WASHINGTON, December 13, 2019 – The industry group that is hammering out technical standards governing an anti-robocall framework announced Thursday that that the STIR/SHAKEN framework will launch on Monday, December 16, 2019.
The launch of STIR/SHAKEN calling verification service won’t be final word in ending robocalls. But the much-anticipated milestone does represent a significant achievement for the creation of an entirely new framework governing authenticated telephony.
The rampant rise of robocalls have made person-less phone calls uniquely despised. The widespread disgust associated with time-wasting, distracting and fraudulent calls highlights the one thing that Republicans, Democrats and independents can all agree upon: Government must stop robocalls.
Indeed, the announcement of Monday’s launch of the STIR/SHAKEN framework by the Secure Telephone Identity Governance Authority (STI-GA) is merely one of three forums in which the battle against robocalls is being waged.
“The successful launch of STIR/SHAKEN by the industry-led STI-GA is a major step in the fight to mitigate illegal robocalls and Caller ID spoofing,” STI-GA Chair Linda Vandeloop said Thursday.
In addition to the for-now-voluntary STIR/SHAKEN standard, legislation mandating the use of STIR/SHAKEN by the providers of telephone service is likely to be passed by Congress within the next week.
Even if legislation isn’t passed, Federal Communications Commission Chairman Ajit Pai has done everything possible to rally responsible telephone providers against robocalling – up to and including Thursday’s $10 million fine against an allegedly illegal robocaller.
The origins of STIR/SHAKEN call authentication framework
STIR/SHAKEN is an industry-developed system to authenticate caller ID and hence address unlawful telephone call spoofing. It is designed to confirm that a call actually comes from the number indicated in the Caller ID, or – alternatively – at least to attest that the call entered the U.S. telephone network through a particular voice service provider or gateway.
STIR stands for Secure Telephony Identity Revisited, and is a standard developed by the Internet Engineering Task Force. The loosely-form acronym SHAKEN stands for the “Signature-based Handling of Asserted information using toKENs.”
It is this latter standard that has been the subject of intensive negotiation among telephony engineers in the STI-GA, which was formed to develop STIR/SHAKEN, as well as the non-profit telecom standards organization Alliance for Telecommunications Industry Solutions.
Importantly, the STIR/SHAKEN framework only works on the internet protocol-based telephone networks, including Voice over Internet Protocol services, to which most enterprise callers have migrated.
Estimates vary widely, but a significant chunk of traffic of calls on the public switched telephone network – perhaps as much as half — remain non-IP-based calls. Robocallers, however, almost all use VoIP.
The fundamental idea behind STIR/SHAKEN is that, using public key cryptography, a telephony provider would “provide assurances that Caller ID information transmitted with a particular call is accurate,” according to the FCC’s June 7, 2019, declaratory ruling on robocalls. “Once an originating or gateway provider has implemented these standards, it should sign, or attest to, all IP-based calls originating on its IP-based network or entering the network through its gateway.”
There are three levels of attestation: Level A, or full attestation; Level B, or partial attestation; and Level C, or gateway attestation.
Level A is easy. When a customer using a telephony provider’s network originates a call, and the telephony provider knows that number is associated with a legitimate customer, the provider passes the Level A attestation to the receiving telephone network.
Level C is also pretty straightforward: It refers to the minimal level of attestation that is expected when, for example, a foreign-originating call enters the gateway to a U.S.-provider’s telephone network. The domestic telephone carrier would pass the “Level C” attestation to the terminating carrier, or the carrier of the person who receives the phone call.
Key determinations about attestation of STIR/SHAKEN have yet to be made
In announcing the availability of the calling number verification service, the industry groups STI-GA and ATIS were mum on one of the major issues still in dispute in regard to Level B attestation.
In other words, the rules that govern partial attestation – when the signing voice service provider has not established a verified association with the phone number, but has some other kind of direct relationship with the customer in question – have not yet been made clear.
Beginning on Monday, December 16, however, voice service providers can register with iconectiv, which is the Secure Telephone Identity Policy Administrator, to obtain credentials in order to acquire STI certificates from approved Certification Authorities.
These certificates will be used to authenticate Caller ID, inform customers if the Caller ID was spoofed and to facilitate tracing calls back to their origin.
“Setting SHAKEN into action completes a major milestone in an initiative that brought the industry together through ATIS to find a solution to address the formidable challenge of illegal robocalling,” said ATIS CEO Susan Miller. “This development advances a top industry priority critical to restoring consumer trust in the voice network.”
ATIS and the policy body STI-GA recommended that service providers read the Service Provider Guidelines before registering for the call verification service online. Once registered, service providers will be able to access a list of Certification Authorities that can assign digital certificates used to sign calls and authenticate Caller ID.
If industry self-regulation of robocalls falters, legislation is likely to mandate telephony rules
On Wednesday, December 4, 2019, on a 417-3 vote, the House approved passage of S. 151, the Pallone-Thune “Telephone Robocall Abuse Criminal Enforcement and Deterrence Act,” or the TRACED Act, sponsored by House Energy and Commerce Committee Chairman Frank Pallone, D-N.J., and former Senate Commerce Committee Chairman John Thune, R-S.D.
The revised legislation built upon Thune’s TRACED Act, and effectively requires the implementation of the STIR/SHAKEN technology that is still under development. On December 4, the House incorporated some element of Pallone’s prior H.R. 3375, the Stopping Bad Robocalls Act – and which had not mentioned or mandated STIR/SHAKEN.
The House-passed bill, which now awaits passage by the Senate, “require[s] a provider of voice service to implement the STIR/SHAKEN authentication framework in the internet protocol networks of the provider of voice service” within 18 months of the passage of the legislation.
There are, however, many reasons why certain call spoofing may be legitimate. At a June forum on the subject, Rebecca Thompson, the head of government affairs at Twilio, illustrated several examples. These include protecting Uber riders’ numbers, womens’ shelters and crisis counseling lines preserving safety and privacy. She also pointed out cases of legitimate robocalls, including notifications from schools or emergency providers, that could potentially be blocked.
The TRACED act includes a provision requiring the FCC to develop rules, no later than one year after passage, that would create a safe harbor “establishing when a provider of voice service may block a voice call based, in whole or in part, on information provided by the [STIR/SHAKEN] call authentication framework.”
Pai attempt bully-pulpit regulation and enforcement, even before TRACED Act’s passage
The legislation will give the FCC authority to prosecute robocallers that it might otherwise lack.
In a speech at an anti-robocall symposium on November 22, 2019, Pai said that while he was grateful for industry efforts to implement STIR/SHAKEN, “the reality is were are only seven weeks away from the end-of-the-year deadline, and we are not yet seeing sufficient implementation by all major voice providers.”
He continued: “To any carriers out there who might not be treating this deadline with the urgency it deserves, I am putting them on notice now: at my direction, Commission staff is actively working on developing regulations to make this happen. If industry doesn’t get the job done on time, I will not hesitate to call an FCC vote on these new rules.”
Even without authority to go after carriers who dally in implementing a still-incomplete STIR/SHAKEN, the FCC is taking enforcement action against robocallers using the authority granted from other legislation.
Indeed, on Thursday, the FCC imposed a $9,997,750 fine in issuing a “notice of apparent liability” against Kenneth Moser and his telemarketing company Marketing Support Systems.
The FCC said that he apparently made more than 47,000 unlawful spoofed robocalls over a two-day period by spoofing the telephone number assigned to another telemarketing company when transmitting prerecorded voice calls against a political candidate shortly before California’s 2018 primary election.
Moser, who was in the business of providing political robocall services, spoofed the number of another company that provides robocalling services to political candidates. The spoofing generated many complaints from consumers who received the calls, and a cease-and-desist letter from the candidate against whom the calls were allegedly made.
The California Secretary of State referred a complaint about the matter to the FCC’s Enforcement Bureau, and which used the Truth in Caller ID Act has the basis for the fine.
In addition to finding that Moser apparently violated the Truth in Caller ID Act, the FCC’s Enforcement Bureau found that Moser sent more than 11,000 prerecorded voice messages to wireless phones, without consent, in violation of the Telephone Consumer Protection Act’s.
The Enforcement Bureau found that Moser also violated the TCPA’s requirement that prerecorded messages include the phone number and identity of the entity responsible for initiating the call. As a result, the Bureau also issued a citation for TCPA violations.
About the author:
Drew Clark, the Editor and Publisher of BroadbandBreakfast.com, is a nationally-respected telecommunications attorney at The CommLaw Group. He has closely tracked the trends in and mechanics of digital infrastructure for 20 years, and has helped fiber-based and fixed wireless providers navigate coverage, identify markets, broker infrastructure, and operate in the public right of way. Additionally, see a related advisory laying out some of the salient issues with SHAKEN/STIR that may be of interest to many providers of telecommunications and Voice over Internet Protocol (VoIP) services.