Reply comments on proposed rules for gateway providers

Twelve organizations filed reply comments on the FCC’s proposed robocall rules for gateway providers. We’ve summarized each filing and recurring themes across all filings.

This is the final round of comments, called reply comments, in the FCC’s proposed rules for gateway providers to do both robocall mitigation and SHAKEN. We reported on the initial round of comments here.

Here’s a list of the reply commentors, with links to their comment summaries.

Recurring themes

Twelve entities filed a total of 125 pages of comments. Here are some recurring themes that we noticed.

Some of the recurring themes we noted in the initial comments on the proposed rules reappeared in these reply comments, especially the notion that there should be one consistent, simple set of rules for all providers. This seems to be the theme with the broadest, strongest support.

Here are other recurring themes showed up in this second round of discussion:

• Providers should do both robocall mitigation and SHAKEN. Call authentication makes robocall mitigation work better, but it is not a substitute.
• Several commenters urged the FCC to engage with their regulatory counterparts in other countries to collaborate and cooperate.
• C-level attestation by gateway providers would not be very valuable or useful. This notion was supported with additional details in the reply comments.

Reply comments

Each reply comment filing is summarized below. You can click each filer name to view their filing.

Enterprise Communications Advocacy Coalition

• FCC should not impose costs and undue burdens on lawful callers and carriers.
• Other than blocking calls with unallocated, unassigned and invalid calling numbers, all blocking should be done by terminating carriers, with customer consent and opt-in, not gateway providers.
  • Gateway providers have no knowledge of either the originator or recipient.
  • Callers have no redress for blocking done by an intermediate provider.
• Commission must provide guidance as to what constitutes “reasonable analytics.”
• Gateway providers cannot know their customer if the customer is defined as the call originator.
• C-level (gateway) attestation has an important role in the SHAKEN environment.

Fifty-One (51) State Attorneys General

• Strong agreement with FCC’s proposed rules for gateway providers.
• The proposed SHAKEN implementation deadline, March 1, 2023, is too long. The deadline should be 30 days after the order is published in the Federal Register.
• The SHAKEN mandate should be imposed without extensions or exemptions.
• Gateway providers should be required to ensure by contract that the calling party is authorized to use the U.S.-based calling telephone number.
• Gateway provider should be required to provide a certification to the Robocall Mitigation Database (RMD). However, this should not provide safe harbor or immunity from current legal obligations under the Telephone Sales Rule or elsewhere.

GSMA

• The FCC should do more to educate its overseas counterparts on robocall mitigation.
• The GSMA’s WAGREE working group is developing templates for international roaming agreements.
• Some overseas providers are concerned about cooperating with traceback requests, which license or privacy laws in those countries would not allow.
• FCC collaboration with foreign counterparts could improve cooperation.
• The GSMA is working on a fraud information sharing platform and would like to brief the FCC on this project.

iBASIS, Inc.

• The FCC should not impose unique mandates on gateway providers. Instead, gateway providers should be required to register in the RMD and certify that they have implemented a reasonable robocall mitigation plan.
• Conversational traffic, such as wireless roaming calls, should be exempt from robocall mitigation measures.
• The Commission should not require gateway providers to authenticate calls, which would result in a flood of C-level attestations that provide no useful information. The traceback process doesn’t require C attestations and would gain little benefit from them.
• The Commission should enable permissive blocking with safe harbor protection.
• A reasonable mitigation plan for gateway providers would involve monitoring of high-volume traffic using NANPA calling numbers, investigating suspicious traffic, cooperating with traceback, and blocking traffic when appropriate.

National Consumer Law Center

• The FCC should make it clear that all providers in the call path will be considered liable for consumer losses resulting from scam calls and illegal robocalls transmitted through their network that they knew or should have known were illegal.
• The Commission should require public disclosure of substantiated traceback information.
• The Commission should declare that when providers continue to transmit illegal calls after notice from any source that the traffic is illegal, the providers will be automatically delisted from the RMD.
• The Commission should treat ongoing provider non-compliance as complicity with bad actors and ban such providers from participating in the telephone network.

NCTA - The Internet & Television Association

• Filed their comments specifically to address the proposal to require downstream providers to block calls from a gateway provider. Because gateway providers often transmit a mix of calls originating overseas and domestically, downstream providers should have safe harbor protection for inadvertent over- or under-blocking that results from efforts to comply with a blocking mandate.
• The Commission should not have special requirements for when a provider plays a certain role. Instead, the Commission should apply a straightforward, consistent approach to reduce operational complexities and avoid opportunities for gamesmanship by bad actors.

TransNexus

• We filed reply comments to reaffirm the availability of SHAKEN in non-IP networks and clarify participation requirements by providers that do not rely on non-IP network technology.
• SHAKEN has been extended to non-IP networks with the approval of two new ATIS standards, ATIS-1000095 (Extending STIR/SHAKEN over TDM) and ATIS-1000096 (SHAKEN: Out-of-Band PASSporT Transmission Involving TDM Networks).
• The out-of-band framework standard described in ATIS-1000096 is not “out-of-band STIR.” There are important differences between out-of-band STIR and the approved standard.
• Neither ATIS-100095 nor ATIS-1000096 place any new requirements on SHAKEN-compliant VoIP service providers that do not rely on non-IP network technology.
• Out-of-Band SHAKEN has been deployed by over 50 service providers in their real-world production networks.
• The Commission should phase out the non-IP SHAKEN extension.

USTelecom - The Broadband Association

• Any new rules should apply to all providers, not just gateway providers, to ensure a clear, consistent, streamlined approach.
• Gateway-specific requirements will be ignored by fly-by-night bad actors, create unintended consequences, and leave gaps in the regime while placing additional burdens on providers who already protect the network.
• The Commission should require that all providers submit certifications in the RMD and implement a robocall mitigation program.
• If gateway providers must sign unsigned calls, they generally would only be able to provide C-level attestation. Such attestation would provide almost no benefit at an extensive and disproportionate cost.
• The traceback process has become so quick and efficient that C-level attestations offer at best a marginal benefit.

Verizon

• The FCC should impose meaningful robocall mitigation obligations on all providers that handle calls with U.S. calling numbers.
• Every entity, regardless of location, that chooses to handle traffic with U.S. calling numbers should be required to step into a regime that ensures such traffic is not illegal.
• All service providers that handle calls with U.S. calling numbers must register in the RMD.
• The Commission should encourage the use of private sector-led reputation monitoring services.
• The Commission should actively consult and coordinate with foreign regulators.
• Many gateway providers are too far removed from the originating service provider.
• Bad actors will find ways to bypass providers that self-identify as gateways.
• C-level attestations do not help analytics, especially when analytics only considers verstat.
• C-level attestations don’t help with traceback. Robust participation in traceback would be better.
• SHAKEN by itself doesn’t stop robocalls. Providers should be required to do SHAKEN and robocall mitigation.

Voice on the Net Coalition

• Gateway provider definition should be the first intermediate provider in the call path of a foreign-originated call that receives the call at its U.S.-based facility before transmitting the call to another intermediate or terminating provider.
• It’s extremely difficult to determine when a customer is a foreign provider. IP addresses can be spoofed, and businesses can use virtual offices as local addresses.
• Gateway providers terminating calls to their customers should not be required to block calls.
• The Commission should not mandate additional blocking requirements until the analytics and redress process have been adequately tested.

YouMail, Inc.

• Analytics can be very effective, depending upon sample size, parameters measured, and algorithms used.
• The Commission should provide indexed-base safe harbor protection for gateway providers
• The Commission should clarify consistent rules about who’s responsible for blocking bad traffic.

ZipDX LLC

• These reply comments distinguish between conversational traffic and high-volume computer driven calling.
• Illegal robocalls are typically high-volume computer driven calls with short duration. Most change spoofed caller ID frequently to deceive analytics software.
• These patterns can be used to distinguish conversational traffic from high volume short duration traffic, where the illegal robocalls are. The regulatory framework should focus on high-volume short duration traffic, i.e., non-conversational traffic.
• A checkbox should be added to the RMD to indicate that the provider accepts non-conversational traffic.
• Providers should not accept non-conversational traffic from providers that have not checked the non-conversational traffic box in their RMD filing.
• The robocall mitigation regulation should be changed to say “Every provider must proactively and effectively mitigate illegal robocalls regardless of their role in the call without waiting from notification from the Commission or traceback consortium.”

TransNexus solutions