Yesterday, the Federal Communications Commission (FCC) circulated a public draft of the Eighth Report and Order (R&O) on enhancing caller ID authentication rules. The Commission will consider the R&O at its November 21 Open Meeting. The R&O follows the proposed rulemaking in the 2023 Sixth Further Notice of Proposed Rulemaking and 2022 Fifth Caller ID Authentication Further Notice and considers the comments filed in the proceedings.
The draft Report and Order aims to address concerns surrounding the use of third-party services in implementing the STIR/SHAKEN framework, which is a critical tool in combating spoofed robocalls. While the FCC has progressively expanded the scope of providers required to implement STIR/SHAKEN, questions have arisen about the effectiveness and accountability of the third-party authentication practices that some voice service providers use instead of performing the tasks themselves, and about whether the use of third-party authentication services complies with Commission rules. The proposed R&O seeks to establish clear guidelines for third-party involvement in the authentication process and reinforce the responsibility of service providers in ensuring compliance with STIR/SHAKEN standards.
Currently, all voice service providers, all gateway providers, and certain non-gateway intermediate providers are required to implement STIR/SHAKEN in the IP portions of their networks, unless subject to an implementation extension. Providers that lack control over the network infrastructure necessary to implement STIR/SHAKEN, such as switches for voice service in the IP portion of their network, are exempt from STIR/SHAKEN implementation requirements. All providers, regardless of whether they are required to implement STIR/SHAKEN and the status of that implementation, are required to file certifications in the Robocall Mitigation Database (Database) stating, among other points, whether they have fully, partially, or not implemented STIR/SHAKEN in their networks, and if they have not, whether that is because they are exempt from having to do so or subject to an implementation extension under the Commission’s rules.
Overview of New Rules
If adopted, the R&O would:
- Define “third-party authentication” to provide a clear scope of the third-party authentication practices authorized and prohibited by the new rules.
  - The FCC wants to define “third-party authentication” to refer to scenarios in which a provider with a STIR/SHAKEN implementation obligation under the Commission’s rules enters into an agreement with another party—a “third party”—to perform the technological act of signing calls on the provider’s behalf. This definition of third-party authentication would include, for example, the “hosted SHAKEN” and “carrier SHAKEN” solutions. It would exclude instances in which a provider with a STIR/SHAKEN implementation obligation authenticates its own traffic, and simply has a customer that is not the end user that initiated the call.
- Authorize providers with a STIR/SHAKEN implementation obligation to engage third parties to perform the technological act of digitally “signing” calls consistent with the requirements of the STIR/SHAKEN technical standards, subject to two conditions:
  - The provider with the implementation obligation itself makes the critical “attestation level” decisions for authenticating caller ID information associated with its calls; and
  - All calls are signed using the certificate of the provider with the implementation obligation—not the certificate of a third party.
- Explicitly require all providers with an implementation obligation to obtain a Service Provider Code (SPC) token from the Policy Administrator and present that token to a STIR/SHAKEN Certificate Authority to obtain a digital certificate.
- Require any provider certifying to partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database to have obtained an SPC token and digital certificate and to sign all its calls with that certificate, either itself or by working with a third party to perform the technological act of signing calls.
- Adopt recordkeeping requirements for third-party authentication arrangements to monitor compliance with and enforce the Commission’s rules.
Comments on the draft may be filed with the FCC before November 14. Contact us if you would like assistance filing the comments or determining how the new rules, if adopted, could affect your operations.
Jonathan S. Marashlian – Tel: 703-714-1313 / E-mail: jsm@CommLawGroup.com
Michael Donahue – Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
Rob Jackson – Tel: 703-714-1316 / E-mail: rhj@CommLawGroup.com
Ron Quirk – Tel: 703-714-1305 / E-mail: req@CommLawGroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@CommLawGroup.com