Evaluating Robocall Mitigation Programs
The FCC’s Second Report and Order in Docket 17-97 mandates that Voice Service Providers implement a Robocall Mitigation Program (RMP) for all calls not authenticated with STIR/SHAKEN. While the Order does not prescribe exactly what the RMP must do, it says the program must include “the specific reasonable steps the voice service provider has taken to avoid originating illegal robocall traffic as part of its robocall mitigation program.” Each provider has to include this information in a certification filed in the FCC’s new Robocall Mitigation Database.
The FCC has not indicated whether or how RMPs will be judged, but that has not stopped ZipDX from going through the plans and offering our assessment. We have established the following objective criteria to evaluate the adequacy of these plans.
- Low: If the nature of the provider’s service is such that customers are intrinsically limited in the number of concurrent calls they can place, and the calling telephone number is assigned by the provider, then it is unlikely that illegal robocalls would originate via this network. Mobile operators (serving exclusively mobile handsets) and rural LECs (serving residential and business customers over their own outside plant facilities) could fall into this category.
- High: A provider that offers IP-based (over the public internet) call origination at high volumes, and/or allows customers to provide their own caller-ID values, and/or accepts traffic from foreign sources falls into this category.
- Medium: Providers that are neither “low” nor “high” are deemed “medium” risk. This includes RLECs and CLECs that offer SIP trunking to enterprise customers.
If a Provider’s Service Risk is low, their RMP must explain why (along the lines indicated above). Otherwise, the RMP must address EACH of the following elements, scored from 3 (best, with thoroughness and quantitative specificity) to 0 (not mentioned in a meaningful way):
- Know-Your-Customer: Explicit, thorough list of items examined to vet customer legitimacy (web site, references, social media, regulatory and state filings, physical address, business purpose, description of traffic, how consent is obtained when consent is required); additional scrutiny of foreign customers
- Call Volume: Limits on simultaneous calls and calls-per-second, established commensurate with KYC findings
- Caller-ID: Constrained appropriately; specific values verified and white-listed to ensure customer is using only values assigned to them or used with express permission
- CDR Monitoring / Call Duration: Routine monitoring of customer traffic with special scrutiny of short-duration calls (must use white-listed caller-IDs which must be periodically tested even if previously verified)
- Traceback / Action: Acknowledge FCC requirement to cooperate with traceback; specify what actions are taken (specific metrics) when tracebacks are reported
As part of our evaluation, we may capture notes about a given plan, including:
- Redacted: Scoring will depend on the degree of redaction. An entirely redacted plan receives a score of all zeroes. Minimal redaction (e.g., contact info for a manager) will not affect scoring. Redaction of substantive metrics affects scoring if the sufficiency is indeterminate (we will assume the worst).
- Foreign Language: If we are able to accurately interpret the plan, we will score it accordingly; otherwise, it will be deemed inadequate.
- Third Party: If the plan incorporates the services of a third party, we will score it according to information readily available regarding that party. If the information is not available, or the third party offers a variety of services and/or is configurable with various metrics, and those details are not included in the RMP, it will be scored assuming the worst.
- Exemplary: We will note plans that are particularly comprehensive and likely to be most effective.
- Flawed: Plans that include erroneous information (such as “all political calls are legal”) will be noted.
Several VoIP providers have entered into agreements with enforcement agencies regarding steps those providers must take to avoid originating illegal robocalls. See, for example:
- Federal Trade Commission Settlement with Alcazar Networks
- Vermont Attorney General Settlement with Strategic IT Partner
The following show sample Robocall Mitigation Programs we have drafted and how they would be scored.
W1T is a mobile operator serving 60,000 customers across the state of Anystate. Our radio access network connects to mobile handsets. For our own subscribers (with a W1T SIM), we authenticate the caller using 3GPP standards.
Caller-ID is always the subscriber’s mobile telephone number as assigned by our network. A subscriber can place no more than one call at a time, with the exception of conference calling, which permits a six-way conference. To detect SIM-boxing, we analyze CDRs nightly; our Fraud Team assesses those subscribers with the lowest Average Call Duration and those with the highest number of calls in a day.
Roamers are handed off to their native network for authentication and call placement.
The W1T Fraud Team responds to all traceback requests within 4 hours, with a target of 95% of requests answered in 2 hours. Any subscriber placing a call resulting in a traceback is investigated and subject to immediate termination if we have sufficient proof (e.g., a recording) to deem the call illegal. Related subscriptions associated with the same subscriber/account may also be terminated.
W1T is subject to a STIR/SHAKEN implementation extension because we have fewer than 100,000 subscribers. We are waiting on our switch vendor to provide STIR/SHAKEN capability in a new software release currently scheduled for 2Q 2022.
ASSESSMENT: W1T is deemed LOW RISK – a less-detailed RMP is sufficient and is not scored.
R2T is a Rural Local Exchange Carrier serving 2,500 residential and small business subscribers in Nowheresville, all via copper outside plant that we own. In addition, we provide competitive local exchange service to medium businesses in adjacent communities via T-1s leased from the incumbent providers.
Our largest customer has 94 trunks (so they can place at most 94 simultaneous calls). All our customers are subject to an Acceptable Use Policy and will incur significant charges if they place an excessive number of calls and/or use an unusually large number of minutes.
Caller-ID for R2T RLEC customers is always assigned by our switch. For our CLEC customers, we either assign the Caller-ID or screen what they provide against a list of numbers we have assigned to their service.
R2T has never received a traceback request. If we do, we will respond immediately and investigate the source.
We are subject to a STIR/SHAKEN extension because we have fewer than 100,000 customers.
ASSESSMENT: R2T is deemed LOW RISK – a less-detailed RMP is sufficient and is not scored.
S3T is an interconnected VoIP provider offering hosted PBX and SIP trunking to enterprises of all sizes. Our customers are exclusively business end-users; we do not offer services to other telephone service providers or individuals. Our customers interconnect with us over the public internet using their own broadband service.
Know Your Customer:
Each S3T customer must provide a physical business address, business registration, and name and contact information for at least one responsible individual. The business must have a web presence, and the contact email must be at a domain dedicated to the business. The business must be registered in a US state or territory. Payment must be via credit card or US bank transfer. We cross-check and verify all these items and refuse to serve customers that are in any way suspicious. We do not serve foreign customers.
Call Volume:
All callers are limited in the number of outbound calls they can initiate per minute and the number of concurrent calls allowed. These limits are set on a customer-by-customer basis based on conversational calling expectations given their business profile. A medium-sized business with 50 employees would be allowed 20 simultaneous calls and would be able to initiate 10 calls per minute.
Caller-ID:
We provide our customers with their telephone numbers (DIDs); customers can port their numbers to S3T if they choose. All outbound calls must use a Caller-ID from that customer’s pool of numbers assigned by us. The only exception is forwarded calls; in these cases, the call must include a DIVERSION header that contains a number assigned to that customer by S3T. These conditions are checked by our switch before the call is sent onward.
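The switch-side check described above, written out as an added example (this is illustrative code drafted for this page, not S3T’s, D4T’s or any vendor’s implementation). It parses the headers of an outbound INVITE, requires every identity the downstream will see (From and, if present, P-Asserted-Identity) to be in the customer’s assigned pool, and allows the one exception: a forwarded call whose Diversion header names a number assigned to that customer. The same function with allow_forwarding=False is the allow-list screen a dialer-traffic provider such as D4T describes for its vetted Caller-ID list. The customer name “acme”, its numbers, the hostnames and the INVITEs are all constructed for the example; the bare-10-digit-to-NANP normalization is an assumption.

```python
import re

# Constructed example data: a hypothetical customer "acme" and the numbers the
# provider assigned to it (fictional +1-202-555 values).
ASSIGNED_NUMBERS = {
    "acme": {"+12025550100", "+12025550101"},
}

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9\-]*):\s*(.*)$")
URI_NUMBER_RE = re.compile(r"(?:sips?|tel):\+?(\d{7,15})(?:@|;|>|$)")


def parse_headers(msg):
    """Return {lower-case header name: [values]} for a SIP request.
    Only the header block is read; the request line and any body are ignored."""
    headers = {}
    for line in msg.replace("\r\n", "\n").split("\n")[1:]:
        if line.strip() == "":
            break                      # blank line ends the header block
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return headers


def number_from_uri(value):
    """Extract the number from a sip:/sips:/tel: URI in a header value, as +digits.
    Returns None when the value carries no numeric user part (e.g. anonymous)."""
    m = URI_NUMBER_RE.search(value)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) == 10:              # assumption: bare 10-digit NANP number
        digits = "1" + digits
    return "+" + digits


def screen_caller_id(customer, invite, allow_forwarding=True):
    """Apply the outbound caller-ID rule to one INVITE.

    Every identity the downstream will see (From and, if present,
    P-Asserted-Identity) must be in the customer's assigned pool. The only
    exception is a forwarded call: if allow_forwarding is set, a Diversion
    header naming one of the customer's own numbers lets the original
    caller's number pass through unchanged. Returns (allowed, reason)."""
    pool = ASSIGNED_NUMBERS.get(customer)
    if not pool:
        return False, "unknown customer %r" % customer
    hdrs = parse_headers(invite)
    identities = [(name, number_from_uri(v))
                  for name in ("from", "p-asserted-identity")
                  for v in hdrs.get(name, [])]
    if not identities:
        return False, "no caller identity header"
    diverting = None
    if allow_forwarding:
        for v in hdrs.get("diversion", []):
            d = number_from_uri(v)
            if d in pool:
                diverting = d
                break
    for name, num in identities:
        if num is None:
            return False, "%s carries no usable number" % name
        if num in pool:
            continue
        if diverting:
            continue                   # forwarded through an assigned number
        return False, "%s=%s is not assigned to %s" % (name, num, customer)
    if diverting:
        return True, "forwarded via assigned number %s" % diverting
    return True, "caller-ID assigned to %s" % customer


def build_invite(from_uri, diversion_uri=None, pai_uri=None):
    """Build a minimal constructed INVITE for the checks above (not a capture)."""
    lines = [
        "INVITE sip:+12125550000@gw.provider.example SIP/2.0",
        "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKnashds8",
        "From: <%s>;tag=1928301774" % from_uri,
        "To: <sip:+12125550000@gw.provider.example>",
        "Call-ID: a84b4c76e66710@203.0.113.10",
        "CSeq: 314159 INVITE",
    ]
    if pai_uri:
        lines.append("P-Asserted-Identity: <%s>" % pai_uri)
    if diversion_uri:
        lines.append("Diversion: <%s>;reason=unconditional" % diversion_uri)
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for label, inv in [
        ("own number", build_invite("sip:+12025550100@acme.example")),
        ("forwarded", build_invite("sip:+13125550199@acme.example",
                                   diversion_uri="sip:+12025550101@acme.example")),
        ("spoofed", build_invite("sip:+19085550123@acme.example")),
    ]:
        print(label, screen_caller_id("acme", inv))
```

Two details matter in practice: the check covers P-Asserted-Identity as well as From, because a customer that is allowed to set a legitimate From but a foreign P-Asserted-Identity would still deliver a spoofed caller-ID to the downstream; and a Diversion header only earns the exception when the diverting number itself is in the customer’s pool, so a customer cannot launder an arbitrary caller-ID by adding a Diversion header naming someone else’s number. A switch that signals forwarding with History-Info instead of Diversion needs the same test applied to that header.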
CDR Monitoring / Call Duration:
S3T assesses each customer’s traffic on a weekly basis. We examine a set of metrics (number of call attempts, answer seizure ratio, average call duration, fraction of calls shorter than 60 seconds), looking for: (a) signs of automated dialing; (b) significant change from that customer’s historic usage. Any anomalies result in immediate engagement with the customer to obtain a thorough, definitive explanation. If not resolved within 7 business days, the customer’s service is suspended.
Traceback / Action:
S3T responds promptly to all traceback requests. Any traceback results in an immediate detailed analysis of the initiating customer’s CDRs for the past 30 days, followed by engagement with the customer to explain anomalies in the CDRs as well as the specific traceback example. If we do not receive satisfactory explanation within 72 hours, the customer is suspended. A customer that is the subject of three tracebacks in 90 days is permanently banned from our platform, unless the traceback examples are shown with certainty to be legal and compliant.
Because we cannot today get an SPC token, S3T is subject to a STIR/SHAKEN implementation extension. S3T does not have direct access to numbering resources; we get our numbers via another wholesale provider.
ASSESSMENT: S3T is deemed MEDIUM RISK. They have provided sufficient detail, in the context of their business as described, to rate a 3 in each of the assessment categories, earning a total score of 15.
D4T is a non-interconnected VoIP provider offering termination services including support for dialer traffic. We serve end-users as well as VoIP aggregators and intermediate providers. Our platform is reachable worldwide via the public internet.
Know Your Customer:
Each D4T customer must provide a physical business address, business registration, and name and contact information for at least one responsible individual. The business must have a web presence, and the contact email must be at a domain dedicated to the business. US businesses must show registration in a US state or territory, provide a US tax ID, and have a current D&B listing in good standing. Service Providers must have a current FCC 499A registration. Payment must be via credit card or US bank transfer. Foreign customers must send proof of identity (photograph of passport and utility bill). All customers must keep on file with us a current description of the type of calling they do. Customers claiming to be calling with consent must explain how that consent is obtained. We obtain sample recorded messages and verify that they comply with TCPA and TSR requirements. D4T cross-checks and verifies all these items and refuses to serve customers that are in any way suspicious.
Call Volume:
Conversational traffic and dialer traffic must be segregated; we do not permit customers to mix traffic on the same trunk. Foreign aggregators are not permitted to send any dialer traffic. Foreign dialer traffic must be sent directly to D4T by the originating call center and must have an associated US-based sponsor that takes responsibility for the calls. All callers are limited in the number of outbound calls they can initiate per minute and the number of concurrent calls allowed. These limits are set on a customer-by-customer basis based on the calling description they have on file with us. New customers are limited to 30 calls per minute and 20 concurrent calls; these values are increased progressively as we gain additional experience with the customer and always with extensive CDR monitoring (see below). Volume of calls placed with consent of the called party must be consistent with the manner in which consent is obtained. Dubious claims are rejected and the customer is terminated.
Caller-ID:
Callers are only permitted to use Caller-ID values that are assigned to the caller, or for which the caller has explicit permission from the number assignee to use. For dialer traffic, the customer must provide D4T with a list of the Caller-ID values they will use. D4T vets each number on the list before adding it to our switch. Calls that are not on the list for that customer will not be processed.
CDR Monitoring / Call Duration:
D4T assesses each customer’s traffic separately on a daily basis. We examine a set of metrics (number of call attempts, answer seizure ratio, average call duration, fraction of calls shorter than 60 seconds and shorter than 120 seconds). Traffic received on trunks designated for Conversational traffic must meet appropriate metrics (at least 20% of completed calls must be longer than 120 seconds). When dialer traffic is identified on a conversational trunk, the customer is notified; if the traffic continues for 72 hours, the customer is suspended. D4T also looks for significant change from that customer’s historic usage. Any anomalies result in immediate engagement with the customer to obtain a thorough, definitive explanation. If not resolved within 7 business days, the customer’s service is suspended. For Dialer trunks, D4T identifies for each customer the Caller-ID values that they are using for their calls (which must be on the allowed list of vetted numbers for that customer). Our fraud team randomly calls a subset of numbers being used to ensure they are answered as expected per the customer’s business description. D4T has a zero-tolerance policy regarding fraud. If fraud is detected, the customer is permanently banned from our network.
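The daily CDR review above, and the weekly one in the S3T plan, both reduce to the same computation: group one period of call records by customer and trunk, compute the named metrics (attempts, answer seizure ratio, average call duration, duration-band fractions, the set of Caller-IDs in use) and compare them against the plan’s rules. The following is an added example of that review written for this page; it is not D4T’s or S3T’s code. The 20% long-call rule is D4T’s; the minimum answered-call count before a trunk is classified, the 3x “significant change” factor, the customer names, the vetted-number list, the historic baselines and the CDR records themselves are all constructed assumptions for the example.

```python
from collections import defaultdict

# Thresholds. The 20% long-call rule is D4T's; the other two are assumptions
# chosen for this example and would be tuned per provider.
MIN_LONG_CALL_FRACTION = 0.20   # conversational trunk: >=20% of completed calls longer than 120 s
MIN_ANSWERED_TO_JUDGE = 5       # assumption: don't classify a trunk on fewer answered calls
SPIKE_FACTOR = 3.0              # assumption: attempts >= 3x historic daily count is "significant change"

# Constructed vetted-number lists and historic daily attempt counts (not real data).
VETTED_NUMBERS = {"dialco": {"+14155550100"}}
BASELINE_ATTEMPTS = {("acme", "conversational"): 12, ("dialco", "dialer"): 10}


def build_sample_cdrs():
    """One constructed day of CDRs for three hypothetical customers. A record is one
    call attempt; answered=False means no conversation took place (duration 0)."""
    cdrs = []
    # acme: conversational trunk with human-looking traffic (most answered calls run long)
    for dur in (0, 300, 45, 600, 180, 0, 240, 150, 900, 30):
        cdrs.append(dict(customer="acme", trunk="conversational", caller_id="+12025550100",
                         answered=dur > 0, duration=dur))
    # bulkco: sold as conversational, but low answer rate, 12-second calls, rotating caller-IDs
    for i in range(50):
        ans = i % 6 == 0
        cdrs.append(dict(customer="bulkco", trunk="conversational", caller_id="+1312555%04d" % i,
                         answered=ans, duration=12 if ans else 0))
    # dialco: declared dialer trunk; two calls use a number that was never vetted
    for i in range(40):
        cid = "+14155550100" if i < 38 else "+14155559999"
        ans = i % 2 == 0
        cdrs.append(dict(customer="dialco", trunk="dialer", caller_id=cid,
                         answered=ans, duration=40 if ans else 0))
    return cdrs


def metrics(records):
    """Per-trunk metrics named in the RMPs: attempts, answer-seizure ratio, average
    call duration and duration-band fractions (fractions are over completed calls)."""
    durations = [r["duration"] for r in records if r["answered"]]
    n_ans = len(durations)
    frac = lambda pred: (sum(1 for d in durations if pred(d)) / n_ans) if n_ans else 0.0
    return {
        "attempts": len(records),
        "answered": n_ans,
        "asr": n_ans / len(records) if records else 0.0,
        "acd": sum(durations) / n_ans if n_ans else 0.0,
        "frac_under_60": frac(lambda d: d < 60),
        "frac_under_120": frac(lambda d: d < 120),
        "frac_over_120": frac(lambda d: d > 120),
        "caller_ids": {r["caller_id"] for r in records},
    }


def assess(cdrs, vetted=VETTED_NUMBERS, baseline=BASELINE_ATTEMPTS):
    """Run the periodic review. Returns one finding dict per issue, keyed by
    customer and trunk, so the fraud team can open an engagement per finding."""
    by_trunk = defaultdict(list)
    for r in cdrs:
        by_trunk[(r["customer"], r["trunk"])].append(r)
    findings = []
    for (cust, trunk), recs in sorted(by_trunk.items()):
        m = metrics(recs)
        # Rule 1: a conversational trunk must carry conversations (D4T's 20% / 120 s rule).
        if (trunk == "conversational" and m["answered"] >= MIN_ANSWERED_TO_JUDGE
                and m["frac_over_120"] < MIN_LONG_CALL_FRACTION):
            findings.append(dict(customer=cust, trunk=trunk, issue="dialer_like_on_conversational_trunk",
                                 detail="%.0f%% of completed calls > 120 s, ASR %.2f, ACD %.0f s"
                                 % (100 * m["frac_over_120"], m["asr"], m["acd"])))
        # Rule 2: dialer trunks may only use Caller-IDs on the customer's vetted list.
        if trunk == "dialer":
            unvetted = m["caller_ids"] - vetted.get(cust, set())
            if unvetted:
                findings.append(dict(customer=cust, trunk=trunk, issue="unvetted_caller_id",
                                     detail="not on vetted list: %s" % ", ".join(sorted(unvetted))))
        # Rule 3: significant change from the customer's historic usage.
        hist = baseline.get((cust, trunk))
        if hist and m["attempts"] >= SPIKE_FACTOR * hist:
            findings.append(dict(customer=cust, trunk=trunk, issue="volume_spike",
                                 detail="%d attempts vs historic %d/day" % (m["attempts"], hist)))
    return findings


if __name__ == "__main__":
    for f in assess(build_sample_cdrs()):
        print(f["customer"], f["trunk"], f["issue"], "-", f["detail"])
```

On the constructed day, acme passes every rule, bulkco is flagged for dialer-like traffic on a conversational trunk (none of its completed calls exceed 120 seconds), and dialco is flagged twice: once for a Caller-ID that is not on its vetted list and once for a four-fold jump over its historic daily attempts. The rotating caller-IDs on bulkco’s trunk are visible in the caller_ids set and are a second signal a reviewer would act on; the example does not score them separately because the plans above do not state a rule for it.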
Traceback / Action:
D4T responds promptly to all traceback requests. Any traceback results in an immediate detailed analysis of the initiating customer’s CDRs for the past 30 days, followed by engagement with the customer to explain anomalies in the CDRs as well as the specific traceback example. If we do not receive satisfactory explanation within 72 hours, the customer is suspended. D4T has a zero-tolerance policy regarding fraud. If a call is identified (via a recording) to be blatantly fraudulent, the customer sending us the call is permanently banned from our network. A customer that is the subject of three tracebacks in 90 days is permanently banned from our platform, unless the traceback examples are shown with certainty to be legal and compliant. We also require our Service Provider customers to add a D4T email address to their profile in the traceback portal operated by the Registered Consortium. This allows us to receive immediate notification of any tracebacks for that customer associated with a downstream provider other than D4T. We monitor those tracebacks and insist that they are satisfactorily resolved, or we charge them against the customer as if they had transited D4T.
Because we cannot today get an SPC token, D4T is subject to a STIR/SHAKEN implementation extension. D4T does not have direct access to numbering resources; we get our numbers via another wholesale provider.
ASSESSMENT: D4T is deemed HIGH RISK. They have provided sufficient detail, in the context of their business as described, to rate a 3 in each of the assessment categories, earning a total score of 15.
D5T is a non-interconnected VoIP provider offering termination services including support for dialer traffic. We serve end-users as well as VoIP aggregators and intermediate providers. Our platform is reachable worldwide via the public internet.
ASSESSMENT: D5T is deemed HIGH RISK because they accept dialer traffic, including from aggregators and foreign sources, over the public internet. While dialer traffic is legitimate in certain cases, it is more often used unlawfully.
Know Your Customer:
D5T thoroughly vets all its customers by collecting a wide variety of data including contact information, financial history and registration with appropriate authorities. We refuse service to any provider that does not pass our checks.
ASSESSMENT: D5T gets a rating of 1 for mentioning KYC. A rating of 2 requires additional detail about the information that will be gathered for each customer. A rating of 3 requires a comprehensive list (including web site review, acceptable payment types, the precise regulatory filings, email address discriminators, physical business location, business description and type of calls made) with acceptance / rejection criteria. If consent from the called party is required, customer must explain how the consent is obtained and justify volumes. Recorded messages must be checked to ensure compliance with TCPA and TSR requirements.
Call Volume:
D5T limits the rate at which new customers can place calls. We use a third-party service that rejects calls that are deemed likely illegal robocalls.
ASSESSMENT: D5T gets a rating of 1 for mentioning rate limits. If a third party is used, the specific functions that they perform and criteria that they apply should be listed in this RMP. A higher rating (2 or 3) will be earned if the RMP enforces a specific limit for each customer, and describes how that limit is determined.
Caller-ID:
D5T does not permit callers to use invalid numbers or 911 as their Caller-ID. If we get a traceback report, we immediately block the ANI for any future calls.
ASSESSMENT: D5T gets a rating of at most 1 for mentioning Caller-ID. No caller should be using 911 or an invalid number as their Caller-ID; the fact that a caller would even attempt this indicates that something is wrong, and none of their calls should be accepted until the issue is resolved. Blocking an ANI is generally not effective, since many robocallers randomize their caller-IDs and it is trivial for them to work around any block. A higher rating will be earned if the RMP describes how D5T ensures that customers use ONLY Caller-ID values that they own or are authorized to use; how those numbers are verified as being authorized; and how this list of allowable numbers is enforced.
CDR Monitoring / Call Duration:
D5T subscribes to a third-party service that scrutinizes our CDRs on a monthly basis. It can detect suspicious patterns like calling the same number repeatedly, which we will then investigate.
ASSESSMENT: D5T earns a rating of 1 for mentioning CDR Monitoring. Details of how the third-party service operates should be included in the RMP. CDR monitoring should happen nightly and should analyze call duration and Caller-ID usage; a monthly review lets a bad actor run for weeks before anyone looks. A detailed description of the criteria used and the action to be taken will earn a higher rating.
Traceback / Action:
D5T responds promptly to traceback requests. We have a team assigned to this function. They investigate the source of each request. We do not tolerate illegal robocalls and will suspend or terminate offenders as appropriate.
ASSESSMENT: D5T earns a rating of 1 for mentioning traceback and indicating that they investigate. All providers are required by regulation to cooperate with traceback. Higher scores will be earned for details regarding an investigation, including the time-frame in which it will be completed, the criteria used to evaluate a source, and the specific actions to be taken based on findings. “As appropriate” should be replaced with an explicit explanation of the process and its potential outcomes.
Because we cannot today get an SPC token, D5T is subject to a STIR/SHAKEN implementation extension. D5T does not have direct access to numbering resources; we get our numbers via another wholesale provider.
ASSESSMENT: This part of the plan is not rated.
ASSESSMENT: This is a poor plan and earns a total score of 5. It offers no assurance that it will be effective. If D5T is in fact more diligent and prudent than is reflected in this plan, the RMP should be revised. The RMP is not only a guide for third parties (including regulators and downstream providers) about how D5T behaves; it should also provide guidance to D5T staff regarding what is expected of them.