Last week I asked, “How many laws does it take to stop a robocall” and since then, several people have asked for my specific critique of pending robocall legislation. The Subcommittee on Communications and Technology, which is part of the House Committee on Energy & Commerce, is holding a hearing on April 30. Their backgrounder lists SIX bills (re)introduced already this year, plus a “Discussion Draft” – and that’s just in the House!
HR946 (“Stopping Bad Robocalls”) and HR2298 (“ROBOCOP”) both call for implementation of STIR/SHAKEN. This is the area of greatest technical complexity – and the area that is most broken – so that’s where I’ll focus.
There’s quite a bit of overlap between the bills; they both mandate deployment of “call authentication.” HR2298 makes the important distinction between what’s required of ORIGINATING providers versus RECEIVING (often called TERMINATING in the industry) providers. HR946 omits this key item.
SHAKEN isn’t as simple as the bills imply. HR2298 calls for “an originating provider to enable…and each originating subscriber to use, technology that verifies…that the caller identification information …accurately identifies the originating subscriber.”
Per the technical spec, the current version of SHAKEN allows the Originating Provider to attach one of three levels of “attestation” to a call. Both Full and Partial Attestation indicate the Provider “has a direct authenticated relationship with the initiator of the call and can identify the customer associated with the initiator” but only Full Attestation indicates the Provider “has established a verified association with the calling party telephone number used for the call.” Gateway Attestation is an explicit declaration by the Provider that they don’t know who the “call initiator” is. It is up to each individual provider to decide what their practices will be to determine an “authenticated relationship” and a “verified association.”
Also, note that HR2298 directs “each originating subscriber to use” call authentication. But as currently defined, SHAKEN applies to service providers only, not to subscribers; there’s nothing to “use.” There are proposals on the table, but the law is way ahead of the practice on this point.
There’s a further complication that the legacy telephone network doesn’t even support SHAKEN. If users and providers on legacy networks get a pass, then that’s exactly where all the robocallers will go to continue their nefarious activities.
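As an added illustration (not code from the SHAKEN specification or from this post), the sketch below shows how a receiving provider might read the attestation level out of the signed token that travels with a call, and what it sees when a call arrives with no token at all, as from a legacy network. It assumes the PASSporT token format with `attest` values A, B and C for Full, Partial and Gateway; the function names, phone numbers and certificate URL are constructed, and signature verification is left out.

```python
import base64
import json

# "attest" claim values in a SHAKEN PASSporT and the level each encodes.
LEVELS = {"A": "full", "B": "partial", "C": "gateway"}

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def sample_identity(attest, orig_tn):
    """Constructed Identity header value; the signature is a placeholder."""
    cert = "https://cert.example.invalid/sp.pem"  # placeholder URL
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken", "x5u": cert}
    claims = {"attest": attest, "dest": {"tn": ["12025550199"]},
              "iat": 1556600000, "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = f"{_enc(header)}.{_enc(claims)}.c2lnbmF0dXJl"
    return f"{token};info=<{cert}>;alg=ES256;ppt=shaken"

def classify_call(identity, caller_id):
    """Label an inbound call from its Identity header (signature NOT verified)."""
    if not identity:
        return "unsigned"          # e.g. the call crossed a legacy network
    token = identity.split(";", 1)[0].strip()
    try:
        head, body, _sig = token.split(".")
        header, claims = _dec(head), _dec(body)
    except ValueError:             # wrong part count, bad base64 or bad JSON
        return "malformed"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "malformed"
    if header.get("ppt") != "shaken" or claims.get("attest") not in LEVELS:
        return "malformed"
    orig = claims.get("orig")
    if not isinstance(orig, dict) or orig.get("tn") != caller_id:
        return "mismatch"          # signed number differs from the caller ID shown
    # Only "full" means the provider vouches for the calling number itself.
    return LEVELS[claims["attest"]]

if __name__ == "__main__":
    for attest in "ABC":
        print(attest, classify_call(sample_identity(attest, "12025550101"), "12025550101"))
    print(classify_call(None, "12025550101"))
```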
There’s no definitive way to reconcile what the proposed legislation dictates with how the technology works. The bills have no mandates on levels of attestation, how they are determined, what it means to “use” SHAKEN, or what to do when the technology isn’t available. We’re going to end up with a rancorous debate that ultimately ends up in the courts, with different jurisdictions rendering different decisions. And no end to the robocalls.
Perhaps most alarming, at least to some, is that HR2298 creates a Private Right of Action with respect to the requirements placed on originating and receiving providers. Heretofore, it was the call initiator that was subject to these penalties; under this law, every service provider can get sued by an individual (or class) claiming a violation, at $500 or $1500 per call. I’m all for holding providers accountable, but this is a dangerous step with the group benefiting the most being the attorneys on each side of the suits.
There’s a big disconnect between what lawmakers write and what makes real-world sense, especially in technologically complex and rapidly evolving situations. When Congress is pedantic, the FCC has shown that it will abdicate its responsibility to perform technical and economic analysis, and just do its best to “do what the law says.” We end up with ineffective laws and regulations.
The law we need would direct the FCC to holistically address the proliferation of abusive calls and texts. It would give the agency not just the responsibility but also the AUTHORITY to regulate and punish all parties in the call path (including service providers as well as call initiators). The law should require that the FCC perform and publish a cost-benefit analysis for its initiatives, with priority given to rules that will mitigate the most harm at the lowest total cost. Given the moving targets and evolving technologies, the FCC should review and update the rules at least every two years, with performance metrics measuring effectiveness.
The FCC already has a rule-making process that solicits input from all stakeholders. That should be augmented with real workshops where experts and advocates meet and actively debate alternatives to find the best solutions.
Fixing robocalls is less about the rules and more about the process. If we make the right course adjustments, we’ll have fewer broken laws.