The nation’s largest phone companies have met a federal deadline to deploy a new anti-robocall technology, but unwanted calls and scams will continue to be an annoying problem for Americans for the foreseeable future.
Federal Communications Commission Acting Chairwoman Jessica Rosenworcel announced Wednesday that “the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the [June 30] deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors.”
STIR/SHAKEN was deployed by large mobile carriers AT&T, Verizon, T-Mobile, and US Cellular. In March, the FCC denied petitions for a deadline extension from Verizon and US Cellular, saying that “the petitioners have failed to meet the high standard of ‘undue hardship.'” The Verizon petition was limited to a small portion of its fiber-based home phone network.
On the mobile side, “Verizon is now exchanging STIR/SHAKEN-enabled calls with wireless carriers that collectively represent around 80 percent of the US wireless industry,” Verizon said this week. “More than 135 million calls a day are currently being exchanged between Verizon and the participating carriers, with that number growing quickly.” It’s also deployed on IP-enabled wireline phone networks operated by Comcast, Charter, AT&T, Verizon, and others.
STIR/SHAKEN widely used “at last”
The technology by itself isn’t a robocall cure-all. Its deployment on landline phone networks is much sparser than on mobile networks because of the continued existence of copper landlines that don’t support STIR/SHAKEN. Additionally, some companies that carry a lot of robocalls aren’t yet required to follow the rules because of an exemption for carriers with 100,000 or fewer customers.
The STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs) protocols verify the accuracy of Caller ID by using digital certificates based on public-key cryptography. Getting major US phone companies to adopt the technology is a significant milestone, as it ensures that STIR/SHAKEN will be used by both the sending and receiving carriers in many phone calls.
“At last, STIR/SHAKEN standards are a widely used reality in American phone networks,” Rosenworcel said. “While there is no silver bullet in the endless fight against scammers, STIR/SHAKEN will turbo-charge many of the tools we use in our fight against robocalls: from consumer apps and network-level blocking, to enforcement investigations and shutting down the gateways used by international robocall campaigns.”
The STIR/SHAKEN mandate was ordered by Congress after then-FCC Chairman Ajit Pai’s voluntary compliance plan didn’t lead to widespread adoption. The deadline applied to large mobile and wireline providers and required them to “implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks.”
STIR/SHAKEN itself doesn’t stop robocalls. But it is useful because, when the technology is fully deployed by carriers, it checks whether Caller ID is being spoofed. This can help customers spot scams and help carriers improve blocking tools.
“While STIR/SHAKEN will improve the quality of caller ID information, it does not mean the call itself is legitimate,” the FCC said. “This improved information will help verify the phone number from which the call was made—or flag that it is not verified—and help blocking services both at the consumer level and before the call reaches the consumer.”
The FCC provided limited exemptions to AT&T, Bandwidth Inc., Charter, Comcast, Cox, Verizon Wireless, and Vonage. But these exemptions were only available to carriers that met “early implementation benchmarks” and certified that they expected to implement STIR/SHAKEN by June 30. These providers are required to “file a second certification after June 30, 2021, stating whether they, in fact, achieved the implementation goal to which they previously committed.”
Landlines lag, small carriers exempt for now
Because of technology limitations, the June 30 requirement did not apply to the older TDM-based networks used with copper landlines. The FCC says its rules “require providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks.”
“Given the large proportion of TDM-based networks still in use, we expect a significant number of calls to be outside the STIR/SHAKEN authentication framework in the near term,” the FCC said in an order adopted in September 2020.
The requirement also doesn’t yet apply to small phone companies because carriers with 100,000 or fewer customers were given until June 30, 2023 to comply. The FCC is seeking comment on a plan to make that deadline June 30, 2022 instead because “evidence demonstrates that a subset of small voice service providers appear to be originating a high number of calls relative to their subscriber base and are also generating a high and increasing share of illegal robocalls compared to larger providers.”
Because many companies are sending unwanted calls, the FCC is letting telecoms block all calls “from bad-actor upstream voice service providers that pass illegal or unwanted calls along to other providers, when those upstream providers have been notified but fail to take action to stop these calls.”
Robocall Mitigation Database
The FCC in April also launched its Robocall Mitigation Database and requires voice providers “to inform the agency of their robocall mitigation efforts, including their STIR/SHAKEN implementation status.” Providers that don’t comply could have their calls blocked, as the FCC explained in this week’s announcement:
Beginning on September 28, 2021, if a voice service provider’s certification does not appear in the database, intermediate and voice service providers will be prohibited from directly accepting the provider’s traffic. To date, over 1,500 voice service providers have filed in the database. Over 200 voice service providers have certified to full STIR/SHAKEN implementation and hundreds more have certified to partial implementation—generally certifying to full implementation on the IP portions of their networks. Those certifying to anything short of full STIR/SHAKEN implementation must describe the new steps they are taking to ensure they are not the source of illegal robocalls.
Unfortunately, robocalls originating from overseas remain a stubborn problem. Multiple US agencies have worked on this problem; the Department of Justice last year sued small voice providers that allegedly connected hundreds of millions of fraudulent robocalls from Indian call centers to US residents, and the FCC has pressured US-based carriers that act as “gateways” for foreign robocalls to block them.
Gap in AT&T network
There’s a STIR/SHAKEN gap in at least one large network. In December 2020, AT&T told the FCC that it “recently discovered that a small volume of calls entering AT&T’s network on its wholesale VoIP platform (AT&T VoIP Connect Service or ‘AVOICS’) and terminating to AT&T VoLTE customers use network elements that cannot retain the SHAKEN header information and thus cannot be verified.” The FCC later noted that “by AT&T’s own admission, it will not be capable of fully implementing STIR/SHAKEN on its wireless network by the June 30, 2021, deadline.”
AT&T told the FCC that the AVOICS problem affects “approximately four percent of AT&T’s VoLTE traffic” and that it expected to move up to half of the affected traffic to the “STIR/SHAKEN-enabled portions of its network” by June 30. On June 22, an AT&T press release said the carrier is now “blocking or labeling more than 1 billion robocalls per month,” and that it is using STIR/SHAKEN to improve the blocking and labeling “with extra data for detection and accuracy.”
https://arstechnica.com/?p=1777987