Inside the Innovators: Pierce Gorman on Call Authentication Design & Standards Developments

Numeracle's Distinguished Technical Staff Member discusses his role in the development of call authentication standards

Date: August 15, 2022
Written By: Pierce Gorman, Distinguished Technical Staff Member
Editors: Mary Gonzalez, Brand & Content Manager; Molly Weis, VP Marketing & Comms

What is your role at Numeracle? Why is it important/unique to the industry at this time?

One element of my role as a Distinguished Member of the Numeracle Technical Staff is to pay attention to the continued development of call authentication standards, just as I had done during my time at T-Mobile and Sprint, to represent Numeracle in that space while developing intellectual property for the company. 

What’s important about my role is that it's the first time a telecommunications engineer with a background in call authentication has joined an organization dedicated to assisting enterprises and contact centers. I believe, just as Numeracle does, in the need to protect the delivery of legitimate, wanted, and critical communications.

As a data network design engineer, I didn’t enjoy building things that prevented or stopped communications. The industry is trying to find the people behind illegal robocalls to prevent or stop them, but the solution needs to both stop illegal bad traffic and promote good traffic. 

What I can offer the industry through Numeracle is having been a telecom engineer steeped in STIR/SHAKEN call authentication knowledge who is also dedicated to the proposition that we should be promoting legitimate callers, and that's what Numeracle does. We work on reputation and promoting good calls so critical communications can happen.

How have you responded to the needs in the telecom industry that have helped define your current role? 

When I first met Rebekah, Numeracle's Founder & CEO, it was at an ATIS SIP Forum Joint Task Force meeting. I was impressed by how vocal she was about needing to protect enterprises and call centers because the work we were doing to stop the bad calls was also going to stop those good callers. 

Working in a carrier environment, the idea that you're harming the calls of your important or largest customers/enterprises made people stop to reevaluate what we were doing and how to ensure we protect wanted communications. That resonated with me, and Rebekah and I continue to be very aligned on what we need to do to help the industry.

You have extensive industry experience and knowledge. What was your role in developing and writing the STIR/SHAKEN caller ID authentication standards?

I attended virtually every meeting of the ATIS SIP Forum Joint Task Force on IP-NNI, starting in 2013. At that time, there was increased scrutiny from the FCC and FTC about robocalls getting out of control and what needed to be done about it. The group decided to focus on combatting illegal number spoofing and use authentication methods to identify the originating service provider as our analytics recognized it was service providers admitting the illegal calls into the US.

But what we didn't have yet was the origination information. As a terminating service provider, you'd see the bad calls, but you wouldn't know who they came from without trying to do some sort of traceback, which is why the Industry Traceback Group became so important. 

The most direct impact I had on the development of the SHAKEN standard was a contribution that I wrote on attestation. My comment was that attestation had to be kept simple because if it’s too complex, it will be impossible to implement and operate. What I wrote was reasonably compelling because it is what we did. 

So we kept it to four values, where outside of A, B, and C-level attestations, the remaining value was: there's no attestation whatsoever. This decision came about because there was a lot of concern over how the verifier or recipient of the authenticated call might interpret the various statuses. There’s danger in saying ‘if it’s verified, it’s a good call.’

In retrospect, I think attestation has maybe caused more trouble than it's worth because of this issue of truly knowing who it is that originated the call. Do you really know anything about their reputation? Are they trustworthy? These are still questions we are working on solving, especially when considering the number spoofing issue and how to scale this sort of solution globally. 

What were some of the challenges initially constructing the authentication standards? 

Initially, the biggest challenge was coming up with an agreeable framework that could work in conjunction with the Governance Authority, the Policy Administration, and the Certification Authority, which service providers and government could both accept.

There is some evidence that most of the illegal traffic comes into the US through small VoIP providers. So to tackle that challenge, we had to put together a framework that the industry and the government could live with. It's worth noting that the FCC put it in their Report and Orders that they're allowing the industry to develop and implement solutions, but if they find that the industry is not doing what needs to be done, they may take a more direct role. 

The Governance Authority and the Policy Administration are promulgated by the industry and operated by the industry, so we're sort of self-administered and self-regulated. Coming up with something that the FCC felt was going to achieve what Americans needed was the hardest challenge.

Do any challenges, gaps, or issues remain for the industry to move forward in the adoption of call authentication, and how do you think they will be addressed?

We talk about call authentication not being a silver bullet because, as it currently stands, it can't be applied to every communications channel because of how it's standardized and how it's regulated. There are lots of gaps in trust information associated with communications beyond just voice communications; messaging, SMS text messages, and email all have this issue.

As far as call authentication, STIR/SHAKEN is a US-based initiative to gauge if it's possible to materially decrease illegal robocalling by identifying originating service providers that are admitting bad calls and stopping them from doing that. This implies service providers are deploying STIR/SHAKEN and the FCC and State Attorneys General can bring enforcement action against them that’s going to be effective. 

The other problem is at the global level. Is it okay to only have STIR/SHAKEN in place in the United States, or do we need something else to address global call authentication? In my opinion, yes, we do. The biggest hurdle is trying to set up complementary public key infrastructure like the Governance Authority, Policy Administrators, and Certificate Authorities in 250+ countries, which is not practical.

Even if we did, it could result in rogue certification authorities that issue certificates or gaps in delegate certificates that you can't trust. There's work going on to try and get around those problems, but a lot more needs to be done to firm that up. The bottom line is we need to be able to capture, distribute and make available trust information associated with callers. The first place to focus on is enterprises and call centers, because they source the majority of robocalls causing the problem in the first place, before we can take this down to individuals.

How do you feel Numeracle’s network of partners will allow you to use your influence and knowledge in the communications industry in new ways? 

What I've liked about working at Numeracle is that I'm getting a much better understanding of the problems our customers need to be solved so their communications can proceed. I’m also enjoying our collaboration across the partner ecosystem to utilize rich call data to promote the capturing and distribution of trust information associated with callers. 

We need to keep looking at the work that we've done with our partners, and recognize that, whatever the evolution is, we're making sure we work together on it so that we're still benefiting from our partnerships and our relationships. We want tighter integration over time and we want to lower the barrier of entry for enterprises and call centers to be able to use this technology. 

Do you have any predictions around consumer trust in communications this year, considering the progress being made towards deterring international scam traffic, the advancements of branded calling technologies, and innovation around verified messaging on the horizon? 

In terms of predictions around consumer trust and communications this year, I think that overall trust in the voice channel is probably not going to increase very much because robocalling hasn't decreased very much yet. There seems to be an increase in more untrustworthy communications via SMS and email and both of those seem to be getting worse. 

The advancements in branded calling technologies are definitely the biggest thing on the horizon in terms of being able to help people. It comes back to having good information about origination and being able to communicate that information in the call signaling. That's the trickiest part right now. 

With delegate certificates, there are holes in that approach, and it needs patching up before it can be usable on a larger scale, but I expect to see progress in the next year that will resonate with people as other branded calling technologies emerge. The more that these technologies get introduced and used, the better it is for the consumers because that improves trust.

I'm not an expert in this channel, but the innovation around verified messaging is still in its initial phase. The IETF, which wrote the STIR part of STIR/SHAKEN, has an authentication standard proposed for SMS messaging but it is not entirely suitable because the protocols and the infrastructure are not in alignment with that standard. The standards suggest using SIP to send and authenticate the messages but that's not how the architecture works in real life. There is still a lot of work and thought that needs to be put into this before it rolls out, but there is a lot of potential for innovation. 

Is there anything else worth noting that you’d like to add? Give us a fun fact! 

I am excited about our upcoming Tuesday Talks Podcast live session with Eric Priezkalns to continue our series on global call authentication. He understands a lot of the international challenges better than I do. As a telecom engineer tasked with working on and writing network designs, one of the things that you find out is anybody can do a network design or write a protocol. But what distinguishes good work from bad work is how it scales. 

When we were working on the STIR/SHAKEN standards, what was a concern to me was being able to scale up what we were doing with call authentication, specifically with certificate and key management. With the certificates we use, there is a public key used by anyone trying to verify a call and a private key held by the person who signs the call, encoding precious identity data. These keys need to therefore be kept safe because if they're compromised they have to be replaced, and this is not an easy issue to manage on a global scale. 

Rogue Certification Authorities are also issuing certificates you can't trust, and we could see the same sorts of problems with delegate certificates, which are still being ironed out as a solution. This means that a STIR/SHAKEN solution based on certificates is challenging to grow globally. I'm looking forward to the ongoing conversations with Eric on the podcast because I think we'll be able to explore this area of trust based on authentication and verification using keys and certificates and contemplate if there are better ways to accomplish this that will scale better.

About Pierce Gorman

Pierce’s voice has been influential in shaping the standards, architecture, and deployment of technologies critical to the continuous advancement of the telecommunications industry. He most recently served as Principal Engineer of Systems Architecture at T-Mobile, responsible for voice architecture development for VoIP robocalling protection and STIR/SHAKEN call authentication design and standards development. During his 30-year tenure at Sprint in senior design roles, he drove cooperative development and implementation of next-generation voice and VoIP signaling, routing, and services architecture.

Pierce’s contributions to the industry also include membership in four ATIS working groups, all three of the FCC's North American Number Council (NANC) Call Authentication Trust Anchor (CATA) working groups, the Secure Telephone Identity (STI) Governance Authority (GA) Technical Committee as the representative from T-Mobile, and the Cellular Telecommunications and Internet Association (CTIA) Technical Committee in support of the Registered Caller branded calling initiative. He has also actively participated in the US Telecom Association (USTA) Industry Traceback Group (ITG), SIP Interconnection Working Group hosted by NTCA, and the Internet Engineering Task Force (IETF) Secure Telephone Identity Revisited (STIR) working group.

©Numeracle 2022