Skip to content
Naked Security Naked Security

US Senate passes anti-robocalling bill

The TRACED Act was a slam dunk in the Senate, where it passed with an overwhelming 97-1 vote.

A portal has been partially opened that may, just maybe, eventually, lead the country out of its robocaller misery.

The endangered species known as a bipartisan bill sailed through the US Senate on Thursday. The bill, designed to fight illegal robocalling, passed with an overwhelming 97-1 vote, and now it’s headed to the House of Representatives. From there, it’s on to the desk of President Trump.

Senators John Thune and Ed Markey introduced the bill, which is titled the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, or the TRACED Act, in January.

Markey told reporters that robocalls are driving people nuts on both sides of the aisle:

There are no red robocalls, there are no blue robocalls. There are only robocalls that drive every family in America crazy every single day.

If the bill makes it through the House and is signed into law, it will empower the Federal Communications Commission (FCC) to inflict hefty new fines – as much as $10,000 per call – for illegal robocalls. The legislation would also increase the statute of limitations for bringing such cases, thereby giving FCC regulators more time to track down offenders.

The act would also create an interagency task force to address the problem, and it would push carriers like AT&T and Verizon to deploy call authentication systems, such as the pending STIR/SHAKEN call identification protocols, into their networks.

That’s now in the works: in September 2018, the Alliance for Telecommunications Industry Solutions (ATIS) announced the launch of the Secure Telephone Identity Governance Authority (STI-GA), designed to ensure the integrity of the STIR/SHAKEN protocols.

That move paved the way for the remaining protocols to be established. Verizon announced in March that it had begun deploying STIR/SHAKEN technology: an authentication standard designed to fight call spoofing by verifying that the number on caller ID is the number that actually placed the call. Verizon said at the time that in coming months it would begin deploying STIR/SHAKEN on interconnections with other major carriers, as well.

Around the same time, AT&T and Comcast said that they had exchanged calls using the protocols.


There’s been a bumper crop of legislation introduced to fight the scourge of illegal robocalls. According to The Hill, there were three hearings held during the previous Congress, and 13 bills were passed to curtail illegal robocalls.

The politics-focused media outlet called the TRACED Act the most significant one so far. It’s got the backing of all 50 state attorneys general, 35 of whom told the FCC in October 2018 that they were pulling their hair out over the enormous problem and that it was beyond the scope of what their states’ law enforcement agencies could cope with.

In February 2019, FCC Chairman Ajit Pai reiterated his call for a robust caller ID authentication system to be implemented this year. Earlier this month, Pai announced a new FCC initiative to fight illegal robocalls that would assure carriers that they’re able to automatically register customers for call-blocking service. At this point, customers have to do it themselves.

The proposed rule will be taken up for a vote next month.

Yes, it is getting worse

It’s not our imaginations: the robocaller plague is indeed getting worse. According to a report from YouMail, a company that makes robocalling technology for cellphones, there were 48 billion robocalls placed in the US last year. That’s an increase of about 57% from the 2017 estimate. Scams are taking up an enormous share of that, be they health/health insurance scams, interest rate scams, student loans scams, easy-money scams, search listing scams, home-related scams, travel scams, tax scams, business-related scams, or warranty scams.

Will STIR/SHAKEN save us?

Don’t count on it. At least, the protocols won’t do it all by themselves. STIR/SHAKEN – short for Secure Telephone Identity Revisited and Signature-Based Handling of Asserted Information Using Tokens – is a pair of network protocols that use digital certificates to ensure that the calls aren’t coming from spoofed numbers.

It doesn’t actually block spoofed numbers, though. The protocol doesn’t identify bad actors. Rather, it enables carriers to authenticate calls, after which consumers will be able to tell if a number is likely to be a robocall, and it gives the FCC a head start in tracking down the callers.

Back in November, Pai slammed carriers for dragging their feet on implementing SHAKEN/STIR. Some of those carriers, however, have reservations about the protocols.

Sprint, for one, told the FCC in October that the protocols will be helpful in fighting illegal robocalls, but it’s not a “complete solution.” Nor is it cheap. From its letter to the FCC:

Sprint is also concerned about the costs of implementing the certificate management requirements of SHAKEN and encourages the Commission and industry to explore more cost-effective alternatives to the central repository process originally contemplated in the development of SHAKEN.

Carriers have also complained that SHAKEN doesn’t tell them anything about the content of a call or whether it’s legal. From Sprint’s letter:

It just authenticates origination of the call path and the Caller ID information of individual calls.

Nor will it be useful without universal adoption, Sprint wrote:

Without universal adoption of SHAKEN from originating carrier to completing carrier, call authentication will not be passed to the terminating carrier.

T-Mobile concurred, among other carriers.

Regardless, legislation marches on

Senator Thune said that he hopes the House will take up the TRACED Act soon:

It will make life a lot more difficult for scam artists and help ensure that more scammers face punishment for their crimes.

The House, however, is working on its own bill, the Stopping Bad Robocalls Act (HR 946), which was introduced by Rep. Frank Pallone Jr., the chairman of the Energy and Commerce Committee.


Can you imagine the senator that voted against this bill? I imagine he is getting angry robo-calls right now!


97-1? I’m left wondering who was the 1, and what their issue was…


Here’s your answer: Rand Paul (R-Ky)

And there were two senators who didn’t vote.


To me this only highlights the problem of politics. We have a skyrocketing prison population, a 40 year old unwinnable war on drugs, can’t figure out immigration, but hey we can pass a bill to make something already illegal have a heftier fine. Also going to increase federal spending on what for the most part amounts to an inconvenience in most people’s lives.


The law in question is to get call source authentication, not punish robocallers. I would predict that this act would help to make filtering robo calls a lot easier, since you could no longer place calls that appear to be from families and friends of the target. It would also provide a way to target call filtering, since you could reject unauthenticated and blacklisted callers without an easy workaround for spammers.


This is probably just a article m e n t to pacify the public to be made to believe that something is going to be done. As the article is written with nothing but disclaimers, I believe these options will not work. If the phone companies wanted to they could trace the original collar all the way through different phone carriers without any problem. So I believe this article is a bunch of Bologna


These greedy carriers make plenty of money to put something like this in place. It’s about time. But they are correct if a carrier in a foreign country does not participate then the only choice might be to block any carrier that does not use such a technology. I’m fine with blocking any carrier that does not participate.


At least we’re headed in the right direction.

In the meantime, I wonder if we can get John Oliver to robocall Rand Paul while he still can since he apparently Senator Paul decided to vote against the bill. (source:


Does Sophos have any details on how the STIR/SHAKEN protocol is implemented? The ATIS website looks like it requires payment to get any details.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!