Many SHAKEN certifications, few authorized providers

The deadline for filing robocall mitigation certifications in the FCC Robocall Mitigation Database (RMD) is now behind us. The number of SHAKEN certifications is surprisingly large, considering the number of SHAKEN authorized providers. Let’s have a look at what it tells us.

Overview

As of September 29, 2021, here’s a breakdown of filings by implementation type for all filers:

ImplementationCountPct
No STIR/SHAKEN2,47642%
Complete STIR/SHAKEN1,34623%
Partial STIR/SHAKEN1,20520%
N/A (intermediates)89215%
Total5,919100%

RMD Filings by Implementation, All Filers

Notice that 2,551 providers (43%) filed certifications for either a complete or partial SHAKEN implementation.

Here are the numbers for service providers in the U.S. only, not counting intermediate providers:

ImplementationCountPct
No STIR/SHAKEN2,04746%
Complete STIR/SHAKEN1,23728%
Partial STIR/SHAKEN1,13026%
Total4,414100%

Here’s a graphical illustration of these numbers:

RMD Filings by Implementation, U.S. Non-Intermediate Providers

RMD Filings by Implementation, U.S. Non-Intermediate Providers

Notice that 2,367 (54%) of U.S. providers, not counting intermediates, filed certifications for either a complete or partial SHAKEN implementation.

There’s a whole lot of SHAKEN out there. Or is there?

chart

Authorized SHAKEN service providers

The U.S. SHAKEN Policy Administrator (STI-PA) maintains a list of SHAKEN Authorized Service Providers. As of September 29, 2021, there are 359 service providers on this list.

That’s a big difference: 2,367 in the RMD, versus 359 listed by the STI-PA.

Comparing the two lists, we can account for some of this difference right away. Here are a few examples:

  • Lumen is on the STI-PA list once. There are 76 RMD filings for CenturyLink.
  • TDS Telecommunications is on the STI-PA list once. There are 109 RMD filings for providers with TDS as another DBA name.
  • Verizon is on the STI-PA list once. There are 84 RMD filings with Verizon as another DBA name.

These three examples listed are the largest examples. Combined, they add 269 providers to the count of SHAKEN authorized providers. This takes us from 359 to 538 SHAKEN authorized providers.

There are other examples of multiple providers with 5-10 providers per other DBA name.

The STI-PA list is more consolidated, while the RMD, although it allows for consolidation, has many separate filings for members of a parent company.

However, there don’t seem to be enough to get from 538 to 2,367. Reviewing the list of providers that claimed a complete SHAKEN implementation in the RMD, we struggle to match some of them with an authorized SHAKEN provider on the STI-PA list.

Does a provider have to be a SHAKEN-authorized provider to claim a SHAKEN implementation in the RMD?

The rules

Here’s what we know:

  1. In the First Order on SHAKEN, paragraph 25, the FCC requires providers to implement SHAKEN.
    • The Second Order provided four SHAKEN implementation extensions, but the RMD filings we’re examining did not take the extensions.
  2. Paragraph 36 of the First Order defines SHAKEN as ATIS-1000074, ATIS-1000080, and ATIS-1000084.
  3. ATIS-1000080 provides standards for the SHAKEN governance model. Section 5.2.1 of this standard requires the STI-PA to issue SPC tokens to service providers authorized to do SHAKEN.
  4. ATIS-1000080, section 5.2.3, requires these service providers to use SPC tokens to obtain SHAKEN certificates, which they then use to sign calls they have authenticated.

If a service provider isn’t authorized to do SHAKEN by the STI-PA, how can they claim a SHAKEN implementation in the RMD? They can’t sign their calls.

Maybe someone else is signing calls for them?

Downstream SHAKEN signers

If a downstream service provider signs unsigned calls they receive, can the upstream Originating Service Provider (OSP) claim a SHAKEN implementation?

If the intermediate provider uses the SHAKEN certificate of the OSP, then that seems reasonable. The downstream provider is acting as an outsourced SHAKEN signing service.

However, if the downstream provider is authenticating calls using their own SHAKEN certificate, not a certificate issued to the OSP, then we struggle to understand how the upstream OSP can claim a SHAKEN implementation. They have not joined the SHAKEN ecosystem per the governance model described in ATIS-1000080.

This situation seems at odds with the SHAKEN governance model standards and the FCC SHAKEN rules.

It will be interesting to see how this plays out.

TransNexus solutions

We offer STIR/SHAKEN and robocall mitigation solutions in our ClearIP and NexOSS software platforms. We can make your STIR/SHAKEN deployment a smooth process.

In addition, we help service providers with all aspects of STIR/SHAKEN deployment, including registering with the Policy Administrator and filing their certification with the FCC.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.