Reply comments on proposed SHAKEN and robocall mitigation rules

The FCC received reply comments on proposed rules for SHAKEN and robocall mitigation. Here’s a summary of individual comments and recurring themes.

Recurring themes

Here are some recurring themes that we noticed among the comments:

  • There was strong support for the proposal that all domestic providers should implement and certify robocall mitigation programs and plans.
  • Momentum seems to be moving in favor of requiring non-IP providers to either convert to IP or implement a non-IP SHAKEN extension. There seems to be two factors driving this:
    1. It would enable the originating provider’s authentication, which is the most informative, to survive transit all the way to the terminating provider. This is better than having intermediate providers sign unsigned calls, which wouldn’t add much value. There’s a growing realization that it’s much more valuable to have calls signed at the source rather than somewhere in the middle of the call path.
    2. IP-based providers don’t have to do anything to support these non-IP methods. They face no additional burden whatsoever.
  • Several commentors noted that, just because a provider receives several traceback requests, that doesn’t mean that they’re a bad actor. This argues against publishing traceback data or imposing strict “three strikes’ penalties.
  • Several commentors raised the “attestation inflation” issue as a cause for concern.
  • There was an even split on the third-party signer question: does a third-party signer, using its own SHAKEN certificate, satisfy the originating provider’s SHAKEN obligation?
    • Opponents: This third-party signing arrangement undermines accountability and usefulness of attestation levels and provides a path for illegal robocalls.
    • Proponents: Third-party signers can always cut off originating providers that originate or transmit robocalls.

Comments

There were 126 pages of reply comments from 14 filers. Here are summaries of each. There were some thoughtful comments offered, and you can click the link to read that organization’s filing.

American Bankers Association

  • FCC should not restrict use of U.S. numbers for calls originated outside of the U.S.
  • FCC should not impose additional requirements on providers that carry non-conversational traffic.
  • FCC should require providers that use TDM to implement an alternative technology to verify the authenticity of calls that travel on TDM networks.
  • FCC should restrict any display of data on call recipient’s phone for unverified calls.

ACA Connects – America’s Communications Association

  • Many facilities-based small broadband providers resell voice service from an underlying provider. FCC should distinguish these arrangements from complicit providers that enlist downstream providers to sign their calls to thwart accountability.
  • Does not object to the FCC requiring providers that lack control over the infrastructure necessary to implement SHAKEN to file certifications in the Robocall Mitigation Database (RMD).
  • Forfeitures for failure to block calls should not extend to providers acting in good faith.
  • FCC should maintain “reasonable steps” standard for robocall mitigation programs and should not impose more prescriptive mandates.
  • FCC should not impose a hard-and-fast 24-hour deadline to respond to traceback requests.

Cloud Communications Alliance

  • All providers should prepare and file in the RMD reasonably detailed robocall mitigation plans.
  • FCC should phase out the non-IP network exemption.
  • Rather than impose authentication obligations on all intermediate providers, the Commission should instead require all providers to prepare and file robocall mitigation plans and phase out the non-IP network exemption.
  • The Commission should reject arguments to hold providers strictly liable for illegal calls.
  • Mandatory blocking should be limited to providers that are directly connected to the bad actor.
  • Traceback requests are not indicative of noncompliance. The Commission should not base regulatory obligations or enforcement without regard to good faith efforts that the provider may have undertaken upon receiving notice.
  • The Commission should allow third-party authentication.
    • Third-party signers should be required to have sufficient trust and information to provide an A or B attestation.
    • There’s a SHAKEN standard for delegate certificates that enables entities to obtain an A attestation without having to obtain a token from the STI-PA or a certificate from an STI-CA.

Electronic Privacy Information Center and National Consumer Law Center

  • The Commission’s current methodology relies too much on individual enforcement actions rather than on automated, systemized responses.
  • Multiple providers each year decline to respond to traceback requests, with no apparent consequences.
  • Many RMD plans contain clear and serious compliance errors, e.g., blank pieces of paper, plans for another provider, and the RMD instructions document.
  • It must become more costly for providers to continue transmitting illegal robocalls than it is for them to not transmit them.
  • The Commission should establish a more automated protocol for suspending serial violators from the RMD.

Fifty-One State Attorney’s General

  • The Commission should expand to all domestic providers the requirement to implement both STIR/SHAKEN and robocall mitigation practices, including:
    • 24-hour traceback response
    • Mandatory blocking following Commission notification
    • General mitigation standards
    • File a mitigation plan in the RMD.

INCOMPAS

  • Supports the Commission’s proposal to extend the general mitigation standard and robocall mitigation plan filing requirements to all domestic providers.
  • VoIP providers should not face a higher burden to meet the Commission’s “reasonable steps” standard.
  • The Commission should not automatically suspend providers from the RMD based on the volume of traceback requests they receive.
  • The FCC may not be able to subject foreign providers to FCC jurisdiction.

NCTA – The Internet & Television Association

  • The Commission should encourage providers to transition to IP interconnections and reject suggestions that it require non-IP call authentication.
  • Should providers with IP-based networks be required to support or implement non-IP authentication solutions, they would be doubly burdened and forced to incur unnecessary costs as a result of another provider’s failure to transition to IP.

NTCA – The Rural Broadband Association

  • Smaller rural operators are staring down an “authentication to nowhere” problem:
    • The vast majority of their calls are routed through TDM tandem switches that are owned and operated by other carriers.
    • Any SHAKEN information provided in calls disappears as they transit these TDM tandem switches.
  • The TRACED Act included provisions to exempt non-IP facilities from call authentication requirements.
    • The FCC provided a non-IP SHAKEN exemption that required operators to participate in standards body efforts to develop a non-IP standard for call authentication.
    • The “Shaken Out-of-Band” and “Shaken over TDM” standards have emerged from the standards body process and meet the requirements for a non-IP standard that is “reasonably available.”
  • The FCC can address the call of Congress to authenticate all voice calls by adopting the non-IP standards.
  • If the Commission declines to adopt non-IP standards, then it must adopt “network edge” rules that enable rural carriers to enter into IP interconnection agreements that preserve existing constructs for the apportionment of transport and other interconnection costs.

Satellite Industry Association

  • Non-NANP satellite voice service providers:
    • Do not constitute a viable threat vector for illegal robocalls
    • Cannot obtain tokens to sign their calls
    • Are already configured to ensure delivery of accurate caller ID information.
  • Therefore, the Commission should provide a SHAKEN exemption for Non-NANP Satellite VSPs.

TransNexus

  • The Commission should not allow a downstream provider’s SHAKEN authentication, using its own SHAKEN certificate, to satisfy an upstream provider’s SHAKEN obligation. Instead, the Commission must require providers that claim a SHAKEN implementation to be approved for SHAKEN by the STI-P, obtain their own SHAKEN certificate from the STI-CA and have their calls signed using SHAKEN with their own SHAKEN certificate.
  • The TRACED Act directs the Commission to grant a delay of required SHAKEN implementation until a call authentication protocol has been developed for non-IP calls and is reasonably available. These conditions have been met. Therefore, the Commission must phase out the non-IP SHAKEN exemption and require providers that rely on non-IP technology or interconnections to either convert to IP technology or implement one or more of the approved standardized SHAKEN extensions for non-IP call authentication.
  • Despite increased SHAKEN participation, the percentage of signed calls received at termination remains stuck at around 24%. This is because of the non-IP exemption.
  • Non-IP SHAKEN extensions do not require any action by providers that do not rely on non-IP technology. Their SHAKEN deployments will continue to work as is.
  • The working group that developed non-IP SHAKEN standards has completed this work. The standards are published, and these methods are reasonably available and implementable. Therefore, providers that rely on non-IP technology can no longer satisfy the Commission’s requirement that they participate in a working group that is working to develop a non-IP solution—that time has passed.

USTelecom – The Broadband Association

  • The Commission should require that all voice service providers, including those who have fully implemented SHAKEN, implement a robocall mitigation plan for all traffic they originate and transit.
    • Intermediate providers should conduct due diligence regarding upstream providers from whom they accept traffic.
  • Originating providers should be expected to have a token, which can be used by downstream providers or other third parties if they sign traffic on behalf of the originating provider.
  • Other proposed approaches will detract from more productive efforts and should not be pursued, such as:
    • Traffic segmentation
    • “Three strikes” rule
    • Traceback publication
    • Intermediate providers signing unsigned traffic
    • A mandate for non-IP caller ID authentication solutions
    • Prescriptive traffic monitoring and segmentation approaches.

Verizon

  • The Commission should use the Industry Traceback Group to identify service providers that routinely accept traffic they know or should know is illegal, and then take enforcement action against such service providers.
  • The Commission should reject proposals such as the “three strikes” rule.
  • As illegal robocallers are deterred from using aggregators that specifically cater to their traffic, they may route their traffic via larger providers with bilateral gateway relationships. Simply cutting off a foreign service provider after a few illegal calls may cause significant disruptions and harm consumers.
  • The Commission should prioritize enforcement against originating providers that fail to sign their traffic, or that sign with As or Bs but do not know the identities of the callers. (Verizon’s honeypot data indicate that approximately 9% of illegal traffic is signed with A or B attestation.)
  • The Commission should encourage industry to develop global, scalable Know Your Customer tools so every service provider can implement effective robocall mitigation.
  • The Commission should not require intermediate providers to sign unsigned calls. At best, it would have marginal benefit.
  • The overarching objective for call authentication is to ensure that service providers use SHAKEN to elevate trust in calls, which should be accomplished by promoting A attestations.

Voice on the Net Coalition

  • The Commission should reject proposals broadly targeting VoIP providers that will introduce regulatory uncertainty and unnecessary burdens without any likelihood of reducing illegal robocalls.
  • Could providers evade the high-risk non-facilities-based provider category requirements by operating a piece of network equipment?
  • Would these strict criteria for high-risk providers be applied retroactively?
  • The Commission should not restrict the use of U.S. NANP numbers for foreign-originated calls.
  • If the Commission allows third-party authentication with the signer’s certificate, small providers could enter contractual agreements with third-party signers to attest to the user’s identity and right to use the number.

ZipDX LLC

  • Voice service providers take responsibility for authenticating each call with their own SHAKEN certificate.
    • The originating provider can outsource the signing to a third party, but that third party must apply the originating provider’s certificate.
  • Attestation criteria must be followed. Attestation levels A and B indicate that the signer can confirm the identity of the subscriber making the call.
  • The biggest call authentication issue with robocalls is that they are not being signed by the originating provider despite existing rules.
  • Intermediate carriers should sign unsigned calls. It’s less desirable than requiring non-IP providers to implement a SHAKEN-over-TDM solution, but the requirement should be in place.
  • Providers should face strict liability for illegal calls after they’ve been notified by the Commission.
speech bubble

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.