FCC previews new SHAKEN rules

The FCC published new STIR/SHAKEN rules up for a vote in their meeting on March 16, 2023. Here’s an overview.

Highlights from the report and order

Here are some of the notable rules we found in the report-and-order:

  • Require the first non-gateway intermediate provider in the call path to authenticate, using STIR/SHAKEN, unauthenticated caller ID information for the SIP calls they receive directly from an originating service provider.
  • Require all providers to take reasonable steps to mitigate illegal robocalls and file mitigation plans in the Robocall Mitigation Database (RMD).
  • The Commission will take enforcement action, including delisting from the RMD, against any provider whose certification is deficient or who accepts calls directly from a provider not listed in the RMD.
    • Expedited delisting for deficient filings in the RMD
  • Increased forfeiture penalties.
  • Additional RMD information will be required:
    • Whether the filer is a voice service provider serving end users, a wholesale provider originating calls on behalf of other providers, or a voice service provider without a STIR/SHAKEN obligation;
    • The filer’s OCN, if it has one.
  • Satellite providers that don’t originate calls with NANP numbers don’t have to use STIR/SHAKEN.
    • Small satellite providers have an ongoing extension from TRACED Act obligations

Next steps

At their meeting on March 16, 2023, the commissioners will vote to approve the Sixth Report and Order. This will establish these rules in law and set compliance dates for them to take effect.

Our thoughts

We were surprised by the final version of the STIR/SHAKEN requirement for intermediate providers. The initial proposal in the fifth FNPRM on STIR/SHAKEN was easy to understand: any intermediate provider must sign an unsigned call.

The version in the report and order requires a non-gateway intermediate provider to sign unsigned calls only if it is the first non-gateway intermediate provider in the call path. What happens when they receive a call from an upstream provider that does both, that is, originates some calls and is an intermediate provider for others? How does an intermediate provider know if it was the first intermediate provider in the call path?

The report and order addressed this question in footnote 73, stating that intermediate providers should know whether they receive calls directly from an originating provider because they have contracts with upstream providers. However, the comments they cited to support this claim were discussing know-your-customer vetting best practices, not call-by-call identification of the originating service provider role.

The Commission has previously been careful to frame its rules on a call-by-call basis. The intermediate signing rule breaks from this pattern. Now, intermediate providers must treat upstream providers on an entity basis instead.

Updated March 9, 2023: USTelecom addressed this issue in an ex parte notice that they filed with the Commission. Here’s how USTelecom suggested that the Sixth Report and Order should clarify this rule:

Providers may […] require their upstream provider to sign any traffic it originates and represent and warrant that it does not originate any unsigned traffic it passes on. Consistent with the Draft Order’s rejection of a strict liability standard, the Commission should make explicit that providers are deemed in compliance when they take such steps and have no reason to know, and do not know, that their upstream provider is sending unsigned traffic it originated.

End of update

To be clear, we’re not big advocates of STIR/SHAKEN signing by intermediate providers anyway. Intermediate providers typically don’t know anything about the caller or the calling number. If they sign a call, they should provide a gateway C-level attestation. However, this is of limited usefulness in preventing illegal spoofing because it does not authenticate a caller’s verified association with the calling number.

As we’ve noted many times in our monthly STIR/SHAKEN statistics blog posts, there are many robocalls signed with C-level attestation. Clearly, this does nothing to help prevent illegal spoofing.

It would be much better for the Commission to focus on originating voice service providers, those who know the caller and can sign their calls with full A-level attestation. This provides the best, most useful information for preventing illegal robocalls. It would hold them accountable for their STIR/SHAKEN attestations.

Here’s the full text of the Report and Order and FNPRM.

newspaper

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.

Request information

* required

This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.