Last fall I posted, "Shouldn’t Neighbor Spoofing Be Illegal? Wait! It Already Is!" Most telecom…
Earlier this month, USTelecom’s Industry Traceback Group, alongside the Communications Fraud Control Association, hosted a panel discussion featuring enforcers from the FCC, the FTC, and the Indiana and Vermont Attorney General’s offices. The video is here. Each of these agencies has brought actions against Voice Service Providers for facilitating illegal robocalling.
Most, if not all, states have laws in which providers can become ensnared. The FTC has a specific section in its Telemarketing Sales Rule (see here) pertaining to “provid[ing] substantial assistance or support to a seller or telemarketer.”
The FCC has numerous rules, including 47 CFR § 64.1200(n)(3): A voice service provider must Take affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.
In this context, the definition of “voice service provider” includes intermediate providers. Note that the rule specifically says “using” and “used” – meaning that this rule can be read to include not just the Originating Provider, but any provider involved. That encompasses providers downstream from the originator, as well as providers of telephone numbers. (If the FCC intended to limit (n)(3) to just the originating provider, they presumably would have said “customers from originating illegal calls on its network” and “ensuring that it does not originate illegal traffic.”)
What does “affirmative, effective measures” mean? We’ve discovered some popular misconceptions and present this partial list of what it does NOT mean:
- Accepting traffic only from providers that are registered in both the FCC’s 499A Filer Database and Robocall Mitigation Database. Anybody can register in these databases with a few keystrokes and mouse-clicks. There is no vetting of these registrations. Perpetrators of fraud are fundamentally lawbreakers, and they think nothing of lying on the filing forms for these databases. NOT EFFECTIVE.
- Accpeting calls only from domestic customers. Foreign robocallers are adept at registering as a USA corporation or LLC and obtaining a USA address and even a tax ID. Plus many illegal robocalls start right here at home. NOT EFFECTIVE.
- Blocking calls from invalid, unassigned, wireless, toll-free, or any other ANI category. Callers can change their ANI selection algorithm in minutes. As they become aware that a certain ANI or set of ANIs are blocked, they simply move to something else. NOT EFFECTIVE.
- Blocking calls from ANIs on a Do-Not-Originate list. The caller ceases using the blocked ANIs and finds others, as above. NOT EFFECTIVE.
- Blocking calls where the first 3, 4, 5 or 6 digits of the ANI match the called number – or all 10 digits match. Again, the caller will just pick a different ANI. NOT EFFECTIVE.
- Blocking ANIs associated with specific tracebacks. Once more, the caller moves on to another ANI. NOT EFFECTIVE.
- Responding to every traceback request. Responding to a traceback is important, but it is a REACTIVE measure, NOT AFFIRMATIVE. When a provider gets a traceback request, it says that whatever robocall mitigation measures are in place, they are NOT EFFECTIVE.
- Signing every call with STIR/SHAKEN. Signing an illegal call does nothing to stop it. STIR/SHAKEN proponents have long acknowledged that the technology is not a robocall mitigation solution; it is one tool among many. NOT EFFECTIVE.
Some of the steps above may be worth doing, but even all of them in combination do not comprise an affirmative, effective set of robocall mitigation measures. Several of them will result in blocking of legitimate calls (assuming some of the traffic is in fact legitimate). If you are not using call metrics on a customer-by-customer basis to ensure all calls are conversational, you are leaving yourself open to illegal robocalling. Non-conversational traffic needs special handling, including only allowing specific, pre-arranged ANIs and deploying on-going monitoring with rapid takedown of any source of non-compliant traffic. Screening on a call-by-call basis is NOT EFFECTIVE.