More Fun and Craziness from the Second Phase of the US Consultation on Making Foreigners Do STIR/SHAKEN

Those of us who live outside of the USA find aspects of Federal Communications Commission (FCC) consultations to be confusing, such as their having two phases: the comment phase, which is for comments, and the reply comment phase, which is for comments that may also be replies but do not have to be. Reply-comments often say similar things to comment-comments, except the people submitting the reply-comments have a later deadline, allowing them to respond to what was said by people who complied with the comment-comments deadline. As a foreigner, I will not even venture a theory as to why the FCC splits consultations into phases; presumably some lawyer can spend half the day providing an explanation if you pay them $1,000 per hour. But you do not care about that; you just want to know what people said during the second phase of the FCC consultation on a proposal to force international carriers to contractually impose STIR/SHAKEN anti-spoofing technology on every other network they deal with.

And yes, I know lawyers would observe this consultation is not just about STIR/SHAKEN but also addresses other anti-robocall rules that might be imposed on gateway providers, but you would not have read this far unless you already had some idea what this consultation is about, and most of you want to know whether your telco will be compelled by some lawyerly FCC shenanigans to spend a lot of money on technology to validate calls. You may not like the idea of being listed in the FCC’s Robocall Mitigation Database (RMD) but that is cheap so nobody will put up strenuous resistance to proposals relating to the RMD. So here is your reliable and short summary of all the reply-comment responses to the FCC consultation about imposing anti-robocall rules on international carriers, neatly broken into six categories depending on who supplied the comments.

US politicians and political advocacy groups: hammer foreigners for the sake of Americans

US businesses with no overseas interests: politely hammer foreigners for the sake of Americans

US businesses with overseas interests: cooperate with foreigners instead of hammering them

Foreigners: hammering us will not work anyway

STIR/SHAKEN vendors and people with no technical expertise: STIR/SHAKEN is vital

Other people with some technical expertise: STIR/SHAKEN is not that vital

You may want to stop reading now, because the rest of this article discusses all twelve reply-comment submissions in more or less detail. You can just stop, go away, and do something more useful instead, because the US is making such a mess of imposing STIR/SHAKEN on the rest of the world that there is a good chance you will not live long enough to ever need to worry about it. On the other hand, you probably will need to be listed in the US Robocall Mitigation Database, which has emerged as a sensible way for everyone to show they are willing to reduce robocalls without pouring even more money into STIR/SHAKEN. So if you crave the entertainment of watching the slow unfolding of STIR/SHAKEN as the worst debacle in the history of global telecoms consumer protection, and if you are secure in your sanity, or if you have already lost your mind, then you may want to keep reading. I promise this article shares no new ideas that are also good ideas, but that is not my fault. I am merely the messenger, and can only be blamed if I introduce inaccuracies when summarizing the bad ideas of others. However, any inaccuracies I introduce can also be blamed on the way so many respondents chose to be artful when addressing (or ignoring) the drawbacks to their preferred remedies to nuisance robocalls that originate outside of the USA.

If you have already read my review of the comments submitted during the comment-comments phase of this consultation then you will be familiar with the name of ZipDX, a peculiar business that wants to be in charge of demanding traceback information on behalf of the USA. ZipDX feel so strongly about the ‘sanctity’ of US networks that they repeatedly rubbished the comment-comments submitted by international carrier BICS, without even waiting for the reply-comments phase to do it. ZipDX used the reply-comments phase to submit a second lengthy sermon on how to protect US networks which began with a spectacularly unhelpful choice of words.

Our approach is to keep things as simple as possible. Briefly our proposal… Leverages the huge investment in STIR/SHAKEN already made by industry and regulators…

What are they saying about a HUGE investment? The people who sell STIR/SHAKEN never seem to use that word when asked how much it costs. They are right not to, because all the guff surrounding this consultation cannot change one simple fact: the chances of STIR/SHAKEN being successfully adopted outside of the USA depends far more on whether it is cost-effective than the words in the rules written by FCC lawyers.

ZipDX then proposed a new plan that would apply different rules to telcos that only handle conversational two-way traffic compared to telcos that also handle the non-conversational traffic that occurs when a machine plays a recording. Enhanced anti-robocall obligations would only apply to those businesses that admit to carrying non-conversational traffic. How this might work in practice is beyond my intelligence. Whilst ZipDX are undoubtedly correct to observe that non-conversational calls will be shorter than conversational calls on average, there is no effective way to apply such a rule to specific calls, meaning all telcos need to protect against all abuses or else bad actors will simply move their traffic to the telcos with least controls whilst hiding bad traffic amongst good traffic. A two-tier approach could potentially grind out the very worst and the very smallest of the bad actors in the telecoms ecosystem, but only in a way which sees their illegal profits migrate to bigger telcos that are just as cynical whilst being more effective at exploiting gray areas. Furthermore, criminals change their methods whenever automated systems successfully detect their activities. So if systems are designed to apply a crude maxim that illegal calls are typically short, one of the easiest workarounds will be to simply make them longer.

ZipDX’s submission made much of the observation that illegal robocallers are liars but the pattern of the traffic they send does not lie because it is so predictable. It literally does not seem to occur to them that criminals also know how to lie by changing patterns of traffic too. Controls focused on high volumes of traffic that follow a narrowly-defined set of parameters will make the lives of criminals slightly harder, but they will soon adapt because their business model is to make money from crime. Complicating the profile of their traffic is far easier than giving up a life of crime and devoting themselves to honest toil instead. This weak proposal likely means ZipDX realized they made enemies through their original comment-comments submission, so are now trying to appear more reasonable and considered. Whilst their new proposal will meet less resistance, it would also fail in practice, as must be appreciated by fraud experts who have monitored how criminals have previously changed the profile of international voice traffic to avoid detection.

To be fair to ZipDX, their submission was far more intelligent than the stupidest response to this consultation. The least reasoned response was a bipartisan submission from all 51 State Attorneys General, which is quite an accomplishment when you consider the USA has only 50 states in total (the odd one out is the District of Columbia, which has an Attorney General but which is not a state). This very long list of lawyers with political ambitions all agreed that “universal implementation of STIR/SHAKEN by all voice providers in the call path is an important step that will provide increased protection for consumers against illegal spoofing”. In other words, 51 people elected by American voters agreed that foreigners should pay for stuff designed to make American voters happy.

The goal of the 51 Attorneys General might seem more plausible if there were not so many calls that originate and terminate in the USA which are still not verified using STIR/SHAKEN; only around a quarter of US calls have a STIR/SHAKEN signature. But the other problem with this aspiration is that it is a total fantasy. I doubt any of us will witness a day when Karl Racine, Attorney General of the District of Columbia (population: 690,000) is able to dictate terms to Xi Jinping, President of the People’s Republic of China (population: 1,411,779,000), no matter how many other Attorneys General stand with Racine. The biggest telcos in the world are Chinese, and they are being systematically driven from the USA because they are under the influence of people like Xi Jinping, General Secretary of the Chinese Communist Party. And if these lawyers did not mean for their audience to expect universal implementation of STIR/SHAKEN by all voice providers in the call path then they must be pretty lousy lawyers to have failed to have appreciated the full implication of these words when discussing international calls.

USTelecom, the organization which has been awarded the traceback work that ZipDX would like to do, reiterated the message of their previous submission by placing more emphasis on developing the RMD, whilst playing down the benefits that would accrue from imposing “the substantial costs” of STIR/SHAKEN on gateway providers. Their well-reasoned advice can be summarized as continuing down the path already outlined by the FCC but with less emphasis on STIR/SHAKEN.

YouMail, which sells analytics, recommends the focus for robocall prevention should be on using analytics to block robocalls, and that this will not happen unless the telcos who use analytics to block robocalls are given cast-iron guarantees that they will never be punished for blocking robocalls, even when they should not be blocking robocalls because the calls they are blocking are not actually robocalls. YouMail also make a reasonable point that governments cannot prescribe how analytics should work. However, this only raises further questions about the purpose of any rule that requires all telcos to use analytics if the regulators enforcing this rule cannot tell the difference between analytics that work and analytics that do not work.

TransNexus, which sells STIR/SHAKEN technology, wrote a short but agitated reply-comment about the need to make everyone buy STIR/SHAKEN, or whichever additional non-HUGE investment has just been added to the latest version of the STIR/SHAKEN protocols, which are just three years behind schedule. These people represent an industry faction that are such poor communicators that they thought it funny to make an irrelevant reference to 007 James Bond but are unable to educate most telcos about whether they need STIR, SHAKEN, or both.

TransNexus separately wrote a summary of the ‘recurring themes’ from other responses that claimed one of those themes was that “providers should do both robocall mitigation and SHAKEN”. They wrote this even though plenty of submissions expressed reservations about using SHAKEN and some others barely mentioned the technology. This bald faced lie about the popularity of STIR/SHAKEN amongst the reply-comments was especially peculiar given that a quarter of TransNexus’ reply-comment was devoted to criticizing Comcast’s comment-comment for not understanding the relationship between STIR and SHAKEN.

The GSMA, which sells conferences in non-pandemic years and would now like to sell more non-conference stuff, wrote a very short reply-comment which should have been a comment-comment because they were not actually replying to anything. This said the GSMA has new, but exceptionally vague stuff that will help with reducing robocalls. This new exceptionally vague stuff is offered instead of some older exceptionally vague stuff that the GSMA previously touted. The new stuff may be an improvement because it is new, or perhaps because the old stuff has been abandoned; they were also vague on this point.

The GSMA also astutely observed that one serious problem with the USA passing laws that set obligations for telcos in other countries is that those telcos may be in countries which have already passed laws that conflict with the new US laws. They finished their reply-comment by suggesting the FCC should meet with the GSMA so they can explain how much of the global industry is already using the GSMA’s exceptionally vague stuff, though they did not provide any specific examples of telcos that use it. I fear the FCC may not pay any serious attention to the GSMA’s proposal given that some other industry associations and big telcos said robocall problems would be solved by some new and vague technologies called STIR/SHAKEN, only to later be told that this technology can only succeed if the FCC finds a way to force every telco in every country to buy it. This is a major obstacle because the FCC does not have the power to effectively impose US law on every country, no matter how much they would like to, just as the GSMA observed.

The Enterprise Communications Advocacy Coalition, a mysterious organization that must be lobbying on behalf of somebody but fails to say who, and which cannot be very influential because they only spent USD29,000 on lobbying politicians last year, began their utterly terrible reply-comment with the following words:

It is a truth universally acknowledged that an immense share of the illegal calls that consumers do not want to receive originate outside of the United States.

This is just a roundabout way of saying they have no data on how many illegal calls originate outside of the USA but other people say foreigners are to blame so it must be true. However, opening with a statement about the horribleness of foreigners was just a ruse. The rest of their submission concerned all the things the FCC must definitely not do because of the risk the FCC will otherwise obstruct decent honest hard-working American businesses from doing things that sound remarkably like spamming millions of decent honest hard-working Americans.

The NCTA, the absurdly confusing acronym of the Internet & Television Association, wrote a very short reply-comment that said how much they agreed with the sensible comment-comments of USTelecom, T-Mobile and Comcast. Their submission was so agreeable and quoted the comment-comments of other respondents at such length that you have to wonder why they bothered replying at all.

The Voice on the Net Coalition, which represents a lot of big internet firms that also belong to every other coalition that already submitted a comment-comment to the consultation, submitted a reply-comment that agreed with the comment-comments submitted by those other coalitions. This only leads to two questions: why do big businesses pay multiple small lobbyists to all lobby for the same outcome, and does this strategy actually work in practice? I would have thought one really big coalition would be more persuasive than several smaller overlapping coalitions.

An unnecessarily long joint submission by two lawyers working for the Electronic Privacy Information Center and the National Consumer Law Center reminded me of all the reasons I fume about lawyers. Their submission made numerous references to US consumer law and statistics about abuses suffered by US residents but seemingly forgot they were responding to a consultation that also concerns people and businesses based outside of the USA. These two bodies are particularly concerned with human rights and protecting low-income Americans, but nothing in their tedious submission dealt with the costs of complying with US obligations, which would be high relative to the revenues of many telcos in low-income countries, and hence would ultimately become a burden for phone users in other countries. Nor did they consider the risk that overblocking would disproportionately affect calls made from abroad to first and second-generation immigrants living in the USA, a group that is overrepresented amongst low-earners. 20 pages were devoted to harping on about being tough on scam calls although STIR/SHAKEN was only mentioned twice, evidently because the authors lack the expertise to form an opinion on its use, even though this technology is central to the FCC’s proposals. The best advice for the FCC is that if they really want to protect human rights and defend the interest of low-income Americans they should ignore this submission and seek advice from people who care about these matters whilst also having some understanding of the world outside of the USA.

Verizon was generally in favor of imposing tough obligations and working with international partners, but were often scathing about the use of STIR/SHAKEN, warning it would be “burdensome” for gateway providers although for some it “would have no utility at all”. They referred to expenditure on STIR/SHAKEN costing “tens of millions of dollars” and questioned if “millions of dollars in payments to vendors” of STIR/SHAKEN would yield any benefit to consumers. A section of their response had the heading:

The Purported Benefits of Requiring Intermediate Providers to “Authenticate” Calls with STIR/SHAKEN Are Illusory and Can Be Better Achieved With Other Tools

This section went on to argue that C-grade attestation of many voice calls, the likeliest outcome if gateway providers were all forced to adopt STIR/SHAKEN, may actually downgrade the performance of some analytics engines. They also argued the rollout of STIR/SHAKEN to gateway providers would not help the traceback work done to identify the origin of calls, and would divert resources from more productive initiatives. Reading Verizon’s damning comments after reading TransNexus’ misleading summary of their comments made me question how much some US vendors of STIR/SHAKEN are prepared to distort the truth in order to promote sales of this technology.

Verizon also picked a fight with T-Mobile. In doing so, it was clear which of these telcos is 43.2% owned by Deutsche Telekom, and hence represents the interests of some powerful foreigners who chose not to respond directly to this consultation.

…the worst possible outcome for U.S. consumers would be T-Mobile’s proposal to mandate STIR/SHAKEN for “gateway” providers but to do nothing to require them – or any other intermediate service providers in the call path – to take any action to disrupt the chain of illegal robocalls destined for customers. Such a policy would create substantial burdens for those T-Mobile competitors that have substantial intermediate service provider operations without doing anything to stop the flood of illegal robocalls that reach U.S. consumers.

iBasis was the only international carrier to submit both a comment-comment and a reply-comment to this consultation, despite the focus of this consultation being the imposition of new rules on international carriers. They were also unique in pointing out a blindingly obvious but deeply inconvenient fact.

To date, only the U.S. and Canada are implementing STIR/SHAKEN. Thus, gateway providers are unlikely to receive STIR/SHAKEN compliant authentications.

iBasis were generally on the side of watering down FCC obligations, but were uniformly polite about all the FCC’s proposals. They highlighted AB Handshake as an alternative to STIR/SHAKEN which would allow US telcos to directly verify the origin of calls with the telcos that originated them, and hence not require the adoption of any new technology by intermediary carriers. However, I doubt this argument will be persuasive because Xi Jinping is both a communist and the President of China, a country with some really big telcos. The FCC’s opening gambit is to concentrate on bullying those foreign telcos that can most easily be bullied, such as iBasis, and to leave the bullying of other foreign telcos until later. Even with the support of 51 State Attorneys General, the FCC will not rush to impose any authentication technologies on difficult telcos like China Mobile (number of subscribers: 942mn). iBasis were also keen to exempt telcos who only carry conversational traffic from the most stringent anti-robocall rules, and they presented a similar argument to that given by ZipDX. However, this is an unrealistic attempt to reduce the regulatory burden that will fail for reasons that have already been discussed above.

The next move from the FCC will be so fascinating that I almost pity them. Any decision they make is bound to upset some parts of the telecoms industry, and may also upset other people too. If the FCC follows a realistic approach of the type advocated by USTelecom then they risk criticism from bellyaching politicians and consumer advocacy groups. If they stop pushing STIR/SHAKEN then they will anger the businesses that spent so much on developing the technology in the hope that it really would become universal. If the FCC imposes a long list of varied requirements then they risk delivering the suboptimal results that Verizon warns them about. My best guess is that this mess is so bad that the FCC will pursue the one option that satisfies nobody but keeps all other options alive: they will stall for more time. If they can delay, they buy the time that bodies like the GSMA would need to organically generate international support for solutions to problems that dominate the US regulatory agenda but which cannot be solved by the USA and Canada without the support of many other countries.

My prediction is that the FCC will choose to delay progress by stating they will withdraw the current proposals in order to rewrite them, and then will take their time over the drafting process. During this time, they will hope that events outside of their control will result in greater consensus during the next consultation. But what do I know? I am just a foreigner, and the FCC approach towards regulating the rest of the world without talking to the rest of the world is difficult for me to understand.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.

Related Articles

Get Our Weekly Newsletter by Email