Nearly all Companies in the “Call Origination-to-Call Completion” chain are impacted by a variety of federal laws, FCC’s Rules, and industry group policies implementing industry-wide measures intended to materially reduce the volume of unwanted and/or illegal robocalls plaguing American consumers of voice communications services.
The CommLaw Group publishes this Client Advisory as a “Guide” to the STIR/SHAKEN, Robocall Mitigation & Compliance Regime. Each Company covered by the Robocall Mitigation & Compliance Regime (hereafter referred to as “STIR/SHAKEN”) may be impacted differently, and thus may necessitate a thoughtful and strategic “Company-Specific” action plan to ensure compliance (and avoid having voice calls blocked or other economic and regulatory enforcement consequences).
Upon reviewing the following Advisory, should you have questions, concerns, or if you seek guidance with respect to your Company’s duties and options under the STIR/SHAKEN regulatory regime, please contact us! We are here to help!
The CommLaw Group’s STIR/SHAKEN Compliance Team
Robert H. Jackson
Jonathan S. Marashlian
What is STIR/SHAKEN?
STIR/SHAKEN is a technology framework designed to reduce fraudulent robocalls and illegal phone number spoofing. STIR stands for Secure Telephony Identity Revisited. SHAKEN stands for Secure Handling of Asserted information using toKENs.
The FCC has adopted rules requiring service providers to deploy a STIR/SHAKEN solution by June 30, 2021.
Why is STIR/SHAKEN so important?
Between 3 and 5 billion robocalls are made each month, and research suggests that more than 40% of those calls are thought to be fraud-related.
STIR/SHAKEN is an industry-wide initiative to restore trust in our voice communications. Its goal is to prevent fraudsters from scamming consumers and businesses through robocalls and illegal phone number spoofing, while making sure that legitimate calls reach the recipient.
This Client Alert provides a summary of key issues related to STIR/SHAKEN compliance along with new information related to robocall mitigation. This Alert also discusses the changing path to STIR/SHAKEN call authentication authority and “know your upstream customer” requirements.
Who Must Comply and When
The Federal Communications Commission (“FCC” or “Commission”) requires that all voice service providers (“VSPs”), with some exceptions discussed below, implement the STIR/SHAKEN caller ID authentication framework in the Internet Protocol (“IP”) portions of their networks by June 30, 2021.
The FCC defines a VSP, for the purposes of STIR/SHAKEN, as any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan (“NANP”). This includes common carrier voice, interconnected Voice over Internet Protocol (“iVoIP”), one-way VoIP, fax transmissions and services, and over-the-top voice services (e.g., Skype, Google Voice). Resellers, while included in the VSP definition, do not have control over how the calls are transmitted. Hence, resellers should work with their facilities-based vendor to determine whether outbound calls will be authenticated and confirm that inbound calls will be verified before being presented for termination.
STIR/SHAKEN is a series of protocols and a governance framework that ensure caller ID has not been spoofed, in order to reduce the number of illegal robocalls. STIR/SHAKEN works by authenticating and verifying encrypted information used to attest to the accuracy of caller ID information. When a subscriber makes a call, an originating voice service provider (“OVSP”) adds a unique header to the network-level message used to initiate a SIP call (“SIP INVITE”). The OVSP uses an authentication service to create this “Identity Header” containing encrypted identifying information as well as the location of the public key that can be used to decode this information. When the terminating voice service provider (“TVSP”) receives the call, it sends the SIP INVITE with the Identity Header to a verification service, which uses the public key that corresponds uniquely to the OVSP’s private key to decode the encrypted information and verify that it is consistent with the information sent without encryption in the SIP INVITE. The verification service then sends the results of the verification process—including whether the decoding process was successful and whether the encrypted information is consistent with the information sent without encryption—to the TVSP.
Attesting to Subscriber’s Identity
STIR/SHAKEN relies on an OVSP’s attestation of a subscriber’s identity. Depending on the network on which a call originates, an OVSP can provide one of three different levels of attestation:
- Full or “A” Attestation. The OVSP can confirm: (1) the identity of the subscriber making the call; and (2) that the subscriber is using its associated telephone number.
- Partial or “B” Attestation. The OVSP can confirm the identity of the subscriber but not the telephone number.
- Gateway or “C” Attestation. The OVSP can confirm only that it is the point of entry to the IP network for a call that originated elsewhere, such as a call that originated abroad or on a domestic network that is not STIR/SHAKEN-enabled.
For trust in the VSPs that vouch for caller ID information, STIR/SHAKEN uses digital certificates issued through a neutral governance system. Each VSP receives its own certificate that contains, among other components, that VSP’s public key, and states that:
(a) The VSP is that which it claims to be.
(b) The VSP is authorized to authenticate the caller ID information.
(c) The VSP’s claims about the caller ID information it is authenticating can thus be trusted.
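The authentication and verification exchange described above, as an added example that is not part of the original advisory: in the published STIR standards (RFC 8224, RFC 8225, RFC 8588) the Identity Header carries a digitally signed token (a PASSporT) holding the attestation level and the calling and called numbers, and the verification service checks the signature and compares those numbers with the ones in the SIP INVITE. The function names, the example.invalid URL, the telephone numbers, the origid value and the 60-second freshness window are assumptions made for illustration, and the public key is passed in directly where a real verification service would fetch the certificate from the x5u location and validate its chain.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// OVSP authentication service: build the Identity header value for an INVITE.
function signIdentity(privateKey, x5u, attest, from, to, iat) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const claims = { attest, dest: { tn: [to] }, iat, orig: { tn: from }, origid: 'constructed-origid' };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  // ES256 = ECDSA P-256 with SHA-256, signature encoded as raw r||s (64 bytes).
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')};info=<${x5u}>;alg=ES256;ppt=shaken`;
}

// TVSP verification service: returns { ok: true, attest } or { ok: false, reason }.
// The algorithm is pinned to ES256 here; the token's own "alg" field is never trusted.
function verifyIdentity(publicKey, identity, sipFrom, sipTo, now) {
  const parts = identity.split(';')[0].split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  const c = JSON.parse(Buffer.from(p, 'base64url').toString());
  const dest = c.dest?.tn ?? [];
  // The signed numbers must match what the INVITE presents to the called party.
  if (c.orig?.tn !== sipFrom || dest.length !== 1 || dest[0] !== sipTo)
    return { ok: false, reason: 'caller-id-mismatch' };
  // Assumed freshness window: reject tokens older or newer than 60 seconds.
  if (Math.abs(now - c.iat) > 60) return { ok: false, reason: 'stale' };
  return { ok: true, attest: c.attest };
}

// Constructed demo: sign one call, then verify it as sent and with an altered From number.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const id = signIdentity(privateKey, 'https://cr.example.invalid/ovsp.pem', 'A',
    '12025550100', '12025550199', 1700000000);
  return [
    verifyIdentity(publicKey, id, '12025550100', '12025550199', 1700000005),
    verifyIdentity(publicKey, id, '12025550123', '12025550199', 1700000005),
  ];
}
console.log(demo());
```

A call whose From number was changed after signing fails the consistency check even though the signature itself is valid, which is the case the comparison with the unencrypted INVITE fields exists to catch.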
Key STIR/SHAKEN Players
(a) The FCC.
(b) Governance Authority (“GA”). A “Board of Directors” that influences policies and standards. The GA is made up of industry representatives from carriers and equipment manufacturers.
(c) Policy Authority (“PA”). A “steward” selected by the GA that manages the enforcement of issuing tokens to carriers. To enable STIR/SHAKEN, a carrier needs to obtain a token from the PA to ensure it is an authorized service provider.
(d) Certificate Authority (“CA”). Trusted third parties approved by the PA that issue certificates to carriers wishing to originate calls. To ensure the requester’s eligibility, the CA validates the credentials of the requester with the PA.
STIR/SHAKEN Implementation Requirements
The FCC imposes three requirements on VSPs in order to carry out its STIR/SHAKEN mandate:
- A VSP that originates a call that exclusively transits its own network must authenticate and verify the caller ID information consistent with the STIR/SHAKEN authentication framework.
- A VSP originating a call that it will exchange with another voice service provider or intermediate provider must authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework and, to the extent technically feasible, transmit that caller ID information with authentication to the next provider in the call path.
- A VSP terminating a call with authenticated caller ID information it receives from another provider must verify that caller ID information in accordance with the STIR/SHAKEN authentication framework.
First Requirement Details. A VSP must authenticate and verify the caller ID information of those calls that it originates and terminates exclusively in the IP portions of its own network. The most effective caller ID authentication system requires the application of STIR/SHAKEN to all calls, including calls solely originating and terminating on the same voice service provider’s network. A provider satisfies its obligation under this requirement so long as it authenticates and verifies in a manner consistent with the STIR/SHAKEN framework, such as by including origination and attestation information in the SIP INVITE used to establish the call.
Next Two Requirement Details. The next two requirements relate to the exchange of caller ID authentication information. A VSP that originates a call which it will exchange with another voice service provider or intermediate provider must use an authentication service and insert the Identity Header in the SIP INVITE and thus authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework. It further must transmit that call with authentication to the next voice service provider or intermediate provider in the call path, to the extent technically feasible.
Additionally, a VSP that terminates a call with authenticated caller ID information it receives from another VSP or intermediate provider must use a verification service, which uses a public key to review the information stored in the Identity header to verify that caller ID information in accordance with the STIR/SHAKEN authentication framework. A TVSP can only verify caller ID information that has been authenticated by the OVSP and transmitted with authentication, while an OVSP’s authentication has little value if the TVSP fails to verify that caller ID information.
Laying the Groundwork for STIR/SHAKEN
To ensure that a VSP can participate in STIR/SHAKEN, it must complete the following steps:
- Ensure its 2020 FCC 499-A Form is on file with the FCC.
- Obtain an Operating Company Number (“OCN”). This number registers your company within the National Exchange Carrier Association (“NECA”), and is an important prerequisite that allows you to obtain a STIR/SHAKEN token. Be sure to allow plenty of lead time, as carriers are reporting a backlog with this process.
- Obtain access to phone numbers from the North American Numbering Plan Administrator (NANPA) and/or the National Pooling Administrator. Follow the steps on the NANPA website.
Steps for STIR/SHAKEN setup:
- Register with the PA. This authority will verify that the VSP possesses the information and permissions seen above. As of this writing, the PA is iconectiv.
- Register with a CA. This entity provides the VSP with a certificate after confirming that the VSP is registered with the PA. Neustar is an approved CA.
- Once a VSP signs up with a CA, the PA provides the VSP with a Service Provider Code (“SPC”) that’s tied to its OCN and/or Service Provider Identifier (“SPID”). The SPC token allows the VSP to request a certificate. This means that the VSP can finally request a certificate by sending its SPC token to its chosen CA along with a certificate signing request, allowing it to sign and authenticate calls under the STIR/SHAKEN framework.
STIR/SHAKEN Software Implementation
A critical part of deploying STIR/SHAKEN is the set of software services that perform core functions associated with the specification, including STI-AS, STI-VS, SP-KMS, SKS, and STI-CR:
- STI-AS – Authentication Server. This hosts the API that signs authentication requests made under STIR/SHAKEN. If a third party wants to know whether calls made by a VSP’s network are legitimate, STI-AS is the service that authenticates.
- STI-VS – Verification Server. If a VSP’s network needs to verify that a call made by a third party is genuine, the API within the server verifies its public key.
- SP-KMS – Key Management Server. This server interacts with the CA to receive certificates and the PA to receive tokens, then generates a public/private key pair to sign and verify requests.
- SKS – Secure Key Store. This is among the most important components of STIR/SHAKEN implementation, as it contains the key pair generated by the SP-KMS and serves it via the application server. If this server is ever breached, attackers could use these keys to make spam calls without being detected.
- STI-CR – Certificate Repository. This hosts public keys for verification purposes. These keys are freely available to third parties as a counterpart to the secure SKS.
These core functions all need to interact with one another in an orchestrated manner to properly sign and verify calls made under the STIR/SHAKEN framework. Since their interactions may require network upgrades and are complex, they need to be thoroughly tested.
Exemptions from STIR/SHAKEN
- Small Providers. VSPs with 100,000 or fewer subscriber lines have an additional two years, until June 30, 2023, to implement STIR/SHAKEN.
- VSPs Unable to Obtain SPC Tokens. VSPs that are unable to obtain the SPC tokens necessary to authenticate calls have an indefinite exemption from implementing STIR/SHAKEN until the provider is capable of obtaining a token. However, calls from this VSP may be authenticated by the next carrier in the chain of completion. Such calls are likely to receive a lower attestation level than the originating service provider could provide.
- Services Subject to Discontinuance. For services subject to a pending Section 214 discontinuance as of June 30, 2021, providers have an additional year, until June 30, 2022, to implement STIR/SHAKEN for the services, unless the service is discontinued before then.
- Non-IP Portions of Networks. The non-IP portions of a provider’s network have an indefinite exemption from STIR/SHAKEN implementation but are subject to other requirements discussed below.
- Case-by-Case Exemption. VSPs may petition the FCC’s Wireless Bureau for an exemption or extension for implementing STIR/SHAKEN on a case-by-case basis; the formal petition deadline has passed, but the Bureau may still consider new petitions.
Since STIR/SHAKEN does not work on non-IP networks, the FCC has implemented other requirements for those network portions to mitigate illegal calls. Specifically, by June 30, 2021, providers must either: (a) upgrade their entire network to IP; or (b) participate in the development of a call authentication standard for non-IP calls (either directly or indirectly through a trade group) and implement a robocall mitigation program for the non-IP portions of their networks.
If a VSP qualifies for one of the exemptions noted above, it must implement a robocall mitigation program on the exempted portions of its network. In other words, unless a VSP has implemented STIR/SHAKEN across its entire network, a robocall mitigation program is mandatory. It is unlikely that any service providers will implement STIR/SHAKEN for all calls by June 30, 2021, so every service provider is likely to have to implement a robocall mitigation program.
Required Elements of a Robocall Mitigation Program:
- VSPs must take reasonable steps to avoid originating illegal robocall traffic (the FCC recommends the use of reasonable analytics);
- VSPs must commit to respond to requests from the Industry Traceback Group to trace suspect calls for mitigation efforts; and
- VSPs must cooperate in investigating and stopping any illegal robocallers (meaning that the provider must block calls or callers that are believed to be illegal).
Certification of STIR/SHAKEN Compliance
All VSPs must file certificates with the FCC proving the implementation status of STIR/SHAKEN on their networks. If STIR/SHAKEN is not fully implemented, the VSP must describe its robocall mitigation program, including: (i) the type of exemption it received; (ii) the specific steps it has taken to avoid originating illegal robocalls; and (iii) its commitment to fully and timely respond to all traceback requests and to cooperate in investigating and stopping illegal robocallers using its service.
Beginning 90 days after the date VSPs are required to submit their STIR/SHAKEN implementation certificate, intermediate and terminating voice service providers are prohibited from accepting calls from any provider that has not filed a certificate. In other words, the calls of a provider that has not filed a certificate will be blocked. Additionally, if the FCC determines that a provider has not implemented STIR/SHAKEN or a robocall mitigation program, as required by the rules, that provider may be subject to forfeitures and other penalties.
Know Your Customer
There is also growing pressure for every VSP to “know its customers.” Needless to say, there will be no acceptable excuse for tolerating a retail customer that engages in robocalling or Caller ID spoofing. Complaints and “strange calling patterns” on end user bills must be investigated and bad actors’ service terminated. VSPs must participate in the Industry Traceback Group program or risk being identified as a potential “bad actor.”
There is also considerable risk in ignoring wholesale customers and their upstream providers, including foreign carriers. This includes providers that participate in least cost routing programs. An easy step would be to investigate whether any Traceback Group non-participant sends calls to the service provider and take any appropriate steps. Also, a VSP may wish to require by contract that all wholesale customers and their upstream customers notify the provider if and when any Traceback Group non-participant sends calls to the service provider.