FCC deadline for STIR/SHAKEN caller ID authentication nears


The wireless industry is working to combat robocalls, and Wednesday, June 30, marks the FCC deadline for carriers and other voice providers to implement STIR/SHAKEN caller ID authentication technology.

STIR/SHAKEN is a protocol that helps digitally authenticate phone numbers, before the call reaches consumers, to verify that a call is indeed coming from the number shown on a caller ID. It’s a technology used against illegal spoofing, a technique robocallers sometimes use to make a call appear to come from a legitimate number.

STIR is the technical protocol and SHAKEN is the U.S.-Canada governance management framework on top.

The Federal Communications Commission (FCC) already authorized operators to automatically block illegal robocalls, and in March of 2020 it mandated that voice service providers and intermediate service providers deploy the STIR/SHAKEN framework in their IP networks and certify by the June 30 deadline.

Some groups, such as smaller service providers (fewer than 100,000 subscribers), get extensions that give them a couple more years, with a mid-2023 deadline. However, Bill Versen, president, communications market and CMO for TNS, noted that even with an extension, all providers must show efforts to ensure robocalls don’t originate on their networks, and they need to file documentation showing that with the FCC’s Robocall Mitigation Database.

Those that don’t “may be subject to appropriate enforcement action,” the FCC notes.


Ahead of the deadline, industry participants cited progress and general preparedness.  

AT&T recently said it’s now blocking or labeling more than 1 billion robocalls per month, with fraud calls blocked before reaching subscribers’ phones, and suspected spam labeled as such so users can choose whether or not to answer.

“We intend to meet all the components of the June 30 deadline, including STIR/SHAKEN benchmarks, continued support for the Industry Traceback Group, and a strong program to keep illegal robocalls from originating on our network,” an AT&T spokesperson said.

In March T-Mobile said it was the first to implement STIR/SHAKEN with all major U.S. network providers, while Verizon started exchanging STIR/SHAKEN-enabled calls with AT&T, T-Mobile, and Comcast. Verizon on Wednesday confirmed it has met the FCC's mandate to sign calls with STIR/SHAKEN. It said more than 135 million calls a day are currently exchanged between Verizon and other participating carriers. Also on Wednesday, T-Mobile announced filings to certify that it has completed the implementation, with all calls originating on the T-Mobile network 100% STIR/SHAKEN-compliant.  

Iconectiv has the role of industry and policy administrator for SHAKEN, acting as the authority to ensure that the different parts of the authentication process itself are trustworthy.

At the end of March, more than 100 carriers had been processed to be approved to obtain SHAKEN certificates. There are currently 278 providers registered, according to Bob Grant, director of Product Management at iconectiv, who called participation by telephone companies “exceptionally important in stopping illegal robocalling at the source.”

“Companies that choose not to participate in STIR/SHAKEN could potentially run the risk of becoming a conduit for fraudsters to put illegal traffic onto the network,” Grant said via email. He anticipates voice service providers will continue to join the STIR/SHAKEN ecosystem even after the deadline has passed as they work to comply with the caller ID authentication rules.


TNS’ Versen said that for larger providers working towards the June 30 deadline, the company is “already seeing tangible results.”

TNS provides call analytics solutions for robocall protection.

“TNS data shows more than one-third of the total calls going across carrier networks in December 2020 were self-signed by a voice service provider ensuring the caller was verified, up from 21% in January 2020,” Versen said.

Smaller providers

While smaller providers have until June 2023 to implement STIR/SHAKEN, they still need to document efforts to reduce robocalls that originate on their networks. That includes progress within the newly created FCC Robocall Mitigation Database.

“This is significant because TNS data showed nearly 95% of high-risk calls originated from non-Tier 1 carriers last year, and that is why there is particular focus from the FCC on how to identify and address the subset of smaller providers at the greatest risk for generating high volumes of unwanted robocall traffic and having them comply by June 2022,” Versen said.

That combined with enforcement and industry innovation in branded calling (imagine a company’s logo accompanying a call) and advanced call analytics “should result in further gains in robocall mitigation,” he added.


Jamie Gibson, VP of Technology for Ribbon Communications, which provides platforms and services including IP and optical networking for communications companies, said they’ve had several conversations over the last few weeks with partners and potential clients.

“Based on these conversations and the months of planning leading up to the deadline with customers, we feel like the industry is generally prepared for June 30,” Gibson said via email.

But smaller service providers still need to make moves.

“Even if a service provider has a STIR/SHAKEN extension, they still must act,” Gibson said, noting requirements for robocall mitigation plans.

Missing the deadline, concerns for foreign providers

While generally ready, there is likely a group of voice service providers that won’t meet the deadline, according to Gibson.

“While these providers won’t notice a difference on July 1, if they remain non-compliant they will be unable to send traffic to other operators starting September 28, 2021,” Gibson said. “It’s currently unclear what will happen between the two dates, although the FCC has indicated that non-compliant voice service providers may be subject to appropriate enforcement action, without providing any concrete details.”

Gibson said the FCC could also determine the efforts aren’t enough to mitigate robocalls, and indicated the agency is leaving it up to service providers, without providing specific plans or thresholds for effectiveness.

A June 24 ex parte filing (PDF) shows AT&T voiced concern about the September 28 date. It has to do with a provision that prohibits U.S. intermediate and terminating voice providers from accepting traffic directly from any foreign service provider not in the FCC’s robocall mitigation database.

The carrier expressed strong support for a CTIA petition to reconsider part of the FCC’s order.

AT&T’s EVP of federal regulatory relations Joan Marsh cited challenges of placing requirements on carriers outside of the U.S. that might not be familiar with FCC systems or used to reviewing technical documents in English.

Marsh said CTIA’s worry that foreign service providers who interconnect with the U.S. would likely not register on time “appears to be becoming a reality.”

“Despite AT&T’s extraordinary efforts to educate its foreign service provider partners, as of June 23, 2021, approximately only 20 percent of foreign providers that use telephone numbers that pertain to the U.S. to send voice traffic to AT&T subscribers in the U.S. have successfully registered in the FCC’s Robocall Mitigation Database,” AT&T says in the filing, which recommends a conditional extension to the September date to avoid the risk of legitimate calls getting blocked.

Iconectiv’s Grant indicated calls internationally are a continued effort, saying the company is available to share best practices and collaborate with the ecosystem as additional countries explore verification standards.

“While the U.S. is the first country to deploy STIR/SHAKEN, robocalling is a global problem and will require global adoption,” Grant said. “An important piece of the puzzle to remember is that calls come in from and go out to other countries. By verifying phone numbers and having caller ID information accurately displayed, it is expected that consumer confidence in calls will go up.”

Ribbon’s Gibson called the deadline “a solid first step” but added that “bad actors continue to evolve how they use technology to make these nuisance calls at an increasing rate.”

In May, YouMail Robocall Index estimated 4 billion robocalls were placed nationwide in the U.S., compared to about 3 billion in May 2020.

“We expect the results and successes from this mandate to spur on additional requirements for service providers that will help decrease fraudulent calling and improve the experience for wireless subscribers,” Gibson said. “At the end of the day, it's all about restoring faith and trust in the network and phone call.”

On Tuesday the FCC released its second report (PDF) on call blocking tools for consumers.

Updated with additional Verizon information on meeting the FCC mandate. Information added on T-Mobile certifying all calls.