The Federal Communications Commission is putting the hammer down on phone companies and communications providers that can, in some way, be linked to the scourge of robocalls. After more than a year of FCC jawboning amidst an industry-wide move to combat the problem, on December 31, 2019, President Trump signed bipartisan legislation (see the TRACED Act below), giving the FCC more concrete powers against robocalling. This week the agency has begun implementing provisions of the law that would “trace back the origin of suspected unlawful robocalls.”
The FCC’s latest steps are only one of nearly a half-dozen cross-agency and industry-wide actions under way to combat robocalling. And all of these measures are taking place in an environment in which significant questions remain about the STIR/SHAKEN framework for authenticating internet-protocol phone calls.
The industry group that hammered out technical standards governing the ungainly-named STIR/SHAKEN (it stands for “Secure Telephony Identity Revisited/Signature-based Handling of Asserted information using toKENs”) said in December that it had launched verification services for obtaining the cryptographic tokens that will allow phone calls to be authenticated.
Everyone concedes that it will take time for telephony providers to be able to provide assurances that the caller ID information transmitted with a call has not been spoofed.* But for now, the FCC – as well as other federal agencies – are taking aim against foreign robocallers. And that will have immediate impact on so-called “gateway” providers of VoIP traffic originating outside of the United States.
On Tuesday, the FCC called on All Access, Globex, Piratel, Talkie, Telcast, ThinQ, and Third Base to assist in identifying and blocking robocalls Each of the letters said that their company “is being used as a gateway into the Unites States for many apparently illegal robocalls.” The letters then encouraged the company to “take measures to prevent the flow of apparently illegal traffic originating outside” the U.S. and asked a series of enforcement-related questions.
The letters also cite the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED Act”), S. 151, that sailed through Congress last year to nearly unanimous-acclaim. Among many provisions, the TRACED Act requires the FCC, with 90 days of its passage, to “issue rules to establish a registration process for the registrations of a single consortium that conducts private-led efforts to trace back the origin of suspected unlawful robocalls.” FCC Chairman Pai also announced that he had on January 28 circulated draft rules implementing this Section 13(d) of the TRACED Act to his colleagues on the Commission.
It is more important than ever for companies to understand the end-to-end call authentication technology known as STIR/SHAKEN that is at the heart of efforts to reduce unlawful robocalling, as well as the new expectations the FCC has for voice information service providers with significant numbers of foreign customers.
Indeed, the TRACED Act formalizes many of the rules proposed over the last year by industry and government sources including the Alliance for Telecommunications Industry Solutions (ATIS) and the Session Initiation Protocol (SIP) Forum. In July 2019, the FCC gave broad discretion to telecommunications providers to block unwanted calls automatically or via customer opt-in. That “Safe Harbor” provision has now been become law via §4(c) of the TRACED Act. However, the new act does not make the offering of call-blocking services by providers compulsory.
The FCC last year also called for voluntary implementation of STIR/SHAKEN Caller ID protocol by all providers by the end of the year. The TRACED Act defines STIR/SHAKEN in §4(a)(1), and §4(b)(2) makes implementation of this protocol compulsory for all providers of voice service within the next 18 months. The privately developed framework allows providers to attach authentication tags to each phone call which attest to the call’s identity as it moves between providers to its destination. It is particularly important for voice service providers with foreign customers to implement the STIR/SHAKEN protocol as, under new FCC policy, providers may face civil penalties for conveying the calls of bad actors, or even just failing to exercise due diligence in identifying and blocking unlawful calls.
Participation in government efforts against unlawfully spoofed robocalls is no longer voluntary and service providers that have delayed compliance now face stiff penalties for continued inaction. The FCC has signaled it expects not only rapid implementation of anti-robocall technology by the industry, but also enthusiastic cooperation. As mentioned above, Section 13(d) of the Act calls for the consortium of private-led trace-back efforts. These private-led efforts should focus on “fraudulent, abusive, or unlawful” traffic.
In the letters to the seven companies, Enforcement Bureau Chief Rosemary C. Harold asked six questions, falling into two broad categories regarding the nature of each provider’s customer base and its ongoing efforts to combat unlawful robocalling.
First, what procedural and technological methods does the company use to identify unlawful or suspicious calls, and to ensure the authenticity of Caller ID information associated with foreign call traffic? What actions has the company taken in the last six months to “terminate or restrict” suspected unlawful foreign traffic?
Second, what percentage of the company’s business comes from foreign sources, and does the company advertise its services abroad?
The FCC’s letters and regulations circulated to commissioners followed both the Department of Justice’s January 28 announcement of two lawsuits in the Eastern District of New York against voice service providers that are alleged to have facilitated hundreds of millions of fraudulent robocalls to American consumers and the Federal Trade Commission’s January 30 announcement of letters it sent to 19 unnamed VoIP providers warning that assisting and facilitating illegal telemarketing robocalling is against the law. The FCC Enforcement Bureau’s letters are part of a coordinated effort with Justice and the FTC.
Providers which carry foreign phone traffic are clearly being put on notice. They must be prepared to answer these questions in a rapid and thorough manner. It is no longer appropriate to allow potentially unlawful foreign traffic to proceed through to American customers without scrutiny, much less with a revenue-sharing agreement with a robocall generator. Instead, companies are expected to track and attest, within the limits of technology, to the authenticity of the calls they carry, and to take action to inhibit such traffic which proves suspicious or misleading. The TRACED Act specifies the framework for making such identifications, and carves out a safe harbor to formally protect those providers who act to restrict and terminate spoofed robocalls by bad actors.
Major carriers, including T-Mobile, Verizon, and Bandwidth, Inc., have announced within the last week their progress implementing STIR/SHAKEN in accordance with the TRACED Act. These companies report success in initial, limited-scope rollouts of the Caller ID tagging technology, and emphasize the need not only for gradual deployment, but also inter-company cooperation in order to guarantee a robust and standardized anti-spoofing system.
The CommLaw Group can help your company comply with the expectations of the TRACED Act, the FCC’s implementation and enforcement of the law, as well as actions taken by other government agencies. Whether your company is already well-versed in these issues or needs support from the ground up, please contact Rob Jackson at firstname.lastname@example.org or 703-714-1316 or Drew Clark at email@example.com or 703-714-1323 to schedule a consultation or discuss your concerns.
* It is important to note that there a number of circumstances where a call is legitimate even though the calling number has been altered. For example, a company’s outside salesperson may use the company’s main telephone number as caller ID information.