Wednesday, November 12, 2014

Here's Why Purple's in Deep DooDoo!

An important document from the FCC's document archive, FCC-14-57A1, dated May 2, 2014, documents Purple's failure to take the reasonable steps the FCC requested to keep fraud from happening. Purple was ordered by the FCC to use a reasonable process to verify the signup information for their TRS services. Unfortunately, Purple violated the FCC’s orders by using a “flawed process” to validate incoming signups, thus facilitating fraud coming from non-validated account signups. As a result, the FCC assessed a penalty on Purple.

Welcome back from reading a LONG 26-page document. If you stuck to reading just the numbered paragraphs, you're in good shape. I've broken down what I've understood of what the FCC has been talking about in the paragraphs. I will include the numbered paragraph in italics and below it my own response in normal text.

The first several paragraphs indicate the FCC's requirements for an effective relay service incorporating 10-digit phone numbers. Page 5 is the beginning of the Discussion section.

A. Purple Apparently Violated the Second Internet-Based TRS Order by Failing to Implement a Reasonable Verification Process

No kidding. After reading through the rest of the document, Purple's in deep stuff.

12. While not requiring any specific verification procedure, the Commission has described three types of procedures that it considers reasonable for purposes of verification. These procedures share several key factors. Each verifies the name and mailing address provided at registration, and each affords timely verification, thus producing a reasonable period between a user's registration and the determination as to whether the user is eligible or not to make TRS calls. Any reasonable verification process would have included these key factors and ensured that providers did not profit from allowing unverifiable users into the TRS system and allowing them to make calls over an extended period of time.

Observe how the Commission has requested reasonable procedures, with the key word being REASONABLE. Consider what is reasonable and why. In order to reduce fraud, one must take steps to reduce it despite the difficulty of completely eliminating it. Verifying the user's name and mailing address is, indeed, reasonable. Now look at the last sentence. Reasonable verification process. This means a way to verify and validate that account's information.

How does any agency that offers services do this? Often, we're required to show them our driver's license or something similar. And how do we get those forms of ID? Many states require that the person present their birth certificate and other similar items in order to get this ID.

13. Prior to 2008, Purple was aware that IP Relay had been misused by persons to defraud domestic merchants and that one of the Commission's goals in implementing the new requirements was to eliminate user anonymity and IP Relay fraud.

Up until 2014, they did nothing. How much was defrauded? Most likely the numbers are inaccurate, but could easily be way into the high millions. Can they be held responsible for these losses?

14. Due to the shortcomings in Purple's procedures, the evidence shows that Purple did not, in fact, verify the name and/or mailing address of at least 40,000 False Name registrants, yet nevertheless assigned these users ten-digit telephone numbers, and then submitted reimbursement requests that included minutes generated by such users. As described below, we find that Purple failed to institute a reasonable process to verify user registrations as required by the Second Internet-Based TRS Order.

Makes you wonder how flawed of a process was used, if any verification was used, and if any efforts were made to even try to reduce the ongoing fraud. Someone had to know about those 40,000 fake accounts. The phone company doesn't just throw a phone number at you and say that it's yours. An account has to be created and validated.

From (date redacted) until (date redacted), Purple's process made no attempt to verify registrants' names and mailing addresses.

ZERO verification of the account holder's name and mailing address.

As explained in more detail below, the Company used a (redacted) process, confirming that (big redaction). In (redacted) Purple added an e-mail component to its process; (big redaction). This e-mail component did not, however, involve any effort by Purple to verify the accuracy of the information provided by the user. The fundamental point is that Purple's (redacted) process and e-mail component never even attempted to verify the accuracy of the user's name or mailing address as required by the Second Internet-Based TRS Order.

Now why didn't they use email verification even after adding the component? It’s an easy implementation to verify and validate all three. What kind of process did they use?

Paragraph 16 basically repeats the failure of the name, address, and phone number validation.

For example, if a registrant had given an empty parking lot as his or her address, the (redacted) would have verified the address as long as the parking lot were (redacted) even if no habitable structures existed at that address.

Makes you wonder. The post office ain't gonna deliver to a parking space.

In one instance during its investigation, the Bureau examined an address that Purple had provided that was associated with 299 different registrations; each registration had listed "201 Alice St., Alger, OH 45812" as the registrant's address. No such mailing address existed. Bureau staff contacted the post office in Alger, Ohio (a town with a population of less than 1,000) and confirmed that the mailing address did not exist.

...but 299 registrants using a single fake address? I can understand maybe 2-5 of a single address, maybe a deaf family or deaf roommates living there, but 299? I tried looking it up on Google Maps, and the post office for that area was displayed. Alger is east of Lima in central Ohio just off I-75, a short 20-30 minute drive.

Paragraph 17 talks of the use of Verity assigning each registrant a reliability score. Verity is software created by Imperium, located in Westport, Connecticut.

Just how low a V-Score did Purple use?

Paragraph 18 has a lot of redactions. Basically, Purple tried to improve their validation and verification implementations, but still failed. For a programmer, it's not too difficult to add some coding routines that can verify and validate the provided email, as well as have a human send a printed letter via snail mail to the provided address. Some banks and other places use this method when their clients set up their online account: they send a letter with a confirmation code.

It's not too hard, either, to set a flag or flags on an account to show that it's locked until the email validation and/or address verification are done. On top of that, compare addresses, physical and/or email, for multiples. If an address shows up more than a certain number of times, a report can be created and sent to the appropriate person(s) within the organization. The account database should have the capability to sort by various columns or rows. Multiples will show up right there.
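The account lock and the duplicate-address report described in the two paragraphs above, as an added example (not code from Purple, the FCC document, or the original post). The field names, the abbreviation table and the threshold of 5 are assumptions, and the sample registrations are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

DUPLICATE_THRESHOLD = 5  # assumed cutoff: a household may share an address, hundreds do not
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "ohio": "oh"}  # assumed, minimal

@dataclass
class Account:
    user_id: str
    name: str
    address: str
    email: str
    email_confirmed: bool = False    # set when the emailed link is followed
    address_confirmed: bool = False  # set when the mailed confirmation code is entered

    def can_place_calls(self) -> bool:
        # Locked for calling until both checks pass; profile edits are handled elsewhere.
        return self.email_confirmed and self.address_confirmed

def normalize_address(raw: str) -> str:
    """Fold case, punctuation and common abbreviations so respelled copies compare equal."""
    words = re.sub(r"[^a-z0-9\s]", " ", raw.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def duplicate_report(accounts, threshold=DUPLICATE_THRESHOLD):
    """Return {(kind, value): [user_ids]} for each address or email used by more than threshold accounts."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[("address", normalize_address(acct.address))].append(acct.user_id)
        groups[("email", acct.email.strip().lower())].append(acct.user_id)
    return {key: ids for key, ids in groups.items() if len(ids) > threshold}

def build_sample():
    # Constructed registrations: nine respellings of the address quoted above, one unrelated account.
    spellings = ["201 Alice St., Alger, OH 45812",
                 "201 ALICE STREET, Alger OH 45812",
                 "201 Alice St Alger, Ohio 45812"]
    accounts = [Account(f"u{i}", f"Name {i}", spellings[i % 3], f"user{i}@example.com")
                for i in range(9)]
    accounts.append(Account("u9", "Pat Doe", "12 Elm Rd, Lima, OH 45801", "pat@example.com", True, True))
    return accounts

if __name__ == "__main__":
    for (kind, value), ids in duplicate_report(build_sample()).items():
        print(f"REVIEW {kind} '{value}' used by {len(ids)} accounts: {', '.join(ids)}")
```

A shared address is only a signal for human review, since the normalization here is deliberately simple and will miss spellings it does not know.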

20. Indeed, Purple knew or should have known that the False Names were so patently defective that they could not possibly have been the actual names of eligible users. However, instead of rejecting the False Names (based on their nonsensical nature) or attempting to confirm that they belonged to eligible users, Purple chose to disregard the verification requirements by accepting these names without reasonable further inquiry regarding users' actual names and mailing addresses.

It's hard, if not next to impossible, to claim they couldn't have known, as there was at least someone who had access to the account database. And this is someone I'd love to hear from.

Paragraphs 21 to 23 have Purple still claiming their processes were reasonable in the face of evidence that proves otherwise. Paragraph 22 is quite heavily redacted, with them looking like they're using certain techniques. Then the FCC in Paragraph 24 blows Purple out of their shoes, out of the water, and out the airlock.

While Paragraph 25 is long, Purple is still making claims, showing their “proof,” which, unfortunately, is mostly redacted. They've got something called a “guest user or access policy.” Apparently, the new account could immediately start making calls right when it was created. Again, we can see right there through their smoke-blowing that there was zero verification/validation. In reality, this account should have been set so that the person could not make calls, but could still modify the preferences and other entries until it was cleared. Guest accounts are typically known to allow limited access until more access is granted.

In Paragraph 26, the FCC rolls over and flattens Purple's claims in 25. And then in 27, Purple shoots a major hole in itself by “suggesting that it should have (redacted) because it reportedly did not (redacted). Purple's actions, however, are inconsistent with this suggestion.” Then the Commission takes one final shot in 28, saying that Purple failed to implement a reasonable verification process for the time periods covered. In the entire report, the word reasonable is used.

Then like a judge delivering his/her verdict:

B. Purple Apparently Violated Section 64.604(c)(5)(iii)(D) of the Commission's Rules by Submitting Inaccurate Data to the TRS Fund Administrator and for Seeking Reimbursement for Calls That Were Not Compensable

The Commission delivers the penalty, a forfeiture proposal, meaning to pay back or give up. After reading the charges, the Commission delivers a judgment of requiring Purple to pay back $11,937,549.

So what does this mean for the future of IP-Relay? First, take a look at what I've said above. Then, decide on how the fraud will be reduced. Next, answer the question about the sustainability of the rates, given the history of the FCC lowering them every year compared to other TRS rates.

Purple has a call center in the Philippines. With the lower labor costs out there, why can’t they make a profit at the current rate paid, which is $1,039/minute?

Once the reasonable procedures are followed, then fraud will be reduced greatly.
