UK Regulator Hints at Considering STIR/SHAKEN

I have been writing about telecoms risk for a long while, and because this is an international topic I take pride in being able to switch between American English and British English. The differences are not just down to spelling. The cultures also use different phrases. Even jargon can vary. Nobody in the UK has ever owned a cellular phone, and nobody in the US has ever been ex-directory. If you pay attention, the words people use can sometimes reveal who has influenced them, and where their knowledge comes from. One memorable example was when people started referring to CDRs as ‘metadata’, following the leaking of secret US court orders. So now you know what I mean when I observe that during the last month I have never heard so many Brits referring to caller IDs. British industry insiders normally talk about CLIs. The context in which caller IDs are now routinely mentioned is always the same: tackling imposter frauds by preventing spoofing.

The latest joint report about nuisance calls from Ofcom, the UK comms regulator, and the UK’s Information Commissioner’s Office (ICO) was even-handed, but did suggest an increased willingness to consider the adoption of STIR/SHAKEN. Their press release noted how nuisance calls ramped up at the end of 2020.

Ofcom and the ICO saw complaints about nuisance calls and messages fall in 2020. However, both also noted a surge in complaints from September/October to December 2020 compared to the same period in 2019.

We saw an 83% increase in the number of complaints between October and December 2020 compared with the same months in 2019. Similarly, the ICO saw a 27% rise in complaints between September and December 2020 compared to the previous year.

Their report was similarly balanced. They refused to jump to conclusions about whether the increase in nuisance calls would be sustained or if it merely represented a temporary blip as fraudsters compensated for call centers being closed by the pandemic during most of 2020. The possible adoption of STIR/SHAKEN is mentioned, along with reasons why it would not currently be effective.

In the USA, where more calls are carried over VoIP networks, the Federal Communications Commission (FCC) has mandated that phone companies introduce caller authentication by 30 June 2021, using a particular technical standard called STIR/SHAKEN. The implementation of CLI authentication in the UK using this approach will take more time as it is only effective when voice services are migrated to IP, which is due to be completed in the UK by the mid-2020s. We are working with industry to explore whether some aspects of CLI authentication could be introduced sooner.

One difficulty the authorities face is managing public expectations when the BBC has a track record of seeking to generate hysteria about private sector businesses that represent a long-term existential threat to the BBC’s taxpayer-funded model. The BBC Money Box podcast recently shared a special investigation into number spoofing, based on the not-so-special technique of recording a scam call that anyone might have received. Graeme Biggar, Director General of the National Economic Crime Centre at the National Crime Agency, was invited to comment on the problem for the utterly predictable reason that he was bound to want more resources to be devoted to preventing fraud. To Biggar’s credit, he was also balanced in his analysis, stating:

If we had a technical solution to it, we would absolutely put it in place… There isn’t a silver bullet that would just stop the spoofing of phone numbers in the way that we heard in that call. No, there isn’t an answer. Trust me, if Ofcom and the phone companies had a technical way of stopping this happening, they would jump at it. They are working very hard to try to find ways to do it.

The BBC showed their usual interest in impartiality by writing up this interview with the headline:

Phone companies ‘must do more’ to stop fraud calls

Having monitored the progress of STIR/SHAKEN in North America, I am now bracing myself for a public relations onslaught in the UK. The reason for this is straightforward: STIR/SHAKEN generates lots of revenues for its suppliers. My back-of-an-envelope calculation is that an Ofcom decision to make STIR/SHAKEN mandatory in the UK would be worth upwards of USD100mn in revenues for suppliers of the technology during its first year. This is extrapolated from an analysis of ‘implementation and initial annual recurring operating costs’ for adopting STIR/SHAKEN in the USA, as published in a report by the FCC, the US regulator. The new bureaucracy required to oversee STIR/SHAKEN could also become a lucrative source of income for those appointed to work for it, with the US governance authority voting in November 2020 to impose an 18 percent increase in the mandatory annual authorization fees paid by the largest telcos.

With so much money at stake, it is no surprise that the businesses which profited from the roll-out of STIR/SHAKEN in North America are planning to re-sell their experience to every country they can. A reliable source informs me that Ofcom is already receiving advice from Richard Shockey, a consultant and the Chairman of the Board at the SIP Forum. Regular readers will know I have complained to the ICO about GDPR privacy violations by the SIP Forum after realizing that the people who run the SIP Forum are too busy profiting from the protection of people’s privacy to spend money on protecting people’s privacy. Shockey does not even seek to hide his confidence that Ofcom will mandate STIR/SHAKEN for UK telcos, commenting on LinkedIn that:

The UK is next.

Perhaps Shockey knows something the British public does not, though it is customary for Ofcom to at least pretend to listen to the responses to a public consultation before making expensive decisions like these. I already know a lot of Ofcom employees have listened to Shockey’s webinars about STIR/SHAKEN because of the way the SIP Forum leaked their email addresses. Intentionally public information also suggests a consultation may be in the pipeline; an entry in Ofcom’s plan of work for 2021/22 states:

Number authentication. We will undertake a programme of work to achieve greater trust in caller IDs and support tackling of nuisance and scam calls.

It is interesting that at least one Ofcom employee has also started referring to CLIs as caller IDs…

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.