Latest

Not a Silver Bullet? How STIR/SHAKEN Is Sold to International Markets

By Eric Priezkalns 28 Sep 2022

There is a recurring pattern to the way STIR/SHAKEN, a series of protocols for technology and governance intended to prevent the spoofing of CLIs, is being sold by some US business to regulators in other countries. To put it crudely, the pattern is: massive exaggeration of the efficacy of STIR/SHAKEN, up to the point when a country becomes committed to adopting STIR/SHAKEN and cannot reverse course, followed by an equally exaggerated insistence that STIR/SHAKEN is but one small component of a multi-pronged strategy for dealing with nuisance calls. This is disingenuous because even if STIR/SHAKEN is only one component, it will always be the most expensive component by far. That is why vendors of STIR/SHAKEN are spending money on lobbying regulators whilst nobody is lobbying for the cheapest methods to reduce nuisance calls.

This imbalance in lobbying is not going to encourage economically rational decisions about how to reduce the number of spam and fraudulent calls that subscribers receive. If you know that many methods will be needed, it would be sensible to focus on implementing the cheaper methods first, so you can measure the improvement they deliver, then recalculate if the remaining benefits would still merit the much larger investment required for STIR/SHAKEN. However, nobody will make much money from do not originate (DNO) lists or the automated blocking of inbound international calls that present a domestic CLI. That is why regulators are being pressured to commit to STIR/SHAKEN without first waiting to see how much benefit is delivered by cheaper techniques. Regulators, despite employing many economists, are not economically rational. They are a specialized branch of government and their motives are ultimately political. That is why they can be pressured into making wasteful decisions, partly justified by a loss of patience with telcos who allowed consumers to come to harm by refusing to voluntarily take protective action sooner.

When tackling the problems caused by lobbying it is vital to emphasize the cardinal issue: lies work because they are quick and simple. The truth is typically more complicated and can often be inconvenient, so it takes more effort to persuade people to pay attention to the truth. I have spent many years trying to present complicated issues in simple language so individuals can concentrate their attention where it is most needed. They say that practice makes perfect but some skills are never perfected, and nobody will ever be such an effective communicator that they will condense genuinely complicated topics so that even the laziest member of the audience will grasp the meaning of what was said. The philosopher Bertrand Russell enthusiastically sought to relate sophisticated ideas to popular audiences by appearing on television and writing for women’s magazines but he alluded to the ultimate communication challenge when be observed during A History of Western Philosophy that:

A stupid man’s report of what a clever man says can never be accurate, because he unconsciously translates what he hears into something he can understand.

I have recently taken to skewering the phrase “no silver bullet” at every opportunity because it is the quickest way to force people to examine flawed assumptions that underpin arguments for the use of STIR/SHAKEN. The phrase is an Americanism where the reader is supposed to understand that a silver bullet represents the concept of an immediately effective or magical solution to an especially difficult or intractable problem. As a consequence, the phrase is usually used negatively to indicate these solutions cannot be found in real life. The phrase has an outsized influence on US technologists because of a paper by Fred Brooks, a well-known American writer and software engineer. In “No Silver Bullet: Essence and Accidents of Software Engineering”, Brooks convincingly argued that software would not improve at the same rate as hardware because software engineers that initially obtain rapid gains from fixing ‘accidental’ complexity in their work would then have to work much harder to address the ‘essential’ complexity inherent to whichever problems their software needed to solve. It is easy to see why predominantly American engineers concerned with adapting IP networks to authenticate voice calls would be keen to emphasize that the STIR/SHAKEN protocols they developed are not a silver bullet. But disagreeing with the use of this phrase does not mean that I believe there are silver bullets. Highlighting the overuse of this phrase by proponents of STIR/SHAKEN is meant to give an impartial audience the room to ask themselves a series of other questions that have not been properly addressed, partly because nobody allows time to address them. Those questions are:

  • There are no silver bullets, but why are we talking about this bullet?

  • There are no silver bullets, but have we considered all the bullets that might be available?

  • There are no silver bullets, but are all bullets equally good or bad at hitting the target?

  • There are no silver bullets, but how might we rank bullets so we choose the best ones?

  • There are no silver bullets, but should we fire many low-grade bullets or fewer high-grade bullets?

  • There are no silver bullets, but if we need a combination of bullets then which combination is optimal?

  • There are no silver bullets, but if we need a combination should we fire them all at once, or should there be a sequence?

The defense of STIR/SHAKEN implied by insisting it is not a silver bullet should not be used to close down criticism of STIR/SHAKEN, but to open the door on a series of questions as to why so many people treat the merits of STIR/SHAKEN as conclusively proven. Just because the US government made a decision based on some advice it received does not mean all others should simply copy that decision. The US government adopts bad policies from time to time, or other countries might as well not bother with democracy and should just pick rulers on condition that they mimic US policy as far as possible. When the US adopts a policy for how to deal with an international problem, it is appropriate for other nations to question if it really is the right solution.

Perhaps the worst problem with the phrase ‘there are no silver bullets’ is that it gives the impression you can decide to use STIR/SHAKEN and then must accept the consequent results were optimal, without any critique whether the surrounding strategy was conducive to getting the maximum return from STIR/SHAKEN. France passed a law that said all calls need to be authenticated by the middle of next year, which has prompted French telcos to adopt STIR/SHAKEN to satisfy the law. Nobody seems to be in a position to explain why they think a law that applies to all calls could be satisfied by plans to implement a technology that will only be applied to calls transmitted on IP networks from end to end. Meanwhile, the neighboring Germans have a completely different rule which will come into effect before the end of this year. German telcos will be required to strip the CLI from any inbound international non-roaming calls that would otherwise present a German A-number. A parallel initiative has Deutsche Telekom experimenting with A1 Telekom Austria on the use of a new out of band mechanism for validating the origin of international calls. Neither the French nor German methods can be said to be silver bullets, but one has adopted a strategy built around STIR/SHAKEN, whilst the other has not, and it is valid to keep an open mind about which will prove more effective.

I should be careful not to tar all advocates of STIR/SHAKEN with the same brush. Jim McEachern of the Alliance for Telecommunications Industry Solutions (ATIS) has played a leading role in the development of SHAKEN, and we were both guests of Pierce Gorman of Numeracle for the third in the ‘Global Call Authentication Domination’ series of podcasts. There will be a link to listen to the show below, and I do encourage you to listen, not least because Jim is unusually careful and consistent with his choice of words. I credit Jim with having a clear vision for how he would like to see STIR/SHAKEN used to tackle spam and fraudulent calls. Jim is a reliable interlocutor who consistently seeks to avoid exaggeration whilst placing STIR/SHAKEN within a wider context of how he believes this tool should be used in practice. He has also consistently used the ‘no silver bullet’ phrase for many years, so my critique of that phrase might feel like an attack upon him. That is not the case, and I am sure Jim appreciates that the clear vision of a single person may be lost within the muddled policies that groups of people tend to deliver in practice. Jim is far from alone in defending STIR/SHAKEN using the ‘no silver bullets’ phrase, and some others are using it to excuse failure after they have previously over-promised what STIR/SHAKEN would accomplish.

Before you listen to the show, I want to draw attention to the careful way that Jim speaks during the show with the much less careful way STIR/SHAKEN is being sold by others. An unlikely coincidence means I received a message that illustrates the gulf shortly after completing the live show with Jim and Pierce. Walking through that message will serve a useful counterpoint, illustrating how salesmen and lobbyists may take the work of engineers and then make claims about their work that the engineers would not endorse. The following unsolicited message has been repeated in full, save for redacting the name and email address of the person who sent it. The message comes from a public relations business hired by Neustar, an American firm that has been aggressively selling STIR/SHAKEN worldwide. Neustar is also the employer of Jon Peterson, who is credited with being the leading architect of STIR. Though I was not expecting this message, and have had few dealings with Neustar in recent years, their PR firm must have identified Commsrisk as an opportunity to influence the market, not least because they jumped to conclusions based on my participation in activities like the Numeracle podcast instead of closely reading my many criticisms of how STIR/SHAKEN is being used and sold. I will interject throughout to elucidate how simple and attractive messages can be deeply misleading.

From: XXXX XXXXXX
Subject: EDITORIAL: As More Countries Consider International Authentication Standards, What Can Regulators Learn From STIR/SHAKEN?

Well, they might learn that it is expensive, that it has delivered poor results so far, that there are alternatives, and that even if you implement STIR/SHAKEN you then need to do hundreds of other things to get any value from it. But that is not the kind of learning being offered here.

Hi Eric, I wanted to share the below perspective with you from Neustar. Think it would be a good fit for your readership?

Best,
XXXX

The answer is: no, this would be a terrible fit for Commsrisk, unless I slice into this message in the way I am now doing. There are literally dozens of outlets that will gladly and uncritically repeat corporate propaganda because that is how they fill column inches and sustain their business models. You read Commsrisk, and I created Commsrisk, so we can have something different.

STIR/SHAKEN has gone international…

No, it has not. They still have not even worked out how to apply it to calls that pass between the USA and Canada, despite both of those countries now being many years behind schedule. The regulators in both of those countries originally set deadlines for implementing STIR/SHAKEN which would mean we should all have several years of data to evaluate the impact of STIR/SHAKEN by now. We do not have that data because only a minority of voice calls in either the USA or Canada are being signed per the STIR/SHAKEN protocols. None of those signatures can be used to verify calls that pass between the countries.

…with Canada adopting the standard to streamline authentication of international calls…

No, they have not. Years ago the Canadian regulator announced STIR/SHAKEN would be applied to calls that both originate and terminate within Canada. They have made hardly any progress with accomplishing that goal, and have made absolutely no progress with the so-called authentication of inbound international calls.

But why is the emphasis in this message on Canada? It is not because of some clever point about STIR/SHAKEN gaining international popularity, because the Canadians have been committed to implementing STIR/SHAKEN for the same length of time as the Americans. It is because Neustar landed a big STIR/SHAKEN contract in Canada, so they want to emphasize how much they know about Canada even though the US is a much bigger STIR/SHAKEN market and despite Neustar being a US-headquartered business.

…as part of a larger effort to protect consumers from robocalls, call spoofing and fraud.

There is a larger effort, but STIR/SHAKEN is the most expensive part of the effort by far. If we were measuring effort in dollars than most of the effort goes into STIR/SHAKEN and hardly any effort goes into anything else.

This makes perfect sense given that robocalls are an international problem.

What makes perfect sense? Everything so far is either intentionally misleading or else has nothing to do with finding an international solution. That two countries which sit next to each other both have incomplete domestic solutions does not mean they both learned how to implement a successful international solution. As pointed out previously on Commsrisk, there have been times when Canadian telcos have been frustrated because of the imposition of inappropriate decisions made in the USA. STIR/SHAKEN is being presented as an international solution although there has been negligible input from outside North America, and there are even telcos in Canada whose needs were not properly understood by people making important decisions about how STIR/SHAKEN should be implemented in practice.

But as other nations consider whether STIR and/or SHAKEN are viable call authentication processes for them…

That is an interesting way of putting it. What he means is that other nations have spent years not buying the thing that Neustar has been trying to convince them to buy. When you read through the claims made by companies like Neustar in the past you can only conclude they expected STIR/SHAKEN to have delivered far more substantial results in the USA and Canada by now. They then intended to use those results as a springboard for sales to other countries. What has really happened is that the sales prospects for STIR/SHAKEN have declined due to both delays and poor initial results in North America. So what they call ‘consideration’ should really be termed a growing skepticism about STIR/SHAKEN outside of North America.

…the U.S. and Canada provide a convenient example of what needs to be considered…

That is true, if the point of the lesson is to learn from the mistakes that have been made.

…when implementing call authentication standards, technology and…

And when failing to deliver a reduction in nuisance robocalls?

…interoperability between countries.

That was the bit that made me really angry. I defy any of the advocates of STIR/SHAKEN to justify the claim that the USA and Canada is in a position to teach other countries about making this technology interoperable, unless the goal of the lesson is to show how easy it is to over-promise and under-deliver.

Other parts of this sales spiel could be dismissed as common-or-garden hyperbole, but the insinuation that Neustar knows how to deliver interoperability is a lie. Making one or two demonstration calls is not the same as demonstrating the know-how needed to make STIR/SHAKEN interoperable across borders, any more than writing a standard shows you have the know-how to implement what is described in the standard. Many a plan that looks good on paper has proven unworkable in real life. If the knowledge written into a standard was all the knowledge required to make something work in practice then STIR/SHAKEN would not be years behind schedule and the FCC would not currently be engaged in its seventh round of proposing new rules for tackling robocalls.

I know there are some readers who respectfully disagree with my criticisms of STIR/SHAKEN and are more optimistic about the prospects for international adoption. But when we indulge respectful disagreement, which of you are reining in misinformation like this pretense that Neustar knows how to deliver international interoperability? Will you say their claim is true because a standard has been written, or admit it is false because having a standard is not the same as following it in practice?

Anthony Cresti of Neustar, a TransUnion company, is an industry leader in caller identification solutions,

Whilst Anthony Cresti may have some technological know-how, his current job is marketing. That much is made perfectly clear in his public profile:

…driving growth strategy and international business development for the Global Numbering Intelligence and Caller Identity portfolios

On the topic of marketing, I have a grudge against Neustar, and it stems from the ways big businesses like theirs exploit people like me for marketing purposes. We are all adults and we all work in business; you know that some of the content found on Commsrisk exists because companies are trying to sell something. There are good ways and bad ways to sell things. The good way involves keeping promises. The bad way involves screwing people when you see no immediate gain in keeping a promise. Jon Peterson has already received a mention in this article, and if maybe Jon Peterson was offered for an interview, then that would be interesting because he is a capable technologist who deserves to be questioned in order to improve decisions he may make in future and the influence he exercises. Also, he owes me the opportunity to grill him, just like Neustar owes me.

In 2019, when STIR/SHAKEN was still in its infancy in Canada, I invited Neustar to speak at a conference about the obstacles to success. They accepted my invitation to RAG Toronto, a conference that my nonprofit, the Risk & Assurance Group (RAG), organized in cooperation with Canadian operator TELUS. All the big Canadian telcos were represented, as were many telcos from other countries. It takes a lot of effort to pull these conferences together, and unlike Neustar, I do not do it for the money. I even waived the usual sponsorship fees for Neustar because the topic was important, and because they promised that Jon Peterson was going to speak. But he did not come. And nor did anyone else from Neustar. They could not be bothered because they had already sold STIR/SHAKEN to the Canadian regulator, so felt no need to ingratiate themselves further.

…a co-author of the STIR standards and a key contributor to the SHAKEN framework.

He does marketing. His profile says he is responsible for growing revenues. They send salesmen to do sales because their best technologists are too busy trying to fix the flaws with the technology they already sold.

He’d be able to offer your international audience some of the best practices…

No, he will not. Because it is not best practice to commit to spending an eye-watering amount of money on something that is many years behind schedule and which has failed to deliver any benefits so far. And if he cared about international audiences then he could have made the journey from his home in the USA to Toronto when Neustar were previously given an opportunity for free advertising to an international audience.

…and key factors to consider when implementing a national call authentication standard,

But my readers already get that from me. And the most important factor is not to believe a load of one-sided sales propaganda.

…as regulatory bodies in France, Brazil and other nations are working on currently.

As noted above, France is an interesting example. Do you think Neustar would have volunteered the crucial fact that the implementation of STIR/SHAKEN being undertaken in France cannot possibly satisfy a law which demands authentication for all calls, as opposed to the subset of calls this technology has been designed to authenticate? Jon Peterson is an expert on internet technologies. He wrote the STIR standards for the Internet Engineering Task Force. He started with the mindset that spam would be tackled by leveraging SIP signaling. So when asking why STIR/SHAKEN is not a silver bullet for the international problem of spoofed nuisance calls, I would begin by asking him if it was a fundamental mistake to assume an international solution should depend on SIP signaling from end to end? I would ask what led him to believe that the entire planet would upgrade infrastructure on a timely basis to deal with the current problem of spam and fraud, when we know it will take many years before most countries will complete upgrades to IP-only networks? And with so much money and effort being sucked up by STIR/SHAKEN, what was the thinking on how to protect ordinary people from harm in the meantime?

As for the state of play in Brazil… who knows any more? I already spend an insane amount of time checking misleading claims made by STIR/SHAKEN salesmen. But I am not paid to fly around doing international sales, so who knows if somebody is doing something with STIR/SHAKEN in Brazil? It was not that long ago that people said Australia was the next country to get STIR/SHAKEN, despite the lack of people in Australia who said the same thing, so now must I ask hundreds of Brazilians if one of them can substantiate this claim? All I know is that Brazil can be added to the long list of countries whose names have also been cited as being on the verge of adopting STIR/SHAKEN, despite all appearances to the contrary.

He’d be happy to share his thoughts in a contributed column for Inside Telecom…

Inside Telecom is another publication. But now you know how far ‘inside’ this industry that publication really is. And you also know that Neustar employ PR people that assume you are so keen to digest undiluted, unchallenged marketing hype that they cannot even be bothered to personalize their request for free advertising.

…or speak with you directly in an interview – what would make the most sense for your audience?

I was employed as a risk manager, and the most sense for my audience is an impartial appraisal of all the options for tackling nuisance calls, not the endless drowning out of all alternatives by a propaganda machine constructed for STIR/SHAKEN. And yet, ironically, I find myself disproportionately writing about STIR/SHAKEN too, just because some will think that claims which remain unchallenged may be reliable.

Debating whether a solution is a silver bullet is futile; the most important question is whether a solution would work, then to ask how well it would work, and then to ask how much it would cost. We base such deliberations not just on the theory of how it might work but observation as to what has already happened in practice. If the complaint is that there are no perfect solutions then we can still compare all the alternatives and make a considered choice. More has been spent and done to make STIR/SHAKEN real than on some of the proposed alternatives, but the first lesson to learn is that this has demonstrated that the proponents of STIR/SHAKEN underestimated how much more money and effort would still be needed to deliver an effective strategy for robocall reduction based on STIR/SHAKEN.

We should be striving to protect subscribers from fraud today, and not only to pour resources into some hypothetical future when the whole world only carries voice over IP networks and has agreed to adopt an approach developed by North American businesses with little consideration of the needs of other countries. It is plain wrong to default to one choice just because it is the choice that is most heavily advertised. I believe STIR/SHAKEN is presented as the default choice because of a failure to understand the international implications of relying on a technology that will not be supported by the infrastructure in the countries that are most likely to originate international spam and fraudulent calls in future.

I have been asked to speak a lot about these topics recently, even though I cannot claim expertise in these fields. These articles are provocative, but if I add anything to the debate it is because nobody has been applying fundamentally sound principles of risk management so far. That means evaluating costs and benefits in the context of uncertainty. That means evaluating against the goal, without any prejudice for or against the different methods of achieving that goal. I have tried to give advocates of STIR/SHAKEN fair opportunity to make their case, as demonstrated by Neustar’s invitation to speak at RAG Toronto. But some of the lesser, weaker advocates need to shut up now. They are less trustworthy than the best advocates for STIR/SHAKEN, and they only serve to drown out discussion of valid alternatives to STIR/SHAKEN. That is why a technologist like Jon Peterson would still be welcome to engage with the international audience via this publication. Marketeers need not apply.

The engineers that created STIR/SHAKEN appear to have done fine work, but the resulting tool may still prove as ill-suited to the task of reducing international spam and fraud as driving a Ferrari across a desert. It is possible to make technological advances that are rendered irrelevant because the timing is poor and the circumstances are not conducive to the success of the technology, and that is the point that few make about STIR/SHAKEN. There are bullets which are not silver bullets, and then there are bullets which are even less like silver bullets.

Arriving at a viable global strategy will require more time, and more thought, and more compromise than marketeers working for businesses like Neustar can ever enable. That is why I believe almost all the recent conversations I have had about STIR/SHAKEN conclude with the observation that there is a lot more that needs to be said. It is also why I was serious when I asked Jim McEachern why this industry is not looking to the International Telecommunication Union (ITU), an agency of the United Nations, to take the lead with establishing a global program of this nature. If it is because people who like the internet think there are better ways to govern the internet than by involving the ITU in decision-making then they are wrong. This problem is not about governing the internet, it is about who gets to make which phone calls, and many people will care about that even if they know nothing about the internet.

The communities that somewhat govern the internet have not developed the kinds of structures that are encompassing enough and nuanced enough to engage with many disparate countries in the kind of coordinated program needed to solve the global problem of voice spam and fraud. The previous US approach of building it first and assuming everyone will follow is not going to work this time. The reason we have such an enormous issue with CLI spoofing is because people build things first, then worry about the consequences later. Whilst US businesses will remain quick to promote STIR/SHAKEN by making unreliable claims and promises, arriving at a genuine global solution for spam and fraud will take a lot longer.

But let the debate continue! Criticism is necessary but even I can be civil. Solutions are rarely found by preventing discussion. So do listen to the following half-hour podcast, the third in the Global Call Authentication Domination series hosted by Pierce Gorman and Numeracle, with me and Jim McEachern debating how to validate the origin of calls on a global basis.

About the Author

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Related Articles