Fans of STIR/SHAKEN, the standards for CLI validation that the USA would like to impose worldwide, are not having a good start to the year. There have been desperate attempts to con Australians and French into believing the UK is adopting STIR/SHAKEN even though the news is that Britain has rejected STIR/SHAKEN. The statistic that was used to justify the half-billion dollar cost of STIR/SHAKEN to the US economy is the YouMail Robocall Index, which showed in January that the number of robocalls received by Americans is almost the same as they received in July 2021, when STIR/SHAKEN first became mandatory. YouMail says this is because the increase in good robocalls has perfectly offset a reduction in bad robocalls. Others may question if receiving a robocall every second day can ever be a good thing, and why the distinction between good and bad robocalls was never mentioned before STIR/SHAKEN went live. I have become a tad cynical as a result of the tactics used to mis-sell STIR/SHAKEN. But even I was not prepared for the latest mishap associated with STIR/SHAKEN. AT&T, who recently announced they have created a new revenue stream from STIR/SHAKEN by selling to enterprises the ability to place their logos on robocalls, and their rivals at Verizon are now being sued because they implemented STIR/SHAKEN. The lawsuits contend that both US telcos infringed intellectual property rights in filings submitted to a Texas court last week.
Before we examine the plaintiff’s case, let us step back and remind ourselves about what it means to manage risk. It does not mean we should all rush to give as much money as possible to one particular group of people because they say they can answer a question. We should instead be versatile and broad-minded enough to recognize there will be a variety of ways to tackle the wide range of problems that crop up in real life. The main difference between me and most advocates of STIR/SHAKEN is that I never believed that the challenge of scam calls must be tackled by the world donning a straitjacket combination of network engineering, internet jiggery-pokery and elitist top-down bureaucracy devised by US corporations without any input from the rest of the planet. This lawsuit is another illustration of the reasons why. There are intellectual property rights in STIR/SHAKEN and they have not been given up. The intellectual property has owners, but you are unlikely to be one of them, and the owners are unlikely to be controllable by your government either. This is because the owners of those rights will be supported by US law and by an American culture that devotes a lot of resources to enforcing property rights, even against foreign governments. Unlike other methods to tackle scam calls, the owners of the intellectual property in STIR/SHAKEN can charge rent to anyone relying on their ideas, which increases the risk of making their approach mandatory across the whole planet. The experience of STIR/SHAKEN in the USA has demonstrated that the point in time when regulators will appreciate STIR/SHAKEN is an expensive flop is way past the point when the mistake can still be reversed without an enormous loss of face. Once the decision is made, you are committed to paying the price forever.
The lawsuits against AT&T and Verizon were brought by RightQuestion LLC, an entity controlled by Bjorn Markus Jakobsson, a security researcher with a history of pursuing redress for infringements of his patents. Apple and Samsung are amongst the companies he has sued in other cases, so Jakobsson has experience of navigating the US legal system. Samsung settled with Jakobsson in 2021, whilst the case involving Apple is ongoing. Jakobsson’s lawsuits typically relate to security technologies where he has been named as the inventor on the patents. He has also previously sued businesses that supply solutions designed to protect consumers from email scams; the methodology of STIR/SHAKEN is based on the crude and flawed assumption that techniques which have been applied to email and the web can be usefully re-applied to voice calls. We can hence infer that if Jakobsson succeeds with his lawsuits against AT&T and Verizon then every other telco that relies on his contribution to STIR/SHAKEN will also become a target for further lawsuits.
I will concentrate on the details of the lawsuit against AT&T for brevity. Their case has the potential to cause maximum embarrassment because the head of the US governance authority for STIR/SHAKEN is also an employee of AT&T. RightQuestion has demanded a trial by jury and is represented by a team of seven attorneys. Their complaint states that AT&T has infringed the following three patents, all of which describe methods to check the authenticity of a CLI, otherwise known as caller ID.
STIR/SHAKEN is explicitly identified as the patent-infringing technology in RightQuestion’s filing.
RightQuestion seeks damages and other relief for AT&T’s infringement of RightQuestion’s patent rights relating to call-authentication technology known as “STIR/SHAKEN,” a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.
The complaint argues that AT&T is not just directly infringing the patents through their own implementation of STIR/SHAKEN, but is responsible for inducing others to infringe the patents too.
AT&T has indirectly infringed and continues to indirectly infringe one or more claims of the ’009 patent by inducing infringement by others, such as AT&T’s customers and end-users and other voice-service providers, in this District and elsewhere in the United States, to implement and/or use the STIR/SHAKEN protocol in an infringing manner… For example, AT&T’s customers and end-users and other voice-service providers infringe via their use of the AT&T Networks to access and use the networks of such other providers that support STIR/SHAKEN. AT&T induces such direct infringement through its affirmative acts of making, using, selling, offering to sell, and/or importing the AT&T Networks and their components and supporting the STIR/SHAKEN protocol over the AT&T Networks.
The plaintiff wants both compensation and enhanced damages.
RightQuestion requests the following relief from this Court…
…Compensatory damages in an amount according to proof, and in any event no less than a reasonable royalty, including all pre-judgment and post-judgment interest at the maximum rate allowed by law and including an accounting of all infringements and/or damages not presented at trial.
…An award of enhanced damages.
…A declaration that this case is exceptional and an award of reasonable attorneys’ fees.
Given that the names of seven attorneys have been filed as representing RightQuestion, they likely feel some confidence in their chances of success.
Cases like these can rumble on for years, unless the defendants opt for the expensive route of agreeing to a quick settlement. So now, any telco considering whether to implement STIR/SHAKEN should consider the potential cost of the royalties owed to Jakobsson as a patent holder, and the potential damages if the telco is inducing others to infringe his patents. AT&T and Verizon may ultimately pay Jakobsson to keep settlement deals confidential, but the absence of publicity does not eliminate the risk to other telcos. Settling with AT&T and Verizon would not prevent Jakobsson from issuing similar demands to other telcos, wherever they may be.
Supporters of STIR/SHAKEN have been unwilling to have an honest, transparent discussion about the costs of implementing it. But they still demand that regulators impose those poorly-defined costs on every telco globally. RightQuestion shows there are other liabilities that should be listed with the costs associated with STIR/SHAKEN. It is time to stop pretending that a small clique of American internet engineers and numbering specialists have performed a thorough evaluation of all the pros and cons of using STIR/SHAKEN. They have neither the qualifications nor the competence to do that without a lot of outside assistance. So if your telco believes their sales pitch and commits to using STIR/SHAKEN, then your telco’s legal team needs to evaluate all of the risks. Nobody else will do it for you.
Some regulators have an almost negligent attitude towards the unexamined costs of STIR/SHAKEN. The flimsy cost-benefit argument presented by the US Federal Communications Commission (FCC) cited the number of robocalls per the YouMail Robocall Index, but without the distinction between ‘good’ and ‘bad’ robocalls that the FCC and YouMail only started mentioning recently. The FCC will not be covering the legal bills of AT&T and Verizon. At a time when telcos seek savings by making staff unemployed, can you afford to take a similarly flippant attitude to the ongoing costs associated with STIR/SHAKEN? Or are you hoping, like AT&T, to offset those costs by placing other technologies on top of STIR/SHAKEN so you can sell branded robocall services to your enterprise customers? The latter model might be successful in a country like the USA and for a telco like AT&T, whose customers include big corporations that expect to phone ordinary Americans every other day. It is not an approach that is suitable for the culture and economy of every country.
The businesses behind the American strategy want every telco in the world to pay for STIR/SHAKEN because this will make it easier for US corporations to make telesales calls to everybody on the planet. That is a different kind of price that some cultures may not want to pay, just as some cultures see many downsides to the ways Americans have set the tone for what we see on the internet. STIR/SHAKEN introduces many liabilities. Make sure you understand them all.
If you want your legal team to monitor progress with these lawsuits then tell them RightQuestion v. AT&T is civil action 2:24-cv-00094 in the Eastern District Court of Texas. RightQuestion v. Verizon is civil action 2:24-cv-00091.



