US Proposes Another Change to STIR/SHAKEN Implementation Dates

There have been many delays to the North American roll-out of STIR/SHAKEN, the technology which either promises to end all CLI spoofing or which will have marginal impact depending on who you talk to. These delays have been caused by original projections of the development of STIR/SHAKEN proving to be wildly overoptimistic whilst the cost has remained too high for smaller telcos. The Federal Communications Commission (FCC), the US regulator, is canvassing opinions about another potential change of schedule, but this time they are proposing to bring the deadline forward for smaller telcos who originate a suspiciously high number of calls.

Current US rules state that telcos which service fewer than 100,001 subscriber lines will not need to implement STIR/SHAKEN for their IP networks until 30th June 2023. The FCC has suggested imposing STIR/SHAKEN obligations a year earlier for a subset of those telcos that originate ‘an especially large amount of traffic’. The FCC evidently believes that they can use a ratio to determine which telcos must be promulgating spam because the number of outbound calls is too high relative to the number of subscribers.

The FCC’s Notice of Proposed Rulemaking states:

…in our preliminary view it is appropriate to tailor our alteration of the extension as narrowly as possible to those small voice service providers most likely to originate unlawful robocalls…

The notice goes on to suggest several different ways of defining who is originating ‘especially large’ numbers of calls.

We seek comment on whether we should exclude from the full extension a small voice service provider that originates an unusually high number of calls per day on a single line. For example, USTelecom proposes that we exclude from the full extension a small voice service provider that originates more than 500 calls per day for any single line in the normal course of business.

Instead of examining the average number of calls over time, should we look at small voice service providers that reach a call threshold on a single line on a single day? Would this approach provide additional certainty and reduce the possibility for gaming? Rather than looking at the average number of calls on a single line, should we look at an average—or other measures—across a larger number of lines? If so, what call volume metric should we use and why? For example, could we look at the number of calls per line averaged over all lines or those lines with more originating than terminating calls?

We seek comment on whether we should shorten the extension for small voice service providers that receive more than half their revenue from customers purchasing services that are not mass market services, as suggested by USTelecom. Do commenters agree that the proportion of revenue from non-mass market services is a good proxy for identifying small voice service providers that are likely to originate an especially large amount of traffic and, therefore, likely to originate unlawful robocalls?

Should we shorten the extension for those small voice service providers that offer certain service features to customers commonly used for unlawful robocalls, such as the ability to display any number in the called party’s caller ID, or to upload and broadcast a prerecorded message?

There is also some uncertainty about whether to make exemptions for certain kinds of customers, begging the question of whether spamming will be tolerated from some businesses but not others.

If we adopt a numerical threshold of calls, we seek comment on whether we should exclude calls from certain entities that have a valid business reason to make a large number of calls, so that certain calls would not count toward any numerical threshold we establish. For example, should we exempt calls from doctor’s offices, schools, or businesses such as insurance companies? Would a small voice service provider be able to determine whether its customer fell within any of the categories we adopt?

It is obvious that the FCC should crack down on companies that let their customers choose a bogus phone number to appear to be the origin of calls, and also allows them to create recorded messages with the intention that they be repeated often. It is also obvious to focus on businesses that originate millions of such calls whilst seemingly having very few subscribers. However, such a crackdown could just as easily have occurred without spending a penny on STIR/SHAKEN. If a bank robbery takes place and I see somebody walking away with a large bag of money over their shoulder then I do not need to search everybody on the street in order to identify suspects.

The FCC’s new proposal follows the creation of their ‘Robocall Response Team’, whose role appears to be to devise new ways of defeating robocall spam. However, the absence of any truly new ideas is creating an air of desperation, and I now wonder if their role is to cover up the deficiencies of the STIR/SHAKEN plan followed thus far. Acting FCC Chair Jessica Rosenworcel issued a statement alongside the new rulemaking proposal that emphasized how the FCC is cracking down on businesses that appear to spread spam, as further underlined by warnings being issued to two more telcos threatened with disconnection if they do not take immediate action. Rosenworcel also lists all the other actions the FCC is taking, but her team of “over 50 attorneys, economists, engineers, and analysts from four bureaus and two offices” seemingly have nothing new to offer but more promises that STIR/SHAKEN will succeed eventually.

With just a little over a month until the deadline for implementing STIR/SHAKEN amongst all the big US telcos, I get the impression that STIR/SHAKEN is going to be a multimillion dollar flop, instead of being the game-changer promised by the suppliers and technologists who have profited from it. Panic is creeping into US plans to stem the tide of robocalling, as evidenced by this push to impose STIR/SHAKEN more extensively despite there being no sign of robocalls falling amongst those telcos that have already implemented the technology. Supporters of STIR/SHAKEN know that when a large enough amount of money has been spent on a technology project then they cannot allow it to be seen to fail. The stench of failure would have consequences for their reputations as advisors and suppliers, and hence for their future profits.

I would not be surprised if the FCC keeps repeatedly tinkering with its STIR/SHAKEN rules over the next year, before changing direction and blaming other countries for not implementing it. Repeatedly shifting focus and blame is one way to justify an enormous amount of expenditure on a technology project that made grand promises which were never kept.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.