There was no public process on who should run the [STIR/SHAKEN] governance authority for Canada, or what its operating model should look like. The CRTC just handed the role over to an incumbent-built organization without any public consultation. From its inception, the CST-GA ignored the original CRTC directive that SHAKEN/STIR “should be implemented by Canadian telecommunications service providers (TSPs)” and instead insisted that only carriers with access to numbering resources should be allowed to participate. Now the smaller carriers were really in a kafkaesque situation – they had a regulatory obligation to implement STIR/SHAKEN but were now being told by the governance authority they could not participate.
You normally have to participate in the conferences of the Risk & Assurance Group (RAG) to learn what was said, because attendees talk freely and much of the conversation is too sensitive to be shared openly. However, Matthew Gamble, Principal at Int13 Consulting and Vice Chair of the Internet Society Canada Chapter, has chosen to publish the full text of the short talk he gave at RAG New Orleans about Canadian regulations for the STIR/SHAKEN anti-spoofing protocols. Gamble has spent years valiantly trying to explain to the Canadian Radio-television and Telecommunications Commission (CRTC), Canada’s comms regulator, how their approach has gone awry and is prejudicial to smaller telcos. The CRTC may refuse to listen but you should, because the same mistakes could be made in any country contemplating how to reduce robocalls. Gamble argues persuasively that a toxic combination of political posturing about necessary deadlines for consumer protection with bureaucratic neglect of important practical details meant smaller IP-centered telcos could not implement STIR/SHAKEN when they would otherwise have been early adopters.
Recently I have been working with a startup voice service provider in Canada who doesn’t even have a single piece of physical equipment – everything is cloud based. This lack of facilities doesn’t make these non-LECs lesser or inferior telecommunications providers. It absolutely makes sense for a business to focus on where it can add value rather than overbuilding traditional physical services. These providers are examples of companies that are the leading edge, driving innovation and new service delivery models – and to bring this full circle – have been left out in the cold since 2017 when it comes to SHAKEN/STIR.
Serious problems can occur when high-level decision-makers only want responsibility for high-level decisions, whilst assuming somebody else will take care of all the technical and operational details needed to realize their ambitions. Experienced risk professionals working in the comms sector will appreciate the gulf between saying what you want at a high level and translating that into the specifics of how systems will perform in practice, especially when technology needs to be applied across multiple telcos that each work differently.
One warning – which I have to admit was on the money – I raised on behalf of the VoicePeering project. This was the concern that the ATIS forum and FTC Robocall Strike Force had limited SHAKEN/STIR only to carriers with operating carrier numbers. If Canada adopted a similar model, we warned, it could leave smaller players out of the framework. Taken to the logical conclusion, leaving smaller telcos out of the process would lead to a two tiered world – those who can sign and those who cannot. If this came to pass, the result would be dire – businesses and consumers would eventually be forced to migrate away from smaller providers and years of gains and innovation from competitive service providers would be lost.
Zeal for consumer protection can lead to unrealistic deadlines, even if nobody is empowered to make necessary decisions that will safeguard the interests of existing customers. This problem became acute in Canada because the Alliance for Telecommunications Industry Solutions (ATIS), a standards body which describes itself as international but which is actually dominated by US businesses, had made a decision which was sensible in the context of the US telecoms ecosystem but which would be damaging if also followed in Canada.
…In a 2018 decision, the CRTC ignored the concerns and issues raised by everyone and instead set an implementation date of March 2019. Industry be damned they said, we’re going to give consumers what they want.
After that decision, the implementation of SHAKEN/STIR was referred to the CRTC Interconnection Steering Committee (CISC) for implementation planning – where the technical is intertwined with regulatory and any decision moves at the speed of snail. With a pending implementation date, we again raised the point about access to certificates for smaller carriers and we were told that was a policy decision and out of scope for a technical body. For the technical implementation the larger carriers were sticking by the ATIS/FCC guidance that only carriers with OCNs could participate. Not our problem they said, this is what the ATIS standard calls for. Our fears of a two tiered world were starting to become real.
Repeated submissions to the CRTC finally forced the regulator to allow smaller telcos to become active participants in STIR/SHAKEN, but the time that was wasted meant these telcos would now need to spend more.
A decision in the Mitel application came in Aug 2021 and finally smaller players were allowed to obtain certificates. TSPs were finally out of their Kafkaesque situation around obtaining certificates, but were now faced with the high capital costs of having to upgrade network equipment in a very short time frame to comply with the SHAKEN/STIR deadline of November as well as the costs of joining the CST-GA.
A cursory review might lead observers to believe both Canada and the USA are following the same approach to implementing STIR/SHAKEN as part of a strategy for reducing robocalls. A closer examination reveals there are significant differences in the costs borne by smaller telcos with no explanation for why Canadian telcos are required to spend so much more than their southern neighbors.
While the true costs are shrouded in NDAs, industry sources indicate the yearly fee for CST-GA membership starts in the $15k range for non-carriers, regardless of the size of the organization. For a smaller TSP this fee could be a significant portion of revenues in a year. Contrast this with the United States, where the GA fees are based on revenues, with the smallest providers paying only $825 USD per year. Why the discrepancy? The costs with managing signed certificates is a solved problem from a technology perspective with one of the largest signing systems being given away for free. How does managing the administration of an organization in a country 1/9th the size cost such a magnitude higher?
After Gamble gave his presentation, he joined a high-powered panel which includes some of the most respected authorities and academics currently working on the problem of nuisance robocalls (pictured, with Gamble second from left). They discussed the international context but it is vital to understand that platitudes about needing to work together to protect phone users cannot substitute for the detailed implementation decisions that will need to be made by each individual nation seeking to reduce robocalls. These decisions can fundamentally bias the market in ways that may seriously disadvantage some existing telcos.
As the telecoms industry steps down the road of authenticating CLIs and blocking calls it will concentrate power in some hands, with the result that some telcos may find their calls are not connected, or they are forced to pay an unfair price just to remain in business. The issues raised cannot be addressed by simply waiting for regulators to act wisely. Each telco needs to protect its own interests. That begins with technical and fraud experts in telcos obtaining reliable information and a balanced understanding of the pros and cons for each method that can be used to reduce robocalls. Those telcos that fail to take an active interest in robocall prevention may find themselves locked out of important conversations when they occur, with the risk they will eventually be locked out of the telecoms ecosystem entirely.
You can read the full text of Gamble’s presentation, “A Kafkaesque Nightmare – The History of STIR/SHAKEN and Small Carriers in Canada”, by looking here.