7 Steps to Understanding the Paradox at the Heart of STIR/SHAKEN

Attention spans are short. Sometimes you must be succinct to explain a problem that otherwise turns invisible because people lose themselves in words before the end of the explanation. STIR/SHAKEN is complicated so people get bogged down in awkward jargon before they can step back to see what it really does. This is a shame, because the goal is straightforward and so is the motivation behind it. The goal is to know if the CLI, also known as the caller ID, is reliable. US politicians became motivated because voters were complaining about nuisance robocalls, many of which used spoofed CLIs. Some of these politicians may have been reluctant to impose new obligations on telcos, but then they saw the volume of complaints was not enough to motivate effective change within the telecoms industry. That is why US politicians made STIR/SHAKEN mandatory for US telcos. But in doing so, they may have lost sight of another decision already made by politicians, and which persists as an assumption despite STIR/SHAKEN conflicting with that assumption. Here is the essential governance paradox at the heart of STIR/SHAKEN, explained in seven simple steps.

1. The Most Competitive Telecoms Market Imaginable

During the last four decades, most governments have vigorously encouraged as much free market competition in both domestic and international telecommunications as possible. The reason was to harness competition to lower the prices paid by customers. The US is an outlier in this regard because most countries liberalized their markets by privatizing state-owned monopoly operators before introducing rival firms at a pace that did not overwhelm the incumbent. The US never had a state-owned monopoly though it did make strenuous efforts to prevent monopolistic business practices amongst privately-owned corporations. This resulted in an unusually byzantine regulatory environment compared to that found in most countries. However, the convoluted regulations stemmed from the single overarching goal of maximizing competition.

2. Competition Enables Fraud

Opposing a telecoms monopoly is equivalent to demanding that rival telcos work together. If telecoms companies are not forced to interconnect at a fair price, they can hurt competitors by making it impossible for those competitors to deliver services which customers only want to purchase if they are free to communicate with phone users on other networks. But forcing telcos to interconnect means a telco may legally be required to provide its services to another business it would normally choose not to deal with, for reasons that have nothing to do with stifling competition. For example, some businesses only choose to trade with other businesses that share their ethical values. In contrast, telcos can be required to provide services to other telcos suspected of committing or encouraging fraud. Such a suspicion may be well-founded even though it cannot be proven in a court of law.

3. Ignorance Is Bliss

Telcos can profit from fraud even if they commit no fraud. This is because they can be paid the legitimate price for a service they provided even though one of the beneficiaries of that service is a fraudster. It can be impossible to distinguish in practice between a telco that knows it is profiting from somebody else’s fraud, a telco that profits from fraud without knowing the traffic is fraudulent, and a telco that knows how to reduce fraud but cannot do so because of rules that require it to provide services to others. This encourages skepticism: there is a general skepticism about whether telcos are voluntarily trying to reduce fraud as much as they might. At the same time, when a specific business is ejected from the telecoms ecosystem because of apparent unlawful behavior, it will often argue that it is the victim of anti-competitive business practices.

4. Not Everyone Can Have Keys to the Door

STIR/SHAKEN is built on a public key infrastructure (PKI). Digital certificates are associated with phone calls in order to determine the reliability of the CLI. Like any PKI, the keys for STIR/SHAKEN are bound to certificates following a process to register and approve telcos. Approval would be flawed if it could not also be revoked. Somebody has to decide who gets certificates, who does not get certificates, and when certificates will be revoked. How this works under the US version of STIR/SHAKEN can be difficult to understand, partly because of the number of separate bodies involved, and partly because they all lack experience. For example, we know there is a governance authority that sits at the very top of this process, but the people on this governance authority have not faced many difficult decisions so far. There is no experience of revoking a certificate. But whilst the details may not yet be certain, we still know somebody ultimately has to make decisions about who is in, who is out, and who was inside but will be thrown out.
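The key binding, approval and revocation described in this step, as an added example that is not from the article and not from any STIR/SHAKEN implementation: a Go program that signs a SHAKEN-style PASSporT (the RFC 8225 orig/dest/iat claims plus the SHAKEN attestation claim, as an ES256 JWS) for a call, verifies it at the receiving side, and shows the verification result flipping the moment the governance authority revokes the signer. The Registry type, the placeholder certificate URL and the sample phone numbers are assumptions constructed for this example; real deployments bind keys through X.509 certificates fetched from the x5u URL and consult a revocation mechanism rather than an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Passport is the SHAKEN PASSporT payload: RFC 8225 orig/dest/iat plus the SHAKEN "attest" claim.
type Passport struct {
	Attest string `json:"attest"` // A (full), B (partial) or C (gateway) attestation
	Dest   Dest   `json:"dest"`
	Iat    int64  `json:"iat"` // issue time, Unix seconds
	Orig   Orig   `json:"orig"`
}
type Orig struct{ TN string `json:"tn"` }
type Dest struct{ TN []string `json:"tn"` }

// Registry stands in for the governance authority's decisions (assumed, simplified model: real SHAKEN
// binds keys with X.509 certificates fetched from the x5u URL; here x5u maps straight to a key).
type Registry struct {
	approved map[string]*ecdsa.PublicKey
	revoked  map[string]bool
}

func NewRegistry() *Registry { return &Registry{map[string]*ecdsa.PublicKey{}, map[string]bool{}} }
func (r *Registry) Approve(x5u string, pub *ecdsa.PublicKey) { r.approved[x5u] = pub }
func (r *Registry) Revoke(x5u string)                        { r.revoked[x5u] = true }
func b64(b []byte) string                                    { return base64.RawURLEncoding.EncodeToString(b) }
func b64dec(s string) ([]byte, error)                        { return base64.RawURLEncoding.DecodeString(s) }

// Sign is the originating telco's authentication service: it produces the compact JWS
// (header.payload.signature) with alg ES256 and ppt shaken that is carried in the SIP Identity header.
func Sign(priv *ecdsa.PrivateKey, x5u string, p Passport) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	pb, _ := json.Marshal(p) // only string/int fields, so marshalling cannot fail
	signingInput := b64(hb) + "." + b64(pb)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S, each left-padded to 32 bytes, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify is the terminating telco's verification service: the governance decision (approved? revoked?)
// is consulted before any cryptography runs, and the token must be fresh (within 60 seconds of now).
func Verify(reg *Registry, token string, now int64) (*Passport, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := b64dec(parts[0])
	pb, err2 := b64dec(parts[1])
	sig, err3 := b64dec(parts[2])
	var hdr map[string]string
	var p Passport
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &p) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" {
		return nil, errors.New("unsupported header")
	}
	x5u := hdr["x5u"]
	if reg.revoked[x5u] {
		return nil, errors.New("certificate revoked: " + x5u)
	}
	pub, ok := reg.approved[x5u]
	if !ok {
		return nil, errors.New("certificate not approved: " + x5u)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify")
	}
	if now-p.Iat > 60 || p.Iat-now > 60 {
		return nil, errors.New("token outside freshness window")
	}
	return &p, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg, x5u := NewRegistry(), "https://certs.example-telco.test/shaken.pem" // constructed placeholder URL
	reg.Approve(x5u, &priv.PublicKey)
	// constructed sample call; the numbers are fictional
	tok, _ := Sign(priv, x5u, Passport{Attest: "A", Iat: 1700000000, Orig: Orig{TN: "12025550143"}, Dest: Dest{TN: []string{"12025550198"}}})
	_, before := Verify(reg, tok, 1700000005)
	reg.Revoke(x5u) // the decision that somebody, per step 4, must be able to make
	_, after := Verify(reg, tok, 1700000005)
	fmt.Println("before revocation:", before, "| after revocation:", after)
}
```

The point to notice is the order of checks in Verify: the registry lookup is the first gate, and the elliptic-curve mathematics only runs for a signer the authority currently approves. A mathematically perfect signature from a key that was never approved, or whose approval has been revoked, fails exactly like a forgery, which is why the question of who controls approval and revocation carries so much weight in the steps that follow.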

5. Passing the Buck

Typically governments and their regulators decide who can provide telecoms services by issuing and withdrawing specific licenses, or by imposing general conditions and then determining which businesses satisfy those conditions. US law now requires telcos to implement STIR/SHAKEN. Implementing STIR/SHAKEN means being given a key to the door. The governance of STIR/SHAKEN hence determines who is able to comply with the law. This results in a new way to prevent a business from lawfully handling phone calls, effectively denying it the legal right to provide services. A telco may be excluded from the STIR/SHAKEN ecosystem because it failed to satisfy its obligations, which include the payment of various fees owed to organizations involved in governing and delivering STIR/SHAKEN.

6. Who Watches the Watchmen?

The businesses best placed to identify and evaluate evidence of unlawful behavior are the biggest telcos. They have the relevant expertise and data. That is why their representatives dominate the STIR/SHAKEN governance authority in the USA. A bad actor can now effectively be shut out of the US telephony ecosystem if it cannot link its calls to a digital certificate. It is assumed that STIR/SHAKEN certificates will be revoked if they are used inappropriately. But governments previously sought to prevent big telcos from exercising influence over who has access to the telecoms ecosystem.

7. Why the Paradox Is Eternal

Most scholars agree certain principles should be followed to reduce the vices of human beings. Independent scrutiny is one of those principles. But in some fields it becomes impossible to reduce risk through independent scrutiny. Sometimes expertise can be so unique that there is nobody else with sufficient expertise to usefully challenge decisions made by the foremost expert. Even if alternate experts can be trained in theory, they may not exist in practice, because nobody is training any more experts in that field. Telecoms fraud management is this kind of rarefied field of expertise.

Because it concerns crime, the information needed to learn about telecoms fraud will not be shared widely. Voicing a suspicion can cause harm, so there is good reason not to voice suspicions, even though the voicing of a suspicion may encourage others to provide corroborative evidence of wrongdoing and thus increase the total sum of knowledge available to experts. Some of the crimes committed using telecoms services can start anywhere in the world, so the people identifying those crimes may have little knowledge of the circumstances that gave rise to the crimes.

Limited sharing of information between businesses means employees of big telcos will typically have much greater visibility of the market as a whole than employees of smaller rivals. A relatively tiny group of people employed by big telcos believe they have the data to identify wrongdoing that cannot be identified by anyone else, though they still may not be able to show proof that meets the standards required in a court of law. Meanwhile, governments who want telcos to do more to reduce fraud do not know how to make them more expert at tackling fraud. They just hand more influence to those who can successfully claim expertise, or who are appointed to represent the expertise of their business.

Governments may not trust big telcos to play fair, but they need big telcos to devote resources and expertise to the task of identifying rule-breakers in the telecoms ecosystem. Sometimes governments will try to encourage the sharing of fraud intelligence between telcos but they do not know how to incentivize meaningful and lasting improvements in the scale and quality of information that is shared. The sharing of intelligence is also stymied by suspicions that telcos engaged in fraud might also gain access to this intelligence, helping them to evade detection. Rules that say every telco must work together are not helpful when one of the telcos is the bad actor that other telcos are trying to put out of business.

Many of the worst rule-breakers are small. This is partly because there are more small businesses than big businesses. Crimes conducted by larger telcos are more likely to be noticed because of the greater attention paid to larger companies, and a larger workforce means it is more likely that honest employees will object to crimes committed by their colleagues. Governments may attempt to strike a balance between limiting big telcos and relying upon big telcos, but it will never be perfect. Taking power away from big telcos may risk more crime, whilst trusting big telcos to act like police means trusting them not to exploit their position for selfish monopolistic reasons. STIR/SHAKEN shifts the balance within the USA because of the role that big telcos must play in governing STIR/SHAKEN. Reducing nuisance calls necessitates a less perfect market for telecoms services though few will admit a trade-off has occurred.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.