Will Germany Reject STIR/SHAKEN?

Regular readers of Commsrisk will know the US government has concocted a plan, with the encouragement of some self-interested businesses, to force every telecoms network in the world to implement STIR/SHAKEN. You also know this plan is fanciful. The plan is so obviously deluded that many apprehend the reasons it will fail before they even learn what STIR/SHAKEN is. The self-deception began when an insular group of Americans decided that they know what the whole world needs without asking for input from anyone outside of their little cabal. At some point the fantasy will be broken, but that will not occur until one country exhibits some political courage by dropping the pretense that they will give serious consideration to mandating STIR/SHAKEN for their telcos. Will that country be Germany?

STIR/SHAKEN, for those of you who are trying to forget, is a combination of technology and governance protocols that can potentially identify whether a CLI has been spoofed. The technology can be made to work, though implementing it is expensive. The governance, however, is completely unworkable for cross-border calls, unless the USA and other countries decide that an extraordinary amount of power will be transferred from their governments to some unknown international body. That power is the authority to decide who can and who cannot make phone calls. Telcos already have that power, but rational for-profit businesses usually choose not to obstruct activities that generate revenue, which is why STIR/SHAKEN is about creating a framework where the decision to block will ultimately be taken away from individual telcos. Like any censorship issue, muddled thinkers will be in favor of increased restrictions when the focus is on excluding bad actors, but will have less to say when it becomes clear that the same powers could be used against anyone. This is especially poignant for the USA, which is actually addicted to spoofing CLIs and wants a mechanism that will allow big corporations to continue the practice. This is why the ultimate decisions about whose calls may be blocked will be important to any nation. Such a transfer of authority to a pan-national body is difficult to imagine for most governments; it is impossible to imagine the US government relinquishing that much control.

It hardly needs stating that China, home to some of the world’s most important telecoms suppliers as well as 1.4 billion people, will not follow the lead of the USA whilst also being subject to a trade war over the control of telecoms technology. However, the loose thinking of the architects of the global STIR/SHAKEN plan allows them to rationalize they have a stepwise strategy for rolling out STIR/SHAKEN across the planet that not only leaves China until last, but also seemingly does not require them to prioritize the implementation of STIR/SHAKEN in the majority of countries covered by the North American Numbering Plan. They will instead focus on rich Western countries, which is rather convenient for companies selling expensive technology. That is why the first country to dispel illusions surrounding STIR/SHAKEN will likely be a European country with the economic might and technological nous to challenge the hegemony of the USA whilst still being perceived to be an ally.

My homeland, the UK, is too politically weak to obstruct the roll-out of STIR/SHAKEN, so has opted to play for time instead. That is why American regulatory experts insisted the UK would commit to implementing STIR/SHAKEN this year but the employees of the British regulator have only vaguely mumbled about things that cannot be done now but which definitely/maybe/could be done in several years’ time. France has already chosen to implement STIR/SHAKEN, seemingly because nobody in France had the imagination to think of alternatives. Meanwhile, Germany is thinking of alternatives and has set about implementing controls over spoofing that the USA is incapable of emulating because of the aforementioned addiction to spoofing by big US corporations that utilize offshore call centers. Since the beginning of December, a new rule requires German telcos to check the A-number for inbound international non-roaming calls and to remove the CLI if it gives the appearance of originating in Germany.

I often refer to Germany’s new approach to tackling the spoofing of international calls as ‘the alternative to STIR/SHAKEN with no name’. People spend time thinking of names for their children, for their pets, and for products they want to sell. When people just have a good idea they get on with implementing it, not worrying about what the idea should be called. Germany is not alone in deviating from the US approach by first focusing on international calls that present a domestic CLI. Germany has been more timid than several countries because they will only remove the CLI of calls that fail to pass the new checks, whilst other countries will block all calls that fail their checks. Australia pioneered the approach of blocking international calls with a misleading domestic CLI. Whilst Americans predicted the UK would commit to STIR/SHAKEN this year, the biggest outcome from the British regulator’s discussions with industry has been to also require the blocking of international calls showing a domestic CLI. Several Arab nations including Bahrain, Oman, and Saudi Arabia are reportedly using the approach to more aggressively block calls by looking up data in HLRs to determine if a mobile phone number really is associated with an outbound roamer. Germany is not alone in using this ‘method with no name’ but there is a second reason to speculate that Germany will drive the adoption of a challenger to STIR/SHAKEN.

Although it has been little publicized, Deutsche Telekom is said to have performed trials in conjunction with A1 Telekom Austria of an out of band mechanism for verifying the origin of international phone calls. Successful implementation of an out of band verification mechanism would give Deutsche Telekom and any other telcos implementing the same method a clear alternative to STIR/SHAKEN but without the necessity to upgrade to IP networks end-to-end. In other words, it addresses the main reason why the UK regulator is hedging around a potential adoption of STIR/SHAKEN in 2025, because Britain will only have the requisite IP networks at that time. More importantly, it means it would be possible to verify international calls even if they come from countries that continue to rely on non-IP networks.

The trials of the new out of band verification method have been overseen by CBAN, an association of major international carriers that includes some of the biggest Chinese telcos as well as massive European-headquartered groups like Orange, Telefónica and Vodafone. It is telling that CBAN involves some of the key global players in voice communications but has almost no overlap with the membership of ATIS, the US body that developed the master plan for STIR/SHAKEN. ATIS insists it can lead the global development of STIR/SHAKEN because they are international in outlook but counting American multinationals like Microsoft and Google amongst their membership is no substitute for the glaring lack of representation from major foreign voice carriers. I expect that members of ATIS and other North American experts in call authentication are so unaware of rival work that reading this article will be how many of them first learn of the existence of CBAN and the trial of out of band verification for international calls.

It is an advantage for ATIS that their promotion of STIR/SHAKEN is backed by well-known American companies like iconectiv and Neustar that expect to turn STIR/SHAKEN into a global cash cow. In contrast, the competitors who developed the methods being tested within CBAN may be unfamiliar to readers. CodeB is a business incorporated in Malta whose website mostly explores the potential of blockchain. Those of you with a keen insight into the technology of online authentication will see many overlaps between the technologies and use cases that interest CodeB and the ways in which blockchains could also be used in conjunction with the digital signatures that are central to STIR. CodeB will face stiff competition, but a really good idea at the right price will sometimes outsell a weaker idea that costs too much. Their chances of success will be heavily influenced by whether they have the right backers to support the early adoption of their out of band verification product. Regarding their likely supporters, a good poker player should be able to spot the ‘tell’ in the following short video demonstration of CodeB’s verification technique.

Did you spot the ‘tell’ in the video? CodeB is a Maltese business but they made a video illustrating how they authenticated calls beginning +49, the country code for Germany.

Perhaps the worst mistake anyone can make in international telecoms is to assume all business can be reduced to technology, costs, and projected returns on investment. Culture and politics also exert a great influence on decision-makers within telcos. Germans care about privacy more than most other nationalities. They will also be reluctant to hand the oversight of calls to some international body whose interests may not align with the concerns of ordinary Germans. Germany is a member of the Western alliance but Germans are not entirely trusting of the USA. President Obama was able to quickly smooth over the ruction caused when Chancellor Merkel learned the US had spied on her phone, but that does not mean American corporations can take German public opinion for granted. The adoption of a technology like STIR/SHAKEN, which has the potential to be used for monitoring call patterns as well as blocking calls, will likely receive more scrutiny from the press and from political activists in Germany than could be expected from their counterparts in France and the UK. If Germany’s leading telco adopts a decentralized method of verifying calls then it will be even harder for advocates of STIR/SHAKEN to justify their centralized approach to distinguishing good calls from bad.

The big stick for US policy is to threaten foreign telcos with not being able to connect calls to the USA unless they adopt STIR/SHAKEN. That power underpins much of the confidence that the US law will be used to beat foreign telcos into submission. But whilst lawyers have a lot of influence over US politics, big corporations have even more. There is one more reason to speculate why Germany may halt the adoption of STIR/SHAKEN for international voice traffic. This year Deutsche Telekom increased their shareholding in T-Mobile US to 48.4 percent. The German giant evidently seeks to take direct control of the US business displaying their brand. US policy-makers need all their allies to support the trade war with China, so if one of the most important allies decides it has an effective alternative to authenticating the origin of voice traffic, and wants to use that authentication in conjunction with calls terminating on a US mobile network serving over 100 million customers, we shall see how much influence the supporters of STIR/SHAKEN really have.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.