“Zapping Rachel”

“Zapping Rachel”

Federal Trade Commission (FTC)

Summary

Robocalls—or prerecorded phone messages trying to sell something—have plagued consumers for years.  The vast majority are illegal and often peddle scams.  Although the FTC has taken aggressive law enforcement actions against robocallers, these perpetrators exploit technology to mask their identities and avoid detection.  To stem the tide of robocall harassment, the FTC has unveiled a number of initiatives to help protect consumers from illegal robocalls, including issuing public challenges to stimulate the development of technological solutions that address this prevalent issue.

The FTC Robocall challenge logo features robocall bot Rachel in crosshairs.

The FTC Robocall challenge logo. (Image courtesy of FTC)

Following on the success of its first challenge in 2012, the FTC held its second robocall contest, Zapping Rachel, at DEF CON 22, one of the oldest conferences for information security experts.  Zapping Rachel’s primary goal was to develop the next-generation robocall honeypot—information systems, or a collection of phone lines, that gather data on robocalls.  Robocall honeypots can enhance law enforcement efforts and advance technological solutions that combat robocalls, as well as further the general understanding of robocaller tactics.  In addition, the FTC hoped to gain new insights from information security experts, engage new partners from the technology community, stimulate the development of private-sector robocall solutions and raise public awareness of FTC goals.

The FTC divided Zapping Rachel into three phases, and contestants could enter one or more phases as individuals or teams.  For phase one, contestants designed a honeypot that identified inaccurate call detail information (i.e., spoofed caller IDs) or categorized incoming phone calls to identify likely robocalls.  For phase two, contestants identified methods of circumventing a honeypot so that the honeypot could not collect information about the incoming calls.  For phase three, contestants analyzed data from a honeypot and developed algorithms that predicted robocalls.

The FTC awarded a total cash prize of $12,075 divided between the three phases.  The winners of the best solution for each phase received $3,133.70.  For phase three, two contestants also received the honorable mention prizes of $1,337 each.  All five winning teams or individuals also received recognition from the FTC.  The prize money came from FTC appropriations, as authorized by the America COMPETES Reauthorization Act.  All solutions are open-source and the FTC made the winning solutions for phases one and three available online.

The FTC announced Zapping Rachel on June 16, 2014.  Phase one opened on July 18, 2014, and phases two and three opened on Aug. 7, 2014.  The submission deadlines were Aug. 8, 2014, for phase one, and Aug. 9, 2014, for phases two and three.  The judging period for all three phases took place Aug. 8-10, 2014, and winners were announced on Aug. 28, 2014.

The FTC drew on partner relationships from a diverse array of experts as it formulated Zapping Rachel.  The FTC’s partners included prior Robocall Challenge winner Aaron Foss’s company Telephone Science Corporation and VOIP service provider Twilio.  Aaron Foss partnered with the FTC on all three phases of Zapping Rachel, including by providing the means of testing the honeypot submissions for phase one, creating the honeypot for phase two and providing the honeypot data for analysis in phase three.  Twilio partnered with the FTC for phases one and two by providing credit for contestants to use its platform. Both Telephone Science Corporation and Twilio signed memorandums of understanding and nondisclosure agreements to formalize the partnerships.

The Canadian Radio-television Telecommunications Commission, Federal Communications Commission, the White House, the General Services Administration and academic advisors also assisted in providing guidance on designing the challenge.  Moreover, DEF CON 22 organizers provided assistance with marketing and promotion.

Results

Zapping Rachel was a success for many reasons.  First, stakeholders involved in the fight against robocalls obtained new insights on honeypot design from the open-source solutions, improving the functionality of current honeypots.  The new insights advance law enforcement efforts and help further stakeholders’ understanding of robocaller tactics.

Second, private-sector companies developing technical solutions to combat robocalls have expressed interest in utilizing the open-source solutions and the new insights to improve their product designs, thus better protecting consumers from illegal robocalls.

Third, Zapping Rachel attracted individuals who had not previously worked on stopping robocalls. For example, many of the individuals or teams who participated in phase three did not have any prior experience working on telecom-related issues. Winners for all three phases are mostly from the private sector, in industries from telemarketing to computer games.

Fourth, by holding the contest at DEF CON 22, a conference attended by roughly 20,000 people, the FTC conducted effective outreach to a community of information security experts regarding the purpose of Zapping Rachel, the robocall problem and the FTC’s technological initiatives to tackle it.

Many DEF CON attendees that did not participate in the contest were interested in learning more about robocalls and offered numerous promising ideas to tackle this thorny issue.  Since Zapping Rachel concluded, the FTC has gained several new partners from DEF CON 22 who are now working with the FTC and other industry stakeholders through the London Action Plan International Cybersecurity Enforcement Network and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) to create solutions to stop illegal calls, as well as the related topic of fraudulent caller ID information.

Finally, Zapping Rachel’s broad media attention promoted public awareness of the FTC’s technical initiatives.  In particular, the media’s interest in the topic gave the agency an opportunity to convey its consumer education messages about illegal telemarketing calls to a broad audience.

Areas of Excellence

Area of Excellence #1: “1.3 Define the Problem to Be Solved”

After the FTC amended the Telemarketing Sales Rule in 2009 to prohibit the majority of robocalls, the FTC noticed a steady rise in the number of consumer complaints it receives on this issue.  The FTC receives more complaints about robocalls than any other topic, averaging approximately 300,000 consumer complaints per month.  To explore the causes of this consumer frustration, the FTC held a public meeting—the Robocall Summit—in October 2012, bringing together industry experts, telecommunications providers, academics and government regulators.  The Robocall Summit made clear that the convergence of the legacy telephone system and the internet has given rise to a new environment where robocallers can blast millions of calls to consumers at minimal cost, while simultaneously hiding their identities. The Robocall Summit also explored whether a technological solution could be developed to attack this scourge.  The FTC concluded the Summit by launching its first robocall challenge to stimulate private sector development of call-blocking technologies.

After the success of the first robocall challenge, the FTC continued working with stakeholders interested in developing technological solutions through industry groups such as M3AAWG.  One M3AAWG initiative was the development of robocall honeypots.  Although honeypots are successful tools that have been applied in other arenas, such as reducing email spam or dealing with malware, they had not yet been used to combat robocalls.  In 2012, the FTC launched its own robocall honeypot.  To further explore the use of honeypots in combatting robocalls, the FTC decided to launch its second contest, Zapping Rachel, and tap into the ingenuity of information security experts to generate ideas on how to develop the next-generation robocall honeypot.

Area of Excellence #2: “2.8 Prepare to Announce”

In announcing Zapping Rachel, the FTC took several steps. First, the FTC identified its target audiences and developed appropriate communication strategies for each audience type.  The audience type ranged from consumers harassed by robocalls to information security experts attending DEF CON 22.  The communication strategies included posting consumer friendly blog posts and hosting social media chats to allow potential contestants to ask questions about the contest.  Second, the FTC developed a contestant friendly website to provide the key pieces of information with respect to the contest deadlines and events.  Third, the FTC developed promotional materials, graphics and logos designed to attract DEF CON attendees to participate in Zapping Rachel or learn more information about the robocall problem and the FTC’s technological initiatives.  The promotional materials included a large banner advertising the contest, stickers with the contest logo and website, a 6-foot-tall cutout of Rachel the Robocaller, infographics on how a robocall works and poster handouts with background information about Zapping Rachel, the FTC’s law enforcement mission, and the FTC’s technical initiatives on robocalls.  Fourth, the FTC worked with DEF CON organizers to promote Zapping Rachel, including posting a video of Zapping Rachel on social media during DEF CON 22, connecting with relevant media outlets and preparing and launching a PSA over DEF CON radio.  Finally, the FTC worked with GSA to ensure that all relevant contest materials were posted and available on Challenge.gov.

Throughout each step, the FTC ensured that staff members with relevant expertise were engaged in every step of formulating and executing the communication plan, including the contest project manager and experts in consumer outreach, media outreach, graphic design, video design and website design.  FTC staff members developed all materials used in the communication strategies, including the contest website, graphics for the promotion materials, infographic on robocalls, poster handouts and the radio PSA.  FTC staff also consulted with the contest judges and other FTC employees familiar with the DEF CON community on the appropriate promotional materials to use and their design.  The FTC used outside vendors to create the stickers and 6-foot-tall cutout of Rachel the Robocaller.

Area of Excellence #3: “3.2 Accept Solutions”

For each phase, contestants were required to submit source code and a written description of their proposed solutions.  For phase one, contestants were also required to provide access to the honeypot and the associated call detail records from the honeypot.  For phase two, contestants were also required to submit all means necessary for the judges to replicate the proposed solution.  For phase three, contestants were required to submit an answer key of the calls they predicted to be robocalls.

Contestants submitted their solutions by email and the requested documentation as attachments or as links to accounts on repository hosting services that contained the solutions.  Contestants also provided all necessary information to access those accounts in a secure manner.

Area of Excellence #4: “5.1 Document Metrics, Results and Outcomes”

In order to track the success of Zapping Rachel, the FTC defined three clear goals of its contest.  First, the FTC hoped that Zapping Rachel would generate design ideas for the next-generation robocall honeypot.  Second, the FTC hoped to engage a community of information security experts that have not yet applied its expertise to the robocall problem.  And third, the FTC hoped to promote public awareness of the FTC’s technical initiatives to fight robocalls and disseminate consumer education on this issue.

To measure the success of each of these goals, the FTC kept track of specific metrics as required by the COMPETES Act.  For example, to ascertain the success of the FTC’s first goal of creating the next-generation robocall honeypot, the FTC assessed the quality of the submissions and the interest that industry demonstrated in applying the insights.

To track the success of the FTC’s second goal of engaging information security experts, the FTC gathered metrics on

  • the number of contestant registrations and submissions by collecting contestant registration forms;
  • the number of individuals that FTC staff spoke with at DEF CON by tracking materials distributed at DEF CON;
  • the number of individuals or companies who have continued engaging with the FTC through industry groups such as M3AAWG; and
  • the number of individuals who participated in the FTC’s outreach efforts through social media.

FTC staff

  • collected 96 registration forms for all three phases;
  • distributed approximately 4,900 promotional materials (e.g., copies of the official rules, FTC fact sheet, robocall infographic, contest fliers and contest stickers);
  • gained three new partners who have continued to engage with the FTC through M3AAWG;
  • generated 323,543 impressions from the FTC’s 67 tweets; and
  • reached 14,864 people through the FTC’s other outreach efforts on social media.

Additionally, the FTC contest website received 18,214 unique page views of the contest homepage, the rules, judging criteria, FAQs, resources and contest judges.

To determine the success of the FTC’s third goal of promoting public awareness of the robocall problem and the FTC’s initiatives, the FTC tracked

  • metrics such as the number of media outlets who covered Zapping Rachel;
  • the number of individuals who saw the FTC’s social media campaign;
  • the number of individuals who visited the Zapping Rachel website and other consumer blog posts on Zapping Rachel; and
  • the number of individuals who saw the FTC’s press releases regarding Zapping Rachel.

FTC staff spoke with media outlets, including major print outlets, technology blogs and websites, other widely read websites, national and local radio and television shows, regarding the contest that resulted in more than 35 stories that covered or mentioned the contest.  The FTC’s press releases and blog posts received 22,413 unique page views.

Challenge Type

Software

The overall goal of Zapping Rachel was to create the next-generation robocall honeypot and to tap into the ingenuity of technologists with information security expertise.  The contest was structured in three phases that focused on different aspects of building or utilizing a robocall honeypot including the creation of a honeypot that could analyze data in real-time, circumvention of a honeypot to prevent the honeypot from functioning as intended, and analysis of data from a honeypot.  The FTC formulated Zapping Rachel so that each phase would appeal to solvers with different skill sets, but the insights of each are important in developing different aspects of the next-generation honeypot.  Additionally, as demonstrated by the winners of the contest, solvers did not need extensive expertise in the telephony industry to successfully compete in the contest.  For example, in phase three, many of the contestants were individuals with expertise in data analysis and algorithm development, and most did not have prior experience dealing with telephony systems.

Legal Authority

America COMPETES Act

Challenge Website

www.ftc.gov/zaprachel

April 29, 2016