FCC plans to rein in “gateway” carriers that bring foreign robocalls to US

  News
image_pdfimage_print
Drawing of a robot holding a telephone.
Getty Images | Juj Winn

The Federal Communications Commission hopes to reduce the number of illegal robocalls from overseas with an expansion of rules that require phone companies to implement Caller ID authentication technology and block illegal calls. “Eliminating illegal robocalls that originate abroad is one of the most vexing challenges the commission faces because of the difficulty in reaching foreign-based robocallers and the foreign voice service providers that originate their traffic,” the FCC said.

To make a dent in that problem, the FCC is proposing new requirements on domestic gateway providers that accept calls from outside the US. A Notice of Proposed Rulemaking (NPRM) adopted Thursday and released on Friday proposes requiring those gateway phone companies to implement STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs) protocols, which verify the accuracy of Caller ID by using digital certificates based on public-key cryptography.

“This proposal would subject foreign-originated calls, once they enter the United States, to requirements similar to those of domestic-originated calls, by placing additional obligations on gateway providers in light of the large number of illegal robocalls that originate abroad and the risk such calls present to Americans,” the NPRM said. Gateway providers would be required to “apply STIR/SHAKEN caller ID authentication to, and perform robocall mitigation on, all foreign-originated calls with US numbers,” the FCC said.

International calling loophole

STIR/SHAKEN is already widely deployed in the US on IP networks due to separate requirements that apply to large phone providers. Another newly implemented rule prohibits phone companies from accepting calls from providers that haven’t met requirements to deploy STIR/SHAKEN or other robocall-mitigation methods. But the STIR/SHAKEN requirements don’t apply to all carriers yet.

“We don’t want international calling to become a loophole for our policies,” FCC Acting Chairwoman Jessica Rosenworcel said on Thursday at a commission meeting. “So today we are proposing that gateway providers in the United States—the companies that bring in calls from overseas—take action to stop this stuff from coming in from abroad. That means they need to use STIR/SHAKEN technology, register in our Robocall Mitigation Database, and comply with traceback requests to figure out where these junk calls are originating from overseas.”

The FCC said those traceback requests “are used to help block illegal robocalls and inform FCC enforcement investigations.” The NPRM also proposes a new call-blocking requirement. When the FCC notifies a gateway provider about an ongoing robocall campaign, the provider would have to conduct “a prompt investigation to determine whether the traffic identified in the Enforcement Bureau’s notice is illegal” and “promptly block all traffic associated with the traffic pattern identified in that notice.”

The NPRM seeks public comment on these proposed rules. Deadlines for initial comments will be 30 days after the NPRM is published in the Federal Register and 60 days after publication for reply comments. The docket is located here.

Who is the customer?

The FCC said its NPRM includes a proposed requirement “that gateway providers ensure foreign calls using US phone numbers are legally authorized to do so,” which would be similar to the “Know Your Customer” rules that apply to the banking industry. Adapting such rules to telephony is a little tricky, the NPRM explained:

Our rules currently require a voice service provider to “[t]ake affirmative, effective measures to prevent new and renewing customers from using its network to originate illegal calls, including knowing its customers and exercising due diligence in ensuring that its services are not used to originate illegal traffic.” This rule generally applies to originating providers and, under our proposed definition, gateway providers do not have a direct relationship with the call originator and instead receive calls from a number of upstream originating or intermediate providers. As a result, gateway providers may not have a “customer” to “know” for the purpose of complying with a “know your customer” requirement.

We believe, however, that extending “know your customer” obligations to gateway providers could benefit US consumers. First, we propose and seek comment on requiring gateway providers to confirm that a foreign call originator is authorized to use a particular US number that purports to originate the call. We then seek comment on whether, and how, to apply additional “know your customer” requirements to gateway providers to reduce the risk of illegal calls entering the US network, including who the gateway provider’s “customer” should be for this purpose.

Though STIR/SHAKEN is now common on the IP networks of large phone companies, carriers with 100,000 or fewer customers still have until June 30, 2023, to deploy the technology. The FCC in May asked for comment on a plan to make that deadline June 30, 2022, instead. Another problem is how to implement Caller ID authentication on TDM-based networks that use copper landlines. Because STIR/SHAKEN only works on IP networks, the FCC has said its rules “require providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks.”

https://arstechnica.com/?p=1800615