FCC has more questions about STIR/SHAKEN
The Commission is requesting more feedback on STIR/SHAKEN third-party signing. They will vote at their next meeting to launch another FNPRM process. This article reviews some of their key questions. Let’s have a look.
There are two sets of rules up for a vote at the Commission’s open meeting on March 16, 2023:
- Sixth Report and Order. These rules were originally published for discussion with the Fifth Caller ID Further Notice in May 2022. The Commission received comments and reply comments on the Fifth FNPRM. Now they will vote to put these rules into effect. We covered these rules in our previous article, FCC previews new SHAKEN rules.
- Sixth Further Notice of Proposed Rulemaking. This is a new set of rules for STIR/SHAKEN. The Commission will vote on March 16, 2023, to launch this FNPRM, which begins a process to collect comments for the Commission’s consideration.
In this article, we turn our attention to the Sixth FNPRM. The primary issue for rulemaking involves third-party signing by a downstream provider.
Third-party caller ID authentication
The Commission invited discussion of third-party signing in their Fifth FNPRM and received comments and reply comments from several entities.
In their Sixth FNPRM, the Commission wrote that the record is not sufficient for them to decide on policy. They have asked for more comment on third-party signing and whether any changes should be made to the Commission’s rules to permit, prohibit, or limit their use.
The Sixth FNPRM includes many questions about third-party signing. Here are some of the key questions:
- What types of third-party signing arrangements are being used?
- Can a third-party signer authenticate calls with an A- or B-level attestation in keeping with the ATIS standards? If so, what information must be shared?
- How is third-party signing related to technical solutions described in the 2021 Small Providers Report published by the NANC?
- Benefits and pitfalls of third-party signing?
- Should the Commission amend its rules to explicitly authorize third-party signing?
- Should the Commission clarify that, for STIR/SHAKEN rules, a “customer” means an end user and not an upstream provider?
- If the Commission explicitly authorizes third-party signing, should it also require third parties to sign calls using the originating provider’s SPC token?
- Should the Commission prohibit providers from certifying to have implemented STIR/SHAKEN in the Robocall Mitigation Database unless their calls are signed with their own SPC token, whether directly or through a third party?
- Are there security concerns implicated by a provider sharing its SPC token with another entity for signing calls?
- What are the costs and benefits of the Commission explicitly authorizing or prohibiting third-party signing?
- Should the Commission address third-party signing via rulemaking or a declaratory ruling?
- Would the Commission have the legal authority to impose rules on third-party signers?
Clearly, the Commission wants to develop a thorough discussion and record on third-party signing. In addition, the FNPRM seeks input on a few other issues.
Eliminate the implementation extension for providers that cannot obtain an SPC token
Since the STI Governance Authority changed its token access policy, is this extension still necessary? Could the Commission eliminate this extension and accommodate rare cases with standard waiver provisions?
Digital equity and inclusion
The Commission invites comment on any equity-related considerations, if any, related to the proposals and issues discussed in the Sixth FNPRM.
Our thoughts
We think that the Commission’s existing orders already require that originating voice service providers (OSPs) must authenticate their calls with their SHAKEN certificate. Having a call signed by a downstream third-party provider using the third-party provider’s certificate does not satisfy the originating provider’s obligation.
We believe that it’s fine for an originating voice service provider to have its calls signed by a third-party signing service if the service uses the OSP’s SHAKEN certificate to do so.
These ideas seem consistent with the STIR/SHAKEN standards. This approach closes the downstream provider loophole that many providers are exploiting to evade accountability for originating or transiting illegal robocalls. Many robocalls are signed with B- or C-level attestation by downstream third-party providers using their SHAKEN certificate.
TransNexus solutions
TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.
Contact us today to learn more.
Our STIR/SHAKEN products:
- Work with your existing network
- Support SIP and TDM
- Affordable, easy to deploy