Four Guiding Principles for Call Authentication Deployment

The FCC recently issued their proposed call authentication rules for comment, which are based on STIR/SHAKEN as mandated in the TRACED Act. The TRACED Act essentially mandates carrier deployment by June 30, 2021, though the FCC is proposing some extensions of the deadline in limited cases. It can be predicted with certainty that during an interim period there will be mix of carrier deployment timelines and inter-working issues will arise both before and after the deadline. For example, we know that time-division multiplexing based calls (i.e., non-STIR/SHAKEN authenticated calls) may be classified by a terminating STIR/SHAKEN-enabled carrier in a manner similar to unauthenticated, spoofed calls. Such concerns are not insurmountable; if we have tools to manage issues during this interim period, then we can tolerate some uncertainty.

Although call blocking using analytics is distinct from call authentication, there is a close relationship between call blocking and call authentication. Even though STIR/SHAKEN does not require using analytics to block calls, the results of the STIR/SHAKEN validation may be an input used by the analytics platform to determine whether a call qualifies as an illegal robocall for blocking. Call authentication provides an additional data point that can help in stopping illegal robocalls during the interim period. However, as we have seen, blocking calls using analytics is not perfect, and has the potential for exacerbating problems.

Minimizing the Impact of Errors During Early Deployment

There are four guiding principles that can significantly help minimize issues during the deployment of STIR/SHAKEN, particularly in the early phases. These principles will not prevent all types of problems from occurring, but they can minimize the impact of errors and allow an orderly migration path forward.

1. Notification When a Call is Blocked. Explicit notification by a carrier should inform the caller whenever a call is blocked. This should include providing both an audio intercept and a SIP error code to the caller so that regardless of whether the caller is a human or computer dialer, both are informed when a call is blocked. The notification should provide the caller with contact information for the terminating service provider to report an erroneously blocked call. Without knowing when calls are incorrectly blocked, future errors cannot be prevented. Mistakes by a carrier or analytics provider can be accepted to a certain extent; ignoring them and repeating them call-after-call cannot be tolerated.

2. Redress for Erroneously Blocked Calls. Carriers should offer effective and timely redress mechanisms for handling reports about calls being blocked in error. The functions of Notification and Redress go hand-in-hand; one cannot be effectively offered without the other.

3. Fully Authenticated Calls Should Not Be Blocked. Terminating carriers receiving “full” or “A” level attestation on calls should presume those calls to be legal and should not block those calls using predictive analytics. Fully authenticated calls, if suspicious, can be quickly traced back to their originating carrier and originator. Such calls should be presumed legitimate and should be investigated; then, if deemed necessary, these calls can be blocked in the future. Analytics should be used for potentially blocking only “B” (partial) and “C” (gateway) level attested calls. These calls should not receive the same presumption of legitimacy. Since “B” and “C” level calls cannot be unambiguously distinguished between various types of calls (i.e., both a domestic call from a TDM network and an international scam robocall can appear as “C” level attestation), analytics may have a continuing role in defining how these calls should be treated.

4. Authorized Numbers Should Receive “Full” or “A” level Attestation. Enterprises, upon providing evidence to their originating carrier of authorization to use a number by business agreement or other evidence (even if the number was not provided by that carrier to the enterprise), should be eligible to receive “A” level attestation. This aspect is explicitly memorialized in the ATIS standard, though it only describes an optional policy that carriers may adopt. Encouraging carriers to adopt this policy would address a persistent problem (called the ‘enterprise problem’) that involves enterprises using the same calling party number on calls offered to multiple originating carriers. Because fully authenticated calls are easily ‘tracked and traced’, such enterprises will subject themselves to scrutiny if they employ questionable calling practices.

A Near-Term Solution for a Complex Situation

Yes, there are myriads of details and issues that remain to be worked out in the coming months and years regarding STIR/SHAKEN deployment. Yes, there will be situations where calls may be invalidly blocked using predictive analytics. But, being able to identify and correct such mistakes using notification and redress functions (and thus help improve the accuracy of analytics) is something most everyone would agree is a desirable goal. There also will be situations where fully authenticated calls may be determined to be, in fact, illegal in some manner. However, STIR/SHAKEN technology can now quickly identify these callers and their originating carriers. Recent FCC actions have shown how regulators and the industry can quickly minimize their impact. Finally, there are enterprises that require use of multiple carriers and cannot tolerate their fully authorized numbers receiving less than “A” level attestation. While more complex solutions to this ‘enterprise problem’ are being discussed in standards, the existing standard allows a suitable solution for the near future. This solution does not require any slow down of the STIR/SHAKEN deployment.

Adopting these four principles will go a long way to facilitate STIR/SHAKEN deployment and calm the anxiety and concerns over various call originators as to how their calls will be treated. Carriers, too, can receive safe-harbor treatment if they adopt these principles. Industry and regulators are urged to adopt these guidelines to ease the transition into the STIR/SHAKEN environment.

The opinions presented here are those of Karl Koster, and not necessarily those of Noble Systems. The contents should not be construed as legal advice nor as comments reflecting any regulatory position of Noble Systems.