STIR/SHAKEN Is ‘Full of Holes’; Top US Comms Lawyer Warns About Robocall ‘Fox in Charge of the Henhouse’

Sometimes the best way to learn is to listen to people who have genuine experience and who openly share it.

I’m Jonathan Marashlian and our firm has the distinct pleasure of representing a couple of companies that are helping the industry fight against the bad traffic that’s on their networks, and from that experience of representing companies like YouMail and Prescott-Martini, what really becomes very clear is that STIR/SHAKEN is not the answer. Maybe it was a very small incremental step in a positive direction but there are so many holes in the framework, from just a sheer technological standpoint, that in our experience representing clients who have found themselves having to defend against Federal Trade Commission CIDs — Civil Investigative Demands — Attorney-General CIDs and the like. We are seeing a lot of bad traffic from many of the members of the ITG itself… The ITG is the Industry Traceback Group. It’s basically USTelecom. USTelecom also happens to be the trade association that represents AT&T, Verizon, many of the big common carriers, ILECs [incumbent local exchange carriers], broadband companies.

So, again, not claiming that there is some inherent conflict of interest going on there, but, when you put the fox in charge of the henhouse there’s always room for some misdeeds.

Jonathan Marashlian (pictured) is a telecommunications attorney and Managing Partner at Marashlian & Donahue, PLLC, a firm that is so focused on law for the communications industry that they refer to themselves as The CommLaw Group. When a senior lawyer with such a thorough understanding of the US comms industry speaks so candidly then the rest of the world should pay attention. Anybody can hear what Marashlian had to say; he was talking on a March 22 program made by Broadband Breakfast, a media business that covers a broad swathe of topics that interest employees working in the US communications industry. Marashlian’s voice conveyed frustration as he went on to relate a recent experience of one of his clients.

…we just ran into an issue with a client that had Verizon shut down 160,000 of its DIDs [Direct Inward Dialing numbers] mistakenly because it made the mistake of thinking there was bad traffic on the client’s network, and it took over two hours to get those DIDs restored.

One of Marashlian’s key points was that wanting to do good is not enough. The telecoms industry has to concentrate on whether it is actually distinguishing between good traffic and bad traffic, whether that involves STIR/SHAKEN, a technology that has been touted as a means to prevent CLI spoofing, or whether it involves ensuring impartiality in decisions that will have serious consequences for businesses accused of carrying bad traffic.

Companies that are trying to do good can end up doing harm. The end result is further distrust of the network, further distrust and avoidance of answering phone calls. Phone calls are being blocked that shouldn’t be blocked…

Marashlian kept focusing on STIR/SHAKEN, the centerpiece of the FCC’s strategy for reducing scam and unwanted robocalls.

A lot of money has been spent by the industry on STIR/SHAKEN compliance; I’m not sure if the public is receiving the benefits of those investments.

He also kept raising the question as to whether the Industry Traceback Group, the organization trusted to run the effective monopoly on US call tracing that was demanded when the government passed the TRACED Act in 2019, can be trusted to be sufficiently impartial when determining which carriers are responsible for bad traffic.

Should the ITG be taken out of the hands of USTelecom and put into a more independent entity? What are the answers? We are all working our way through the morass of what’s been created over the course of the past couple of decades with bad telemarketing calls, bad calls, and now again, with bad robotexts…

Marashlian was one of several individuals who spoke to Broadband Breakfast on the theme of STIR/SHAKEN and robocalls. On the subject of scam and telemarketing calls, Margot Saunders, Senior Attorney at the National Consumer Law Center (NCLC) observed:

…even with the advent and the aggressive requirements for STIR/SHAKEN we have not seen a meaningful reduction in the number of these calls, which is really disappointing.

I have been disparaging about the NCLC’s lobbying of Congress and the FCC over the problem of unwanted robocalls. There is no doubt that the staff of NCLC care deeply about people who can least afford to be scammed. However, that does not give them the technical and commercial competence to propose solutions to the problem of scam robocalls, or to identify potential flaws with the solutions that others have proposed. NCLC submissions have tended to repeat bad advice supplied by others because they only have a superficial understanding of how the telecoms industry works. That they now express disappointment with changes they previously trumpeted is symptomatic of the collapse of the groupthink that surrounded the adoption of STIR/SHAKEN in the USA. They have an emotional attachment to wanting something that will reduce scam calls, but are too proud to admit they lack the competence to judge which methods might actually succeed.

The businesses which sold STIR/SHAKEN duped a wide coalition of interests into believing that half a billion dollars of expenditure would deliver tangible results. That coalition is fracturing because vendors made unrealistic promises about the efficacy of the technology. There has been a lot of backsliding, dissembling and guff about what is or is not a silver bullet but none of the people who now make excuses for STIR/SHAKEN would have made a penny from selling the technology if they had openly forecasted the results that have actually been obtained in practice. Their attempts to shift blame — by criticizing TDM networks for not being IP networks, by insisting the fault lays with unregulated foreigners, to only latterly admit that robust know-your-customer controls are needed before anyone can genuinely authenticate the source of a phone call — illustrate the extent to which they previously exaggerated what STIR/SHAKEN could accomplish.

Saunders’ spoke in a downcast tone representative of somebody who purchases snake oil on behalf of an ailing family member, then keeps clinging to irrational hope because they cannot find a competent doctor who speaks honestly about the patient’s sickness. The US problem with bad calls is now so severe because it has been encouraged by the patient’s bad choices, such as the cancerous US addiction to huge volumes of robocalls that are legal but still unwanted by the recipients.

…we’ve got FTC numbers that show that the number of complaints from consumers about losses have gone up from year to year, and the… amount of losses from Harris Polls, has also gone up. Recently, in 2021, the numbers… went from 59 million people suffering losses from unwanted robocalls, scam robocalls, to over 68 million. That’s a lot of people!

A pedant would criticize Saunders for once again being too credulous. The figures she quoted are shocking, but we should be cautious because the data that supports these figures is also sketchy. This is why it is a mistake to stylize arguments for or against technologies like STIR/SHAKEN by treating individuals like Saunders and groups like the NCLC as representative of the interests of the population. They do not know enough to represent the population. On the other hand, telcos may know enough but their employees may lack the motivation to speak, or their bosses may not want them to interfere with the 3D chess game of wasting half a billion dollars on a flawed consumer protection initiative in order to secure many more billions of dollars in government subsidies somewhere else.

The nadir of Saunders’ analysis for the Broadband Breakfast came when she echoed what the FCC has said about the economic damage done to telecoms because people refuse to answer their phones. Her observation is sound, but telcos do not need a consumer advocate to explain to them the long-term downturn in voice revenues, and the multiple factors that cause it, especially when that consumer advocate is just repeating what the FCC has said, and the FCC is just repeating what the telcos have already told the FCC. This demonstrates an overarching failure of leadership: the telcos know they have a problem but cannot work together to solve it; they look to the regulator; the regulator looks to vendors who only want to provide solutions if they are lucrative, not because they are effective; and then consumer advocates are wheeled out to justify a lot of ill-directed spending. As much as I criticize Saunders and the NCLC, telcos should look to themselves and ask why they are so incapable of addressing fundamental strategic issues that could turn consumers away from traditional dialed voice calls forever.

Benjamin Franklin observed that “experience keeps a dear school but fools will learn in no other”. Learning from the mistakes made with STIR/SHAKEN has proven to be bitterly expensive for the USA, not just because of the money wasted on the technology but also because of the cost of the scam calls that might have been prevented if the same effort had been directed elsewhere. However, there are factions who do not want the rest of the world to learn from the mistakes that have been made in the US. They pretend the US experience has been positive, and that other countries should copy it. They are wrong. It is better to implement ten cheap mitigations that each have limited impact today than to focus on one expensive mitigation that will not deliver any measurable benefits for years, if ever. That is because the expensive technical process of ‘authenticating’ a call is no kind of authentication if it just means attaching a digital signature to a call without anyone really knowing if the caller is legitimate, the phone number is legitimate, and that the call is legitimate. Saunders is one of those who is finally, slowly learning from the expensive school of experience:

…while the STIR/SHAKEN process requires rather strict and expensive and complex procedures… to require the authentication of the original caller is applying the correct caller ID to its phone number, that whole process is completely undermined…

Apply professional skepticism when watching this Breakfast Broadband episode, because each participant pushes messages that are biased towards their interests. This leads one of the interlocutors to make a truly idiotic suggestion that would only serve to incentivize even more fraud than ever before! But it is telling that one of the panel could only offer the meager defense that it is ‘too early’ to tell if STIR/SHAKEN has failed. No rational agent chooses to spend half a billion dollars and years of effort on systems that are so ineffective that we must then wait many more years to determine if the money has been wasted. Scam calls are an urgent problem today. We should be prioritizing mitigations that will have an instant impact, and other countries have seen dramatic reductions in the number of scam and spoofed calls by putting those methods first. Meanwhile, the sadly insular expertise within the US telecoms industry is not learning from the experience of other countries, and is having a hard time coping with the gulf between what they expected and what STIR/SHAKEN has delivered in practice. When groupthink leads to a decision as terrible as STIR/SHAKEN, the rest of us should question the process by which everyone in that group was selected, and why none of them spoke about the chances of failure until after the money was spent.

You can watch the STIR/SHAKEN episode of Broadband Breakfast below. The player is configured to begin with Jonathan Marashlian’s contribution, which starts 28 minutes and 10 seconds into the recording.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.