Calls with STIR/SHAKEN C-Attestation Now 5 Times More Likely to Be Robocalls than Unsigned Calls

A few weeks ago the politicians who run the US Federal Communications Commission (FCC) took turns to claim that forcing international carriers to apply a C-grade STIR/SHAKEN attestation to billions of inbound voice calls would make it easier to identify illegal robocalls. They rejected the testimony of US telcos who had implemented STIR/SHAKEN but considered C-grade attestations to be worthless. New data published by TransNexus, a provider of STIR/SHAKEN to US telcos, has since confirmed that calls with a C-grade STIR/SHAKEN attestation are far more likely to be robocalls than other calls that originate and terminate in the USA. C-grade attested calls are now five times more likely to be a robocall than a call which has not received any form of STIR/SHAKEN attestation.

It goes without saying that the FCC, the US comms regulator, is not being honest when they claim that applying C-grade STIR/SHAKEN certificates to many more calls will benefit the US population. The data from calls that originate and terminate within the USA already contradicted their claims before they approved the new regulation for inbound international traffic. The latest data from TransNexus shows that the US implementation of STIR/SHAKEN has been thoroughly perverted by scammers and that the integrity of STIR/SHAKEN is rapidly degrading. In September 2021, C-grade attested calls were twice as likely to be robocalls as calls with no attestation. By December they were three times as likely to be robocalls. And by May they were five times as likely to be robocalls. How long must this trend continue before the US regulator admits their strategy is failing?

TransNexus has data relating to over 100 US telcos. This means their sample is clearly large enough to be representative of all voice traffic within the USA. TransNexus presented precise statistics on the proportion of calls which were robocalls during May.

  • Overall, 8.91 percent of all calls they handle were robocalls
  • Only 2.87 percent of calls with an A-grade STIR/SHAKEN attestation were robocalls
  • 7.61 percent of calls with no attestation were robocalls
  • 35.53 percent of calls with a B-grade attestation were robocalls
  • 40.51 percent of calls with a C-grade attestation were robocalls

Let us examine what this means. To begin with, only those calls with A-grade attestations are fulfilling the promises made for STIR/SHAKEN by making it harder to connect robocalls. A-grade calls have been signed by the telco that originated them. In all likelihood, these reputable telcos would not have originated robocalls anyway, but if a robocall originated on their network then the actual origin would be apparent to others. However, STIR/SHAKEN was designed to allow for lower grades of attestation where the signature is not applied by the originating telco as the call commences. This fundamental flaw was incorporated into the design to suit businesses that want to manipulate the CLI presented to the recipient of a call but also want that CLI to be treated as trustworthy. These lower grades of attestation have been utterly corrupted by scammers. Instead of avoiding STIR/SHAKEN, businesses responsible for robocalls intentionally seek to have them attested because of the fundamentally mistaken belief, as promulgated by the FCC, that any grade of attestation is better than no attestation.

The robocall scammers have succeeded in perverting STIR/SHAKEN because there are hundreds of different ways to lie about what a business is doing but technologies like STIR/SHAKEN are blind to all of them. All STIR/SHAKEN does is to ensure a digital signature gets passed from one telco to another, so the CLI cannot then be changed by any of them. But the CLI might have been altered before the signature was applied. This is why C-grade attestation is so uniquely pointless: an intermediary carrier can discourage the CLI being changed after it leaves them, but knows nothing of changes to the CLI before it reached them.
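To make the point concrete, here is an added example (not code from Commsrisk or TransNexus) of a terminating-side check that reads the attestation level from a SHAKEN PASSporT and reports what it actually says about the CLI, alongside the May robocall rates quoted above. It assumes the RFC 8225/8588 claim names (`attest`, `orig`, `ppt`), assumes the signature has already been verified upstream, and uses constructed sample tokens; the function names are hypothetical.

```python
import base64
import json

# Share of calls that were robocalls in May, by attestation (TransNexus figures
# quoted in the article, in percent). None means the call carried no attestation.
ROBOCALL_PCT = {"A": 2.87, "B": 35.53, "C": 40.51, None: 7.61}
# Only full (A) attestation says the signer vouches for the caller's use of the number.
CLI_VOUCHED = {"A": True, "B": False, "C": False, None: False}

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_sample_passport(attest):
    """Constructed sample token; numbers, URL, origid and signature are placeholders."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/signer.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550199"]}, "iat": 1654041600,
              "orig": {"tn": "12025550123"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return ".".join([_enc(header), _enc(claims), "c2lnLXBsYWNlaG9sZGVy"])

def assess_call(passport):
    """Weigh the presented CLI. Assumes the signature was already verified upstream;
    pass None for a call that arrived with no Identity header."""
    attest, orig_tn = None, None
    if passport is not None:
        parts = passport.split(".")
        if len(parts) != 3:
            raise ValueError("not a compact PASSporT")
        header, claims = _dec(parts[0]), _dec(parts[1])
        if header.get("ppt") != "shaken":
            raise ValueError("not a SHAKEN PASSporT")
        attest, orig_tn = claims.get("attest"), claims["orig"]["tn"]
        if attest not in ("A", "B", "C"):
            raise ValueError("unknown attestation level")
    return {"attest": attest, "orig_tn": orig_tn,
            "cli_vouched": CLI_VOUCHED[attest],
            "risk_vs_unsigned": round(ROBOCALL_PCT[attest] / ROBOCALL_PCT[None], 2)}

if __name__ == "__main__":
    for level in ("A", "B", "C"):
        print(assess_call(make_sample_passport(level)))
    print(assess_call(None))
```

The A and C tokens carry the same originating number and would both pass signature verification, yet only the A token tells the recipient that the signer stands behind that number.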

Fraudsters have been so successful at infiltrating and undermining the purpose of STIR/SHAKEN that those calls which bypass STIR/SHAKEN are significantly less likely to be robocalls than calls which the FCC describes as ‘authenticated’ using STIR/SHAKEN. TransNexus are a biased interpreter of information because they sell STIR/SHAKEN technology to their customers, but this is how even they describe the systematic abuse occurring in the USA:

“Signed robocalls showed explosive growth in May. In some cases, a SHAKEN attestation is becoming a marker for a likely robocall.”

Fewer than one quarter of US calls receive a STIR/SHAKEN attestation, because of the limitations of that technology. Whilst its supporters insist it can now also be implemented on non-IP networks, that is not how the technology was rolled out in practice, with the result that STIR/SHAKEN is only applied to the minority of calls carried by IP networks from end to end. Despite this, the scammers have homed in on STIR/SHAKEN and deliberately pushed their traffic to IP networks in order to secure a B-grade or C-grade attestation. Given this outcome, I find it hard to understand arguments that the only thing that is needed to resolve this mess is to apply STIR/SHAKEN to many more calls. The scammers are already working within the framework provided by STIR/SHAKEN, so what difference would be made by applying that framework more extensively?

There is an absurdly utopian argument that expanding STIR/SHAKEN will inevitably lead to more A-grade attestations. And if I chose to learn Esperanto would that inevitably lead to Esperanto becoming the global language of “common brotherhood” as envisaged by its creator, Ludvik Zamenhof? Hoping the world will agree upon a common standard is not the same as being able to persuade the whole world to follow it in practice. The word “Esperanto” means “one who hopes”; Zamenhof’s hopes will never be realized. About 100,000 people speak Esperanto. If the US federal government insisted on Esperanto being taught in schools then the number of speakers would increase enormously. Some people in other countries might learn to speak Esperanto just to converse with Americans. But it still would not provide sufficient motivation for the whole world to change how we communicate. The plan for STIR/SHAKEN suffers the same defect.

US authorities can impose STIR/SHAKEN on US businesses, but few benefits accrue unless the whole world follows their lead. They have no way of motivating other countries to follow them. Their one hope was that STIR/SHAKEN would prompt a small reduction in robocalls within the USA, and this would tempt other national regulators to foist the same expensive burden on telcos they control. But there has been no reduction in robocalls since STIR/SHAKEN was made mandatory for larger US telcos, and the data from TransNexus shows us why.

If the FCC is incapable of identifying and punishing those US businesses that currently abuse STIR/SHAKEN then they have no chance of effectively becoming the police force for all calls made on the planet. They insisted on applying C-grade attestations to inbound international calls in the hope of imposing incremental burdens that would lay the technological foundations for all calls to eventually have an A-grade attestation. The only gap in their plan is a yawning chasm: few outside of the USA have anything to gain by implementing STIR/SHAKEN. To make matters worse, it appears that national regulators in countries like Australia have succeeded in reducing the number of robocalls received from foreign countries, but without suffering the great expense involved in implementing STIR/SHAKEN. This means they have even less reason to help the US by following their approach.

Insiders tell me that the USA has collectively spent half a billion dollars on STIR/SHAKEN so far. Add to that the cost of satisfying the new regulation requiring STIR/SHAKEN for international traffic, then the anticipated cost of extending it to the 75 percent of US calls which have been excluded so far because they are carried over TDM networks. The expenditure is running away but no benefits have been realized. This does not make for an appealing proposition to other countries!

The US is a mighty and successful country in many regards, but it can be defeated by problems that require a collective response. I hardly need to recount its struggles with mass shootings or highlight gaps in the provision of US healthcare. The US problem with robocalls has some similarities. Public debate gets bogged down in side issues of little importance. Others waste time proposing utopian schemes that could never be realized in practice. Ineffectual discussion and flawed policies are pursued because it is so hard to reach a consensus about addressing the fundamentals, such as deterring illegal robocalls by punishing the bad actors that are caught from time to time. Despite all the talk, not one expert offered a credible projection of the relationship between spending on STIR/SHAKEN and the number of robocalls received by US residents. In practice we see one of those lines keeps going up whilst the other remains stubbornly flat, and that cannot have been the intention.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.