Calls with STIR/SHAKEN C-Attestation Almost 6 Times More Likely to Be Robocalls than Unsigned Calls

Before we go any further, it is important that you do not confuse this piece with a previous Commsrisk article that had a similar title. On June 7 the news was that:

Calls with STIR/SHAKEN C-Attestation Now 5 Times More Likely to Be Robocalls than Unsigned Calls

In May there was a 5.3 to 1 ratio between US robocalls that had a C-grade STIR/SHAKEN attestation and US robocalls that had no attestation. In June the ratio is 5.8 to 1. So this month’s news is not just that one billion bad calls received an attestation per the expensive new system that is the centerpiece to the US strategy for reducing robocalls, but that the scale of the failure grows worse each month.

In September 2021, C-grade attested calls were already twice as likely to be robocalls than calls with no attestation. By December they were three times as likely to be robocalls. Last month I asked how long this trend must continue before the Federal Communications Commission (FCC), the US comms regulator, admits the core of their anti-robocall strategy is failing. The US public deserves an answer, but they are not getting that answer because nobody working in the mainstream media or politics is holding the regulator to account.

The FCC and other supporters of STIR/SHAKEN often use the word ‘authenticated’ to describe a call that has been signed and attested per STIR/SHAKEN’s technology and governance rules. They may try to excuse this misleading language by claiming authentication has a very particular meaning in this context, per the technical way in which they use the word. But that meaning deviates from the common understanding of the word. It is plain that a system that ‘authenticates’ a billion bad calls per month is not a system that performs reliable authentication per the ordinary use of this word.

To recap, STIR/SHAKEN is a combination of technologies and governance protocols that are meant to prevent the spoofing of a CLI. The method involves applying a digital signature to a voice call so the authenticity of the CLI can be checked by the telco which terminates the call. It is common for the CLI of a nuisance robocall to be spoofed in order to disguise the true origin of the call. The theory behind STIR/SHAKEN is that warning users about mismatches between the CLI shown on their handsets and the CLI when the call was signed will help users to avoid nuisance robocalls. However, the approach has not worked. FCC rules mean approximately one-quarter of US calls receive a STIR/SHAKEN attestation, implying they can be trusted, but these calls are actually more likely to be robocalls than calls with no attestation.

Last week the FCC congratulated itself for closing a ‘loophole’ by demanding STIR/SHAKEN be implemented by more US telcos. The FCC were playing with words; the so-called loophole was the simple fact that smaller telcos had been allowed more time to implement STIR/SHAKEN because they were more likely to struggle with paying for the expensive technology. The real loophole is apparent for anyone who examines objective data about the signing of calls using STIR/SHAKEN. Many robocalls are given a B or C-grade attestation, which means the signature was not applied by the telco that originated the call when it was dialed. This creates a loophole because the value of signing a call is lost if the signature is applied by a business that does not know, or care, where the call really came from. An astonishing amount of US robocall traffic is now being driven through this loophole and the FCC is not offering a solution to this problem, except for the vague hope that if every telco in the world implemented STIR/SHAKEN then every call could, in theory, receive an A-grade attestation.

This data on the relationship between attestation and robocalls comes from TransNexus, one of the certificate authorities in the US STIR/SHAKEN ecosystem. TransNexus has a vested interest in seeing STIR/SHAKEN succeed in the USA and replicated in other countries. It is to their credit that they continue to be transparent about the problems with STIR/SHAKEN in the US even though this will damage the prospects of selling the same technology overseas. TransNexus clearly believe the technology is sound but has been corrupted by the way it is being used in practice. They repeated their criticisms of the current US strategy in their most recent monthly blog of STIR/SHAKEN statistics.

The remarkable thing… is that almost 40% of calls signed B or C were robocalls. As we’ve reported in previous months, many of these calls were signed by a downstream intermediate provider using their own SHAKEN certificate.

In this scenario, the upstream Originating Service Providers (OSPs) claim a SHAKEN implementation in their Robocall Mitigation Database (RMD) filings. However, they have not been approved to do SHAKEN by the STI Policy Administrator, so they really aren’t doing SHAKEN. As Figure 1 illustrates, they aren’t doing robocall mitigation either.

The downstream provider evades accountability too. It signs robocalls with attestation levels that acknowledge that it really doesn’t know anything about these calls.

TransNexus has a valid criticism of how STIR/SHAKEN is currently used in the USA. We can separate their point from a wider question about the chances of the FCC’s strategy working on a global level. Focusing on the USA or on technical details may blind otherwise sensible professionals to the glaring flaw in the FCC’s strategy. A simple analogy highlights the problem. Phone traffic moves across borders and people move across borders. When people move across borders we usually – but not always – expect them to show a valid passport. The FCC can succeed in their ambitions if all voice traffic headed for the USA must have a valid passport attached. But the passports will prove nothing if they are handed out at the border, as the traffic arrives. Only a passport that was issued at the origin can be considered reliable. That means every telco in the world would have to be capable of issuing a passport for every call in the world, even if most of their calls are not going to the USA. The hope that these companies will all incur enormous expense for zero benefit is absurd. It is made even more ludicrous by the current US context, where the US authorities keep demonstrating they are unwilling or incapable of punishing rogue businesses that operate within the USA.

TransNexus is openly accusing US businesses of failing to satisfy their legal responsibility to reduce nuisance robocalls. Despite this, there is no sign of the FCC doing anything to clamp down on these businesses, even though STIR/SHAKEN means they now have data which shows them who is failing. In early 2021 the FCC announced the creation of a ‘Robocall Response Team’ composed of over 50 key members of staff. But in July 2021 we are still waiting to see them respond to a serious flaw with their current strategy that has been clearly and publicly explained by one of the businesses central to the implementation of STIR/SHAKEN in the USA. The data does not lie; it is just being ignored.

Instead of addressing a critical issue with how STIR/SHAKEN is used in practice, the FCC is putting most of its energies into pushing for STIR/SHAKEN to be implemented more extensively, even if that means attaching useless C-grade signatures to billions more calls. US politicians seek to win short-term favor from voters by saying how much they support the FCC’s strategy, despite its increasingly evident failings. Journalists are even worse, mindlessly copying what they read in FCC press releases without once checking the contrary data published elsewhere. They all choose to go along with misinformation pumped out by the FCC, who are gaslighting the public by pretending the total number of robocalls is falling. FCC Commissioner Geoffrey Starks demanded during a hearing in May that STIR/SHAKEN be extended to international carriers and supported his argument by claiming:

…positive signs are that the numbers [of robocalls] are trending downwards from last year.

Compare what Starks said to the following data from the YouMail Robocall Index, the most reliable measure of robocalls in the USA. The blue shows the billions of robocalls that US consumers have suffered each month since STIR/SHAKEN became mandatory for larger US telcos, and the red is the trendline.

The USA does not have to fail at reducing nuisance robocalls. Australian authorities recently announced a 50 percent reduction in reports of scam voice calls since they imposed a new code of practice in 2021. Australia has not adopted STIR/SHAKEN but their telcos and regulator are obviously doing something right. The sooner the FCC and other responsible parties in the USA step back from their bluster and their theories about how to reduce unwanted calls, and instead base their decisions on what the data is actually telling them, the sooner they will learn from past mistakes and settle upon a strategy that really works.

It now seems clear that a toxic mixture of ideological bias and sheer laziness means US politicians and journalists will not use the data presented by TransNexus to hold the FCC to account. People might disagree about the correct way to remedy the flaw at the heart of STIR/SHAKEN but it is insanity to continue as if nothing is wrong. Ordinary Americans will go on suffering because of the intransigence of decision-makers who do not want to admit that mistakes were made and efforts need to be redirected elsewhere. But if the situation continues to deteriorate as it has, the eventual admission of failure will be even more painful when it comes.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.