On the heels of the TRACED Act, the Federal Communications Commission, on March 31, 2020 issued, an Order requiring all originating and terminating voice service providers (including two-way and one-way outbound VoIP services) to implement STIR/SHAKEN in the IP portions of their networks by June 30, 2021 with limited exceptions. STIR/SHAKEN allows voice service providers to verify that the caller ID information transmitted with a particular call matches the caller’s number. It is designed to mitigate practices by which bad actors insert fake numbers into caller ID and pretend to be calling from local numbers or from agencies such as the IRS.
The CCA filed comments leading up to this Order pointing out, among other issues, that only carriers with their own Operating Company Numbers (OCNs) and direct access to numbers can currently participate in the framework. In response the FCC states that it looks forward to working with the STIR/SHAKEN governance authority and the Cloud Communications Alliance and its members to determine how best to resolve these issues expeditiously.
STIR/SHAKEN consists of two primary components: (1) a set of technical standards and protocols for inserting authentication tokens in SIP headers as set forth in a series of ATIS technical documents; and (2) an industry-led governance structure that issues trusted certificates to qualifying voice providers and that enables authentication at the originating end and verification at the terminating end of the call. The framework currently only works in IP networks. The Order defines implementation as compliance with the primary technical documentation released by ATIS (ATIS-1000074, ATIS-1000080, and ATIS-1000084) and available at the STIR/SHAKEN governance authority website, https://www.atis.org/sti-ga/.
The order imposes three specific requirements:
(1) a voice service provider that originates a call that exclusively transits its own network must authenticate and verify the caller ID information consistent with the STIR/SHAKEN authentication framework (Note that implementation for solely on net transmissions need only be consistent with, rather than in accordance with, the STIR/SHAKEN framework. This difference in language is designed to reflect that not all requirements applicable to exchange between carries may be needed to authenticate in network transmissions.);
(2) a voice service provider originating a call that it will exchange with another voice service provider or intermediate provider must authenticate the caller ID information in accordance with the STIR/SHAKEN authentication framework and, to the extent technically feasible, transmit that caller ID information with authentication to the next provider in the call path; and
(3) a voice service provider terminating a call with authenticated caller ID information it receives from another provider must verify that caller ID information in accordance with the STIR/SHAKEN authentication framework (Note that the requirement on terminating carriers to verify incoming calls on its IP network applies even if the voice service provider is not able to authenticate its own originating calls.)
Despite the mandated deadline, a number of open issues remain to be resolved before all voice providers can fully participate. A number of these issues are teed up in a further notice of rule making attached to the Order.
Enterprise Calls. Industry has not finalized standards and protocols that would enable the highest level of authentication for calls originating from enterprises where the originating provider did not assign the number being used in the caller ID. This is a critical issue for CCA members given they serve enterprises almost exclusively. The FCC declined CCA’s suggestion to set a deadline for industry to resolve the issue stating its belief that the June 30, 2021 deadline will provide sufficient incentives for prompt resolution. The FCC also seeks comment on whether to extend the deadline for some or all enterprise calls if standard are not set.
Access to Certificates. The framework contemplates that voice providers will obtain the necessary credentials to participate from authorized certificate authorities, which could be internal for larger providers or a third party. As noted above, however, currently only providers with OCNs and direct number access are authorized to obtain certificates.
TDM Networks. Industry must still develop an authentication framework for TDM networks. One possibility is an out-of-band work around that will deliver certificates over a separate signaling network. The TRACED Act requires providers to take reasonable measures to implement an authentication framework, either STIR/SHAKEN or an alternative, on their non-IP networks. The FCC seeks comment on what reasonable measures entail and proposes that it require providers to directly or through a representative participate in a standards development process.
Small Provider Exemption. The FCC seeks comment on a proposal to grant small providers an additional year beyond June 2021 to implement SHAKEN/STIR. It proposes to define small providers as those with less than 100,000 subscriber lines. One issue for CCA members is whether this definition reasonably defines a small provider. Many CCA members define their size relative to “seats” not subscriber lines. Are seats and subscriber lines reasonably equivalent or should the FCC establish a separate definition to capture smaller over-the-top VoIP providers that serve enterprises.
IP Interconnection. The lack of IP interconnection remains a barrier to end-to-end implementation of STIR/SHAKEN. The FCC seeks comment on whether to extend the implementation deadline due to lack of IP interconnection.
Intermediate Carriers. The Order only applies to originating and terminating providers serving end users. Many calls, however, traverse one or many more intermediate providers. Fully implementation of STIR/SHAKEN requires transmission of the authentication information across these providers, to the extent technically feasible. The FCC seeks comment on requiring intermediate providers pass call authentication information in the IP networks.
International Calls. The treatment of international calls continues to be an issue because they may not be able to receive a high level of authentication. The FCC seeks comments on ways to address such calls and notes that industry has drafted some initial technical guidance.
Call Labeling. CCA raised concerns that the bigger carriers that have begun to implement STIR/SHAKEN will label calls signifying number verification. However, since may providers either have not or cannot implement the framework, (e.g., because of enterprise calling or use of TDM networks), legitimate calls may not receive verification, potentially resulting in adverse treatment by called parties. The FCC seeks comment on this issue.
Access to Numbers. The FCC seeks comments on any changes that might be useful in preventing bad actors from obtaining access to numbers, including, for example, certifications or know your customer obligations.
Comments on open issues are due May 15, 2020 and reply comments are due May 29, 2020.