Comments on proposed SHAKEN, robocall mitigation rules

The FCC asked for feedback on a long list of proposed SHAKEN and robocall rules. They received lots of comments. Here’s a summary of individual comments and recurring themes.

Recurring themes

The FNPRM asked many questions, and understandably, filers generally commented on just a few topics. It’s difficult to know where stakeholders stand on every issue, but there seems to be agreement on some questions:

• Strong support for robocall mitigation by all and Robocall Mitigation Database filing by all
• Opposition to the 24-hour traceback response requirement
• Opposition to special treatment of non-conversational traffic
• Opposition to restricting use of NANP numbers with foreign-originated calls.

There were comments on both sides of a few questions, without a clear consensus:

• Many commented on whether third-party signing by a downstream provider should satisfy the originating provider’s SHAKEN obligation. However, some commenters seemed to be advocating for third party signing but did not grasp the distinction over whether the signer uses its own SHAKEN certificate or a certificate for the originating service provider. It seems that this issue requires further clarification.
• There were comments for and against requiring providers that rely on non-IP technology to either migrate to IP technology and/or implement one or more of the non-IP SHAKEN extensions. Some of the comments opposed to non-IP SHAKEN based their view on an incorrect understanding of how the non-IP SHAKEN methods work or their availability or maturity. It seems that this issue also requires further education.
• There were advocates for and against requiring intermediate providers to sign unsigned calls. Those in favor seemed to believe that more signing must be good, even at C-level attestation, while opponents felt that call authentication should be done at origination, where it adds value to the call authentication effort, and the ecosystem should allow this information to survive transit all the way to the terminating provider.

Comments

The FNPRM contains many questions and proposed rules. Understandably, some comments were lengthy. There were 261 pages of comments from 18 commentators, for an average of 14.5 pages per filing.

Here are summaries of each commentator. Each commentator headline provides a link to their comments filing.

ACA Connects – America’s Communications Association

• Many small facilities-based voice resellers lack control over the necessary infrastructure to implement STIR/SHAKEN. Therefore, they were not required to implement SHAKEN. However, they filed a certification in the Robocall Mitigation Database (RMD) in an abundance of caution to foreclose any risk that intermediate providers would refuse to accept their traffic.
• In their RMD filings, these providers certified—accurately—that all voice traffic that originates on their network is authenticated with STIR/SHAKEN.
  • The RMD filing portal does not provide any option for a provider certifying full STIR/SHAKEN implementation to explain its reliance on a wholesale provider.
• ACA would not object to a new requirement that voice resellers, notwithstanding their lack of implementation obligations, must file in the RMD. Their filing could include a confidential disclosure of any wholesale provider that authenticates some or all their calls.
• ACA is not convinced there is a need for formal robocall mitigation filings from facilities-based small voice service providers that are fully STIR/SHAKEN compliant and have not been identified as a source of illegal robocalls.
• If the FCC extends RMD filings obligations on such providers, it should allow 6 months from OMB approval.
• ACA believes that 24-hour traceback response deadline is unnecessary and unwarranted. Smaller providers may struggle to respond quickly, especially when receiving a request for the first time.
• Despite progress in developing standards, there does not yet appear to be a non-IP authentication solution that is proven to be effective in authenticating calls end to end.

Cloud Communications Alliance

• The FCC should not require intermediate providers to authenticate unsigned calls with STIR/SHAKEN. This would result in numerous C level attestations that provide no information on the authenticity of the number in caller ID and would not materially reduce illegal robocalls.
• The Commission should require non-IP providers to adopt commercially available alternatives to authenticate calls.
  • It’s important that intermediate TDM providers deploy a solution that allows a SIP-based originating provider to authenticate a call and have that authentication reach the terminating provider.
  • Implementation of a non-IP solution is not a substitute for converting TDM networks to IP. It’s a way to fill the current gap in the call authentication ecosystem created by the TDM networks and the reluctance or refusal of some TDM intermediate providers to upgrade their networks and provide IP interconnection.
• The Alliance supports extending the robocall mitigation plan and filing requirements to all domestic providers.
• The Commission should provide further guidance regarding robocall mitigation plans. A reasonable plan should:
  1. Confirm timely traceback response
  2. Outline process used to respond to traffic notification from the Commission
  3. Describe its vetting process
  4. Explain how it identifies and mitigates traffic it determines may be illegal.
• The Commission should not require all domestic providers to respond to traceback requests within 24 hours.
  • There’s no evidence that providers are generally failing to respond in a timely manner
  • There’s no justification for a rigid 24-hour rule that risks creating enforcement liability for legitimate actors.
• The Commission should not impose a strict liability standard for providers placing or processing illegal calls. Mitigation is not foolproof. Instead, the Commission should use a reasonableness standard.
• If a platform provider provides numbers to a reseller, the platform provider should be able to authenticate the call on the reseller’s behalf as an A attestation, otherwise a B attestation may be appropriate.

Comcast Corp.

• The FCC should require all intermediate providers to authenticate unsigned calls they receive.
• The Commission should extend other obligations to other classes of providers.
  • These obligations should be more uniform rules that apply to calls originated either in a foreign country or domestically.
• A “bring your own token” model, in which a third-party hosted SHAKEN service uses the certificate of the originating service provider to sign the call, presents a viable and effective solution.
• The Commission should clarify whether providers that are not required to implement SHAKEN because they lack control over the network infrastructure are required to file a certification in the RMD.

Consensus Cloud Solutions, Inc.

• Consensus Cloud Solutions lack control over the network infrastructure and cannot implement SHAKEN and is ineligible to obtain its own SHAKEN token.
• Those providing the telephone numbers and network infrastructure to support the Consensus eFax service should be permitted to authenticate its traffic with either an “A” or “B” attestation.
• Consensus supports the filing of robocall mitigation plans by providers in such circumstances.

Credit Union National Association, et al – Trade Associations

• The FCC should not impose new obligations on non-conversational traffic. This would result in further blocking of legitimate lawful calls.
• The Commission should require non-IP providers to use commercially available technologies to verify caller ID information. This requirement should apply to all non-IP providers in the call chain.
• The Commission should move cautiously before restricting foreign access to U.S. numbers. There are numerous legitimate uses of U.S. numbers in caller ID for calls that originate in foreign countries.

Electronic Privacy Information Center and National Consumer Law Center

• The FCC should require providers to achieve effective mitigation outcomes (not just reasonable steps) and hold providers strictly liable.
• Until the Commission implements strict liability, the rules should state that each provider in the call path of fraudulent calls is liable for calls that the provider knew, or should have known, were illegal.
• The Commission should automatically suspend from the RMD:
  • High-risk providers that enabled illegal calls
  • Any provider that fails to comply with Commission rules
  • Any provider affiliated with a previously suspended provider.
• The Commission should impose licensing and bonding requirements.
• The Commission should make tracebacks public.

INCOMPAS

• Supports proposal to extend call authentication requirement to domestic intermediate providers, with a deadline of at least 12 months.
• The Commission should secure commitments from voice service providers for IP interconnection to enable end-to-end caller ID authentication.
• Should not impose 24-hour traceback response.
• Ability for providers to investigate and mitigate is preferable to a more prescriptive blocking approach.
• Call blocking could be used to raise barriers to competition and discriminate against competitive providers.
• Support blocking bad-actor providers that fail to take appropriate steps to mitigate bad traffic.
• “Non-conversational traffic” is a subjective standard that would be inappropriate. Not all non-conversational traffic is bad.
• Providers that are unable to implement SHAKEN should be required to conduct robocall mitigation.
• Third-party caller ID authentication should be allowed to satisfy an originating provider’s obligation. The RMD should be modified to bring an originating provider into compliance.

NCTA – The Internet & Television Association

• Support requiring intermediate providers to authenticate unauthenticated calls they receive.
• A requirement for all providers, including those that have already implemented STIR/SHAKEN, to adopt a non-IP call authentication solution would be counterproductive.
• Support proposals to extend a general robocall mitigation standard to providers that have implemented SHAKEN, require all intermediate providers to submit a certification in the RMD, require all providers to submit a robocall mitigation plan if they have not already done so.

New York State Public Service Commission

• Strongly agrees with FCC proposal to extend robocall mitigation rules for gateway providers to also include intermediate providers.
• Does not believe that extending these rules to intermediate providers would be overly costly or burdensome. Evidence suggests that many gateway providers are also intermediate providers and thus have already implemented SHAKEN. As more providers implement SHAKEN, the technology will become more ubiquitous and less costly to implement.

Professional Association for Customer Engagement (PACE)

The Commission should not treat conversational and non-conversational call traffic differently for these reasons:

• Call length alone is not a reliable indicator of whether a call is illegal.
• Imposing enhanced obligations of providers that carry short duration calls would jeopardize billions of legal and important calls.
• Singling out non-conversational traffic for increased restrictions violates the First Amendment. Such restrictions would be content-based and cannot survive strict scrutiny.
• This proposed rule would not survive intermediate scrutiny either because it would restrict how callers place calls.
• The Commission lacks statutory authority to imposed heightened restrictions for short duration calls.
• Other proposals would be more effective, such as requiring all providers to have a robocall mitigation plan and encouraging providers to focus their robocall mitigation efforts on call characteristics that the Industry Traceback Group has identified.

RingCentral, Inc.

• The Commission should wait until after June 30, 2023, to assess the effectiveness of existing rules and recent actions before imposing new rules.
• The Commission should issue clear orders to block traffic that it has identified as illegal.
• Targeting non-conversational traffic would be unworkable and ineffective.
• The FCC should clarify that affirmative effective measures include terminating customers that originate illegal calls.
• RingCentral supports third-party authentication within the STIR/SHAKEN framework.

Satellite Industry Association

In their comments, the Satellite Industry Association listed reasons why the TRACED Act and STIR/SHAKEN mandate should not apply to some satellite voice service providers.

• Some satellite voice service providers rely on NANP resources for originating numbers. They should be subject to the STIR/SHAKEN requirements.
• Other satellite providers, however, rely principally or exclusively on non-NANP resources for their originating numbers. They should not be subject to STIR/SHAKEN requirements.
• Non-NANP Satellite VSPs have already implemented a caller-ID authentication technology that exceeds STIR/SHAKEN. Calls lacking accurate caller-ID cannot be terminated.
• Robocallers don’t use satellite service because the economics would not be viable.

Telnyx LLC

• Requiring intermediate providers to attest to unsigned calls might do more harm than good. Legitimate calls signed by the originating provider with A attestation but lost such authentication data because of non-IP networks could be inappropriately labeled or blocked.
• By flooding the SHAKEN ecosystem with C attestations, the FCC would significantly reduce the usefulness of SHAKEN metadata to both originating and terminating providers. Instead, the FCC should promote the adoption of IP technology.
• Telnyx is opposed to 24-hour traceback response requirement, prescribed robocall mitigation measures, and sector-specific requirements (e.g., additional requirements for VoIP providers).
• The Commission should not impose restrictions on the use of NANP numbers.
• Telnyx is opposed to differential treatment of conversational traffic.

TransNexus

• A third-party signing calls with its own SHAKEN certificate does not satisfy the SHAKEN requirements for upstream providers.
• The Commission should require providers that claim a SHAKEN implementation to:
  1. Be approved for SHAKEN by the STI Policy Administrator
  2. Obtain their own SHAKEN certificate from an STI Certification Authority
  3. Have their calls signed using STIR/SHAKEN with their own SHAKEN certificate.
• The Commission should phase out the non-IP SHAKEN exemption and require providers that rely on non-IP technology or interconnects to choose one or more of three options:
  1. Replace non-IP technology with IP technology that supports SHAKEN and non-IP interconnects with IP interconnects.
  2. ATIS 1000095
  3. ATIS 1000096

USTelecom – The Broadband Association

• The Commission should extend robocall mitigation expectations to all providers and contexts. All providers should implement a robocall mitigation program and certify it in the RMD regardless of their role in the call path or whether they’ve implemented SHAKEN.
• A significant portion of calls signed as C—and even as A or B—turn out to be illegal robocalls, often signed by a downstream provider using its own token. This undermines the accountability STIR/SHAKEN is intended to impose. It waters down reliability of attestation levels, reducing the potential analytical value of authentication information across the ecosystem.
• The Commission must clarify that while providers are free to rely on downstream providers to sign traffic on their behalf, those third parties should only sign with the originating provider’s token, except in limited circumstances.
• The Commission should clarify that, for the purposes of the STIR/SHAKEN standard, a “customer” means an end user and not a wholesale upstream provider. This will ensure that when intermediate providers do choose to sign traffic, they do not apply A- or B-level attestation when they do not know who the actual end user caller is.
• The Commission should not extend the requirement to sign unsigned traffic to intermediate providers. Because intermediate providers won’t know the end user, the proposed requirement will result in even more C-level attestations of limited value.
• Commission policy should drive providers and the market to seek A-level attestations.
• The Commission should not sunset the non-IP extension at this time.

Voice on the Net Coalition

• Opposed to 24-hour traceback response time mandate.
• Not opposed to blocking traffic, rather than investigate and mitigate, provided the order is clear that all traffic from an offending provider should be blocked.
• Opposed to restrictions on non-conversational traffic, which VON believes are unworkable and problematic.
• The Commission should require all voice service providers to take reasonable steps to mitigate illegal traffic.
• VoIP-specific requirements would be anti-competitive.
• Opposed to a strict liability regime.
• Strict limitations on use of U.S. caller ID on foreign traffic would harm U.S. businesses and consumers.
• Support third party authorization.

YouMail, Inc.

YouMail supports the following:

• 24-hour traceback response
• Blocking, rather than mitigate, traffic when notified by the Commission
• Affirmative effective measures to prevent new and existing customers from originating illegal calls.
• Implement and certify robocall mitigation regardless of whether they are intermediate providers or have implemented SHAKEN.

ZipDx LLC

• All providers should be required to authenticate calls.
• There is attestation inflation taking place. Providers are making millions of numbers available so callers can claim A-level attestation. Providers are applying B-level attestation when it is clear that they do not know the identity of the caller and should have applied C-level attestation.
• Prioritization of non-conversational traffic is appropriate. Providers that carry this traffic should certify in the RMD and accept strict liability.
• Signing on behalf of must be eliminated. An originating provider must have its calls signed with its own SHAKEN token. The call authentication framework crumbles without this.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.