The tentative agenda for the next open meeting of the US Federal Communications Commission (FCC) addresses a problem they have glossed over for five years.
Caller ID Authentication on Non-IP Networks to Block Robocalls — The Commission will consider a Notice of Proposed Rulemaking that proposes to develop a framework for evaluating whether non-IP caller ID authentication solutions are developed and reasonably available, as required by the TRACED Act, proposes to conclude that certain existing solutions satisfy those requirements, and proposes to require that providers that continue to rely on non-IP networks implement non-IP caller ID authentication solutions.
In English, this means the US comms regulator is finally addressing the long-standing flaw with the adoption of STIR/SHAKEN, a series of technology and governance protocols for governing and attaching validation data to phone calls. This flaw was caused by two factors.
- STIR/SHAKEN was made mandatory for IP networks in the USA without the government giving any serious consideration to methods for exchanging validation data across non-IP networks.
- In the right circumstances, US telcos make more profit by carrying traffic across non-IP networks, so have no incentive to replace them.
I try to write in plain English about these matters to counteract deliberate manipulation of information presented to the public about rules and technologies that are supposed to protect them from harm. The motivation for STIR/SHAKEN was profit; it established the foundations for transferring data about business brands in order to increase the effectiveness of telemarketing. This is not a secret within the communications sector. Market research companies do not produce reports on “robocall mitigation and branded calling” because it was a mere coincidence that billion-dollar businesses developed technologies that serve both purposes at the same time. That is the root of my complaint with STIR/SHAKEN: it skewed regulatory activity by placing too much priority on generating profit instead of unambiguously prioritizing consumer protection. There are ways to stop scam calls that are cheap, effective but unprofitable. If businesses within the communications sector are lobbying for more expensive ways of tackling scam traffic then it is because they are motivated by profit, not because they are looking for the most effective way to protect the public. Consider that there are many kinds of impersonation fraud; not all of them involve the impersonation of a big business brand. So whilst the FCC will not say it, a decision to tackle spoofed calls on non-IP networks would represent a reversal of the FCC’s historic pro-business stance. This ironically comes after the switch from Democrat to Republican leadership of the FCC in the wake of Donald Trump’s return to the White House.
The timing is also interesting because of what it tells us about the way the communications industry collaborates on ‘global’ solutions. It has often been intimated that the FCC is one of many national regulators that belongs to the Global Informal Regulatory Antifraud Forum (GIRAF), part of the One Consortium initiative to develop a consistent transnational strategy for tackling scam communications. Whatever the true status of their involvement with GIRAF, the FCC’s role in the international order is clear: they intend to set rules for others to follow, not to emulate methods successfully used elsewhere. They do this by letting client companies lobby foreign regulators on their behalf. Everybody needs to work towards a common approach, and as the US regulator has already determined its approach, then every other regulator will need to be educated about the benefits of the US approach. Put simply, the USA intends to dictate.
Meanwhile, the GSMA launched a rival to STIR/SHAKEN last year that transmits data independently of the phone network, so that it will work equally well whether a call is carried by IP networks, non-IP networks, or a combination of the two. This service, entitled GSMA Call Check, is not as well-known as STIR/SHAKEN but that is hardly surprising. The motive for STIR/SHAKEN is to make money from marketing; businesses will spend a lot more on advertising a marketing service than they will ever spend on a service that only exists to prevent fraud. That also explains why many more Europeans with no knowledge of the communications sector will complain if they are not protected by STIR/SHAKEN than has welcomed the success of ECC Recommendation 23(03), the recommended European anti-spoofing method that has delivered results in the UK that are at least as good as the results attained in the USA. The USA refuses to consider adopting an anti-scam control of the same type as ECC Recommendation 23(03), despite it being a tremendous success in such varied countries as India and Australia, because of how much it would interfere with business objectives. This reiterates the pattern of profits being given a higher priority than protecting the public from crime.
There is no evidence that the FCC’s interest in call validation over non-IP networks is motivated by the competitive threat of GSMA Call Check, but the development of out-of-band (OOB) methods to transmit call validation data is not new either. OOB validation strikes at the philosophical heart of a STIR/SHAKEN proposition that was designed with telemarketing revenues in mind. If validation can be done OOB, why ever bother with using in-band SIP signaling to transmit the same kind of validation data? The American argument is that a SIP-based method is better when it works, and this is especially pertinent when considering how to present larger amounts of data (such as brand logos) on a timely basis (to persuade a consumer to pick up a telemarketing call). That is like telling a farmer to purchase a Ferrari instead of a Land Rover because the Ferrari will be faster on the motorway. The time saved on the motorway does not outweigh the uselessness of the Ferrari when the farmer needs to drive across a bumpy field. The cheaper vehicle is slower on the motorway, but can be used to drive to places that the Ferrari cannot reach. And so the need to protect consumers from scam calls carried across all kinds of networks was given a lower priority than spurious claims about the benefits consumers will receive when calls are exclusively carried by IP networks. Those benefits relate to enhanced marketing, not enhanced consumer protection.
Much of the confusion about how to protect the public comes from another marketing gimmick. The combination of STIR and SHAKEN is itself a marketing contrivance. STIR is a method for transferring data on IP networks in SIP headers. SHAKEN is a method for governing which businesses will be trusted to make calls. Explained like this, it becomes obvious that you can have STIR without SHAKEN, and SHAKEN without STIR. It would be perfectly possible to send encrypted information OOB to satisfy the same purpose as SHAKEN but that would beg an important question: why is the whole world being pressured to accept the governance structures of SHAKEN when they concentrate power in the hands of a small number of US corporations? The question contains the answer. Americans do not trust foreign businesses to sell to them, but they trust American businesses to sell to everybody everywhere. Other nationalities may see things differently.
A decentralized OOB method of validating calls lends itself to control being localized at the terminus of a call instead of with an international committee that will almost certainly be dominated by Americans. On the other hand, any Europeans who get on to a centralized governance committee will be paid for their time, so that may appeal to some. I expect there would also be a token Asian on the committee, but Africans will be out of luck. And if you do not believe what I am saying, check the nationalities of the people who get the opportunity to speak to GIRAF on behalf of this global industry. The population of the USA is 4.2% of the world, but American businesses speak on behalf of global communications a lot more than 4.2% of the time.
People accuse me of being a conspiracy theorist, which is a strange accusation when I point out such obvious facts about the nationalities and motives of people who insist that they are best placed to decide how to protect everybody everywhere. There is nothing peculiar about observing that people are motivated by financial gain and that the unchecked pursuit of profit can result in sub-optimal outcomes for the public. The bias I write about can be found in the original US laws and regulations for call validation. A lot of people offer interpretations of what the US strategy for protecting consumers from spoofed calls is supposed to be, but the bias towards one specific method, which only worked over IP, was inherent from the very beginning. That bias is written into the TRACED Act, which was signed into law by Trump at the end of 2019. At the time I warned…
…telcos around the world should keep a close eye on developments in the US because of the likelihood that they will be pressured to support the same methods.
The new law made a fundamental mistake, or was rigged in favor of specific business interests, depending upon how you interpret it. Here is where the issue lied:
…the [Federal Communications] Commission shall–
(A) require a provider of voice service to implement the STIR/SHAKEN authentication framework in the internet protocol networks of the provider of voice service; and
(B) require a provider of voice service to take reasonable measures to implement an effective call authentication framework in the non-internet protocol networks of the provider of voice service.
If meant sincerely, that had to be the stupidest sequence imaginable. First, make every telco with an IP network adopt a specific series of protocols for the technology and governance of calls, then expect everyone else to devise something which is kinda like the first thing but does not involve IP and where nothing is said about governance. Balkanizing methods to detect spoofed calls guaranteed that billion-dollar businesses would invest in the STIR/SHAKEN market, which is easy to monetize because of the telemarketing angle, whilst spending hardly anything on developing the ‘other’ framework. Americans have had to wait over five years for the FCC to finally talk about closing the gap in consumer protection controls that was created by a bad law.
A full 9 months after this law was passed, the FCC still had nothing better to offer than the same broken fork between a specific solution using IP and the vague hope of a second framework. Per the Second Report and Order in the Matter of Call Authentication Trust Anchor:
…we interpret the TRACED Act’s requirement that a voice service provider take “reasonable measures” to implement an effective caller ID authentication framework in the non-IP portions of its network as being satisfied only if the voice service provider is actively working to implement a caller ID authentication framework on those portions of its network. A voice service provider satisfies this obligation by either (1) completely upgrading its non-IP networks to IP and implementing the STIR/SHAKEN authentication framework on its entire network, or (2) working to develop a non-IP authentication solution.
And in 2025 we still get the same language from the FCC. The FCC paper explaining their ‘tentative consideration’ of OOB call validation says the following.
Since we propose to conclude that available non-IP caller ID authentication frameworks are effective, we propose to modify this rule to state that a provider with a non-IP network satisfies the “reasonable measures” requirement by either (1) completely upgrading its non-IP networks to IP and implementing the STIR/SHAKEN authentication framework on its entire network, or (2) implementing one or more effective non-IP caller ID authentication frameworks. We propose to make similar modifications in section 64.6303 for gateway providers and non-gateway intermediate providers receiving calls directly from an originating provider. We believe this approach would continue to promote the IP transition, which is the most effective method for achieving caller ID authentication on phone networks and obviates the need for providers to implement non-IP caller ID authentication frameworks.
I cannot be alone in noticing why (1) and (2) do not represent a binary choice. STIR is for transmitting data, SHAKEN is for governing it. All calls will need consistent governance from end-to-end as they cross over multiple types of network. So when the FCC writes like this, they mean you can have SHAKEN (the governance) with STIR (a technology) or you can have SHAKEN (still governance) with some other technology. They did not include the word ‘SHAKEN’ when describing the second option, but that is because they take SHAKEN for granted. So the only real choice here is between switching the network to IP and using STIR, or not changing the network and finding an OOB method that effectively does the same thing as STIR.
Per Hanlon’s razor, the well-paid lawyers with ultimate control of FCC decisions may not understand the words in the FCC’s documents. Even if that is true, other countries still need to be careful not to conflate governance with technology, so they can make the best governance decisions for their circumstances. Partly this is because the FCC is using SHAKEN to outsource governance decisions to US corporations. Much like US politicians choose to complain about the censorship decisions of Facebook and Twitter, whilst refusing to write unambiguous censorship laws that could be followed consistently, the FCC is outsourcing decisions about blocking communications traffic so they cannot be held accountable for those decisions. That is bad practice. And it is a really good reason for foreign regulators to not outsource the same decisions to the same US corporations as the FCC, unless they want the same US entities to make decisions for their populations too. It took time for most national authorities to understand why they might want to deviate from American norms for what people see online, and how to do that in practice. It would be inexcusable for regulators tasked with overseeing the combined world of the internet and telephony to make the same mistake again.
There is no serious prospect of the whole world upgrading to IP-only networks any time soon. Promoting OOB SHAKEN within the USA will revitalize attempts to sell SHAKEN as the inevitable governance model for international calls. The biggest political advantage for demanding SHAKEN in conjunction with IP networks is that it centralizes control in the USA, the part of the world that already has most control over the internet. The Internet Engineering Task Force (IETF) is responsible for STIR and is nominally multinational, but check the nationalities of the people who wrote the STIR standards, and check the nationalities of the companies they work for. The Alliance for Telecommunication Industry Solutions (ATIS) routinely says it is international but a quick glance at their membership is sufficient to end that fiction. Control is important if you want to prevent foreign countries blocking traffic that Americans consider to be legitimate business calls. They talk about legitimacy a lot, as if American laws and culture have determined what is legitimate everywhere. Perhaps they will in future, like they already have for the internet; that is why I explain these issues in depth. Perhaps the majority of Europeans, Asians and Africans want Americans to decide what will be allowed because that is easier than making decisions for themselves. However, it is a shame that Europeans who have started to believe their children should have their smartphones removed because of what they may access through the internet also tend to believe that STIR/SHAKEN is just a kindly technology with no implications for the governance of communications that we may or may not be allowed to receive.
Perhaps most American advocates of STIR/SHAKEN simply do not think through the international aspects of governance, but when I hear about American lobbyists salesmen engineers outnumbering the locals in European decision-making forums then their motives must be questioned. There are many kinds of crimes that occur over networks, but there is no other topic that is guaranteed to motivate so many Americans to enthusiastically dictate instruct advise how to protect the populations of other countries.
Anyone who disagrees with my analysis is welcome to consider how I use plain language versus the way language is used by the FCC and other advocates of STIR/SHAKEN. I never refer to technology delivering call “authentication” because it is not possible to authenticate a call if no human being has taken any responsibility for checks concerning the identity of the person making the call. As you can see from the text above, the FCC routinely talks about mandating the authentication of calls. They say this despite having no mandatory know-your-customer (KYC) rules. The FCC sometimes pretends they have a KYC rule because it is another gaping hole in their strategy. They deliberately confuse the notion of a specific check of a user’s authenticity with ‘authentication frameworks’ that are incomplete in practice, just as they had a framework for calls that went over IP networks but a five-year hole in their stance for calls over non-IP networks. However, the truth about the FCC’s rules may receive a more rigorous examination soon. The FCC has threatened to fine US CPaaS provider Telnyx for connecting scam calls but Telnyx’s rebuttal is that they cannot violate KYC rules if there are no KYC rules to violate.
US businesses openly intend to lobby the regulators belonging to GIRAF to only have voluntary guidance for KYC, with no mandatory KYC rules that might be enforced in practice. Note again how the supposed need for everyone to work worldwide to consistently protect the public from scams then leads to businesses telling regulators not to impose rules that would protect the public from harm because the US regulator does not impose rules that would protect the public from harm. This is consistent with every aspect of the US strategy so far, which is effected by client companies acting in concert with a weak and overly-politicized government agency. The absence of any KYC requirements makes a mockery of the notion that calls will ever be authenticated. Without KYC, it is a lie to say a call has been authenticated. In the absence of any KYC rules, a call received with validation data attached cannot be considered trustworthy because no other telco has reason to suppose voluntary KYC expectations were adhered to. Telcos that actually have robust KYC rules will turn potential customers away, so they should want their competitors to be held to the same high standard. I am appalled that US businesses intend to lobby foreign regulators against KYC rules on the illogical grounds that every telco can simply be trusted to impose equally rigorous KYC checks. This absurd notion directly contradicts extensive experience of how scammers get their calls connected in practice. It is one of the reasons that promoting robust KYC rules for bulk communicators is one of my editorial priorities for this year.
European friends are heartened by the news that the FCC is now considering OOB methods for validating calls. They believe it is an opportunity to break the STIR/SHAKEN stranglehold exerted by big US businesses, and will open a path for a much cheaper OOB method like GSMA Call Check to be rapidly adopted worldwide. I think they are wrong to be optimistic. The detail of the FCC’s paper shows they are only considering how to realize OOB SHAKEN, and are not interested in any other frameworks involving the OOB exchange of validation data. I interpret the sudden need for validation of calls over non-IP networks, a full five years after the notion was vaguely included in a badly-written and arbitrarily-enforced law, as a response to the damage done to the USA’s international ambitions. Otherwise, it is difficult to explain why the FCC also thinks it is vital to ‘streamline’ the new process for approving the mandatory OOB validation methods, per their choice of words. Half a decade elapsed with no regulatory progress whatsoever; why do regulatory decisions suddenly need to be streamlined?
The USA’s influence was undermined by the evident gap between the promises made about STIR/SHAKEN and what the US anti-scam strategy actually delivered in practice. One ongoing flaw with that strategy is the promise to authenticate calls in the absence of any enforceable KYC rules. The breakdown in the transfer of validation data when calls are conveyed by IP networks is another obvious flaw, but is more of a risk to American businesses because it is possible for countries to favor alternative technologies that address the same gap, such as GSMA Call Check. Data from STIR/SHAKEN provider TransNexus shows that US traffic has been migrating towards non-IP routes. This was predictable to anyone who understands why bad actors adapt and exploit changing circumstances. But the FCC has always said its anti-scam strategy is working, even when statistics have shown the opposite to be true. They needed to do something about scam traffic over non-IP networks before it destroyed any remaining credibility for the governance model they have been pushing other countries to adopt.
I may be wrong. I hear that TransNexus deserves a lot of credit for showing that validation data can be carried OOB, and that there was considerable resistance from businesses which opposed any OOB solution. But I remain unconvinced about the sincerity of the motives of the FCC and many other US businesses. Regular readers of Commsrisk will be aware of how little is done to really punish American scammers, how the FCC bypassed its legal obligation to report on anti-scam enforcement action, and how the US government does not impose sanctions on Cambodian scam compounds even though they can be seen from outer space. I keep being told by people who claim to be expert in consumer protection that the only thing preventing the end of scams is the lack of a technology to validate international calls from their origin to their destination, by which they mean the worldwide implementation of SHAKEN, whether in conjunction with methods that carry data in-band or out-of-band. That does not sound correct to me. A lot more could be done now. It can be done without waiting for global end-to-end call validation, but the USA is choosing not to do those things. So whilst the adoption of an OOB validation method would be a welcome improvement that addresses an obvious flaw in the US anti-scam strategy, I remain suspicious of the motives behind it.



