UK STIR/SHAKEN Consultation Begins

If you live in the European Union or Latin America then you could be forgiven for believing that the UK’s comms regulator, Ofcom, had already decided that STIR/SHAKEN would become mandatory for British telcos in 2025. Personal experience has shown me that an extraordinary number of professionals outside of Britain have been persuaded that this falsehood is a fact. That is not because Ofcom devotes resources to communicating their plans outside of the UK. This disinformation has been spread by salesmen and pseudo-experts working to increase the profits of American vendors of STIR/SHAKEN, a technology designed to prevent the spoofing of phone numbers, and hence supposedly useful when seeking to reduce spam and scam calls, although results in practice have been dismal. Advocates for STIR/SHAKEN have long realized that the best way to convince regulators to make STIR/SHAKEN mandatory is to first persuade them that every other regulator will also make it mandatory. For all their public bluster, national comms regulators are mostly staffed by people who do not know how to accomplish their goals, so they mitigate the risk of making a bad decision by copying from other national comms regulators whenever possible. That becomes problematic when one national comms regulator makes a terrible decision but still wants every other regulator to follow their lead for political reasons, as is the case with the US Federal Communications Commission (FCC) and their decision to impose STIR/SHAKEN in 2021.

Regular readers of Commsrisk will hardly need reminding that since the 2021 adoption of STIR/SHAKEN in the USA, the number of bad US calls has risen a lot despite repeated promises that it would fall, that some classes of calls signed using STIR/SHAKEN are much more likely to be bad calls than traffic with no signature, and that telecoms-enabled fraud in the USA is continuing to rise, with even the favorable projections now reduced to predicting fraud reductions may begin in two years from now. This is the level of ‘success’ delivered by a technology that was already years behind schedule because of technical hitches, does not work for calls that cross international borders, and which cost half a billion dollars to implement in the USA. In summary, STIR/SHAKEN is the biggest boondoggle in the history of telecoms fraud management and the UK’s regulator is only considering it because they lack the courage to consistently place the needs of the British public above those of lying selfish bastards who make unrealistic promises about expensive tech just so they can profit from its sale. I could go on, and I usually do, but with so much dishonesty surrounding STIR/SHAKEN it is necessary to be succinct in order to cut through the lies spread by an army of liars. Their ranks are swollen because of the money that vendors expect to make not just from the initial deployment of STIR/SHAKEN in rich Western countries like the UK, but also because they expect to charge rent for the continued use of this technology for the rest of time.

Here are the essential facts about Ofcom’s new consultation concerning whether to mandate STIR/SHAKEN for British telcos. Some of these facts can also be obtained through other channels, but this analysis will spare you any hype about the benefits that STIR/SHAKEN is supposed to deliver.

  • Ofcom’s consultation was announced on Friday, April 28. Fridays are bad days for making announcements if you want to get press attention. This particular Friday was one of the worst; many Brits will have enjoyed an extended weekend break because of a public holiday on May 1. It seems unlikely that staff working for the UK’s national media regulator would have been unaware of this.
  • Ofcom minimizes references to STIR/SHAKEN in the first half of their consultation document, presumably because they are worried about British journalists doing a Google search and noticing the worsening reputation of STIR/SHAKEN in the USA, but this ‘CLI authentication’ proposal is a copy-paste of the US approach to STIR/SHAKEN apart from some tinkering concerning the number and arrangement of bureaucratic entities that will be tasked with administering it. That is unsurprising given that Ofcom paid one of the leading US STIR/SHAKEN lobbyists, a former employee of one of the businesses that has most to gain from an international roll-out for STIR/SHAKEN, to produce a report that was essentially the first draft of their proposal.
  • The format of this Ofcom consultation deviates from the norm. Since the late 1990’s, British regulators have all been legally compelled to perform a cost-benefit analysis before imposing expensive new obligations. This change to the law was motivated by the new Labour government’s fear that some businesses were engaging in ‘regulatory capture’ by persuading regulators to mandate the purchase of expensive systems and services which would not be justified by an impartial appraisal of the resulting economic benefits to the public. Ofcom has dodged this requirement so far by splitting their STIR/SHAKEN consultation into two parts, of which this is just the first phase. They explicitly refer to the regulatory impact assessment as occurring in the next consultation; ‘impact assessment’ is a synonym for the mandatory cost-benefit analysis. Regulators use various tricks to rig cost-benefit analyses to get the outcome they want. For example, the FCC’s arguments for STIR/SHAKEN have heavily relied upon the classic fraud management deception of comparing all the losses caused by all kinds of bad traffic to the cost of fraud prevention methods that would only reduce some kinds of bad traffic. The FCC is so relaxed about using this trick that they are now consulting on their eighth consecutive rule-making proposal that cites the same gross total for the harm they intend to reduce using methods to prevent illegal calls. Seemingly nobody has noticed that if you implement eight batches of improvements, resulting in eight batches of additional costs, then you should produce eight separate estimates of the benefits delivered by each batch.
  • In all likelihood, Ofcom are choosing to be vague about the proposed costs and benefits during the first part of their consultation to test the strength of resistance to STIR/SHAKEN within telcos whilst discretely eliminating all the alternatives to STIR/SHAKEN so there will never be a proper assessment of how the alternatives would compare in terms of costs or benefits. One obvious reason to rig the analysis is that STIR/SHAKEN would cost orders of magnitude more than every other option. A straight comparison between the cost of STIR/SHAKEN and the cost of alternatives would lead to the rejection of STIR/SHAKEN because Ofcom does not know how to estimate the benefit that might be delivered by any particular approach; they can only talk about the level of consumer harm in general, and not the extent to which harm might be reduced any specific consumer protection strategy. Contrary to how these issues are presented to the general public, there will always be some employees in the private sector who benefit from additional expenditures imposed upon their employer; if STIR/SHAKEN becomes mandatory then network engineers are guaranteed additional budget. It is notable that Ofcom only likes to speak to network engineers about this proposal, and has made no serious effort to engage with fraud managers, many of whom will ultimately report to their company’s CFO. Choosing not to present a detailed cost-benefit analysis at this stage means Ofcom can wait to see what data is presented in favor of their proposal without committing to a head-on war with telco CFOs should the holders of the purse-strings decide to challenge the engineers within their company.
  • The deadline for responses is June 23. The foreign businesses pushing STIR/SHAKEN and the lobbyists engaged by them have been honing their arguments and building up to this for years. British critics have less than 9 weeks to decide how they will respond to the plans, whilst knowing that telcos will be reluctant to be portrayed as resisting new consumer protection regulation, especially given the extent to which British journalists have already demonstrated their bias.
  • No mention is made of the alternative to STIR/SHAKEN being developed at a British university at a cost to British taxpayers. Ofcom must be aware of this alternative; their consultation does refer to the output of a UK parliamentary committee that also received expert testimony about this British alternative. This is a shame as the British alternative could generate income for British businesses instead of American businesses, could potentially be implemented worldwide far sooner than most countries’ networks would be ready to implement STIR/SHAKEN, and is capable of working across operators and borders in circumstances when STIR/SHAKEN cannot.
  • Ofcom’s proposal is based on a biased 2021 report that recommended they ‘proceed with all deliberate speed’ towards appointing a like-for-like copy of the US governance structures for STIR/SHAKEN despite the author acknowledging that the UK’s networks would not be capable of usefully implementing this technology before 2025. The report was written at a time when there was far less real-world data about the results that STIR/SHAKEN would deliver in practice, and so relies upon overly optimistic projections of what would be achieved in the USA.
  • The American author of the 2021 report was so convinced that Ofcom had decided to impose STIR/SHAKEN, despite the absence of any cost-benefit analysis, that he announced on social media that the UK would be the ‘next’ country to implement STIR/SHAKEN on March 3, 2021, a full three months before his report was completed.
  • Whilst Ofcom paid in 2021 for biased external recommendations for how STIR/SHAKEN could be implemented in the UK, they have not used the subsequent two years to commission impartial independent research into the actual results delivered by STIR/SHAKEN in the USA (which are poor) and Canada (which are even worse). To illustrate the importance of basing decisions on accurate and current data, note that Ofcom’s paid-for research told them in June 2021: “…there has been considerable success among several sectors of the United States Service providers. Nearly 90% of all voice calls that originate and terminate between providers of Mobile Access networks are now compliant.” However, the current reality is starkly different to this upbeat assessment of how quickly STIR/SHAKEN would be applied to US calls. An April 2023 blog by TransNexus, a US STIR/SHAKEN provider, reported that: “the percentage of signed calls at termination… has been hovering around 24% for a long time. In recent months, we’ve observed this number increasing by about 1% per month, reaching 28.3% in March.” The desire to promote statistics relating to mobile-to-mobile calls between major US mobile networks is indicative of a deliberately biased selection of data. Scammers who work in call centers use softphones and the FCC routinely complains that carriers of international VoIP traffic are disproportionately to blame for illegal calls. Calls originated using mobile phones on domestic mobile networks are the easiest to verify using STIR/SHAKEN but they are least pertinent to a risk-based analysis of how to reduce crime.
  • It is notable that Ofcom’s consultation document repeatedly refers to their proposed system being used to automatically block bad traffic although US telcos still do not use STIR/SHAKEN to automatically block calls because of the fear that this would result in interference with legitimate calls. Much of the early propaganda for STIR/SHAKEN emphasized its potential for improving the accuracy of blocking algorithms but this has not been realized in the USA.
  • Ofcom outlines an argument for the benefits of STIR/SHAKEN that concentrates on surveys of the public that ask how often they have received spoofed calls. No allowance is made for the benefits delivered by other anti-spam and anti-scam methods they have pushed British telcos to adopt; a call that has already been prevented using an existing method cannot also be prevented by the future installation of STIR/SHAKEN.
  • Ofcom’s consumer-led argument for the benefits also ignores the single most important limitation of STIR/SHAKEN: it does not work for calls that cross borders, not least because national regulators cannot mandate authentication at source for telcos that fall outside of their jurisdiction. A consumer that says they have received a spoof call will not distinguish between calls that originated in the UK and calls that originated overseas, whilst the worst crimes they suffer will generally involve talking to scammers situated in foreign call centers. Even in the best case scenario, a British deployment of STIR/SHAKEN will only deliver a reduction in spam and scam calls originating within the country, and will have no impact on calls originating elsewhere, especially as British telcos are already blocking foreign-originated calls that spoof UK numbers. Asking the British public about their historic experience of receiving calls, knowing that this included many foreign-originated calls they can no longer receive, is a way of inflating the calculation of the potential benefits of STIR/SHAKEN whilst obscuring the reasons why the harm caused by foreign-originated calls is not relevant to the STIR/SHAKEN cost-benefit analysis.
  • Ofcom’s consultation document provides no hint about the cost of implementing STIR/SHAKEN in the UK, even though they should easily have the resources to make this calculation. Based on the US experience, I expect the initial deployment of STIR/SHAKEN for all UK voice traffic would cost around GBP100mn (USD126mn) in total.
  • Ofcom implies that the GBP100mn implementation cost of STIR/SHAKEN may be absorbed by telcos instead of being passed on to consumers in the form of an approximate GBP1 price rise for every annual phone bill. Their hope is ludicrous given that Ofcom is currently permitting British telcos to raise their prices at a rate that is well above the current level of inflation, which is itself at sky-high levels. The eye-watering price rises already permitted by Ofcom are so contentious that various members of parliament have signed a parliamentary motion that condemns them.

I will provide a point-by-point examination of the information and disinformation in Ofcom’s consultation documents in due course. However, I have little confidence that the right decision will be made. The decision to employ a biased advisor in 2021, and to publish his out-dated work as part of the justification of their plan, gives us a profound insight into Ofcom’s intentions. The motivation for implementing STIR/SHAKEN stems from consumer perceptions rather than consumer protection. Those perceptions are then manipulated to suit the goals of lobbyists. Regulators answer to politicians, politicians answer to voters, and voters trust their gut when they simply do not know enough to understand a decision.

Telco executives will likely be cynical in their response; why risk public ire by opposing a nominal consumer protection initiative when they can simply endure the additional waste, knowing the regulator will permit higher price rises as compensation for not making a fuss? The current regulatory priority for European telco CEOs is to end the parts of net neutrality that prevent them demanding subsidies from big US tech firms. British telco CEOs are not going to fight over GBP100mn of spending on consumer protection tech if they believe it will jeopardize a potential windfall of billions of dollars from companies like Netflix and Google. Consumer protection advocates and generic anti-fraud know-it-alls will argue for the promised benefits of STIR/SHAKEN without admitting they lack the technical and commercial competence to judge if it will deliver any benefit in practice. The BBC will dredge up some cybersecurity professor at a British university (but not the professor working on the British alternative to STIR/SHAKEN) and he will present himself as an expert even though he has never done any actual research on telecoms fraud and all of his knowledge of STIR/SHAKEN comes from a single New York Times article he read years ago. Much of my career has been spent watching Ofcom careerists prioritize the decisions that are most likely to further their own careers. Consumer protection matters little when the goal is to issue a press release that makes the regulator look tough. The public expects businesses to put profits ahead of all other considerations, but they rarely have the nuanced insight required to determine if the businesses lobbying for more consumer protection are really on their side.

9 weeks will elapse from the opening to the close of this consultation. If the proponents of STIR/SHAKEN win then they will rapidly switch to persuading the next national regulator that they must adopt STIR/SHAKEN because it has been adopted in the UK. That is why some of them were lying about the UK having already decided to adopt STIR/SHAKEN. If they lose, it will be a major blow to their plan to make global telephony subservient to US business interests in a fashion that mimics how the governance of the global internet is currently dominated by US businesses. If you want to influence the future of whose phone calls are permitted and whose are blocked, not just for the UK but for the whole planet, there will rarely be a more significant opportunity than this consultation.

The webpage for Ofcom’s STIR/SHAKEN consultation is here, the consultation document is here, the response form is here, and the June 2021 report that Ofcom commissioned from an American lobbyist is here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.