Every entity on Earth and every person on the planet should know with certainty with whom they are communicating electronically.
Let’s start by asking five questions:
If the answer to any of those five questions is a “No,” our industry—and the Commission—still has work to do.
To put it bluntly, STIR/SHAKEN has not lived up to expectations. That’s not to say that the technology is unsound; rather, the public has expected it to solve problems it was not designed to solve; numerous gaps remain that prevent STIR/SHAKEN information from transmitting reliably from end to end; and we have not yet seen widespread adoption of improvements—such as Rich Call Data (“RCD”)—that will enable STIR/SHAKEN to do what we all want it to do. We want to know who’s calling; we want the good calls to come through; and we want the bad calls to stop, get blocked, or at least accurately be labeled as spam. We are not there yet. STIR/SHAKEN does not tell us who is calling, nor was it designed to do so. Congress has given the Commission the necessary tools to finish the job. If the Commission decides otherwise, its report back toCongress should identify the areas where more legislative authority is needed.
Numeracle’s comments in response to this Public Notice had originally been much more extensive, but the Commission’s release of the FNPRM on Caller Identification echoed much of what Numeracle was going to submit here.2 The Commission is recognizing the importance of identity verification, transmission, and display. Numeracle will reserve a more detailed response on identity issues for its response to the FNPRM.
STIR/SHAKEN is conceptually sound. Numeracle strongly supports the technical underpinnings of the call authentication framework. But after nearly four years of mandated deployment, the ecosystem still fails to deliver consistent, verifiable, end-to-end information across all networks, all devices, and all calls.
The FCC’s Public Notice accurately observes that effectiveness depends not only on originating attestation but on the complete chain of identity transmission. That chain remains broken in predictable, well-understood ways:
The result is a system where the presence or absence of a STIR/SHAKEN signature is often irrelevant to call treatment decisions. Consumers still cannot reliably distinguish legitimate callers from bad actors. And legitimate callers—particularly callers conveying sensitive information such as healthcare institutions, schools, and financial services providers—continue to experience erroneous blocking and spam labeling despite full legal compliance and compliance with the “best practices” of companies doing spam labeling. STIR/SHAKEN is a great mechanism for tracing calls back to the signing voice service provider, but on its own, it accomplishes little else.
STIR/SHAKEN is the foundation for a house. But the house hasn’t been built. And key parts of the foundation, such as a reliable end-to-end pathway, remain missing or dysfunctional. The promise of STIR/SHAKEN has always been that it could form the foundation upon which a trustworthy caller identity ecosystem could be built. But a foundation does not constitute a house. Critical elements of the structure remain incomplete or missing:
What’s missing is ubiquitous end-to-end STIR/SHAKEN as the foundation for Rich Call Data. For the objectives to be realized, implementation must be by all the carriers, all the devices, all the pathways, and all of the time.3 Without this requirement, authentication data will continue to be inconsistent, incomplete, and unreliable for downstream analytics, enforcement, traceback, and consumer display.
STIR/SHAKEN is an unconfirmed assertion by the originating service provider as to its relationship with the caller and the caller’s telephone number. It does not identify:
Consumers want to know who is calling, not whether a call was signed. The three pillars of trust in electronic communications are: 1) identity verification; 2) secure, reliable delivery of identity information; 3) display to the recipient of the communication. The Commission’s goal should encompass these three pillars. Doing this enables all sorts of good things to happen:
Getting to 100 percent signed calls and delivery is the missing part of the foundation required to enable these structures to be built on top.
The global telecommunications industry is moving toward verified identity, a conceptNumeracle has been advocating for seven years. Multiple proof of concept tests are underway at the international level. In the United States, the Commission and industry have created core parts of the necessary technology: KYC requirements, STIR/SHAKEN, device display capabilities, even an earnest effort to implement RCD on a voluntary basis through CTIA’s Branded CallingID initiative. It’s time to put them all together.
Secure verified identity presentation should not be just a premium service for wealthy companies looking to measure their ROI on each answered telephone call. Instead, it should be the basic way we communicate. Reliably vetted and authenticated callers should get enhanced protection from accidental labeling and blocking even where there is no call branding information being presented. We should always know who is calling. The technology exists to make this happen. Industry has partially adopted it. The Commission has the authority to make it happen.
The TRACED Act states that the call authentication framework should “ensure the calling party is accurately identified.”4 While this goal is described as a subject of “best practices” rather than FCC rules, the Commission should be mindful that accurate identification of the calling party is an essential element of an effective call authentication framework that is mandated by the TRACED Act. STIR/SHAKEN alone cannot meet this standard.
This is the central failure of the current framework: authentication alone does not equal identification. Without reliable, universal, authenticated identity data, STIR/SHAKEN cannot meaningfully advance the consumer experience or materially reduce scam and fraud incidents.
Numeracle strongly urges the Commission to explicitly recognize that verified identity frameworks and CNAM cannot co-exist. CNAM is a caller-ID service that delivers the calling party’s name to the recipient’s device based on the terminating carrier looking up the incoming telephone number in one of many competing and unsupervised CNAM databases and displaying the associated name. If the telephone number is spoofed, the name is still displayed. CNAM, while it can be useful when accurate, has absolutely no security. Let's put this in perspective with a real-world analogy. Imagine if your local bank operated like the telephone system. Anyone could walk in, claim to be you, and conduct business and withdraw cash using just your account number, without ID verification, no signature matching, no security questions, no face recognition. The bank would simply trust that whoever presented your account number was actually you. That's essentially how caller ID works: anyone can present any phone number, and the system trusts the assertion without verification.
With CNAM, there are no checks to ensure that the name matches the owner of the telephone number. None. This is problematic because all of industry’s collective efforts to have a verified name presented are undermined if anyone can get any name added to their phone calls. Ending CNAM must go hand-in-hand with deployment of verified identity presentation. CNAM fundamentally contradicts every principle of verified identity:
CNAM was a great system for over 25 years and was designed and implemented prior to the days of deregulation and open competition. In those days, CNAM was tied to physical wires that went from one phone to another and a limited set of regulated phone companies controlled access to physical phone lines and phone numbers. In the days of competition, VoIP, deregulation, and a fast-moving market, the control over phone number and physical infrastructure has been given up for consumer flexibility, features, and speed. MaintainingCNAM while attempting to build a modern, authenticated identity ecosystem is like building a secure bank vault and leaving the door unlocked.
Due in large part to the lack of verified identity information carried over reliableSTIR/SHAKEN capable pathways, terminating voice service providers continue to rely on spam labeling analytics as a primary tool to combat illegal and unwanted robocalls. Unfortunately, the accuracy of these spam label determinations continues to be lacking by some providers—both under inclusive (failing to label bad calls as spam) and over inclusive (labeling legal, wanted calls as spam). STIR/SHAKEN has done little to help this process. Spam labeling alone will not solve the fraudulent call problem we all face.
The daughter of the undersigned is 22 years old and is applying to medical school. She is a member of the generation that rarely makes voice telephone calls, instead preferring messaging,Snapchat, or video messaging tools like FaceTime. But she could receive a regular old-fashioned voice call any day from an admissions office, and she does not want to miss it.
Recently, however, she has been receiving upwards of ten spam telephone calls per day offering $65,000 loans. She never consented to receive these calls. She has blocked individual numbers, but each call comes from a different spoofed telephone number. She has asked to be put on the callers’ do not call list, but to no avail. Her wireless provider, in conjunction with its analytics engine provider, flags about half of the calls as scam or spam. She turned on the feature to block scam calls and route spam calls to voicemail, but about half still ring through as they come from a new telephone number each time.
She was at her wits end with these constant spam calls and said, “Dad, you work in this industry. Can’t you of all people make it stop?” Sadly, I told her that I was powerless to stop the spam calls while still allowing important calls to come through. Our industry has collectively been trying to solve this problem for nine years, but even a simple, known problem like this is currently unfixable. STIR/SHAKEN in its current form cannot prevent “snowshoe spoofing” by persistent illegal callers like the one described above. Consumers commonly receive numerous unwanted calls daily from rotating numbers. STIR/SHAKEN offers no way to identify the calling entity, only its asserted number. Thus:
Currently, we are in a perpetual state of whack-a-mole where illegal callers seek out the weakest links in the system. Verified identity with RCD over STIR/SHAKEN will help immensely once legitimate callers are identified and consumers can then confidently block calls from callers unwilling or unable to identify themselves. The mechanism of a bad actor being “kicked” off a carrier, and moving to another carrier is effectively killed in its tracks when originators are forced to positively verify their identities that would be the same across multiple providers. In this case, consumers and network operators could in fact block specific identified callers regardless of the chosen phone number or carrier. Consumers could also block unidentified callers once we have a critical mass of legitimate callers using verified identity technologies.
The Commission’s STIR/SHAKEN mandates and industry’s best efforts have thus far not solved the scenario described above—nor many other similar scenarios where we collectively have failed to enable legal, wanted calls to go through while accurately blocking, labeling, or diverting unwanted and illegal calls.
What if most callers were accurately identified on a consistent basis? Call recipients could then reasonably choose to block callers unwilling or unable to identify themselves. The analytics engines’ determination of “spam,” “scam,” and “unwanted” would be dramatically improved if they had accurate data as to who was originating a call. A bank could tell its customers to ignore telephone calls purporting to be from the bank unless the verified identity indicators of an identified call were presented.
As to the scenario presented above? My daughter could block unidentified callers if she could reasonably rely on legitimate callers—such as real businesses and, yes, medical school admissions offices—identifying themselves and have that identity transferred through the call path to her device. The illegal scam callers offering loans presumably would not be willing to identify themselves as doing so would lead to easy trappings for law enforcement, traceback, and network level blocking. Everybody wins with verified identity—except the illegal callers.
STIR/SHAKEN is not broken; it is incomplete. The core technology works. The core concept is sound. What remains is to finish the job:
The steps above will finally allow consumers to see and trust who is calling—not just a telephone number or a spam label of dubious accuracy. The Commission has the authority to do this today. The technology exists. Industry is ready. And consumers desperately need the benefits of authenticated identity to become realized.
Keith Buell; General Counsel and Head of Global Public Policy
