This is how the US Federal Communications Commission (FCC) described a USD2mn fine they proposed for a telco that used STIR/SHAKEN to spoof the phone number of an innocent party when making calls that maliciously mimicked the voice of President Joe Biden.
Lingo Telecom Faces Enforcement Action for STIR/SHAKEN Violations that Facilitated Misuse of Generative AI Technology Related to the 2024 New Hampshire Primary
It is ironic that a regulator chooses to mislead the public about rules it supposedly put in place to protect the public from being misled. Contrary to the FCC’s press release, it appears that everybody responsible for these calls did everything required to comply with the STIR standard issued by the Internet Engineering Task Force (IETF) and the SHAKEN standard issued by the Alliance of Telecommunications Industry Solutions (ATIS). Lingo Telecom also complied with the FCC’s mandate to implement STIR/SHAKEN for their IP network. They paid a STIR/SHAKEN Certification Authority to provide the certificate used to create the STIR/SHAKEN signatures that were attached to calls. The Certification Authority followed the requirements imposed by the national Policy Administrator for STIR/SHAKEN. No technical aspect of STIR/SHAKEN was violated. STIR/SHAKEN worked exactly as it was designed to work. The problem is that STIR/SHAKEN was never designed to check anything, despite the FCC and fans of STIR/SHAKEN repeatedly choosing to mislabel it as a form of ‘authentication’ for phone calls.
If garbage is fed into STIR/SHAKEN, then garbage will come out of STIR/SHAKEN. STIR attaches the garbage, and SHAKEN guarantees that the recipient can prove who attached the garbage, but neither can tell the difference between garbage and reliable information. An accurate statement of Lingo Telecom’s transgression would focus on their complete indifference to performing the know-your-customer checks that are vital to eradicating fraud, but which are neither specified by STIR nor by SHAKEN. The distinction is important. At a technological level, STIR/SHAKEN was designed for use on IP networks because the data that comprises the signature is communicated in the header of a SIP INVITE. But bothering to check the identity of a customer has nothing to do with SIP signals or IP networks. It needs to be done by human beings who are conscientious in their work. A lie is a lie whether transmitted over an IP network or a non-IP network. The requirement to check a customer’s identity comes before any method that is subsequently used to transmit identity data over any kind of network. Put simply, it should not matter whether a telco spoofs a CLI on an IP network, a TDM network, or any network. It does not matter if ‘authentication’ data is conveyed using SIP signals, as in-band DTMF tones, or by carrier pigeon. Somebody should check the identity of the dialer first. If no KYC checks are performed, the potential harm to the recipient of the calls is the same in each scenario.
The FCC noted in their press release that this was the first time they had proposed a fine of this type.
The Federal Communications Commission today proposed a first-of-its-kind enforcement action related to the spoofed, deepfake illegal robocalls that targeted potential New Hampshire voters prior to the January primary. Lingo Telecom transmitted these calls, incorrectly labeling them with the highest level of caller ID attestation and making it less likely that other providers could detect the calls as potentially spoofed. Lingo Telecom faces a $2 million proposed fine for apparent violations of the Commission’s caller ID authentication rules.
It took several paragraphs before they finally mentioned the KYC checks that are really needed to protect phone users, and which were not implemented by Lingo Telecom.
Lingo Telecom failed to follow “Know Your Customer” principles by applying the highest level attestation — signifying trust in the caller ID information — to apparently illegally spoofed calls without making any effort to verify the accuracy of the information. Caller ID authentication using STIR/SHAKEN standards is an essential tool, mandated by the Commission, which serves as a digital identifier for each call to empower tracebacks of suspicious calls, inform robocall blocking tools, and support more reliable caller ID information for consumers.
Lingo Telecom’s failure to implement KYC checks was made especially absurd by the extent to which they had complied with STIR/SHAKEN. Their failure was bound to be identified in this instance. Their compliance with STIR/SHAKEN would have made it easier to trace the calls back to them and then to demonstrate they had not checked if anyone had the right to use the phone number presented to recipients. But notice how the FCC is only proposing a USD2mn fine for a telco that undermined the sole reason for implementing STIR/SHAKEN, which was supposed to guarantee that American recipients of phone calls can always trust the CLI shown to them. What is the point of the US telecoms industry spending half a billion dollars on implementing STIR/SHAKEN to restore trust nationwide if a telco can decide to render it pointless at the cost of just two million dollars? The US authorities have repeatedly shown themselves incapable of collecting fines from small scammer telcos who simply claim to be unable to pay, then disappear. The people who run these telcos then set up a new corporate entity to exploit the same weaknesses in fraud prevention as before.
Per data published by TransNexus, a STIR/SHAKEN Certification Authority, fewer than 30 percent of the calls received by Americans have an A-grade STIR/SHAKEN signature attached. But that is still a lot of calls each day. I find it improbable that in the nearly three years since STIR/SHAKEN became mandatory, only one of the 7,000 US entities listed in the US Robocall Mitigation Database has been found to have inadequate KYC controls. The political nature of this particular case shows that the FCC is inconsistent with enforcing its own rules. When a scammer impersonates the President of the USA then a fine gets issued. But per their own report to Congress, the FCC only proposed fines for scam call violations on four occasions between the beginning of 2022 and the end of 2023. One of those also related to a political disinformation campaign which tried to use robocalls to suppress voter turnout.
STIR/SHAKEN does not stop fraud. The only way to stop fraud involves enforcing laws and putting fraudsters in prison so they cannot continue to cheat others. In the meantime, far too little attention has been paid to implementing and mandating the KYC controls that would inhibit fraudsters from gaining such easy access to systems that automatically generate calls. STIR/SHAKEN has proven to be a massive distraction from the process improvements that would have done so much more to protect ordinary Americans from liars. Instead of changing direction and specifying tough mandatory KYC obligations for all US telcos, the FCC continues to hide behind the smokescreen of technology because they cannot admit to having previously set the wrong priorities.



