New Delhi: Look away from your phone for a while, and you will return to at least more than one SMS offering all kinds of wares and services, from credit cards and real estate, to offers that sound too good to be true (and probably are).
They are an annoyance alright, but many of these can also pose a threat by luring customers to click on malicious links while exposing them to phishing bids.
Three years ago, the Telecom Regulatory Authority of India (TRAI) brought in the Telecom Commercial Communication Customer Preference Regulation (TCCCPR), 2018, which put in place a mechanism to vet messages before they reach a customer.
This was meant to tackle the deluge of spam mobile phone users are all too familiar with. The rules required telcos to use a technology called Distributed Ledger Technology (DLT) to bar the transmission of certain messages — including those from entities not registered on the platform, and SMSes from firms in a template that the companies haven’t registered with telecom service providers. The rules also allow mobile phone users to specify their preferences vis-a-vis receiving commercial communication.
The process of filtering these messages before they reach users is known as scrubbing.
The rules, enforced Monday, brought in a safeguard for customers. However, the telecom regulator Tuesday suspended them for seven days, potentially setting the stage for a barrage of spam SMSes to inundate users’ phones.
To understand why TRAI would suspend a mechanism that was brought in for user safety, one needs to understand the challenges that have stalked its implementation. The latest of these saw many users left waiting in vain for their OTPs because a few banks and other commercial entities, as also government bodies, were yet to get on board with the mechanism.
Also read: Why TRAI white paper on smart cities infrastructure mentions ‘security’ 106 times
A safety mechanism is implemented
The TCCCPR was introduced in 2018 with the purpose of curbing “the problem of unsolicited commercial communication (UCC)”.
Under the TCCCPR, TRAI asked all telcos to adopt a Distributed Ledger Technology (DLT)-based system to manage commercial communications. The regulation further required businesses or any entity — banks, hospitals, retail outlets, government bodies — that wants to send communications to mobile phone users to register their identities with each telco, and furnish a template for their SMS and voice call communications.
If an entity (known as “principal entities” in TRAI parlance) that is desirous of sending out messages, including OTPs, is registered with telcos, and so is their template, the DLT system will allow their SMSes to go through.
If they aren’t registered to be recognised by the system, then the communications won’t be allowed to pass through.
The full implementation of TRAI’s 2018 rules has been delayed because principal entities sought more time to adapt to the new system, according to a telco official who didn’t wish to be named.
When the rules came out in 2018, telecom industry body Cellular Operators Association of India (COAI) — representing telcos like Airtel, Jio, and Vi (or Vodafone-Idea) — also sought more time to understand how to implement a DLT-based system, on account of the high costs involved.
Now, however, all telcos have been using the DLT system for 8-9 months or so, the telco official said. However, not all principal entities are on board even now, and TRAI has been trying to change that.
Why were the rules suspended?
Originally, TRAI wanted the regulations to come into effect from 28 February 2019. Then, on 20 January 2020, TRAI asked telcos to take measures to get principal entities to register with the new process.
“TSPs (telecom service providers) published the requirements of a new regulatory framework in leading newspapers, from time to time, to inform all PEs (principal entities) to get onboard. TSPs also notified telemarketers and principal entities regarding the implementation of [SMS] content template scrubbing and other provisions of TCCCPR, 2018, from time to time,” TRAI said of efforts made by telcos in this regard.
However, the same year, online payments app Paytm moved the Delhi High Court alleging telcos were not fully implementing the 2018 regulations. It claimed phishing communications to telco customers were using the name of Paytm and its likeness to defraud customers, and sought Rs 100 crore from telcos in damages.
In February 2021, the Delhi High Court disposed of Paytm’s petition and asked TRAI for “strict compliance” of the 2018 regulations.
This order for strict compliance with the 2018 regulations to filter out spam and unsolicited commercial communications created a problem when it was implemented Monday — if a principal entity or their template was not registered with the new system, their customers simply stopped getting OTPs. Many users aired their complaints in this regard on social media Monday.
Hence, the seven-day suspension of SMS “scrubbing”.
@samirk02 Sorry to hear you're not able to get OTP. I'd like to direct you to our partners in India to have this looked into. For contact options visit https://t.co/vmQAWOmjKC. To request them to call you within 2 business days complete this form https://t.co/W7g6iN7ahv. ^John
— Ask Citi (@AskCiti) March 9, 2021
@cbic_india @Infosys_GSTN @GST_Council
OTP is not coming in Rediffmail's ID.
— AdvManishseth☘महादेव (@MANKANISH) March 9, 2021
@MoHFW_INDIA neither Cowin portal nor Arogya setu app is sending the OTP when trying to register for vaccination. Why can't you allow walk in vaccination for eligible citizens?
— Subali (@sudhakarbal) March 9, 2021
Not receiving any OTP since yesterday.@DoT_India , please help.@TRAI
I need to accept a job offer but not able to do since it requires otp to authenticate.— Siddharth Choudhary (@siddharth_0501) March 9, 2021
Also read: Rhea Chakraborty’s TV trial for TRPs shows why TRAI should stop fixing channel prices
What happens next
Explaining why it decided to suspend the 2018 spam filtering rules, TRAI said on 9 March, “It has been observed that some of the principal entities have not fulfilled the requirements as envisaged in Telecom Commercial Communications Customer Preference Regulations, 2018. As a result, their SMS were getting dropped after implementation of the scrubbing of SMS by telecom service providers.”
The suspension is meant “to enable the principal entities to register the template of SMS so that no inconvenience is faced by the customers”.
Experts say this decision will expose users to more spam SMSes.
A telecom industry veteran, who didn’t want to be named, confirmed to ThePrint that there will “potentially” be a rise in the number of spam SMSes that customers receive.
The aforementioned official of the telecom service provider said “obviously, there will be more spam”. “With no filtering, it’s like a free highway for both the legitimate SMS senders and spam senders,” the person added.
Telecom consultant Mahesh Uppal agreed. “It would stand to reason that there would be a rise in unsolicited commercial SMS since the scrubbing of SMS to remove spam has been suspended temporarily. Let us hope TRAI will fix the problems and bring out more robust regulations to deal with unsolicited commercial communications.”
(Edited by Sunanda Ranjan)
Also read: With new telecom policy, Modi govt starts the game of hitting China where it hurts the most
Well, It’s very wrong direction to stop the pishing / spam message. The whole intention is to trace the source. If that can be strictly implemented, it ll help.
Also I ll not suprised Govt ll put the blame on ISP for the UPI fraud because their NW is used. Unfortunately Operators are pushed to the wall.
https://m.timesofindia.com/city/bengaluru/bengaluru-two-landlords-scan-qr-codes-sent-by-fake-tenants-cheated-of-rs-1-2-lakh/amp_articleshow/81387968.cms
When we are promoting digital India, we must ve the machanism to track and solve the problem. Well all these goes to a digital fraud only. If we handle that, it ll be better.
I remember, Delhi CM’s daughter was also a victim of UPI fraud, but the culprit was caught only in 2-3 days, I wish our cyber police ll work on the same speed, then no one ll dare to do this fraud / pishing things..