US Hypocrisy on International Cooperation Shown in FCC Vote to Impose STIR/SHAKEN on Foreign Calls

Politicians never want to admit the need for a u-turn. Reversing a failed policy causes embarrassment by highlighting the incompetence of the people trusted to make important decisions. This leads politicians to put their own careers ahead of the needs of the public they are supposed to serve. And nothing is worse for a politician than trying to gain popularity by positioning themselves as a world leader, only to realize the rest of the world is stubbornly refusing to follow their lead. Thursday’s unanimous decision by the four Commissioners of the Federal Communications Commission (FCC) to impose the enormous cost of STIR/SHAKEN on telcos carrying foreign-originated calls to the USA has proven:

  • The US comms regulator is run by politicians
  • It does not matter to them if current policies are failing, because what really matters is never admitting to failure
  • Effective policies already pursued by other countries will only be prioritized after more time and money is wasted on failure

To reiterate the three most important facts about STIR/SHAKEN:

  1. It is a series of technologies and policies designed to reduce unwanted and fraudulent robocalls by preventing the spoofing of A-party numbers
  2. Implementing STIR/SHAKEN is expensive, costing “tens of millions of dollars” per US telco mandated to adopt it
  3. It has delivered lousy results since it became mandatory in the USA, with many robocalls obtaining the so-called ‘authentication’ of STIR/SHAKEN

STIR/SHAKEN will not help to reduce cross-border robocalls because the technology is only effective if the call is certified from its origin to its destination without any lapses between. The USA, the world’s mightiest economy, is not even capable of performing this task for three-quarters of all calls that originate within the USA. Canada is the only other country in the world that has notionally agreed to applying STIR/SHAKEN to cross-border traffic, and progress towards assuring calls passing between the USA and Canada has been negligible. Deployment of STIR/SHAKEN in the USA and Canada has fallen well behind original expectations because extra time was needed to address glitches with the technology and its governance. Other governments show little enthusiasm for mandating STIR/SHAKEN, and the vendors of the technology know it is unlikely that telcos will purchase STIR/SHAKEN voluntarily because it only delivers a benefit if the telcos they interconnect with have chosen to implement it too.

Despite the obvious strategic flaws, the FCC wants US consumers and the global telecoms industry to believe STIR/SHAKEN will become standard for all calls originating anywhere on the planet. The anti-robocall order approved by the FCC on Thursday furthers this plan by imposing the use of STIR/SHAKEN on many calls originating outside of the USA, even though the FCC knows there will be no meaningful benefit as none of those calls will have received STIR/SHAKEN certificates at their origin. The FCC is caught in a trap of their own devising. They do not just recommend the use of STIR/SHAKEN to other countries; they imply global adoption is necessary for the technology to succeed. They are right, in a way, because any benefits generated by STIR/SHAKEN can only stem from its use end-to-end. This is fatal to the business case for STIR/SHAKEN because so little is gained by having expensive end-to-end assurance for a minority of calls whilst the majority of calls remain as likely to be fraudulent as they ever were. That point is underlined every month the US robocall figures remain stubbornly high, despite STIR/SHAKEN being made mandatory for the IP networks of all larger US telcos at the end of June 2021. A partial roll-out of STIR/SHAKEN across anything less than the entire path of a voice call delivers trivial benefit at significant cost, meaning that US plans to tackle robocalls at a global level have always been predicated on the most implausible ‘big bang’ technology implementation in the history of telecommunications. What we see instead is the FCC trying to keep STIR/SHAKEN vendors motivated through the progressive addition of new burdens on US telcos in the hope this steady creeping expansion will eventually encourage foreign regulators and telcos to join some hypothetical cross-border STIR/SHAKEN ecosystem.

One irony lost on the FCC is that the peculiar way that US telecoms has been regulated compared to other countries means US-based telcos have been able to generate good profits whilst having little incentive to develop, acquire or invest in international groups of operators. When ranked by subscriber numbers, none of the largest international groups are headquartered in the USA. If the FCC could pressure a single group like Vodafone, América Móvil, Telefónica, VEON, MTN or Orange then they could potentially make great strides in encouraging end-to-end implementation of STIR/SHAKEN between countries. The order passed on Thursday does lean on US telcos to do more in the international sphere, but it cannot go far because of the limited reach of US telco executives and boardrooms. Instead of identifying and dealing with this weakness, it appears as if nobody in the US industry has the diplomatic skills and business connections to persuade any of the big international groups to implement STIR/SHAKEN across all its operations. They instead prefer to tell themselves that businesses like Microsoft and Google provide sufficient multinational engagement. This partly explains the crude and ineffective methods being used by the FCC to insinuate STIR/SHAKEN into international voice traffic, though the FCC must also be bemused that none of the businesses which successfully lobbied them to make STIR/SHAKEN mandatory have been able to repeat that trick with other regulators.

It would be bad enough if fraudsters simply evaded the notional control imposed by STIR/SHAKEN by ensuring their calls are handled by networks that cannot meet the requirements of STIR/SHAKEN. However, criminals have also learned how to infiltrate the use of STIR/SHAKEN within the USA. They successfully ensure their traffic receives a STIR/SHAKEN attestation, although this will only grant the calls a lower-grade partial attestation. Their calculation is that a partial attestation appears safer than no attestation. The converse is true; STIR/SHAKEN has been so thoroughly perverted in practice that US calls with these lower-grade attestations are now much more likely to be spammy robocalls than calls which have no STIR/SHAKEN attestation. These issues must be obvious to the FCC given the information resources they can call upon. They choose to ignore them because the FCC cannot admit to the American public that their plans are failing in practice. Although they always knew the plan was to begin by imposing STIR/SHAKEN solely within a US context, the FCC is now seeking to deflect responsibility by shifting blame to foreigners.

Not many tuned in to watch the livestream of the open meeting where the FCC imposed STIR/SHAKEN on international voice traffic. YouTube’s counter showed no more than 29 viewers at any point during the 16 minutes spent by FCC staff and Commissioners discussing the topic, even though it was the first item on the meeting agenda. This shows the cognitive dissonance between the seriousness of telecoms fraud and how much attention it receives in practice. Barely anyone in the world chose to spare a quarter of an hour to listen to four supposed leaders of the US telecoms industry talk about a topic which, per their own organization’s reports…

  • …is the top source of complaints received by the FCC for the last five years in a row
  • …costs US consumers at least USD13.5bn annually
  • …is the subject of “active dialogue and cooperation with [the FCC’s] international counterparts”

If other countries really intended to copy the FCC’s master plan then more people would take an interest in the extent of progress made by the FCC. Though hardly mentioned in the meeting, the official order that was approved on Thursday also invites comment about other ways to reduce robocalls that have previously not received serious consideration. A regulator does not seek comments on a potential Plan B or Plan C if Plan A is going well. Nevertheless, the order approved on Thursday reiterates the same ambitions that have been repeatedly expressed by the firms who created STIR/SHAKEN and have been lobbying regulators to mandate it ever since.

We anticipate our expansion of the STIR/SHAKEN regime today may spur other countries and regulators to also develop and adopt STIR/SHAKEN, further increasing the standards’ benefit.

Notice the incoherent wording in this quote, even though it comes from a document which must have been reviewed by a dozen well-paid lawyers. A person anticipates what will happen, not what may happen. The English word ‘may’ reveals the FCC’s lack of confidence, even as they pretend other regulators will copy their approach. A person can only anticipate an outcome if they consider it probable, and not if they think it improbable. The tension between the two possible meanings of this sentence comes from an organization that is suffering groupthink. What would spur the adoption of STIR/SHAKEN by other regulators would be hard data showing it is making a difference in the USA, but the FCC cannot provide that. Having looked at the data about the results delivered by STIR/SHAKEN so far, the FCC’s order also raises the prospect of adopting other, cheaper ways of reducing robocalls that could have easily been implemented independently of any decision about STIR/SHAKEN.

You know you are not getting the full story when just 16 minutes of high-level pontification is deemed adequate to summarize the content of an FCC order that is so lengthy that FCC Chair Jessica Rosenworcel spent a full 60 seconds just listing the names of the people she thanked for writing it. After reading the full text of the order, and listening to what the Commissioners said about it, I can assure you that the story being pushed to the public is different to the detail of an emergent strategy that the FCC will not want people to notice. The text of the order shows they are preparing for policy u-turns, but will seek to present them as continuations of the same plan. But before I broach the alternative robocall mitigations finally being given consideration, it is worth spending some time observing how this group of politicians continues to misinform the public. 16 minutes was still sufficient for the Commissioners and their underlings to present a series of half-truths and falsehoods about the contents of the order and the results delivered by the FCC’s anti-robocall plan so far.

It is telling that a group of lawyers, all reading from pre-prepared scripts, made statements to each other that consistently abused the meaning of the word ‘authentication’ in a way designed to mislead the public. Jerusha Burnett, Attorney Advisor of the FCC’s Consumer Policy Division, said the following about the FCC’s order:

It also requires gateway providers to provide STIR/SHAKEN caller ID authentication to all unauthenticated foreign-originated SIP calls…

This is not true per any normal interpretation of the word ‘authentication’. If you send me a photograph of somebody’s ID, and then I attach a digital signature to that image so the image cannot be changed after this signature was added, that does not mean I authenticated the ID. I just initiated a control that prevents tampering with the image from that point forward. The control does nothing to prevent or detect tampering that occurred beforehand. To say the CLI of a call has been ‘authenticated’ means being able to show the number represents the truth. The FCC know this is impossible for downstream recipients of an unauthenticated call but insist on describing STIR/SHAKEN as a process that can ‘authenticate’ the call at any time. This ignores the commercial realities that led the US industry to make STIR/SHAKEN so complicated in comparison to simpler and more effective controls adopted elsewhere. Big US businesses want to be able to say a corporate number represents the authentic origin of a call in situations dissimilar to using a domestic phone which has one and only one number associated with it. The flaw should be obvious: if an enterprise can intentionally mislabel the origin of a call for supposedly legitimate commercial reasons, then a criminal enterprise can do the same for illegitimate reasons.
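The signed-photograph point above, as an added example (not code from the FCC order or from any STIR/SHAKEN implementation): a gateway attaches a PASSporT-style signed token to whatever caller ID it received, and the terminating side checks it. HMAC-SHA256 stands in here for the certificate-based ES256 signature that real deployments use, and the key, phone numbers and origid are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key standing in for the gateway provider's signing credential.
# Real SHAKEN uses an ES256 key pair and a certificate referenced in the header.
GATEWAY_KEY = b"constructed-gateway-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(part: dict) -> str:
    # PASSporT serialisation: keys in lexicographic order, no whitespace.
    return b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())


def gateway_sign(orig_tn: str, dest_tn: str, iat: int, key: bytes = GATEWAY_KEY) -> str:
    """Sign the caller ID exactly as it arrived from the foreign network.

    The gateway has no relationship with the caller, so the only attestation
    it can give is 'C' (gateway): "this is what I received".
    """
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport"}  # HS256 is the stand-in
    payload = {
        "attest": "C",
        "dest": {"tn": [dest_tn]},
        "iat": iat,
        "orig": {"tn": orig_tn},
        "origid": "constructed-origid-0001",
    }
    signing_input = _encode(header) + "." + _encode(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, presented_tn: str, key: bytes = GATEWAY_KEY) -> dict:
    """Terminating-side check, reporting separately what each result establishes."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    signature_ok = hmac.compare_digest(expected, b64url_decode(sig))
    result = {
        "signature_ok": signature_ok,       # token untouched since the gateway signed it
        "unchanged_since_signing": False,   # caller ID on the call matches the token
        "attest": None,
        "origin_vouched": False,            # signer claims to know the caller and number
    }
    if not signature_ok:
        return result                       # never trust claims from an unverified token
    claims = json.loads(b64url_decode(body))
    result["attest"] = claims["attest"]
    result["unchanged_since_signing"] = claims["orig"]["tn"] == presented_tn
    # Only full ('A') attestation says the signer verified the caller's right
    # to use the number. 'C' says nothing about what happened upstream.
    result["origin_vouched"] = claims["attest"] == "A"
    return result


if __name__ == "__main__":
    # Constructed scenario: the caller ID was already falsified before the
    # call reached the gateway. The gateway cannot tell, and signs it anyway.
    received_caller_id = "12025550123"
    token = gateway_sign(received_caller_id, "12125550100", iat=1653000000)

    print("as signed:        ", verify(token, received_caller_id))
    print("altered in flight:", verify(token, "12025550199"))
```

The first result has a valid signature and an unchanged number, yet `origin_vouched` is false: the check covers tampering after the gateway, not the truth of the number the gateway was handed.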

Burnett was not guilty of an accidental slip of the tongue when she spoke about authenticating what cannot be authenticated. The next FCC lawyer who spoke misused the word ‘authenticate’ in exactly the same way. Jonathan Lechter, Attorney Advisor to the FCC’s Competition Policy Division, said this of the order:

First, it proposes requiring US intermediary providers to authenticate unauthenticated SIP calls…

Does a falsehood become true if multiple lawyers repeat it? Representatives of the FCC should stop telling the US public that a call has been authenticated just because a digital signature was attached to it. That they misuse language shows they do not want to be transparent about STIR/SHAKEN’s most significant weakness. Even so, this weakness is obvious to telcos that use STIR/SHAKEN. FCC lawyers do not use metaphorical inverted commas to indicate the difference between real authentication and so-called ‘authentication’. I have to use them in this article to avoid misleading you. Verizon also used them in a written submission to the FCC explaining why the application of STIR/SHAKEN to international carriers would be a waste of money:

The Purported Benefits of Requiring Intermediate Providers to “Authenticate” Calls with STIR/SHAKEN Are Illusory and Can Be Better Achieved With Other Tools

Politicians tend to change the meaning of words when it suits them, and they also tend to rewrite history for the same reason. Several individuals spoke about the FCC ‘continuing’ the work already done to reduce robocalls, but nobody seemed to notice blatant discontinuities in that work. For example, Lechter noted that the order…

…seeks comment on non-IP authentication methods

That is an odd way of putting it, given that the main reason STIR/SHAKEN can only be applied to a minority of US calls is because so many calls pass over a non-IP network at some point. When STIR/SHAKEN was made mandatory the FCC chose to gloss over this severe limitation by pretending that telcos with non-IP networks could choose whether to upgrade to IP networks or else devise their own non-IP methods of authenticating the origin of voice calls. The FCC might as well have said many telcos with non-IP networks had a choice between going bankrupt or independently inventing a fantasy technology that everyone else would have to agree to use. The FCC does not really need comment on non-IP authentication methods because they have been anticipating (in the true sense of the word) the development of this technology for many years. They have had to anticipate it for many years because the promised development of non-IP STIR/SHAKEN also fell well behind expectations. The only comment the FCC want to hear about non-IP authentication is that non-IP STIR/SHAKEN has finally been delivered by the same companies that lobbied to make STIR/SHAKEN mandatory for IP networks. When the FCC hears that message, US telcos can anticipate being mandated to hand over even more money to those suppliers.

FCC Commissioner Brendan Carr was the first of the four current Commissioners asked to comment on the new order. He gave a short political speech which would have delivered a high score in robocall bingo, including phrases like:

  • I almost never answer my phone
  • whac-a-mole
  • make sure the squeeze is worth the juice
  • aligning our actions with the international community

Whilst he did not say much, at least Carr only took 80 seconds to say it. If he had spoken for another minute then he might have offered some insight on what he thinks international alignment means, beyond some US government appointees trying to dictate policies they want other countries to follow. However, at least Carr was succinct. This contrasted with Commissioner Geoffrey Starks who spent the next four minutes campaigning to succeed Jessica Rosenworcel as Chair of the FCC. Presumably nobody told him how few people were watching the livestream.

Now is not the time to take our feet off the gas because, according to YouMail, there were 3.9 billion robocalls placed last month…

The Commissioner has clearly been briefed about the best sources of data to quote, and YouMail’s Robocall Index is the most reliable measure of robocall activity across the USA. But the problem with politicians who live by the statistical sword is that statistics can skewer them too.

…but positive signs are that the numbers are trending downwards from last year.

That is a lie. Starks wants to get away with the old political game of insisting there is a need for much more government action because things are really really bad whilst arguing the government has consistently made things better. The FCC has been prone to repeating this trick for a while now, but it becomes less effective each time they repeat it. Here is the chart showing the number of robocalls per YouMail’s Robocall Index in every month since STIR/SHAKEN became mandatory at the end of June 2021 (in blue) and the trend line for these numbers (in red).

The only kind of person who thinks this signifies a clear downward trend is a politician squinting at the figures in a desperate attempt to see evidence of their own success.

Critically, gateway providers’ networks are the point of entry for foreign-originated robocalls, which is where the vast majority of these robocalls originate… so I support requiring gateway providers to apply STIR/SHAKEN caller ID authentication…

Note how Starks repeats the misuse of the word ‘authentication’.

…to unauthenticated foreign-originated SIP calls…

If you were interested in the vast majority of robocalls, then why focus so much money on a strategy that only works for SIP calls? Starks can see imaginary trends wherever he likes, but he has no influence over the rate at which foreign countries will implement IP networks. Fraudsters will just ensure robocalls are always hidden amongst billions of other calls that did not originate on IP networks, unless the FCC intends to instruct telcos to weight their blocking algorithms so that unsigned calls are more likely to be blocked than signed calls. And if they do that, then it is only a matter of time before somebody in the overly tame US press finally asks the only black FCC Commissioner why he sees no risk in pushing US telcos to block a higher proportion of calls from majority-black countries.

…while STIR/SHAKEN is effective alone, it is not enough…

Even by the standards of a politician, this ranks as a bizarre statement. STIR/SHAKEN is much more expensive than all the other methods of reducing robocalls that the FCC has contemplated. In what sense does the data show STIR/SHAKEN is effective, given the number of recent robocalls that Starks referred to at the beginning of his speech? And if STIR/SHAKEN is not enough, why is the FCC always racing ahead with the most expensive part of their plan whilst taking an age to ‘seek comment’ on other, cheaper methods that appear to have worked for other countries?

If we are not able to enforce our rules then we are fighting with one hand behind our backs so I support the requirement that gateway providers respond to traceback requests within 24 hours…

It is not surprising that one of the Democrats on the Commission would refer to enforcement. Starks and Rosenworcel, who is also a Democrat, repeatedly bashed former FCC Chair Ajit Pai by saying he was weak on enforcement. It made political sense for them to attack Pai because he was a Republican. Their point was valid; enforcement of anti-robocall rules has been a key weakness for US authorities over many years. However, the main thrust of their argument about enforcement was that law breakers do not get punished after they are caught. For example, these were Starks’ comments about an important robocall prosecution in 2020:

The threat of large fines as a deterrent means nothing if we systematically fail to actually collect on them, including coordinating with the Department of Justice. That means better follow-through on the entire life of an enforcement action. We must work harder to ensure on the back end that our enforcement efforts reap actual, measurable results, and then be transparent about how we’re doing to put violators on notice that we mean business. Otherwise, we’re just creating more headlines.

I could not agree more. The problem is that Democrats have had the legislative and regulatory upper hand since the beginning of 2021 and there has been no tangible progress on tackling a problem that Rosenworcel and Starks previously identified as vital to reducing robocalls. Just a few weeks ago an Indian businessman called Muhammad Khan who admitted to facilitating millions of illegal robocalls was effectively let off a huge fine because he said he could not afford it. The FCC sent a letter to Khan on April 3, 2020, telling him not to spread COVID-19 scam calls. Two whole years passed before the US Department of Justice (DoJ) announced they had settled the case with Khan. That settlement referred to a notional USD3.3mn penalty even though the DoJ had no intention of collecting it. Khan was not even banned from running telcos. So why is Starks now pretending that tougher enforcement has something to do with reducing the number of hours it takes a telco to respond to a traceback request, when previously he said enforcement meant punishing the people responsible for robocalls? It is another politician’s trick: when they fail to deliver on promises, they pretend they were promising something else.

Perhaps the other twenty-something YouTube viewers were impressed with Starks, but if there was a popularity poll for FCC Commissioners then Nathan Simington would get my vote. Like Starks, Simington had nothing useful to say, but he completed all his remarks in less than 30 seconds. By saying almost nothing, Simington misled listeners less than his peers.

FCC Chair Jessica Rosenworcel kept grinning whilst listening to the other Commissioners, which gives you a better indication of her character than reading a transcript of her prepared statement. She keeps saying how much she cares about robocalls hurting ordinary Americans but beams like a Cheshire cat about the positive publicity she generates by tackling the issue. Political division amongst US journalists means they fail to properly scrutinize decisions made by bodies like the FCC if it cannot be presented as a simplistic fight between Democrats and Republicans. The US press is not interested in the detail of the order passed by the FCC, and Rosenworcel knows it. Being a politician, she had already orchestrated the story that she wanted the press to repeat that day, even though it had nothing to do with the content of an order imposing additional obligations on telcos carrying foreign voice traffic.

What they see as evidence of continuing success, I see as evidence of ongoing failure. The FCC goes out of its way to congratulate itself for passing new rules that target foreign-originated phone calls, just a few weeks after the DoJ levied no meaningful punishment on a foreign law breaker, but they think they are making progress because they have pieces of paper saying yet more US lawyers will help them enforce the law? What exactly are these 36 State Attorneys General actually doing that they were not doing before? If signing a Memorandum of Understanding with the FCC is so important to the fight against robocalls, where is the data showing these states receive fewer robocalls? They cannot show the data because there is no data to suggest that the states who signed these agreements are any less prone to robocalls than the states which have not.

If your opening position is that robocalls will only be reduced through international cooperation then it looks bad that you need to devote years of effort just to agreeing to coordinate resources within your own country. I wanted to make this point before analyzing what Rosenworcel said on Thursday to draw further attention to the cognitive dissonance between how the FCC places blame for robocalls and how it claims to be making progress to reduce robocalls.

Robocalls are aggravating. What’s worse is when we crack down on these junk calls, the scam artists behind them find new ways to reach us…

Whoever taught Rosenworcel to repeat this platitude should be ashamed of themselves. A dodgy businessman like Muhammad Khan is not engaged in a sophisticated new scam. The very fact that so-called experts keep saying robocalls can easily be prevented by identifying huge spikes of anomalous traffic shows that fraudsters have not needed to change their methods. They might need to set up a new company or employ a new front man to run it, but some of the other methods mentioned in the FCC’s order which were not meaningfully discussed during this meeting indicate the FCC genuinely believes they can significantly reduce fraud by looking for patterns of traffic that fraud managers have long treated as indicative of fraud.

…and increasingly that means robocalls are coming from overseas

Where is the data to support this assertion about the ratio of robocalls that originate abroad versus those that originated in the USA? It cannot be found anywhere in the FCC’s official output. Rosenworcel vaguely referred to ‘one study’ saying two-thirds of robocalls come from outside the USA. This leads to a few observations:

  • If the proportion of robocalls from overseas is rising, but the total number is unchanged, this means the FCC must believe they have been successful in reducing the number of robocalls that originate within the USA. If that is true, why are they shy about telling us exactly how much they estimate they have reduced robocalls?
  • The FCC has to show the benefits delivered by a new regulation like this will outweigh the additional burdens placed on telcos. However, this latest order relies upon an old estimate which says the total cost of robocalls to US consumers is USD13.5bn per annum. The same estimate has already been used to justify the previous wave of expenditure on STIR/SHAKEN. But if that expenditure delivered a significant benefit, then the old estimate should no longer be accurate. If the FCC genuinely believes their rules have reduced the number of robocalls received by US consumers, why are they not estimating the benefit delivered by STIR/SHAKEN so far, and extrapolating from that to the benefit they expect will be delivered through increased use of STIR/SHAKEN? The remarkably vague analysis of the benefits to be delivered by the FCC’s new order is that it will represent a “large share” of USD13.5bn. They did not say how big the share would be; they offered no numerical analysis or target; they only said the benefit would be “large” relative to this historic estimate of the cost of robocalls.
  • It was entirely predictable that telecoms criminals would move operations to other countries if they could no longer execute them within the USA. Why is the FCC acting like they only recently discovered the number of robocalls from overseas might increase? Why has so little effort been put into negotiating agreements with foreign governments so foreign businesses who originate the bulk of robocalls are punished by the legal authorities in their own countries?

Then FCC Chair Jessica Rosenworcel repeated the same lie as everyone else in the FCC.

…we’re making gateway providers… use STIR/SHAKEN call authentication technology…

The FCC is programmed to lie about call authentication from the well-paid lawyers at the top to the well-paid lawyers at the bottom. They all seek to intentionally mislead the public.

Even the US consortium responsible for tracing the origin of robocalls told the FCC that a partial attestation of a foreign-originated call is a waste of money because it provides no assurance about where the call really came from. If one or two people in the FCC misspoke then it might indicate they did not fully understand the technology they were talking about. Everyone in the FCC misuses the word ‘authentication’, which shows they are engaged in a deliberate deception, probably because they want to avoid the political backlash which would be generated by admitting large amounts of money were spent on ‘authentication’ technology which cannot authenticate most calls. They seek to pretend their latest order will lead to many more calls being authenticated although US telcos have comprehensively explained why adding a C-grade attestation to a call that may have already passed through multiple telcos will not increase confidence in the reliability of the CLI presented to consumers.

Rosenworcel tried to score as many political points as she could from an issue that clearly upsets many US voters. But come the end of her speechifying, she included just one brief and unusually unguarded comment that harked back to complaints she often made about her predecessor as FCC Chair.

We also need more tools from Congress to catch those behind these calls, including the ability to go to court directly and collect fines against these bad actors, each and every one of them.

Rosenworcel has been consistent on this point. But she used to be more forceful in expressing the need for reform. The following quote is from a statement Rosenworcel made on June 10, 2020.

Over the last several years the FCC has levied hundreds of millions in fines against robocallers just like the folks we have here today. But so far collections on these eye-popping fines have netted next to nothing. In fact, it was last year that The Wall Street Journal did the math and found that we had collected no more than $6,790 on hundreds of millions in fines. Why? Well, one reason is that the FCC looks to the Department of Justice to collect on the agency’s fines against robocallers. We need them to help. So when they don’t get involved — as here — that’s not a good sign.

Despite these problems, this notice has my support. I appreciate the work of our Enforcement Bureau to build a case against this fraud. I only wish that we had a whole-of-government effort to not only announce a big fine but do what is really meaningful — and that’s collect.

It is easy to criticize the failures of the Department of Justice when that government agency is run by your political opponents. Since the change at the top of the US government, Rosenworcel’s message has changed. Now she wants more power for the FCC, instead of demanding a whole-of-government effort. That is why the FCC avoided any mention of the case of a telco owner who spread millions of COVID-19 scam robocalls, even though it was settled by the Department of Justice just two weeks ago. That fraud was identified and that person brought to justice using the tools and rules that were already in place two years ago. However, the verdict of the US justice system was to impose no real punishment upon him.

The FCC is now going after legitimate intermediate carriers because they will pay their fines, unlike the real bad actors. This is a no-lose scenario for politicians who can take the credit if the telcos ramp up their efforts to reduce the robocalls, and can act tough on crime if the telcos are punished for failure. Suppose a telco fails to respond to a traceback request within 24 hours? Fine the telco and issue a press release about getting tough on robocalls. The telco failed to submit a mitigation plan to the US database? Fine the telco and issue a press release. The telco failed to do all the things listed in the mitigation plan that it filed? Fine the telco and issue a press release. The telco failed to slap a meaningless C-grade certificate on calls received? Fine the telco and issue a press release. The FCC is going to generate so much publicity about ‘cracking down’ on robocalls that lazy mainstream tech journalists will see no reason to discuss the lack of any measurable reduction in the numbers of robocalls received. Meanwhile, the bad actors who were already being identified by US authorities will continue to avoid any punishment.

There is some hope that after the politicians have won their plaudits, some genuine improvements may occur without the public noticing. No politician will want to draw attention to them because they could have been done before, and at a fraction of the cost of STIR/SHAKEN. Lurking in the detail of the FCC’s new order are proposals for robocall mitigations where the US regulator openly talks about copying methods already used by other countries. For example, they say they could tell US businesses not to use US numbers for calls which originate in call centers that are not actually located in the USA. Precedent for rules like these can be found in Australia, Singapore and South Korea. This is such an obvious way to reduce the abuse of US phone numbers that it is shameful that the FCC has not pursued this option already. Even though Democrats like to bash big business for not doing enough to protect consumers, they do not want to draw attention to the long period over which US companies received support from both political parties for the continued offshoring of jobs to cut costs and fatten corporate profits. Instead of just employing workers in the USA, too many companies preferred an approach where somebody in a country like the Philippines was making a call on that company’s behalf, whilst a US phone number was displayed as the A-party on the recipient’s handset. Big US businesses need a messy boondoggle like STIR/SHAKEN to square a circle that allows them to spoof their own phone numbers whilst pretending that no criminals will ever be able to do the same.

There is a theory of American exceptionalism which says the USA is a uniquely special country. Democrats tend to think only Republicans believe in American exceptionalism, but you can sometimes detect its influence upon Democrat thinking too. The US allows big companies to pretend they operate within their borders whilst taking advantage of lower wages and weak labor laws in other countries. Their authorities want citizens to believe spammy robocalls come from abroad, even whilst they fail to levy any meaningful punishment on US citizens caught spreading illegal robocalls. Vested interests lobby for a system to ‘authenticate’ those robocalls whilst also allowing them to attach US numbers to many calls that did not really originate in the USA. Their leaders talk about alignment with other countries, and they say they anticipate other countries will use STIR/SHAKEN too, even though those countries played no role in formulating STIR/SHAKEN, have no influence over how the technology will develop in future, are offered no role in its governance, and have no companies that can supply STIR/SHAKEN. The US comms regulator signals to other national regulators that they should create new markets for a technology which US telcos have described as “burdensome” and as offering “no utility at all”. The FCC does this whilst brushing aside concerns voiced by big US telcos who question the benefit to consumers of making “millions of dollars in payments to vendors” of STIR/SHAKEN.

Global telecoms is beautifully, and frustratingly, global. The way US authorities have mishandled international cooperation in the field of telecoms fraud management represents the worst aspects of American exceptionalism. But what else can you expect from the leaders of a country where 10 percent of unwanted robocalls are legal just because they were made by politicians?

Robocalls will not be defeated without widespread international cooperation. US leaders know this. Their problem is that they have neither the constitution, the culture, the legal framework, the business environment, the charisma, the acumen, the resolve nor the motivation to cooperate with counterparts in other countries. STIR/SHAKEN is a case study in how a narrow group of people devised a supposedly global solution for telecoms fraud without listening to foreign voices. There are plenty of American voices they also choose to ignore. They talk about international communications, but live within a bubble of their own creation.

However, I sense there is a growing number of US professionals who have realized their country has taken a wrong turn. There were many submissions by US experts in advance of this order which asked the FCC to perform a u-turn on its policy of extending the rollout of STIR/SHAKEN. The leaders of the US traceback consortium appear to be much more conscious of the need to work with foreign telcos than the diehards of STIR/SHAKEN who have dominated policy so far. There are even suppliers of STIR/SHAKEN who are now actively working to determine how to deliver interoperability between multiple authentication methods. This will be the only way to cross the enormous divide between the expensive technology deployed in the USA and the more cost-effective techniques that most other countries will choose to adopt. And whilst a lot of money and hype will continue to be poured into STIR/SHAKEN, the FCC will quietly compensate for STIR/SHAKEN’s weaknesses by copying better and cheaper robocall mitigation methods that have already been proven to work elsewhere.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.