29.8k unique visitors in the last 3 days

UK Rejects STIR/SHAKEN; US Plan to Control Global Caller ID Now Dead

Respondents to a public consultation identified such severe flaws with the anti-spoofing protocols that the UK regulator had to abandon its previous support.

Ofcom, the comms regulator for the United Kingdom, yesterday announced it has abandoned the goal of imposing STIR/SHAKEN, the North American standards for governing calling line identification (CLI), also known as caller ID. The decision comes after a public consultation that commenced in April 2023 and which prompted a barrage of criticism from respondents. The news is a massive blow to North American businesses that had lobbied heavily for new regulatory burdens that would have guaranteed them a huge pay-out during the initial implementation phase followed by a guaranteed ongoing revenue stream. Ofcom gave three explanations for its dramatic u-turn:

  • Calls arriving from overseas displaying international numbers are unlikely to be fully verified. This is because overseas operators are not obliged to follow our rules on verification. To help address this issue, we proposed a process called ‘gateway attestation’ which would mean that, although the number associated with the call itself could not be verified, it would be possible to identify the operator who first introduced the call into the UK public telephone network. However, there is a risk that this approach is unlikely to sufficiently hinder scam calls that originate overseas, undermining the effectiveness of CLI authentication.
  • CLI Authentication (sic) on its own would not adequately address the risk of calls from abroad spoofing UK mobile numbers. This means there would be a need for a complementary process, running alongside CLI authentication, to ensure that calls from abroad displaying UK mobile numbers are from genuine UK roamers. Without this process, CLI authentication alone would not adequately address the problem of inbound calls spoofing UK mobile numbers.
  • CLI authentication would be complex, costly and time-consuming to implement. We believe that alternative measures may have the potential to reduce number spoofing effectively and more quickly.

Ofcom’s decision has effectively killed American hopes of dominating the validation and blocking of phone calls worldwide. Since the beginning of the decade, lobbyists from the USA have encouraged the belief that all foreign regulators would inevitably support ‘International SHAKEN’, a euphemism for handing control of decisions about the systematic blocking of telcos to algorithms maintained by North American businesses. The supposed justification for this enormous transfer of power is that this would prevent scammers spoofing CLIs. The persuasiveness of this argument hinged on the belief that other English-speaking countries in the Five Eyes international security alliance would immediately follow the lead of the USA and Canada by implementing cross-border blocking of phone calls based on whether one of the allied countries had digitally signed the call using the STIR protocol. However, rumors that the UK and Australia had already committed to implementing STIR/SHAKEN proved to be unfounded exaggerations. Just such a lie was repeated by the Australian press only a few weeks ago. The reality is that both Australia and the UK has witnessed greater falls in the number of consumer complaints about scam calls than the USA has. This is probably a consequence of Australian and British telcos adopting cheaper, simpler and more robust methods of identifying and blocking scam calls than those used by American telcos.

American advocates of International SHAKEN failed to emphasize that they fully intended to allow many businesses to continue spoofing CLIs just so they could charge fees for the ‘authentication’ of these businesses. This would occur even though the purpose is to deceive recipients of phone calls into believing there is a domestic origin for calls actually made from a foreign call center. The potential for abuse of a two-tier ‘authentication’ system of this type should have been obvious, but was ignored by North American regulators, despite the conspicuous failure to apply know-your-customer checks to spam-generating companies in the USA. Ofcom repeatedly hinted they would copy the US model, and they even engaged Richard Shockey, a leading American lobbyist and former employee of one of the biggest suppliers of STIR/SHAKEN technology, to write the initial plan and justification for imposing STIR/SHAKEN in the UK. However, disastrously poor results delivered by the US strategy for scam and spam reduction helped to turn professional opinion in Britain as telcos awaited the 2025 transition to IP networks that would have served as a vital enabler for STIR/SHAKEN technologies that depend on IP-based signaling. In the meantime, significant success was delivered by straightforward controls such as the blocking of inbound international calls that spoofed a UK domestic number. This fatally undermined the cost-benefit argument for the fragile technologies and processes required by STIR/SHAKEN despite clear indications that Ofcom had rigged its consultation to avoid a proper comparison of the expense of STIR/SHAKEN with alternative controls.

It is notable that Ofcom’s deliberations referenced major news that occurred since the launch of its STIR/SHAKEN consultation in April 2023, and which will already be familiar to regular readers of Commsrisk.

  • Ofcom explicitly referred to the June 2023 decision by ComReg, the Irish comms regulator, to reject STIR/SHAKEN.
  • They noted that France, the only country outside of North America to have adopted STIR/SHAKEN, is unable to enforce its STIR/SHAKEN rules because ‘more time’ is needed to make the technology work.
  • Without expressing support for the initiative, Ofcom chose to draw attention to the launch of the One Consortium, the cooperative program where international wholesale carriers seek consistent rules for call validation.

ComReg’s superb analysis of the weaknesses inherent to STIR/SHAKEN must have made painful reading for lobbyists. It would be tortuous for Ofcom to argue that STIR/SHAKEN could be a cost-effective way to reduce bad international traffic whilst a neighboring country argues the polar opposite. Britain’s nearest neighbor on the other side, France, has adopted STIR/SHAKEN but only as an indirect consequence of trying to satisfy a bad law written by inept politicians, so they never followed as transparent a decision-making process as usually demanded of European regulators. It hence served as a warning to Ofcom that France is finding it impossible to reimagine STIR/SHAKEN as a kind of fantasy solution that would deliver compliance with the unattainable objectives that have been written into the law. Ofcom is known to have had conversations with the leaders of One Consortium about coordinating regulations across countries. The One Consortium cannot afford to be openly hostile to STIR/SHAKEN because of the need to do business in North America, but the motivation for forming this group stems from the rapid increase in impractical and inconsistent demands being placed upon international wholesale carriers. One Consortium would have discouraged Ofcom from repeating and multiplying the consequences of mistakes already made by France, Canada and the USA.

The UK regulator will doubtless be concerned about the potential for a backlash from the lobbyists’ stooges in the British news media. It comes as no surprise that Ofcom buried the decision to reject STIR/SHAKEN on the same day as they announced an intention to “block more calls with spoofed numbers”. This latter measure is merely a tweaking of rules that are already supported by the best British telcos.

In this consultation, we are proposing to update our Calling Line Identification (CLI) Guidance to confirm that providers are expected to identify and block calls from abroad that use a UK geographic or non-geographic telephone number as a Presentation Number, except in a limited number of legitimate use cases.

The only other significant new proposal announced by Ofcom was that the UK should seek to extend the application of controls on inbound international calls so that the spoofing of outbound roamers can also be identified and blocked. This is an obvious enhancement that has already been touted and explored by regulators in various other countries, including Ireland. The fact that this improvement is only being pushed by Ofcom now shows how STIR/SHAKEN became a distraction from methods that should have received higher priority. When Ofcom engaged Richard Shockey in 2021 with the intention to copy the US strategy they would have believed the hype surrounding STIR/SHAKEN and assumed the UK had the potential to become one of the most advanced countries for protecting consumers from bad calls. Years of procrastination in the vain hope that the US strategy might eventually yield some vague signs of success have only led the UK to fall behind other countries that have proactively pursued more realistic methods of identifying and stopping harmful calls.

So much money could be made by STIR/SHAKEN vendors that they are unlikely to concede defeat yet. Years of aggressive lobbying have not paid off in the UK but other nations may still be influenced by the legitimate and illegitimate forms of persuasion available to rich corporations that have a track record of securing lucrative monopolies from regulators. However, I believe Ofcom’s decision is a death sentence for International SHAKEN. It is easy to see why even a good professional may get bogged down in detail about the governance and technology required by STIR/SHAKEN, and so failed to apprehend the reasons why neither was likely to be robust enough to deliver the enormous reductions in scam and spam calls that would have been required to justify an extortionate price tag. On multiple occasions I witnessed salesmen winning the argument for STIR/SHAKEN by talking at such tremendous length that nobody else had the opportunity to highlight any alternatives. Conventional business logic is that you try cheap solutions to problems before investing in expensive solutions, but a rapacious segment of the telecoms industry simply refused to allow any discussion of the costs and benefits of other methods. Ofcom’s decision means the vendors behind STIR/SHAKEN can no longer pretend it is the default choice for protecting consumers from scams. The UK is a powerful, rich country. It is allied to the USA. But it has rejected STIR/SHAKEN as a bad deal that should be set aside because there are better options available. And by doing this, it has proven that the arguments for STIR/SHAKEN were built on a foundation of deceit.

You do not need to understand anything about SIP signals or call tracing or KYC checks or public key cryptography to understand that a salesman can be dishonest. The salesmen for STIR/SHAKEN insisted that the UK would adopt STIR/SHAKEN. Some of them pretended that the UK already had adopted STIR/SHAKEN. They did not tell the truth. That is now obvious to everyone, no matter how little they understand about telecoms or fraud. So when it comes to restoring confidence in communications, it should be plain whose advice should never be trusted again.

Ofcom’s official decision on its CLI validation consultation can be found here, though I would only recommend it to professionals who are obsessed by this topic. The decision could easily have been summarized as ‘we are not going to do what we said we would do because it is expensive and it will not work’ but no regulator would ever choose to be that pithy about a policy u-turn. The result is a document that is peppered with weasel words about Ofcom potentially changing their mind in future despite referring to a string of respondents who pointed out the inherent shortcomings of STIR/SHAKEN. Whatever regulators may tell the press and public, the UK comms industry has comprehensively vetoed STIR/SHAKEN whilst simultaneously offering superior alternatives, and that is the essential takeaway from this consultation.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email