Moment of Truth for US Anti-Spoofing Strategy

Insiders tell me that the US telecoms industry has collectively spent half a billion dollars on implementing STIR/SHAKEN, the twin anti-spoofing protocols that allow a digital signature to be appended to a voice call so the terminating network can confirm the CLI is consistent with the call’s real origin. After several delays, STIR/SHAKEN finally became mandatory for the IP networks of all larger US telcos on June 30, though most did not wait for the eve of the deadline before they implemented the technology. Advocates have repeatedly touted STIR/SHAKEN as the solution to the plague of illegal robocalls that harass US phone users, only to later tone down their promises after the technology was bought and sold. It is not hard to find advocates for a new technology when its market grows from zero to half a billion dollars within a few years because of regulatory demands. Within the telecoms industry you can find endless chatter about why STIR/SHAKEN is such a good approach, so long as you are not expecting anyone to provide a cost-benefit analysis. But now there will be nowhere left to hide: either the number of US robocalls will fall or it will not. None of the measures have shown any fall in the number of robocalls yet.

You can see the shift in the argument in the press release issued by the Federal Communications Commission (FCC), the US regulator, to herald the June 30 deadline.

FCC Acting Chairwoman Jessica Rosenworcel today announced that the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors…

“At last, STIR/SHAKEN standards are a widely used reality in American phone networks,” said Rosenworcel. “While there is no silver bullet in the endless fight against scammers, STIR/SHAKEN will turbo-charge many of the tools we use in our fight against robocalls: from consumer apps and network-level blocking, to enforcement investigations and shutting down the gateways used by international robocall campaigns. This is a good day for American consumers who – like all of us – are sick and tired of illegal spoofed robocalls.”

Note how half a billion dollars has been spent on a technology which is now only positioned as an enabler for other solutions, and not the ‘silver bullet’ that you might expect when committing so much money to a consumer protection initiative. It is too soon to jump to conclusions, but one repeated failing of the telecoms sector has been the tendency to equate being expensive with being successful. Obviously vendors are glad to generate revenues from costly projects, but too often the people who buy their technology are also lauded as making the right decisions, just because people in positions in power do not want to admit large amounts of money were wasted on technologies that delivered mediocre results compared to the promises that were made. So whilst it is still possible that STIR/SHAKEN will deliver a measurable reduction in the number of robocalls received by US consumers, I am loathe to allow much time to pass before we examine the results. The FCC is working with the vendors behind STIR/SHAKEN to aggressively lobby for its adoption in other countries. That means it would be foolish to simply ignore the impact that STIR/SHAKEN has had on the US market whilst continuing to believing in promises made by its backers. If the impact of STIR/SHAKEN has been negligible so far, then when will it be non-negligible? The answer to that question should be considered alongside the cost of adopting the technology as part of any rational analysis on how to protect customers. It is not enough to rely on promises about the benefits of technology when we are in a position to identify a deviation between those promises and what has been accomplished in reality.

The shift in focus towards ‘turbo-charging’ other tools was predictable, as the US strategy has increasingly emphasized cheaper ways of tackling illegal robocalls. In June the FCC announced that they would give corporate entities a streamlined process to report suspected robocall and spoofing violations. This comes approximately a year after the first appointment of an official ‘traceback consortium’ that has sole responsibility for tracing the origin of illegal calls. The annual appointment is meant to be a competitive process, with the result that the incumbent USTelecom group is being challenged by ZipDX to be the monopoly provider of traceback services during the year ahead. The FCC also issued its second annual report on robocall blocking tools at the end of June, with Rosenworcel hailing the “increasing availability of robocall blocking tools for consumers” although there were plenty of tools listed in the previous report, and the second report showed neither a significant increase in the availability of blocking apps nor reason to believe their use has significantly altered the number of robocalls that consumers still receive. On the contrary, the report showed that the number of consumer complaints about robocalls has risen in 2021 relative to 2020.

The most interesting aspect of this poorly-named report on blocking tools is that the FCC is also obliged to use this same report to communicate progress with the implementation of STIR/SHAKEN, but they choose to hide that part at the back. This year’s report managed to say absolutely nothing about whether the noted increase in the numbers of telcos using STIR/SHAKEN could be correlated to a reduction of either the number of robocalls or spoofed calls that were connected to customers. The conclusion of the second annual report was so anodyne that it could have been copied word-for-word from the first annual report, begging a question about when the FCC expects to be able to shift from saying that more bad calls were blocked to saying fewer bad calls were received by consumers.

Experience has trained consumers to not answer unidentified calls because they are often spam or fraud, so legitimate callers are suffering. The Commission has devoted significant resources to fighting illegal and unwanted robocalls and the industry has made tremendous strides in providing tools for consumers to block unwanted and illegal calls. This Second Call Blocking Report summarizes information from voice service providers and third-party analytics companies and concludes that they offer improved call blocking services to their customers through updated analyses of potentially illegal calls and more blocking tools. More illegal and unwanted calls are blocked by voice service providers at the network level and with opt-in and opt-out tools offered to customers. The Commission recognizes that despite these advances, more work needs to be done and remains committed to working with the industry and other government agencies to eliminate unwanted and illegal robocalls.

Last week I promised that Commsrisk would devote more coverage to hard data as opposed to subjective opinion. The reported ‘success’ of STIR/SHAKEN has been uniformly subjective so far. There has been a sharp contrast between the enthusiasm with which some parties previously cited frighteningly large measures of the number of robocalls suffered by US consumers and their lack of interest in data following the adoption of technology that was supposed to reduce the total. One problem with relying on data is that it necessarily involves looking to the past. Salesmen and politicians often spin stores about changing circumstances in order to focus attention on their forecasts about the future, and not the extent to which their past predictions proved reliable. Commsrisk has been at its best when highlighting the deviation between the claims made at one point in time and what the data subsequently showed to be true. This will keep happening because it is natural for salesmen to overpromise, and because politicians are all ultimately salesmen too. A good risk manager should take this into account when gauging whether money is being spent on the most effective risk mitigation possible, or whether the telecoms industry is heading for a future where billions of dollars will be collectively spent on adding signatures to voice calls without anyone being able to show any demonstrable benefit to ordinary consumers.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.