Phone companies must now block carriers that didn’t meet FCC robocall deadline

  News
image_pdfimage_print
Smartphone screen displays
Getty Images | RobertAx

In a new milestone for the US government’s anti-robocall efforts, phone companies are now prohibited from accepting calls from providers that did not comply with a Federal Communications Commission deadline that passed this week. “Beginning today, if a voice service provider’s certification and other required information does not appear in the FCC’s Robocall Mitigation Database, intermediate providers and voice service providers will be prohibited from directly accepting that provider’s traffic,” the FCC said yesterday.

Specifically, phone companies must block traffic from other “voice service providers that have neither certified to implementation of STIR/SHAKEN caller ID authentication standards nor filed a detailed robocall mitigation plan with the FCC.” As we’ve written, the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs) protocols verify the accuracy of Caller ID by using digital certificates based on public-key cryptography.

STIR/SHAKEN is now widely deployed on IP networks because large phone companies were required to implement it by June 30 this year, but it isn’t a cure-all. Because of technology limitations, there was no requirement to implement STIR/SHAKEN on older TDM-based networks used with copper landlines, for instance. The FCC has said that “providers using older forms of network technology [must] either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks.”

The FCC also gave carriers with 100,000 or fewer customers until June 30, 2023, to comply with the STIR/SHAKEN requirement, though the commission is seeking comment on a plan to make that deadline June 30, 2022, instead because “evidence demonstrates that a subset of small voice service providers appear to be originating a high number of calls relative to their subscriber base and are also generating a high and increasing share of illegal robocalls compared to larger providers.”

“Too many loopholes”

Computer science professor Brad Reaves of North Carolina State University called STIR/SHAKEN “a good start” but told Marketplace that this won’t make a huge dent in the robocall problem yet:

There are just too many loopholes and ways to bypass this system. First of all, smaller providers currently aren’t being required to implement this new system. And so if you’re robocalling, you’re probably going to be moving to a smaller carrier. Another issue is there are certain providers who are providing US phone service, but for people located overseas. Those so-called “gateway providers” currently aren’t required to participate in the system, either. So if a call is coming from outside the United States, and a lot of people think that most robocalls are, it’s not going to have this identifying token attached to it.

The FCC last year authorized phone companies to block calls from certain “bad-actor upstream voice service providers” and took action against companies that act as “gateways” for foreign robocallers, but it is still a problem as Reaves pointed out. Reaves argued that something like the “Know Your Customer” rule that applies to the banking industry is needed in telephony to make more significant progress in fighting robocalls. 

As of yesterday afternoon, 4,798 companies had filed in the Robocall Mitigation Database. “All of the largest phone carriers have certified to implementation of STIR/SHAKEN standards on their IP networks. Many hundreds of other carriers have also certified to full implementation on their IP networks,” the FCC said. Phone companies that don’t fully implement STIR/SHAKEN across their networks “must describe the robocall mitigation steps they are taking to ensure they are not the source of illegal robocalls.” The FCC did not say how many companies failed to comply.

The US Public Interest Research Group (PIRG) analyzed the 3,063 filings that came in by September 3 and found that “17 percent (536 companies) said they’d completely implemented anti-robocall technology; 27 percent (817 companies) had partially implemented the technology; and 56 percent (1,710 companies) said they were not using the industry standard technology but rather are using their own methods to manage robocalls.”

Robocalls dropped slightly after June 30 deadline

Although PIRG’s report concluded that “the industry isn’t doing nearly as much as hoped to fight” robocalls, it said that robocall traffic has gone down since the STIR/SHAKEN implementation deadline on June 30. YouMail, a robocall-blocking service, calculates that “Americans have received over 34 billion robocalls so far this year, averaging roughly 4.3 billion robocalls calls/month, putting the country on a pace to hit roughly 52 billion robocalls for the year. However, since STIR/SHAKEN and new federal robocall mitigation rules took effect on June 30, we have seen 8.6 percent fewer robocalls/month.” The YouMail data goes through August.

STIR/SHAKEN implementation was required by Congress after then-FCC Chairman Ajit Pai’s voluntary compliance plan didn’t lead to widespread adoption. To make it easier to block calls from non-compliant companies, the FCC is providing an email alert service to notify phone companies of updates to the Robocall Mitigation Database.

“The FCC is using every tool we can to combat malicious robocalls and spoofing—from substantial fines on bad actors to policy changes to technical innovations like STIR/SHAKEN,” FCC Acting Chairwoman Jessica Rosenworcel said yesterday. “Today’s deadline establishes a very powerful tool for blocking unlawful robocalls.”

https://arstechnica.com/?p=1799376