As expected, the FCC has recently released a Report & Order (the “Order”) requiring all voice service providers to implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (“IP”) portions of their networks by June 30, 2021. This action marks a key milestone in the Commission’s arduous efforts to crack down on robocalls, attempts to impersonate government officials over the phone to defraud consumers, and other forms of illicit voice traffic. The FCC specifically estimates that the benefits of eliminating the time lost and other inconveniences caused by illegal scam robocalls will likely exceed $3 billion annually, and expects the new rules to increase consumer trust in the legitimacy of caller ID information, encouraging them to answer calls from unknown numbers. These changes will, in turn, benefit various businesses, including healthcare providers, especially during the current COVID-19 pandemic.
STIR/SHAKEN is a call authentication framework or protocol designed to enhance the integrity of the originating call identifying data sent across networks. It is an industry standard designed to enable service providers to cryptographically sign calls in the Session Initiation Protocol (“SIP”) header, thus, allowing carriers to determine whether caller ID information matches the caller’s actual telephone number. The solution accomplishes this through digital certificates. Telephone service providers obtain these certificates from certificate authorities that are trusted by other telephone carriers. The certificates then enable call recipients to verify that the calling number is accurate and that it has not been spoofed. As the Order points out, the widespread adoption of STIR/SHAKEN “will reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help voice service providers identify calls with illegally spoofed caller ID information before those calls reach their subscribers.”
The Cloud Communications Alliance (“CCA”) filed comments in this proceeding, highlighting, among other issues, that only carriers with their own Operating Company Numbers (“OCNs”) and direct access to numbers can currently participate in the framework. In response, the FCC expresses interest in collaborating with the CCA and its members to resolve these problems expeditiously.
Under the new rules, all originating and terminating voice service providers must fully incorporate STIR/SHAKEN into all components of their voice networks that support SIP transmission. They must also exchange calls with authenticated caller ID information with the providers with which they interconnect. In complying with these obligations, providers must specifically satisfy the following three requirements:
- A voice service provider that originates a call that exclusively transits its own network must authenticate and verify the caller ID information consistent with the STIR/SHAKEN authentication framework;
- a voice service provider originating a call that it will deliver to another voice service provider or intermediate provider must authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework and, to the extent technically feasible, transmit that caller ID information with authentication to the next provider in the call path; and
- a voice service provider terminating a call with authenticated caller ID information it receives from another provider must verify that caller ID information in accordance with the STIR/SHAKEN authentication framework.
The STIR/SHAKEN mandate applies regardless of the volume of originating illegal robocalls on a particular network. Thus, a demonstrated absence of unlawful originating traffic will not excuse your company from implementing STIR/SHAKEN. However, voice providers who lack control over the network infrastructure necessary to implement STIR/SHAKEN, i.e., pure resellers of another provider’s network, are exempt from the mandate.
Along with the Order, the FCC has also issued a Further Notice of Proposed Rulemaking (“FNPRM”) addressing various unresolved questions concerning the full adoption of the STIR/SHAKEN framework, including implementation exemptions and deadline extensions. We will cover this FNPRM in a separate advisory.
Failure to comply with the new STIR/SHAKEN rules could subject your company to steep fines and/or other sanctions. If you have any questions about your STIR/SHAKEN obligations, please contact Robert H. Jackson, Esq. at (703) 714-1316 or firstname.lastname@example.org, or Michal J. Nowicki, Esq. at (703) 714-1311 or email@example.com. Mr. Jackson has been involved with the regulatory aspects of telephone numbering and network operations issues since the early 1990s, both in-house as an executive director for US West (now a part of CenturyLink) and as legal counsel to hundreds of telephone companies and VoIP service providers. He has served on a working group of the North American Numbering Council and as a participant in the Industry Numbering Committee of ATIS (the Alliance for Telecommunications Industry Solutions).