FCC asks whether to revise SHAKEN mandate extensions

The FCC Wireline Competition Bureau (WCB) issued a public notice asking for comments on SHAKEN implementation deadline extensions. The WCB wants to know whether these extensions should be kept, extended, or cut short. What brought this up? What’s next? Let’s have a look.

SHAKEN extensions

In the First Report and Order on SHAKEN (WCB 17-97), the FCC required voice service providers to implement SHAKEN by June 30, 2021. In the Second Report and Order, the FCC provided four extensions to this deadline:

1. Small voice service providers with fewer than 100,000 subscriber lines got a two-year extension.
2. Service providers that cannot obtain a certificate due to the Governance Authority’s token access policy got an extension until they are able to obtain a certificate.
3. Voice services subject to section 214 discontinuance got a one-year extension.
4. Non-IP portions of a provider’s network got an extension until a solution for such calls is reasonably available.

Revisiting these extensions

Why is the WCB asking about these extensions now? The TRACED Act requires it.

REVISION OF DELAY OF COMPLIANCE.—Not less frequently than annually after the first delay of compliance is granted under subparagraph (A)(ii), the Commission—

1. shall consider revising or extending any delay of compliance granted under subparagraph (A)(ii);
2. may revise such delay of compliance; and
3. shall issue a public notice with regard to whether such delay of compliance remains necessary, including—
   1. why such delay of compliance remains necessary; and
   2. when the Commission expects to achieve the goal of full participation as described in subparagraph (D).

—TRACED Act, Section 4F

Request for comment

In their Public Notice, the WCB asked about three of the four extensions:

1. Small providers
2. Providers that cannot obtain a SPC token
3. Services scheduled for Section 214 discontinuance.

The public notice did not mention the fourth extension, which deals with calls that rely on non-IP networks.

For each of the three extensions mentioned, the public notice asked similar (but not identical) questions. Are these extensions still necessary? Have things changed? Should the extensions be extended further?

Recent developments

There are a few important recent developments related to SHAKEN extensions:

• In November 2020, the STI Governance Authority announced that the qualifications for SHAKEN certificates would be changed. Service providers would no longer be required to have access to number resources. Instead, they must certify with the FCC that they have implemented SHAKEN and/or has a robocall mitigation program. This new policy became effective in May 2021.
  • This removed the basis for the second extension. Service providers now can get certificates.
• In May 2021, the FCC issued a Third Further Notice of Proposed Rulemaking on SHAKEN, which proposed cutting the extension for certain small providers that originate an especially large amount of traffic from two years to one year.
  • This would make the first extension unavailable to some small providers.
• In July 2021, the ATIS Non-IP Call Authentication Task Force approved two new technical standards and a technical report on SHAKEN on non-IP networks.
  • This removes the basis for the fourth extension. Service providers that rely on non-IP networks or interconnections can use standards-based methods to “extend call authentication to TDM networks in a way that ensures SHAKEN compatibility.”

A few observations

Certificate access

Let’s take the easy one first: with the change in service provider eligibility rules, the extension for access to certificates became unnecessary. Further, the way the extension was written into the rules, “until such provider is able to obtain a certificate,” caused the extension to cancel itself when the eligibility rules changed.

Participation

In paragraph 17 of the Third FNPRM, the Commission observed that 154 providers have obtained SHAKEN certificates. As of September 8, there are 359 authorized providers.

There are many service providers that have certified SHAKEN implementations in the Robocall Mitigation Database (RMD). Excluding foreign and intermediate providers, as of September 8, 2021, here are the numbers:

A glaring weakness in the SHAKEN ecosystem

You may have noticed that there are lots more service providers that claimed either a partial or complete SHAKEN implementation in their RMD filing (775 + 494 = 1,269) versus the number of SHAKEN-authorized providers (359). What’s going on?

We’ve noticed this too. In our July STIR/SHAKEN statistics blog post, we reported that about 1.6% of calls received were signed with partial attestation (B). Many of these calls were signed by downstream providers that were signing calls for their upstream service provider customers. In some cases, the downstream provider was using their SHAKEN credentials, not the SHAKEN credentials of the upstream provider that originated the call. Here’s the surprising part: almost 8% of these calls were identified as robocalls using call analytics!

This explains much of the disparity between the number of service providers claiming a SHAKEN implementation in the RMD versus the number approved for SHAKEN by the Policy Administrator.

It also exposes a glaring weakness in the current SHAKEN ecosystem. A service provider can originate robocalls, have a downstream provider sign their calls with partial attestation, and certify a complete SHAKEN implementation in the RMD. They don’t have to do robocall mitigation. Neither does the downstream provider signing the calls.

It will be interesting to see whether this tactic holds up.

Small providers

Setting aside these cases, there still are many service U.S. providers doing SHAKEN: 359, and counting. Many are small providers. They found ways to overcome burdens and barriers to SHAKEN implementation.

We have direct experience with this. TransNexus provides SHAKEN solutions to many service providers, and many are small. They wanted to implement SHAKEN because they did not want to position their business at a competitive disadvantage to larger carriers. Their customers want call authentication and robocall prevention too.

While we appreciate and respect the concerns for burdens and barriers raised by legislators and the Commission, we believe that full participation in the SHAKEN ecosystem is well within reach for service providers of all sizes. Many of our customers agree; you can check out a few of their testimonials on our STIR/SHAKEN page.

SHAKEN for TDM

The Commission’s omission of the non-IP extension from their public notice is interesting. The TRACED Act requires the Commission to discuss “delays in compliance.” We’re not sure why the non-IP extension was not mentioned.

Anyway, there’s good news on this subject. Non-IP SHAKEN has been possible for quite some time. In the Second Report and Order, the Commission said they would not move forward on this until standards are approved and solutions are reasonably available. As of July 2021, these conditions have been met.

Watch this space.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. We can make your STIR/SHAKEN deployment a smooth process.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their certification with the FCC.

Contact us today to learn more.