copyright notice
link to the published version: IEEE Computer, March, 2023; link to archive copy
link to the related Ars Technica article by Ashley Belanger, 6/30/23

accesses since March 7, 2023


Hal Berghel

ABSTRACT: When it comes to 911 Swatting and doxxing, VoIP takes this digital mischief to a new level.

“Swatting” or “911 swatting” is a malicious act that involves making fraudulent 911 to cause emergency response teams such as law enforcement SWAT teams (that's where the gerund's root comes from) to react forcefully to a non-existent public threat. [1] Swatting is commonly an act of personal retaliation and/or revenge against targeted victim(s) for offenses real or imagined. 911 Swatting has become so widespread that several sub-classes have been defined:

  1. celebrity swatting directed against public figures [2]
  2. gamer swatting directed against adversaries in online game environments [3]
  3. Ideological swatting directed against ideological adversaries [4]
  4. partisan swatting directed against politicians [5][6]
  5. hate swatting or mean-spirited attacks motivated by bigotry, racism, homophobia, or personal animosity [7] [8]
  6. coercion swatting intended to compel others to behave involuntarily. An example is retaliation against the victim of a failed extortion or blackmail attempt. [9]
  7. Coercion swatting shares objectives with cancel culture. [10]

911 swatting is closely aligned with criminal doxxing which reveals personally identifiable information to embarrass, traumatize, intimidate, bully, harass or encourage acts of violence against victims

In any of its current manifestations, 911 swatting is intuitively an act of primarily domestic terrorism directed against noncombatant targets for personal reasons. Although federal legislation against 911 swatting has been proposed over the past decade, as of this date none of this legislation has passed through Congress. Domestic terrorism legislation has a similar record. As a consequence, prosecution for 911 swatting and domestic terrorism is subsumed under other statutes dealing with fraud, civl rights, hate crimes, Patriot Act, etc. [11] One consequence of this legislative ambivalence is that there is no way to know exactly how widespread 911 swatting is because law enforcement does not track it as a separate category of crime. However, by everyone's estimate, 911 swatting is on the rise despite the spate of state laws that call for severe punishment.

Who's doing this? A mangy mix of people with low self-esteem and anger management issues? Pranksters? Ill-behaved gamers? Hackers and low life? In short, all of the above and more. With VoIP in their hands, what could possibly go wrong? Since 911 swatting involves computing and network technology, it's worth our attention.


911 swatting seems to be the latest knot on the thread of mischief that began with telephone pranking that likely dates back as far as telephony itself. The “Upjohn? – Yes. – Then go back to bed” gag likely dates back to the days of Alexander Graham Bell. And anonymous threats of death or violence by assault, bomb, or other terrorist acts, have accompanied humanity throughout history. These two threads converge in bogus threats which are specifically created to alter or disrupt target behavior through fear, intimidation, harassment, or guile. This convergence is the deflection point for 911 swatting for it is mischievous behavior that can be claimed to be ambiguous with respect to violent intent. While it could be intended as a prank, it could also be intended as a legitimate act of terrorism. As such, 911 swatting seems to enjoy a special place in the anonymous prank-harassment-bullying-doxxing-terrorism spectrum. 911 elevates vitriol, hate, and vengeance to the level of likely violence with the unique spin that the source of violence is law enforcement. It is, if you will, an individualized form ochlocracy – where every malcontent becomes a dangerous mob unto him/herself.

VoIP is telephony on the cheap where the digitized messaging is offloaded to the Internet. VoIP is simply an extension of the TCP/IP protocol suite that enables voice communication: the payloads of the packets are audio encodings. As with other practical and useful Internet services/protocols (e.g., the world wide web/HTTP, HTML, email/SMTP, POP, IMAP, multimedia streaming/RSTP. SCTP) the magic takes place at the application layer. VoIP is a conjunction of protocols framed around a core that includes the Session Initiation Protocol (SIP) [12] for connection management and the H.323 family of protocols for managing the multimedia communication [13]. It should be mentioned that as we use the term, VoIP excludes incompatible proprietary standards such as Skype that offer similar network-based services.

Since the packet payloads are multimedia encodings, the overall theme of SIP is similar to HTTP, but with the notable exception that uniform resource identifiers may also contain phone numbers as USER IDs. As with other multimedia delivery oriented protocols, SIP is ambivalent with regard to transport layer protocols. For our present purposes we need only recognize that (a) VoIP uses IPv4 and IPv6 packet payloads as the carriers of the audio/video media encodings, (b) that there is a hardware/software connection between a computer or computer system and some media appliances that are compatible with telephony, and (c) that packet addresses will include telephone numbers. After that, VoIP may be thought of as just another packet-based application within the TCP/IP protocol suite.

Dedicated VOIP providers like Intermedia Unite, RingCentral, and Vonage work in this space, as do high tech companies such as Microsoft. All VoIP businesses offer suites of cloud-based services that can include such things as SMS messaging, call monitoring, voicemail-to-email conversion, video conferencing, etc. Such suites fall under the rubric of unified communications-as-a-service (UCaaS). When offered by traditional high tech companies, these suites are integrated with their existing products. Microsoft, for example, integrates their VoIP offering their Teams platform and Microsoft 365 infrastructure. Current cloud-based VoIP offerings are the fulfillment of the NSF-sponsored Global Schoolhouse Project that interconnected four K-12 classrooms in the U.S. and England [14][15] and Cornell University's CU-SeeMe videoconferencing platform, both of which date back to the mid-1990s. [16]


As VoIP is built upon TCP/IP, the latter's vulnerabilities carry over to the former and becomes enhanced. Where traditional Internet denial of service attacks might involve packet flooding to overwhelm the network interface cards, VOIP DOS attacks could use similar techniques to overwhelm VoIP routers and circuits with bogus VoIP phone calls. In addition, VoIP hacking has additional attack vectors such as toll fraud because, unlike Internet TCP/IP traffic, VoIP is a revenue-based service. In addition to DOS and theft of services, VoIP is in principle vulnerable to the same range of malware as the Internet itself, including those that result in data theft, impersonation fraud, eavesdropping, call tampering, and all sundry forms of malware. Needless to say, remediation is also similar. [17]

Of VoIP vulnerabilities, spoofing is the most directly relevant to 911 swatting. But where packet spoofing in TCP/IP would normally involve the use of inauthentic IP or MAC addresses to achieve stealth, with VoIP spoofing involves the use and manipulation of inauthentic caller IDs. It should be remembered that the Internet was not built around a robust security model that required authentication. And since packet crafting makes virtually every element of a packet header fungible, there's not much that can be done about it. The packet-fungibility-VoIP-ship set sail in the 1960s with the launch of TCP/IP long before VoIP was conceived. VoIP hacking for the most part is just the current manifestation of TCP/IP protocol bending.

In short, VoIP attack tactics follow familiar patterns including reconnaissance and scanning, topology mapping, active and passive fingerprinting, password detection, and so forth. Those familiar with the principles of network forensics will note the similarities with Enable Security's SIPVicious toolkit. [18]

In short, since VoIP is based upon the TCP/IP protocol suite, it is to be expected that it can be hacked, that user's personal information is vulnerable to misuse, that packets can be corrupted, users may find communication meta data unreliable, specifically including caller ID. Armed with spoofed caller IDs and source IP address, VoIP swatters are ready for business.


The Truth in Caller ID Act of 2009/S30 [19] makes it illegal for any person within the U.S. to “cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value ” [emphasis added] unless specifically exempted (e.g., law enforcement, court actions). In 2020, the Federal Communications Commission (FCC) used this law to fine a telemarketing company for spoofing caller IDs during political robocalls. [20] Unfortunately, the use of spoofed caller IDs to discourage call tracing and avoid call blocking are not specifically addressed in this legislation. Further. there is a logical problem with the structure of this legislation as it focuses on the intent of the source rather than the activity. One must ask what legitimate, lawful uses, if any, society should expect of caller ID spoofing. Crafting criminal law around the predicted intentions of criminals rather than the criminal conduct is a sub-optimal strategy. The same mistake of attempting to build in “intent” was made with Do Not Call legislation as exemptions were made for political calls, not-for-profit organizations, pollsters, surveyors and the like, who collectively proclaim their activity is a public service of indispensable social value. Attempts to frame unacceptable behavior around intent invariably disfavors the general public interest. The motivations behind this approach are motivated by political, economic, and parochial interests and not the welfare of society.

Subsequent to S30, the FCC introduced two rules that bear directly on the ability of law enforcement agencies to identify the source of 911 calls: Kari's Law and the RAY BAUM'S Act that took effect January 6, 2020. [21] Kari's Law required all new multi-line telephone systems (MLTS) to support 911 direct dialing with appropriate notifications and alerts to the particular branch location (e.g., front desk, security office) along with location and callback information. Ray Baum's Act required that every multi-line telephone system (MTLS) send a “dispatchable location” with every 911 call along with a call source ID to the public safety answering point (PSAP) (e.g., 911 call center) regardless of the technological platform used. This specifically includes, but is not limited to the installed MTLS base of legacy private branch exchange (PBX), central office exchange service (Centrex), and key telephone systems (KTSs) along with interconnected Voice over Internet Protocol (VoIP), internet-based Telecommunications Relay Services (TRS), mobile text, and hybrid systems. [22] While the original intent of Kari's Law and RAY BAUM'S Act was to facilitate emergency services response to legitimate threats to public safety, when viewed from the lens of S30, they can also be seen to apply to 911 swatting. Like all anti-crime legislation, they also have the unintended effect of motivating tech-savvy 911 swatters to step up their game.


That depends and the penalties are a moving target depending on jurisdiction. In California under Senate Bill 333, it is a misdemeanor crime to intentionally and knowingly make a false 911 call. This carries a penalty of one year in county jail and/or a $1,000 fine. But it is a felony crime to make a false 911 call if one knows, or should have known, that the emergency response will likely lead to great bodily injury or death. The penalty for this felony is up to 3 years in county jail and/or $10,000 fine plus reimbursement of reasonable costs to responding agencies. [23]

In Michigan under Penal Code Section 750.411a effective Jan 1, 2013 it became a misdemeanor crime to intentionally make a false report to a 911 operator or law enforcement which is punishable for up to 93 days' imprisonment and/or a $500 fine, but it is a felony crime if personal injury results which is punishable up to 5 years' imprisonment and/or $20,000. If death results, the punishment increase to up to 15 years' imprisonment and/or a fine up to $50,000. [24]

Other states (e.g., Minnesota, Florida) have followed suit with similar 911-swatting legislation. Connecticut and Nevada have expanded the legislative theme to anti-doxxing legislation [25] [26]. Although federal legislation has been proposed [27], as of this writing there is no federal statute that specifically relates to 911-swatting or doxxing. Whatever federal legislative protections are available are currently subsumed under laws relating to interstate threats, conspiracies, endangering public safety, compromising national security, etc. The state legislative reactions to 911-swatting appears to embrace the general theme that if no one is hurt, such a crime would constitute a misdemeanor; else, a felony. Some states (e.g., New York) subsume some swatting under existing laws that penalize a “depraved indifference to human life.” Although there are examples of successful federal prosecution of swatters and doxxers [28], for the foreseeable future any significant statutory relief is likely to be piecemeal, fragmented, and local. States have been more united in legislating the operational side of 911 laws, including VoIP, than the protection of privacy. [29]


We can add 911 swatting, VoIP swatting, and doxxing to our list of anti-social, cultural phenomenon at this point – along with social media disinformation campaigns, privacy-abusing apps and websites, the surveillance economy, etc. Interestingly enough, one of the earliest reports of 911 swatting was actually a hoax. [30] But it's not a hoax any longer, but rather very real, very dangerous, and on the rise. The problem is exacerbated by the fact that the hacking aspects are documented on the Internet. [31][32] There is no question that the current malaise deserves continued vigilance by the computing and networking communities.