We're keeping an eye on regulatory updates on gateway providers, impacting international communications
International STIR/SHAKEN implementation
Adjusting from a Single-Country Perspective
Just because the United States is the first to deploy STIR/SHAKEN, does not mean it is a U.S. - specific technology.
When the STIR/SHAKEN standards were being defined, they were written as if from a single country perspective because it was intended to eventually be deployed abroad country-by-country. The scope of the standards was designed to consider each country’s individual needs and their number ownership. The standards can be tweaked to fit regulatory requirements and governance, while ensuring that at the protocol level it will work cross-border.
Currently, cross-border calls will not be blocked by terminating carriers and will complete either without attestation or with a Level C. The only call blocking that may results is not STIR/SHAKEN related, but may be the result of third-party call apps or analytics.
trusted cross-border Call Delivery
Establishing a Root of Trust
For a cross-border call to be STIR/SHAKEN verified, it must first be confirmed and signed with a certificate that can be traced back to a trusted Certificate Authority (CA) List held by its country. If the certification is not present on that list, the call fails.
When the Governance Authority & Policy Administrators are able to maintain a trusted CA List of the approved Certificate Authorities who issue the certificates in SHAKEN, it creates a trusted source for cross-border communications.
The Merging of CA-Lists
Because each country holds their own CA-List, if a call gets signed in a country using their CA List, when the U.S. receives the call, they must cross-check it with their own CA-List. If it is not on their list as well, the call will fail verification automatically.
To protect trusted communications, countries would need to merge their trusted CA Lists and create a bilateral agreement so that calls can pass verification and travel cross-border successfully.
There are going to be multiple solutions or mechanisms which need to be standards-based in order to intra-operate and have end-to-end capabilities, or else they won't work.
There is not going to be any single global deployment and there will be no global policeman who can mandate that everyone do it exactly the same way.
You must do everything possible to get calls signed or attested as close to the origin of the call as possible. Update trusted CA Lists in order to establish a root of trust that stems from the origination of calls.
Know Your customer
For continuous trust and reputation management of phone calls, there must be a KYC vetting process in place in order to verify that they are who they say they are and can legitimately sign calls.
Action from the FCC
The traced act
Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act
TRACED Act defines the need for a caller ID authentication framework (STIR/SHAKEN) in order to address consumer complaints and combat the origination of illegal robocalls.
While the TRACED Act does touch on the STIR/SHAKEN standards as a solution, tying it to regulations may complicate future amendments to the Act as well as the notion of having a single standard to address and meet the laws and requirements of various countries.
The 4th & 5th FNPRM's
Targeting Gateway Providers to Combat Illegal Robocalls
The 4th and Fifth Notices of Proposed Rulemakings (FMPRM) propose requiring gateway providers, who are the points of entry of illegal robocalls originating abroad, to implement STIR/SHAKEN and perform Robocall Mitigation on foreign-originated calls with U.S. numbers.
The FCC is seeking further comments on additional robocall mitigation requirement to ensure gateway providers take steps to prevent illegal calls from entering the U.S. network and further revisions to the information filers must submit in their Plans in the Robocall Mitigation Database.
As mandated by the Canadian Radio‑Television and Telecommunications (CRTC) Agency, by November 30th voice service providers must implement a phased version of STIR/SHAKEN that applies to the portion of a service provider's network that originates SIP traffic, transit SIP traffic, or terminating SIP traffic, not for all TDM calls.
5 Key differences
Canada has not yet implemented efficient inter-carrier call traceback procedures and does not have any Robocall Mitigation procedures currently in place
Major carriers in Canada are not generally using analytics engines and are not sending labels with the calls warning of ‘Spam’ the way they are aggressively doing so in the U.S.
"Gateway" providers is not a well-defined concept in Canada, as they aggregate traffic from many sources and may not be able to tell from the calling line ID whether it is an internationally originated call
The CRTC has not mandated any display of information such as a green checkmark or verstat parameter. They are only dealing with STIR/SHAKEN and not with what the consumer sees.
Canada only has a few rules around Know Your Customer (KYC)