Via Electronic Filing
Ms. Marlene H. Dortch, Secretary
Federal Communications Commission
445 12th Street, S.W.
Washington D.C., 20554
Dear Ms. Dortch:
STIR/SHAKEN is a means to an end, not an end in itself. The point of STIR/SHAKEN is not to sign and verify calls and then pat ourselves on the back for having done so. The point is to have the identity of the caller accurately and securely transmitted to the call recipient as a means of combatting unwanted robocalls and providing tools for call recipients to decide whether to answer a call. In fact, the acronym STIR states that explicitly: Secure Telephony Identity Revisited. The TRACED Act that mandates carriers to implement STIR/SHAKEN requires voice services providers to “ensure the calling party is accurately identified.”1
The Commission and industry have spent years debating and designing the standard, and have just recently added delegated certificates to the standard,2 which allows for the identity of the caller to be established all the way back to the caller and not just to the vouching of the originating voice service provider. The delivery mechanism for verified identities and authorized use of numbers has been approved by the ATIS IPNNI Task force through the secure use of delegated certificates. To fulfill the underlying goal of STIR/SHAKEN, terminating voice service providers and devices makers must display the information to the recipient about the caller that is securely and accurately generated upstream.
Numeracle is concerned that carriers and their analytics partners will impose barriers to the transmission of end-to-end caller identity by adding non-standards based requirements, obstacles, or charges that prevent the identity of the caller from being displayed on the call recipient’s device.
The TRACED Act’s guidance is clear:
Accurate identification.--Not later than 12 months after the date of the enactment of this Act, the Commission shall issue best practices that providers of voice service may use as part of the implementation of effective call authentication frameworks under paragraph (1) to take steps to ensure the calling party is accurately identified.3
The Commission delegated the drafting of best practices to the North American Numbering Council (“NANC”) and its Call Authentication Trust Anchor (“CATA”) working group. The best practices have received widespread support.4 The proposed best practices are designed to be flexible“to ensure carriers have the flexibility and speed to respond to evolving issues.”5 The CATA working group recognizes the need for innovation to drive the implementation of accurate identification of call originators. The TRACED Act contains a requirement that the FCC designate a single entity to traceback robocalls.6 The FCC’s original authorization of STIR/SHAKEN delegated authority to a single governance authority. But, conspicuously, the section of the TRACED Act that requires that call authentication frameworks ensure that the calling party is accurately identified is not assigned to a single authority to serve as a gatekeeper, suggesting that Congress intended that a variety of solutions could arise within the STIR/SHAKEN framework. The CATA Best Practices draft likewise concludes:
Originating Service Providers should use a third-party validation service when they cannot or choose not to independently perform TN Validation.Third-party vetting services may be particularly useful in the case of enterprise customers that acquire telephone numbers from multiple telephone number service providers.7
The working group concluded that “[u]ltimately, VSPs should have the discretion to develop their own subscriber vetting program, which may include some combination of the practices summarized in this section, based on the types of subscribers they serve. Subscriber vetting should parallel the way VSPs enforce their acceptable use polices and terms of service.”8 That discretion includes the ability to hire an expert third-party vetting service, such as Numeracle, to verify the identities of legal callers and enable them to use delegated certificates through the infrastructure of the STIR/SHAKENGovernance Authority, Policy Administrator and Certificate Authorities.
The CATA working group’s best practices are not part of the STIR/SHAKEN standard, but rather creates an entry point in the STIR/SHAKEN data flow for verified identity information. Although the CATA Best Practices draft does not contain the phrase “know your customer,” which has become a term-of-art among those entities working to combat unwanted robocalls, the best practices are the endpoint of years of debate leading to this consensus about how voice service providers are expected to know their customer.
Delegated certificates are now part of STIR/SHAKEN standard. The TRACED Act requires implementation of STIR/SHAKEN. Accordingly, voice service providers must accept delegated certificates in the same manner as they accept other types of certificates. Terminating voice service providers do not have the option to refuse delegated certificates nor to charge for receipt and display of the information they contain. Delegated certificates are the method to deliver the results of the CATA’s know-your customer best practices.
Figure 1. represents the implementation of the CATA working group best practices by the originating service provider to attest to the accuracy of caller identification. Verified callerIdentification attached via delegated certificates traverses the STIR/SHAKEN framework to the subscriber device as delivered by the terminating service provider.
Accurately presenting identification info as required also means that Rich Call Detail (“RCD”) should be the vehicle through STIR/SHAKEN for caller identification information. Otherwise, the call recipient will see the originating phone number and the name from a CNAM system that is known to be flawed and inaccurate. Instead, the caller’s identity should flow from caller to recipient unaltered through delegated certificates and RCD through the existing STIR/SHAKEN framework.
A terminating voice service provider that receives but does not display the data it receives about the caller has not “fully implemented” STIR/SHAKEN and the requirement that “the calling party is accurately identified.”9 The Commission has defined term “authenticate caller identification information.”10 Display of a mere phone number is not identifying the caller as phone numbers come and go but identities do not. A fair reading of the TRACED Act requires display of accurate identifying information about the caller in real time as the call is delivered, not in a call log or separate system, such as a web portal with call histories.11 What is to be gained by accurately identifying a caller but withholding the identity information from the subscriber when transmitted via the mandated STIR/SHAKEN caller authentication framework.
Numeracle believes that implementing delegated certificates as a means of passing verified caller identification information to the call recipient is not only required by the TRACED Act and its support of the STIR/SHAKEN standard, but also is the best means for the Commission to accomplish its goal of empowering consumers to receive the calls they want while not being bothered by illegal and unwanted robocalls.
To this end, third-party vetting services such as Numeracle must:
In addition, third-party vetting services should:
Rebekah Johnson, CEO
1 Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, S.151, 116th Cong., at §4(b)(7) (2019) (TRACED Act).
3 TRACED Act at § 4(b)(7).
4 See Comments of CTIA, US Telecom, NCTA, and PACE, Docket No. 20-324.
5 http://nanc-chair.org/docs/CATAWGReport-August2020DRAFT.pdf Section 1 (“CATA Best Practices”).
6 TRACED Act § 13(d).
7 CATA Best Practices section 2.5.
8 CATA Best Practices section 3.1.3.
9 TRACED Act at § 4(b)(7).
10 “Authenticate caller identification information. The term ‘authenticate caller identification information’ refers to the process by which a voice service provider attests to the accuracy of caller identification information transmitted with a call it originates.” 47 C.F.R. § 64.6300(a).
11 The TRACED Act mandate to identify the calling party accurately requires more than mere transmission of the date to the terminating carrier. The information must be displayed to the customer at the time of the call.If the carriers are limited by device capabilities, they have the obligation to require their device manufacturers to support the mandatory requirements.