
Phone companies slammed for lousy robocall efforts

By this time next year, says Chairman Ajit Pai, the FCC wants to see an anti-robocall system on consumers' phones - or else.

Federal Communications Commission (FCC) Chairman Ajit Pai wrote to telephone service providers on Monday, slamming them for their lousy efforts on blocking robocalls and saying that a year from now, he expects that we can all get back to actually answering our phones without finding we’ve been tricked by illegally spoofed caller IDs.
Here’s Pai, quoted in an FCC release:

Combatting illegal robocalls is our top consumer priority at the FCC. That’s why we need call authentication to become a reality – it’s the best way to ensure that consumers can answer their phones with confidence. By this time next year, I expect that consumers will begin to see this on their phones.

What the FCC wants to see is a robust call authentication system to combat illegal caller ID spoofing. Some phone service providers are “well on their way” to implementing such, Pai said, thanking AT&T, Verizon, T-Mobile, Comcast, Bandwidth.com, Cox, and Google for their efforts.
But there are laggards, and that includes seven big names. On the list of Pai scoldees are phone providers that apparently don’t yet have “concrete plans to implement a robust call authentication framework,” Pai said. His letters asked those carriers – CenturyLink, Charter, Frontier, Sprint, TDS Telecom, US Cellular, and Vonage – to answer a series of questions by 19 November.
Those companies are dragging their feet when it comes to implementing the new STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) protocols, Pai said. Those are frameworks that service providers can use to authenticate legitimate calls and identify illegally spoofed calls.
There has, actually, been progress on this front.
In September, the Alliance for Telecommunications Industry Solutions (ATIS) announced the launch of the Secure Telephone Identity Governance Authority (STI-GA), designed to ensure the integrity of the STIR/SHAKEN protocols. That move paved the way for the remaining protocols to be established, and it looks like STIR/SHAKEN is going to be up and running with some carriers next year.
Last month, 35 state attorneys general told the FCC to please, by all means, pull the plug on robocalls. The AGs said that the situation is beyond what law enforcement can handle on its own. The states’ respective consumer protection offices are receiving and responding to tens of thousands of consumer complaints every year from people getting plagued by robocalls.


Reuters reports that robocall blocking service YouMail estimated there were 5.1 billion unwanted calls last month, up from 3.4 billion in April.
SHAKEN/STIR isn’t expected to be a cure-all, but it could be a big help. From Pai’s press release:

Under the SHAKEN/STIR framework, calls traveling through interconnected phone networks would be ‘signed’ as legitimate by originating carriers and validated by other carriers before reaching consumers. The framework digitally validates the handoff of phone calls passing through the complex web of networks, allowing the phone company of the consumer receiving the call to verify that a call is from the person supposedly making it.

The questions that Pai put to the carriers that don’t yet have a concrete STIR/SHAKEN plan:

  • What is preventing or inhibiting you from signing calls today?
  • What is your timeframe for signing (i.e., authenticating) calls originating on your network?
  • What tests have you run on deployment, and what are the results? Please be specific.
  • What steps have you taken to work with vendors to deploy a robust call authentication framework?
  • How often is Charter an intermediate provider, and do you intend to transmit signed calls from other providers?
  • How do you intend to combat and stop originating and terminating illegally spoofed calls on your network?
  • The Commission has already authorized voice providers to block certain illegally spoofed calls. If the Commission were to move forward with authorizing voice providers to block all unsigned calls or improperly signed calls, how would you ensure the legitimate calls of your customers are completed properly?

Ars Technica’s Jon Brodkin notes that some of these carriers have registered reservations about SHAKEN/STIR.
Sprint, for one, told the FCC in October that the protocols will be helpful in fighting illegal robocalls, but it’s not a “complete solution.” Nor is it cheap. From its letter to the FCC:

Sprint is also concerned about the costs of implementing the certificate management requirements of SHAKEN and encourages the Commission and industry to explore more cost-effective alternatives to the central repository process originally contemplated in the development of SHAKEN.

Carriers have also complained that SHAKEN doesn’t tell them anything about the content of a call or whether it’s legal. From Sprint’s letter:

It just authenticates origination of the call path and the Caller ID information of individual calls.

Nor will it be useful without universal adoption, Sprint wrote:

Without universal adoption of SHAKEN from originating carrier to completing carrier, call authentication will not be passed to the terminating carrier.

T-Mobile concurred, among other carriers. From its filing to the FCC:

First, SHAKEN/STIR can only provide a positive affirmation of the source of a given call. It cannot provide confirmation of the opposite – that is, that a call is definitively ‘bad’ or fraudulent. This is particularly true where calls are carried by international providers that do not participate in SHAKEN/STIR and send calls to the United States through wholesale partners.

T-Mobile also touched on an issue raised by the 35 state AGs, who noted that it’s tough to prosecute calls that travel through a maze of smaller providers: If the caller can be found at all, they’re usually located overseas, making enforcement difficult. On the part of the carriers, T-Mobile said, protocol adoption has to happen outside the US to include international carriers in order to have a real effect on the “onslaught of fraudulent calls.”
In spite of these points, Pai is threatening action if SHAKEN/STIR isn’t implemented within a year:

I am calling on those falling behind to catch up… If it does not appear that this system is on track to get up and running next year, then we will take action to make sure that it does.
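
What "signed by the originating carrier, validated by the terminating carrier" looks like at the data level, as an added example that is not from the article, the FCC or any carrier: in SHAKEN the assertion travels as a PASSporT token (RFC 8225, RFC 8588) in the SIP Identity header, and the Python below runs the claim checks a terminating provider applies to it, including the unsigned case Sprint and T-Mobile describe. The phone numbers, certificate URL, `MAX_AGE` value, function names and verdict strings are constructed assumptions, and the ES256 signature check against the originating carrier's certificate is left to a crypto library.

```python
import base64
import json

MAX_AGE = 60  # seconds of "iat" skew accepted; assumed policy value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_identity(orig, dest, iat, attest="A"):
    """Build a constructed Identity header value; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                     for part in (header, claims)) + "." + b64url(b"\0" * 64)
    return token + ";info=<" + header["x5u"] + ">;alg=ES256;ppt=shaken"

def classify(identity, from_tn, to_tn, now):
    """Verdict a terminating provider can reach from the token's claims alone."""
    if not identity:
        return "unsigned"  # no assertion at all: says nothing about good or bad
    try:
        head, body, _sig = identity.split(";")[0].split(".")
        header = json.loads(unb64url(head))
        claims = json.loads(unb64url(body))
        if (header["alg"], header["ppt"]) != ("ES256", "shaken"):
            raise ValueError("not a SHAKEN PASSporT")
        orig = claims["orig"]["tn"]
        dest = list(claims["dest"]["tn"])
        iat = int(claims["iat"])
        attest = str(claims["attest"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if abs(now - iat) > MAX_AGE:
        return "stale"  # replayed or long-delayed token
    if orig != from_tn or to_tn not in dest:
        return "mismatch"  # token was issued for a different call
    # The ES256 signature over "head.body" must still be verified with the
    # certificate at header["x5u"] before the caller ID is treated as authenticated.
    return "claims-ok-attest-" + attest
```
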

9 Comments

I don’t like Pai one bit and I don’t know if SHAKEN/STIR is the solution but I love this effort. It is long overdue. I get so many robocalls that I keep my phone on do not disturb permanently and I basically never answer it.

Reply

While some of the foot-draggers’ comments have validity, none of them are sufficient reasons for not implementing this. I hope the FCC follows through on these threats, because the current situation is unacceptable.

Reply

Even without overseas adoption, STIR/SHAKEN will be a bit of a relief since spoofing local area numbers would be more challenging.

Reply

This story talks about robocalls and about spoofing, yet seems mostly focused on robocalls. These are two different things, although they can be combined. I really don’t understand why number and ID info can so easily be spoofed. My understanding has been that spoofing is actually legal. There are multiple web-based services that allow anyone to spoof caller ID info for a small fee per call. These services should be made illegal and shut down. It would save us all a lot of bother and trouble, especially since scammers began spoofing caller ID info to appear to be local, and seemingly recognizable as known businesses and friends, rather than some random number from wherever.

Reply

There are both illegal and legal uses of both robocalling and spoofing. The FCC gives an example of legal spoofing being a doctor who wants to use her own phone to call a patient but wants her office number to display.

Reply

It probably opens a can of worms, but I would appreciate the option as an end-user to block or send non-end-to-end SHAKEN/STIR compliant numbers to voicemail. The idea is to encourage adoption as it went with DKIM/SPF where eventually the large email service providers started to require implementation of the standards.

Reply

To the carriers: What is your cost for transmitting 5.1 billion (and growing) unwanted calls per month? Think of the wasted energy costs for each unwanted transmission let alone the wasted bandwidth. It seems you would be self-motivated to fix the problem given the wasted operational costs impacting your bottom lines.

Reply

Here it is 3 years later (2021) and I’m getting more spoofed calls than ever before. STIR/SHAKEN is a half-baked protocol that does nothing to actually reduce scam calls.
There was a simple solution to this plague but the FCC wouldn’t hear of it.
We’re all painfully aware of CAPTCHA… which is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.
It’s simply a challenge-response test used in computing to determine whether or not the user is human.

Reply
