We’re all familiar with nuisance calls and text messages, and in India it’s a serious problem. To address it, the Telecom Regulatory Authority of India (TRAI) consulted with the telecoms firms to thrash out a solution. The result was a 2018 TCCCPR regulation that outlines a blockchain network to store the telco subscriber consents for specific brands and preferences such as suitable times for messages delivery. This is no small undertaking with 1.2 billion mobile phone subscribers in India of which 800 million are active. And on average, each receives eight to ten messages a day.
The scale of the Indian spam problem is significant. Since 2011 in India 1.8 million unregistered telemarketers have been disconnected and 580,000 blacklisted for unsolicited commercial communications (UCC).
But these messages aren’t just a nuisance. In some cases, they can result in substantial financial losses. For example, if a message is sent about a stock that is about to jump in price. Some of the recipients may be duped into investing. Meanwhile, the spammer bought the stock before sending the text and uses the “campaign” to offload its holding, and eventually the price drops.
This isn’t India’s first run at the spam issue. There’s already a National Consumer Preference Registry and a Do Not Disturb (DND) registry. Tech Mahindra’s Head of Blockchain, Rajesh Dhuddu, noted that the day after he signed up to the DND registry, his spam texts and calls doubled.
The previous approaches to address the issue had drawbacks. Firstly, the marketing firms had access to the data and made use of it for the opposite purpose. Secondly, there was a mismatch in incentives. The penalties were on the marketing firms, whereas now TRAI will penalize the telecoms firms if they don’t restrict a misbehaving marketer’s activity.
Given the spam calls and messages are paid for, telecoms firms may have profited from the spam. In fact, to deter unregistered marketers, any SIM that sends more than a hundred messages a day is charged a premium for the SMSs. Earlier this month TRAI removed the requirement for this premium pricing, a move most of the telecoms firms resisted.
The blockchain solution
The distributed ledger technology (DLT) network to address the spam issue is in production with the major telco firms, but the solution is not fully live. Consent relating to 500 million subscribers is already on the blockchain network, with launch expected around September time.
Each telecoms firm has one or more nodes on the DLT network that stores a fingerprint or hash of the consents as well as preference information for all subscribers, not just their own. The solution is similar for voice and SMS, but we’ll deal with the latter.
When a marketing firm wants to send a message on behalf of a brand, it has to register itself and pre-approve certain “header” data with the sending telco such as the number it will send from and the title ‘message from Brand X’. When it’s ready to go, it provides a message content template and a list of numbers.
The sending or originating telco performs scrubbing to cross check the data with the subscriber’s consents and preferences. It stores the fact of the check on the blockchain so the subscriber’s telco can verify that the scrubbing has happened and the message only gets sent if it has the all clear.
Critically, the marketing company does not have direct access to the blockchain nodes. Tech Mahindra’s Rajesh Dhuddu gave an example of 100,000 mobile numbers that are submitted with 10,000 numbers failing the consent and preference check.
“But the marketeer won’t know which of those 10,000 mobile numbers because those mobile numbers are completely tokenized,” explained Dhuddu. “So the marketeer will get back the file pertaining to 90,000 numbers, but he wouldn’t know which number, which customer passed through the test and which did not pass through the test. This anonymization is being done so that the marketeers do not cross pollinate that information and use that information for other purposes.”
Consumers can log complaints which are entered on the blockchain, and the telco that sent the message has to investigate promptly and restrict the sending marketer if the subscriber did not provide consent. If it doesn’t do so or delays, there are hefty fines on the telco and the ultimate censure is a loss of its license.
The solution uses enterprise blockchain platform Hyperledger Fabric, and each telco has one or more nodes. These nodes are hosted in multiple clouds, including IBM Cloud, Microsoft Azure and Amazon AWS. Enterprise blockchains are known to be more scalable compared to some public blockchains. However, given the data volumes, the scrubbing is performed off chain with a hash of the result recorded on chain.
Each telecom firm has an implementation partner and numerous other systems need to be integrated with the DLT. We believe IBM is working with Bharti Airtel. Tech Mahindra has partnered with Jio, Reliance Communications and Tata Teleservices (though Rajesh Dhuddu didn’t validate this). Vodafone Idea, BSNL and MTNL are working with Tanla Solutions. Additionally, Tanla also has the TruBloq solution, which is used for marketers and brands to register and for subscribers to provide preferences and consents. Neither IBM nor Tanla responded to queries about this story in time for publication.
Privacy and honeypots
On the face of it, the DLT seems like a robust solution to address spam. However, all of India’s consent data is essentially in one place. The question is whether this is a giant honeypot of personal data. That said, the consent data (but not preferences) is encrypted and hashed. We asked what happens if the private keys of one of the telecoms firms is compromised.
“Respective private keys have to be safe custody of each operator and there are adequate security measures practiced to keep the private keys safe,” said Dharmen Dulla, Blockchain Technical Architect at Tech Mahindra. “However, it is not just the private keys. Someone will have to also hack into the operator’s infrastructure and firewall protected blockchain node to be able to query the ledger data since this is a permissioned network.”
Only the subscribers’ phone company has access to the original data. For all other telcos, the consent data is only available in encrypted form and hashed to support scrubbing.
In Europe and some other jurisdictions, privacy regulations provide a right to be forgotten, which is tricky with blockchain. One solution is Self Sovereign (SSI) Identity, which gives users control over their information. “Once Self Sovereign Identity becomes completely mainstream, TRAI has a roadmap to integrate SSI into this,” said Rajesh Dhuddu.
That may also address another issue: a desire by the telecoms firm to monetize the information on consumer behavior. And the subscriber firm has a good picture of its customers’ consents and preferences across all the brands. However, so far, TRAI and the UCC regulations don’t allow them to sell consent and preference data.