STIR/SHAKEN has been years in the making, with legislative and regulatory backing. One of the…
Once upon a time, long ago, Americans trusted the telephone network. When the phone rang, it meant a person – probably someone you knew, but most certainly someone that knew you – was calling. Decades later, when caller-ID was invented, the number displayed really was the number of the caller.
That was because the network was “closed.” Only trusted, legitimate entities could put calls on the network. Telephone companies passed calls between each other only after lengthy, regulated interconnect agreements were reached, and physical, cabled connections were put in place.
Then deregulation occurred and the internet got invented and the cost of computing dropped like nobody’s business. Anybody could pay one of the existing phone companies a negligible sum and become part of the club. It was a free-for-all, and network chaos ensued. Computers were making more calls than people. Caller-ID became meaningless.
And here we are today. Illegal robocalling is rampant, annoying everybody and apparently defrauding thousands of innocent victims weekly if not more frequently.
The FCC has come to the rescue with two recent orders. Most detailed is the Second Report and Order in their Call Authentication Trust Anchor (17-97) docket. This Order stipulates implementation of the STIR/SHAKEN (S/S) protocol, and introduces two new elements: the Robocall Mitigation Database (RMD) and the Robocall Mitigation Program.
That Order, adopted on Sep. 29, 2020, is complemented by another one: the Fourth Report and Order in the Advanced Methods to Target and Eliminate Unlawful Robocalls (17-59) docket. This Order is more general and broadens the first by requiring every provider to take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.
Both orders go into effect in 2021. Here’s a quick synopsis of the impact of S/S and the RMD:
With some exceptions, all providers are required to implement S/S. As this protocol is phased in, call recipients will see an indication with each call showing an authentication level for the caller-ID. It can range from “the caller is authorized to use the caller-ID that you see” to “we don’t know anything about the caller-ID.” The first variant is potentially useful – it says you CAN trust what you see (but it’s only telling you about the caller-ID – it doesn’t say that you can trust the CALLER). The second variant is equivalent to what we have today – the caller-ID (and the caller) might or might not be trustworthy. With the initial rollout of S/S, there will still be many legitimate calls that, due to technical and operational limitations, fall into that second category. The utility of S/S will increase over the next several years, and eventually we’ll grow increasingly suspicious of calls that don’t indicate the highest level of authentication.
In the meantime, the RMD shows great promise. The FCC is establishing a database where each provider will register and affirm that they are taking appropriate steps to mitigate robocalls. A second provider will not be permitted to accept calls from a first provider unless that first provider is in the RMD. This starts to restore the notion of a closed network, where participants must meet minimum requirements before their traffic can be accepted by others. And the FCC will have a powerful tool, in the form of delisting from the database, when a provider’s efforts to exclude illegal traffic are found to be deficient.