source software. I sent him this:
“This is a message from the U.S. Federal Trade Commission. Our records indicate your phone number is registered on the federal Do Not Call registry. This is a routine list-maintenance message. To confirm, write YES. To remove your name, write REMOVE.”
Giddy with mischief, I held out for like a minute, then asked him if he had received a text from a 202 number. He had. “Looked legit to me,” he said.
Simon van Zuylen-Wood is a writer in New York.