Along with its Report & Order requiring voice service providers to implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (“IP”) portions of their networks by June 30, 2021, the Federal Communications Commission (FCC) has recently released a Further Notice of Proposed Rulemaking (“FNPRM”) seeking public comments on various unresolved STIR/SHAKEN implementation issues. Initial comments are due May 15, 2020, and reply comments must be filed by May 29, 2020.
STIR/SHAKEN is a call authentication framework or protocol that allows carriers to determine whether caller ID information matches the caller’s actual telephone number. The solution accomplishes this through digital certificates. Telephone service providers obtain these certificates from certificate authorities that are trusted by other telephone carriers. The certificates then enable call recipients to verify that the calling number is accurate and that it has not been spoofed. A brief summary of the key open STIR/SHAKEN implementation issues discussed in the FNPRM follows.
Extending the STIR/SHAKEN Implementation Mandate to Intermediate Providers
To ensure that caller ID authentication information reaches call recipients, the FCC proposes extending its STIR/SHAKEN mandate to intermediate providers. The FNPRM proposes to define “intermediate provider” as “any entity that carries or processes traffic that traverses or will traverse the [Public Switched Telephone Network] at any point insofar as that entity neither originates nor terminates that traffic.” For authenticated calls, the FCC intends to require intermediate providers to pass through, on an unaltered basis, any Identity header they receive to the subsequent intermediate or voice service provider in the call path to ensure end-to-end authentication. We expect that an intermediate provider that fails to pass unaltered Identity headers would be subject to an FCC enforcement proceeding that could result in civil forfeitures and, in extreme cases, a loss of operating authority.
When an intermediate provider receives an unauthenticated call that it will exchange with another intermediate or voice service provider as a SIP call, the FCC plans to require “gateway” or “C” attestation to authenticate the call. Such attestation conveys that the provider has no relationship with the initiator of the call, but has recorded the entry point of the call into its IP network. This requirement would provide “a useful data point to inform analytics and allow for traceback of the call to the gateway source.”
Finally, the FNPRM ventures into non-IP traffic in two ways. First, it asks whether STIR/SHAKEN should be extended to non-IP infrastructure, proposing that the mandate be limited to IP portions of intermediate networks, consistent with the adopted rules for originating and terminating carriers. Some engineers have suggested, for example, that a TDM-based carrier without SIP capacity can use different trunk groups between its switch and a TDM to SIP converter. Trunk Group A could carry traffic that has Attestation Level A, etc. The converter can, in turn, send that traffic to a SHAKEN server and receive the token that, in turn, can be sent the SIP interconnection point.
Second, the FCC seeks comments on how to prevent the use of non-IP intermediate providers to bypass the STIR/SHAKEN mandate (e.g., how to prevent a gateway or originating voice service provider from concealing its identity as the source of a call by purposefully routing that call through an intermediate provider that uses non-IP technology).
Small Provider Exemption
The FCC proposes to give small providers an additional year to implement STIR/SHAKEN. The proposal defines small providers as those with less than 100 thousand subscriber lines, which should probably treat a cloud-based “seat” as a subscriber line. This is justified because, for instance, many Cloud Communications Alliance (“CCA”) members measure their size by “seats,” not subscriber lines.
The industry has not yet adopted specific standards and protocols that would allow maximum authentication for calls originating from enterprises where the originating provider did not assign the number being used in the caller ID. This is problematic for the CCA because its members’ customers are almost all enterprises.
Full authentication of international calls continues to pose significant challenges, most especially when they use U.S.-based numbering resources in their calling party information because the FCC cannot force foreign carriers to participate in the STIR/SHAKEN program. The FCC seeks comments on practical solutions for such calls and mentions technical industry guidance.
Prohibiting Line Item Charges for Caller ID Authentication
The FNPRM proposes prohibiting voice service providers from imposing additional line item charges on consumer or small business subscribers for caller ID authentication, as expressly required by the enabling statute. The FNPRM proposes to interpret “consumer” to refer to residential mass market subscribers. For small businesses, the FCC proposes to adopt the Small Business Administration’s definition of “small business” — which, in most cases, requires businesses to have less than 500 employees — but is open to defining small businesses in terms of the number of subscriber lines. The FCC seeks comment on whether the line-item charge prohibition should also be extended to other providers.
Importantly, the FCC also seeks comments on whether covered providers should be permitted to recover their caller ID authentication costs indirectly.
The CCA expressed concern that since some carriers have not or cannot implement caller ID authentication, legitimate calls may not always receive verification. As a result, they may be blocked or otherwise fail to reach the intended recipient. The FCC now seeks comments on this issue.
Access to Numbers
The FCC wants to keep bad actors from gaining access to numbering resources. Accordingly, it seeks comments on any changes that could help stop bad actors from obtaining numbers, such as certifications and/or know your customer obligations.
Jonathan S. Marashlian is Managing Partner with the law firm of Marashlian & Donahue, PLLC, The CommLaw Group.