An important document from the FCC's document archive dated
May 2, 2014, FCC-14-57A1 documents Purple's failure to follow the FCC's
requests for reasonable steps to keep fraud from happening. Purple was ordered
by the FCC to use a reasonable process to verify the signup information of
their TRS services. Unfortunately, Purple violated the FCC’s orders by using a “flawed
process”
to validate incoming signups, thus facilitating
fraud coming from non-validated account signups. As a result, the FCC assessed a
penalty on Purple.
Welcome back from reading a LONG 26-page document. If you
stuck to reading just the numbered paragraphs, you're in good shape. I've
broken down what I've understood of what the FCC has been talking about in the
paragraphs. I will include the numbered paragraph in italics and below it my
own response in normal text.
The first several paragraphs indicate the FCC's requirements
for an effective relay service incorporating 10-digit phone numbers. Page 5 is
the beginning of the Discussion section.
A. Purple Apparently Violated the Second Internet-Based TRS Order by
Failing to Implement a Reasonable Verification Process
No kidding. After reading through the rest of the document,
Purple's in deep stuff.
12. While not requiring any specific verification procedure, the
Commission has described three types of procedures that it considers reasonable
for purposes of verification. These procedures share several key factors. Each
verifies the name and mailing address provided at registration, and each
affords timely verification, thus producing a reasonable period between a
user's registration and the determination as to whether the user is eligible or
not to make TRS calls. Any reasonable verification process would have included
these key factors and ensured that providers did not profit from allowing
unverifiable users into the TRS system and allowing them to make calls over an
extended period of time.
Observe how the Commission has requested reasonable procedures with the key word
being REASONABLE. Consider what is reasonable and why. In order to
reduce fraud, one must take steps to reduce it despite the difficulty with
completely eliminating it. The user's name and mailing address is, indeed,
reasonable. Now look at the last sentence. Reasonable
verification process. This means a way to verify and validate that
account's information.
How does any agency that offers services do this? Often,
we're required to show them our drivers license or something similar. And how
do we get those forms of ID? Many states require that the person present their
birth certificate and other similar items in order to get this ID.
13. Prior to 2008, Purple was aware that IP Relay had been misused by
persons to defraud domestic merchants and that one of the Commission's goals in
implementing the new requirements was to eliminate user anonymity and IP Relay
fraud.
Up until 2014, they did nothing. How much was defrauded?
Most likely the numbers are inaccurate, but could easily be way into the high
millions. Can they be held responsible for these losses?
14. Due to the shortcomings in Purple's procedures, the evidence shows
that Purple did not, in fact, verify the name and/or mailing address of at
least 40,000 False Name registrants, yet nevertheless assigned these users
ten-digit telephone numbers, and then submitted reimbursement requests that
included minutes generated by such users. As described below, we find that
Purple failed to institute a reasonable process to verify user registrations as
required by the Second Internet-Based TRS Order.
Makes you wonder how flawed of a process was used, if any
verification was used, and if any efforts were made to even try to reduce the
ongoing fraud. Someone had to know about those 40,000 fake accounts. The phone
company doesn't just throw a phone number at you and say that it's yours. An
account has to be created and validated.
From (date redacted) until (date
redacted), Purple's process made no attempt to verify registrants' names and
mailing addresses.
ZERO verification of the account holder's name and mailing address.
As explained in more detail below, the Company used a (redacted)
process, confirming that (big redaction). In (redacted) Purple added an e-mail
component to its process; (big redaction). This e-mail component did not,
however, involve any effort by Purple to verify the accuracy of the information
provided by the user. The fundamental point is that Purple's (redacted) process
and e-mail component never even attempted to verify the accuracy of the user's
name or mailing address as required by the Second Internet-Based TRS Order.
Now why didn't they use email verification even after adding
the component? It’s an easy implementation to verify and validate all three. What kind of process did they use?
Paragraph 16 basically repeats the failure of the name,
address, and phone number validation.
For example, if a registrant had given an empty parking lot as his or
her address, the (redacted) would have verified the address as long as the
parking lot were (redacted) even if no habitable structures existed at that
address.
Makes you wonder. The post office ain't gonna deliver to a
parking space.
In one instance during its investigation, the Bureau examined an
address that Purple had provided that was associated with 299 different
registrations; each registration had listed "201 Alice St., Alger, OH
45812" as the registrant's address. No such mailing address existed.
Bureau staff contacted the post office in Alger, Ohio (a town with a population
of less than 1,000) and confirmed that the mailing address did not exist.
...but 299 registrants using a single fake address? I can
understand maybe 2-5 of a single address, maybe a deaf family or deaf roommates
living there, but 299? I tried looking it up on Google Maps, and the post
office for that area displayed. Alger is east of Lima in central Ohio just off
I-75, about a short 20-30 minute drive.
Paragraph 17 talks of the use of Verity assigning each
registrant a reliability score. Verity is software created by Imperium, located
in Westport, Connecticut.
Just how low a V-Score did Purple use?
Paragraph 18 has a lot of redactions. Basically, Purple
tried to improve their validation and verification implementations, but still
failed. As a programmer, it's not too difficult to add some coding routines
that can verify and validate the provided email as well as have a human send a
printed letter via snail mail to the provided address. Some banks and other
places use this method when their clients set up their online account and send
a letter with a confirmation code.
It's not too hard as well to set a flag or flags on an
account to show that it's locked until the email validation and/or address
verification are done. That plus compare addresses, physical and/or email, for
multiples. If that address shows up after a certain count, a report can be
created and sent to the appropriate person(s) within the organization. The
account database should have the capability to sort by various columns or rows.
Multiples will show up right there.
20. Indeed, Purple knew or should have known that the False Names were so
patently defective that they could not possibly have been the actual names of
eligible users. However, instead of rejecting the False Names (based on their
nonsensical nature) or attempting to confirm that they belonged to eligible
users, Purple chose to disregard the verification requirements by accepting
these names without reasonable further inquiry regarding users' actual names
and mailing addresses.
It's hard enough or next to impossible to claim they
couldn't have known as there was at least someone who had access to the account
database. And this is someone I'd love to hear from.
Paragraphs 21 to 23 have Purple still claiming their
processes were reasonable in the face of evidence that proves otherwise.
Paragraph 22 is quite heavily redacted, with them looking like they're using
certain techniques. Then the FCC in Paragraph 24 blows Purple out of their
shoes, out of the water, and out the airlock.
While Paragraph 25 is long, Purple is still making claims,
showing their “proof,” which unfortunately, is mostly redacted. They've got
something called a “guest user or access policy.” Apparently, the new account
could immediately start making calls right when it was created. Again, we can
see right there through their smoke-blowing that there was zero
verification/validation. In reality, this account should have been set so that
the person could not make calls, but still modify the preferences and other
entries until it was cleared. We know that guest accounts are typically known
to allow limited access until more access is granted.
In Paragraph 26, the FCC rolls over and flattens Purple's
claims in 25. And then in 27, Purple shoots a major hole in itself by “suggesting that it should have (redacted)
because it reportedly did not (redacted). Purple's actions, however, are
inconsistent with this suggestion.” Then the Commission does one final shot
in 28, saying that Purple failed to implement a reasonable verification process
of the time periods covered. In the entire report, the word reasonable
is used.
Then like a judge delivering his/her verdict:
B. Purple Apparently Violated Section 64.604(c)(5)(iii)(D) of the
Commission's Rules by Submitting Inaccurate Data to the TRS Fund Administrator
and for Seeking Reimbursement for Calls That Were Not Compensable
The Commission delivers the penalty, a forfeiture proposal,
meaning to pay back or give up. After reading the charges, the Commission
delivers a judgment of requiring Purple to pay back $11,937,549.
So what does this mean for the future of IP-Relay? First,
take a look at what I've said above. Then, decide on how the fraud will be
reduced. Next, answer the question about the sustainability of the rates, given
the history of the FCC lowering them every year compared to other TRS rates.
Purple has a call center in the Philippines. With the lower
labor costs out there, why can’t they make a profit at the current rate paid,
which is $1,039/minute?
Once the reasonable
procedures are followed, then fraud will be reduced greatly.
