Much consternation must have been felt by Twilio last week, after they received a cease-and-desist letter from the Federal Communications Commission (FCC), demanding they immediately prevent the origination of any further robocalls promoting an alleged scam run by a business called MV Realty. After three decades with Sprint and T-Mobile, I know that satisfying a regulator is often difficult, but communications providers of the stature of Twilio do understand the need to play by the rules. Failure to comply with the FCC’s letter could have led carriers to stop handling any of Twilio’s traffic within just 48 hours.
As Eric Priezkalns observed in his analysis, it would be a disaster if Twilio was disconnected from the US Public Switched Telephone Network (PSTN), not just for Twilio, but also for Twilio’s legitimate customers (which I assume are far and away in the majority). Likewise, it’s possible that PhoneBurner, a service provider customer of Twilio’s that was also named in the FCC’s cease-and-desist letter, has a predominantly legitimate customer base, although one of its customers, MV Realty, is alleged to have business and calling practices that provoked the FCC Enforcement Bureau into threatening draconian action. Given the gravity of the situation for Twilio, PhoneBurner, and their customers, one sincerely hopes that the earlier outreach from the US Telecom Association’s Industry Traceback Group (ITG) and the FCC Enforcement Bureau staff, which preceded the cease-and-desist letter, was sufficiently clear. If it was, Twilio and PhoneBurner should perhaps have been able to avoid this public warning.
I’ve worked with folks at Twilio, was a member of the ITG, and I have worked with FCC staff before. I’m sympathetic to all of them. I am especially sympathetic to the FCC’s efforts to cooperate with industry and to use their authority to influence effective mitigation of illegal robocallers by telecommunications service providers. However, my decades as an engineer also allow me a real appreciation for the challenges facing service providers: originating, routing, and delivering hundreds or thousands of calls arriving each second while monitoring and mitigating traffic in real time to assess, identify, and block bad-actor fraud. It is not a trivial effort.
The FCC and the US telecommunications industry have both been very busy for most of the last decade collaborating on developing various technical and business process methods of mitigating illegal robocalling. The US Congress also contributed the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement And Deterrence (TRACED) Act. This act authorized the FCC to issue mandates requiring US service providers to deploy STIR/SHAKEN call authentication. Much has been done, but much more work is needed. The FCC needs better, more surgical, tools so that subscribers can finally enjoy some material relief from illegal robocalling and so that service providers can reliably avoid potentially disastrous edicts from regulators.
I strongly agree with Eric’s assessment that the FCC is seemingly emphasizing the requirement for robust Know Your Customer (KYC) procedures. I think KYC is foundational. Zenith Electronics Corporation for many years used the advertising slogan, “The quality goes in before the name goes on.” This principle applies equally to manufacturing television sets, Calling Number and Calling Name display on phone calls, and STIR/SHAKEN call authentication. A database is only as good as the data it contains, and a signed call is only as trustworthy as the onboarding that stands behind the signature. Fraud risk management expertise is not always incorporated into customer onboarding and validation practices, yet those practices are critical to robocall mitigation: they are the first step for service providers that want to avoid customer engagements likely to draw the ire of federal regulators. Quality KYC and on-going Customer Due Diligence (CDD) practices are fundamental for protecting a business and a business’ customers. The seeming increased emphasis on KYC is appropriate and a hopeful sign.
It has a cumbersome name, but I am excited by the work being done by the Enterprise-Identity Distributed Ledger Technology (EI-DLT) working group of the Alliance for Telecommunications Industry Solutions (ATIS). They are investigating promising methods for verifying the identity of callers. These involve encoding, in the call authentication data, verifiable identity information that Local Operating Units (LOUs) accredited by the non-profit Global Legal Entity Identifier Foundation (GLEIF) obtain through their KYC processes. For those who are unfamiliar, GLEIF was established after the 2008 global financial crisis by the Financial Stability Board (FSB) of the G20, with the goal of making it easier to be certain about who organizations are doing business with. Companies in the role of LOU, such as Bloomberg and the London Stock Exchange, are authorized issuers of Legal Entity Identifiers (LEIs) to legal entities (enterprises, organizations, and individuals acting in a business capacity) that submit to identity validation processes initially established to meet the Anti-Money Laundering (AML) regulatory requirements of the financial industry. Obtaining an LEI is inexpensive, often costing less than USD100, and LEIs serve as globally-recognized identifiers whose standards are overseen by GLEIF. LEIs were created for the financial industry, but organizations in other sectors are also adopting them to streamline and improve onboarding and validation processes.
The ATIS EI-DLT working group (a sister group of the ATIS/SIP Forum IP-NNI task force that writes the SHAKEN standards) recognized that the caller identity information available in the various X.509 certificates used for STIR/SHAKEN call authentication might be significantly improved by including LEIs, which identify companies whose identities have been validated using globally-accredited processes. A well-documented identity, encoded in a globally-recognized identifier and combined with one or more verifiable trust attributes, could usefully differentiate legitimate from illegitimate robocalls. This would protect the calls made by legitimate callers from spoofing and impersonation, as well as from labeling and blocking errors.
Assuming the EI-DLT working group is successful, regulators such as the FCC might one day be able to quickly identify not just a service provider (or an intermediate aggregator of service providers like Twilio) but the actual robocallers themselves, using STIR/SHAKEN call authentication enhanced with LEIs. Because the customers of outbound call centers include all sorts of enterprises, hospitals, politicians, et cetera, STIR/SHAKEN call signatures could carry the layered identities present in each call: the terminating service provider, the called party subscriber, and the FCC would all see not just that the call used a particular telephone number, but that the number was being used by a call center company as authorized by its customer. The same method would also give everybody confidence that the identities of the call center and its customer had been reliably established and clearly delineated. Revocation of the LEI and/or of LEI-integrated SHAKEN credentials could become another tool in the FCC’s toolbox, so the FCC could deftly drain away the scum rather than having to throw the baby out with the bathwater.
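To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the original article, ATIS, or any SHAKEN implementation) that builds and verifies a SHAKEN PASSporT in Go using only the standard library. The header and the standard claims follow RFC 8225 and RFC 8588 (alg ES256, ppt shaken, attest, dest, iat, orig, origid). The "lei" claim is a hypothetical placeholder for the kind of LEI-backed attribute the EI-DLT work is exploring; it is not part of any published standard. The telephone numbers, origid, LEI value and the x5u URL are constructed sample values, and certificate retrieval and chain validation against the STI-PA trust list are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// ISO 17442 LEI shape (18 chars of [A-Z0-9] plus two check digits); shape only, no GLEIF lookup.
var leiRe = regexp.MustCompile(`^[A-Z0-9]{18}[0-9]{2}$`)

// passport holds SHAKEN PASSporT claims (RFC 8225 base claims plus the RFC 8588 "attest" and
// "origid" extension) in lexicographic order, as RFC 8225 requires. "lei" is NOT a standard
// claim: a hypothetical placeholder for the verified identity attribute ATIS EI-DLT is exploring.
type passport struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Lei    string              `json:"lei,omitempty"`
	Orig   map[string]string   `json:"orig"`
	Origid string              `json:"origid"`
}

func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signPassport emits the full-form PASSporT (a compact JWS). ES256 is the only algorithm
// SHAKEN permits; x5u is the URL from which verifiers fetch the signer's STI certificate.
func signPassport(priv *ecdsa.PrivateKey, p passport, x5u string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyPassport mirrors a terminating provider's verification service: pin the algorithm
// before trusting anything, check the signature, then enforce freshness and LEI shape.
// Fetching x5u and validating the chain against the STI-PA trust list is omitted.
func verifyPassport(pub *ecdsa.PublicKey, token string, now int64) (p passport, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return p, fmt.Errorf("malformed PASSporT")
	}
	enc := base64.RawURLEncoding
	var hdr map[string]string
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" {
		return p, fmt.Errorf("unsupported or malformed header")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return p, fmt.Errorf("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return p, fmt.Errorf("signature does not verify")
	}
	if body, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &p) != nil {
		return p, fmt.Errorf("malformed claims")
	}
	if age := now - p.Iat; age > 60 || age < -60 { // RFC 8224 recommends a short freshness window
		return p, fmt.Errorf("iat outside freshness window")
	}
	if p.Lei != "" && !leiRe.MatchString(p.Lei) {
		return p, fmt.Errorf("malformed LEI claim")
	}
	return p, nil
}

func main() {
	priv, _ := newKey()
	const now = int64(1700000000) // fixed clock so the demo is reproducible
	// Constructed sample values (fictional 202-555 numbers, placeholder origid and LEI, hypothetical x5u).
	p := passport{Attest: "A", Dest: map[string][]string{"tn": {"12025550199"}}, Iat: now,
		Lei: "000000TESTENTITY0132", Orig: map[string]string{"tn": "12025550100"}, Origid: "sample-origid-0001"}
	tok, _ := signPassport(priv, p, "https://cert.example/sp.pem")
	got, err := verifyPassport(&priv.PublicKey, tok, now)
	fmt.Println(len(tok) > 0, got.Attest, got.Lei, err)
}
```

The verifier checks the header before the signature so that an attacker cannot downgrade the algorithm, and it rejects a PASSporT whose iat is outside a short window even when the signature is valid, which is what stops a captured Identity header from being replayed on later calls. In a real deployment the "lei" claim would only be worth anything if the STI-CA that issued the signing certificate had itself bound that LEI to the certificate holder during onboarding; that binding, rather than the JSON claim, is where the KYC value lives.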
The recent interest in encoding GLEIF-administered Legal Entity Identifiers (LEIs) in STIR/SHAKEN is consistent with the FCC’s apparent emphasis on identity validation and documentation processes. Hopefully, Twilio’s unfortunate incident (to put it mildly) adds momentum to the work in the ATIS EI-DLT working group. Success would begin with outlining a possible integration and use of LEIs in STIR/SHAKEN call authentication in the US and beyond.