Rebekah Johnson: Welcome to Tuesday Talk, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I’m Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today’s session with Ed Antecol, VP of Professional Services and Legal Counsel at COMsolve Inc. It's great to have you here with us today, Ed, welcome.
Ed Antecol: Thanks, Rebekah, it’s great to be here.
Rebekah Johnson: As you know, we only bring experts to the show. And with this series that we have regarding cross-border STIR/SHAKEN challenges, we cannot afford to have voices who are not the experts. Ed, I can't even approach or even attempt to cover the vast background that you have on why you are the subject matter expert on STIR/SHAKEN when it comes to dealing with the cross-border situation between Canada and the U.S. I'm super excited that we're going to focus solely on Canada today, which is also one of my favorite places to vacation to, but it’s unique in the challenges around STIR/SHAKEN.
So, Ed, if you would for the audience, give us a little bit of your background.
Ed Antecol: I’ve been around in the telecom space for well over 40 years. I’ve held different positions at the different carriers, both large and small, across the country. I have held executive positions as VP Regulatory at AT&T Canada and as VP Regulatory and VP Carrier Services at Freedom Mobile and Shaw Communications, so I've been involved with some of the largest telecom providers in the country. For the last few years, I've been at COMsolve Inc., which is an interesting company because it provides a lot of the support services for the Canadian telecommunications industry. COMsolve has been fulfilling the role of the Canadian Number Administrator (CNAC) for almost three years now and that's the Canadian equivalent of NANPA (North American Numbering Plan Administrator). One of my groups is responsible for giving out CO codes and other point codes and the like.
Separate and apart from this role, COMsolve’s Professional Services Group has had many engagements helping smaller providers meet their regulatory obligations across a wide range of telecommunications requirements including Local Number Portability, Number Resource Management, Interconnection, and compliance with Mandatory Consumer Safeguards. Assisting with Regulatory Compliance is our business. We're not a legal firm and we don't give out legal advice. We strictly help companies meet their regulatory obligations.
Additionally, I should mention that COMsolve recently chaired a CRTC (Canadian Radio‑television and Telecommunications), which is the Canadian equivalent of the FCC. We chaired a CRTC-sponsored Canadian Industry Sub-Working Group on Call Traceback and worked on helping the carriers get together and develop Call Traceback procedures and procedures between themselves.
We also co-chaired a Canadian Sub-Working Group on the implementation of STIR/SHAKEN and that work has led directly to some implementation guidelines for the first phase of implementation of STIR/SHAKEN in Canada, which is expected to launch on November 30th of this year.
I should also mention that COMsolve is offering a cloud-based STIR/SHAKEN-centralized signing and signature validation service to small providers that can't justify building their own capabilities in an ever-changing environment. We can help support them for part of the STIR/SHAKEN problem with a simple cloud-based solution that takes your call signing certificate and produces the PASSporT you embed in your SIP invite.
Rebekah Johnson: Yes, I was at COMsolve, where I met Ofir several years ago in San Diego at one of the ATIS events. I spoke before the group and afterward, he found me in the lobby and asked me to come over and talk. Ever since then, between Numeracle and COMsolve, it's been a great relationship with educating each other on what's happening in the U.S. versus what's happening in Canada. We've had this benefit to watch each country grow and watch each country go through the challenges that we have, even from a regulatory perspective or at the compliance level with the carriers.
But we’re not mirror images of each other either. So it would be really helpful for this audience, of which the majority of them are in the U.S., to know what are the rules? What are the deadlines? We forget that other countries are implementing STIR/SHAKEN and there might be something unique and challenging to other countries based on their infrastructure and how they’re established from the enforcement side.
Ed, can you give us the lay of the land in Canada as it relates to STIR/SHAKEN?
Ed Antecol: I mentioned before that our regulator has mandated an initial STIR/SHAKEN implementation by November 30th of this year. We’re behind the U.S. in terms of our launch date and we’re also behind the U.S. in terms of progress when it comes to implementing efficient intercarrier call traceback procedures as well.
Additionally, analytics and associate call labeling are not widespread in Canada. The major carriers are not generally using analytics engines and are not sending labels with the calls warning of ‘Spam’ the way they are aggressively doing so in the U.S.
Rebekah Johnson: Can we pause on that for a second before you go any further? Because I think it's important to note that in the U.S. we went with the approach of implementing analytics. It’s is essentially somewhat of an identity type of solution to try to identify who's calling and then present why and then identify who's fraud and not.
I thought it was interesting and like the way that Canada took their approach of not going forward with the analytics yet and getting an identification framework in place first. I think they'll probably go back to analytics at some point and I think it would make sense at that time.
Ed Antecol: There’s a limited amount of analytics happening to detect specific types of fraud and it was done with CRTC approval by one particular carrier because, under our Telecommunications Act, it is illegal for a carrier to interfere with the content of a telecommunications session. That would include blocking or discouraging the communication. The carriers have been very slow to adopt analytics engines without a regulatory blessing.
Rebekah Johnson: I would make the point that despite that fact, there are a lot of Canadian companies who are originating calls from Canada into the U.S. and they are being impacted by the analytics. We wouldn’t say that any other company in Canada is not affected by analytics because the carriers are not implementing analytics, but they are if they're going cross-border into the U.S., then the analytics do become a problem. I just wanted to make that little point.
Ed Antecol: I think most of the analytics are happening at the terminating end of the call so the Canadian call centers that are calling south of the border risk having their calls tagged as ‘Spam’ and therefore failing to reach their intended audiences. Most of that activity is happening with the engines situated in the U.S.
Rebekah Johnson: Would you talk about the Governance Authority? You can go down to that level.
Ed Antecol: Canada will catch up because robocalling and spam calling issues, including number spoofing is as big a problem in Canada as it is in the U.S. Our regulator says it's the number one complaint they get and I'm sure it's the same in the U.S. There's no reason to suspect it's less of a problem in Canada, it’s just that attempted solutions are a little further along in the U.S. than they are in Canada, reflecting a generally more cautious approach.
In Canada, several of the larger carriers got together to provide some additional funding to establish a STIR/SHAKEN Governance Authority, which was subsequently ratified by the CRTC. The Governance Authority, in turn, selected Neustar to be the Policy Authority and the first Certificate Authority. As of the last check, Neustar is currently the only Canadian Certificate Authority, but hopefully, additional providers may emerge.
That, in the first instance, is a big difference between Canada and the U.S. and it may impact the ability of the carriers to implement cross-border trust because in the U.S. you have iconectiv as the Governance Authority and there it’s more open. In Canada, carriers can choose from six or seven different companies to get their call certificates so there are different fee structures and price pressures. Secondly, I hear there are several carriers that are their own Certificate Authorities so it's a much more open and competitive market in the U.S. as well.
I think the key takeaway is there are different policy authorities and different trust routes. Neustar has a Canadian trust route and there’s an iconectiv trust route, so there are completely different trust routes. But that’s going to cause some problems when it comes to cross-border because it’s unlikely that the U.S. will accept all Canadian certs on a blanket basis. If a Canadian server arrives in the U.S., it’s unlikely that the carriers will want to or be able to go back and check with a Canadian certificate deposit location. So there will be some challenges and that will all stem from the fact that we have different Governance Authorities and different trust routes.
Rebekah Johnson: How did that Governance Authority start in Canada? How has it been going?
Ed Antecol: It got off to a rocky start. Initially, the Governance Authority decided that only carriers that had direct access to Numbering Resources could get a call certificate. That left out all of the local providers, who in Canada, get their numbers from another service provider or another underlying local exchange carrier. The regulator had to step in and on August 5th of this year, they declared the switch restrictions were not appropriate.
However, we're still waiting on final eligibility rules, so there’s going to be a large chunk of VoIP providers, which could include people like Microsoft, RingCentral, and 8X8, but there will be a large chunk of VoIP providers who won't have direct access to their own call signing certificates and probably won't be able to do their own call validations as well, and that's a problem. Most of those players want to get Canadian certificates who participate but they’re still waiting on the rules. We're launching on November 30th and for the most part, the VoIP players who are not local exchange carriers are just not going to be part of the ecosystem.
Rebekah Johnson: This feeds into the fragmentation of the deployment of STIR/SHAKEN. I would say, at least on the U.S. side and the members of the Governance Authority and the CA (Certificate Authority) and the PA (Policy Authority), I don't see activities to prevent. It seems like everyone is not acting intentionally to prevent adoption. This is a whole new world for all of us and we haven't structured something like this before. I think we start off very small, have that circle of trust start really small, but that's just not realistic. If we trust the framework and we trust the policies, then my stance is, we need to open up the door a little bit. Don't think that it's just only going to be a couple of companies that we should trust and that it’s only the carriers or certain types of carriers.
If you trust the actual framework and trust the work that you actually did, then you won't have those fears around opening it up to the VoIP providers. I think they should be able to participate. I think that's the only way that we can connect all the pipes for the delivery of trust.
Ed Antecol: I agree 100%. I will further note that it was the large carriers that resisted when VoIP providers petitioned the regulator for relief, it was the large carriers that said no but maybe sometime later because they just didn’t trust these little players. I think that sent the Commission off a little bit because some of the VoIP providers that were petitioning were a lot bigger than some of the carriers; Microsoft isn't exactly a small player.
Rebekah Johnson: I'm very proud of the response from the CRTC.
Ed Antecol: Moving along to the story in Canada. The Commission supervises an Industry Interconnection Working Group that was tasked with developing the initial STIR/SHAKEN implementation guidelines. When the carriers were asking what they need to have implemented by November 30th, the Commission said they didn’t know and were waiting for whatever the Working Group recommends and said, “you tell us, the regulator, what we should expect to see on November 30th.” It was mighty generous of them and the carriers who participated in the guidelines took full advantage of the opportunity to carve out as much as possible from the required phase one implementation.
We're implementing, on November 30th, a light solution of STIR/SHAKEN. The requirement to implement STIR/SHAKEN applies to the portion of a service provider's network that originates SIP traffic, transit SIP traffic, or terminating SIP traffic. That’s it. The guidelines exclude the use of STIR/SHAKEN on a mandatory basis for all TDM calls.
So, nobody needs to implement a CPS solution or deal with privacy solution issues that might create for TDM calls. If you originate a SIP call, you send it out on TDM, you throw away the PASSporTs, and send the call on TDM and that's it. The STIR/SHAKEN information is lost. Redirect calls are excluded as well and some of the standards are still being worked on for DIV PASSporTs. If your call involves call forwarding or call transfer, there won't be a STIR/SHAKEN PASSporT that precedes that call. Similarly, toll-free calls won’t have a complete STIR/SHAKEN solution and PASSporTs associated with those calls.
For enterprise customers, their calls will receive STIR/SHAKEN treatment to the extent that their underlying provider is the provider of the numbers, and/or the enterprise customers’ phone equipment is configured so that it cannot change the calling line ID or the calling line ID is put into the SIP invite by the carrier. Many of the enterprise customer calls will have STIR/SHAKEN PASSporTs.
But where an enterprise customer brings their own numbers or if an enterprise customer spans all of Canada so that they have operations in Western Canada where Telus is the main carrier and in Eastern Canada were Bell Canada is the main carrier, they get their numbers from where they have their local offices and calls transport or their private corporate network before redress, those calls probably won't have STIR/SHAKEN certificates. The underlying carrier generally won't be willing to produce a certificate, at least an A certificate, and everybody wants an A, just keep that in mind. All of your customers, if you're a carrier, are going to want an A. Everyone wants an A and an A is the only way to get a green checkmark on a wireless call right now. So, those enterprise customers that have multiple sites that are ‘Spam’ connections to multiple carriers are going to have difficulties getting A’s for their calls.
Rebekah Johnson: And on that enterprise note,it’s important to see that the challenges that we have identified through the deployment of STIR/SHAKEN, since we're further along in the deployment side of it, those are the same challenges whether you’re in Canada or in the U.S. or in the UK. It doesn't matter, there is going to be this Enterprise Challenge that has to be addressed. Then, when you throw in cross-border on top of it, it just becomes really challenging.
I’ve said this from day one and I will always continue to say it: we have the greatest opportunity to establish identity in a network where anyone could be anonymous, but with the same approach we also have the greatest opportunity to completely shut down the value of this channel if we don't get it right.
I think it's good that some of these scenarios are being excluded and that there is a little bit of an approach of just laying down some groundwork first, which is what we saw between AT&T and Verizon. They would test first by sending a call to your network where they’ve signed it and want to see it accepted and rendered first. You have to take those little baby stops because there's a ton of lessons learned and there are still a lot more lessons to be learned in this deployment.
But there is one other point of, “what happens when we don't do this right and get it wrong?” which is related to emergency communications. What else is there with regards to the implementation that the Working Group addressed?
Ed Antecol: So there are two other carve outs. One is resellers and wholesale local service providers who will have problems with STIR/SHAKEN in the initial implementation in Canada as well because there's no mandatory requirement for delegated certificates and there's no mandate on the LEX to use an alternate trust model if delegated certificates aren't used. Of course, there are a number of alternate trust models that could be used.
Lastly, they've decided, at least the current recommendation, is to exclude STIR/SHAKEN implementation from the ESInets in a 911 context. There are standards that are very close to finalization. Let’s say there’s say there’s a hang-up, a pocket dial, or someone has a real emergency and has to hang up right away, or there’s a car crash and the call starts but then stops because of a fire or what have you...the PSAPS generally like to do callbacks and they don’t usually like to display their phone number.
They certainly don’t want these calls blocked as ‘Spam’ because it triggers a lot of extra work for them when they have to follow-up on these hangups. It will be very important for these callbacks from the PSAPs that come through the ESInet to not be labeled as ‘Spam’ and have STIR/SHAKEN certificates, and to perhaps have a priority treatment as well like a resource priority header. For now, they are excluding the implementation of STIR/SHAKEN within the ESInet and they’re also excluding the delivery of a verstat parameter for the PSAP, which could be very useful in preventing things like swat attacks where people make mischievous or fake phone numbers and do mischievous calls to 911.
That’s an area that's going to need a lot of work. There was just a caution and they didn't want to jump right into it for fear of messing up certain things. So, phase one is not going to happen. Does it have to happen? Absolutely.
Rebekah Johnson: What about from the display perspective? Has there been any mandate or requirements on what needs to be rendered to the consumer with his information?
Ed Antecol: The CRTC hasn’t mandated any display of information. They are only dealing with STIR/SHAKEN and not with what the consumer sees. There's no mandatory requirement to pass a verstat parameter to cell phones although most of the wireless carriers will pass a verstat value.
Rebekah Johnson: Yes, we see the same thing and that's what we're going to see across multiple countries where the regulators are going to stay away from the display aspect of it because that’s not their focus. And rightly so, I do think that they should stay away from that. They should be more focused on the establishment and the mandatory requirements for creating this trust model and implementing and allowing for the exchange of the data to occur and definitely stay away from the display.
I don't know about the UK yet, we're going to be interviewing some experts soon from that area but I would like to see every country take that approach and perspective. Speaking of each country, I'm sure you have some thoughts on that from the GA (Governance Authority) side.
Ed Antecol: As I mentioned before, each country is going to have its own certificate granting rules and its own certificate practice statements. It will take some significant time before cross-border trust can be implemented. In thinking short-term, they would have international gateways and tag all incoming calls at the international gateway with a C-Level attestation. I'm not sure that’s going to have much of a positive effect at all because some of these trunks are carrying hundreds of millions of calls each month. I've seen cross-border call swap agreements involving billions of minutes annually.
At the end of the day, if you have a bad actor who snuck on through a carrier and that carrier then hands off to a big international provider who then terminates the traffic to the U.S. at an international gateway, they’ll give it a C you then they'll identify that particular phone number as belonging to a bad actor. They'll try and trace it back and that bad actor may be gone tomorrow or you won't be able to find who they are. They won't be able to assert reputational pressure on the international carrier who delivered the call through the gateway because that's just one call out of millions or perhaps billions of calls. You're not going to terminate a major international carrier because there's a bad actor that somewhere downstream has snuck into the system.
In a domestic sense, you can trace back to the customer and if you find out a lot of customers belong to a particular carrier, you can put the squeeze on that carrier to better police its customers. That's just not going to be realistic on these large international border gateways. There's going to have to be an alternate solution for people to trust these international calls.
Rebekah Johnson: We might have to make this a two-part series because I know that there are more topics that we wanted to cover. I know we have some last questions for the remaining minutes that we have. I'd like to turn it over to the audience's questions now.
Molly Weis: As a contact center in Canada, what, if anything, do you need to do to prepare for the November STIR/SHAKEN deadline?
Ed Antecol: You need to check with the carrier who is providing your outbound trunking and your inbound trunking to accept if you have inbound contact. Make sure that your carrier will provide you a verstat indicator for your inbound calling so you can have some trust in the calling line ID. Normally when the call comes in you're going to validate the customer, but it would be helpful if you also had a verstat value to give you some trust.
On the outbound side, if you’re in the business of contacting customers, you don’t want your calls ignored. You need to make sure that your carrier is delivering a STIR/SHAKEN PASSporT and make sure that they're assigning you an A-Level trust where appropriate. As far as the U.S., a lot of your traffic is going to get tagged as ‘Spam’ unless you find a way, and of course, there are solutions, but you need to find a way to sync up with the analytics engines and the carriers that deploy them to not tag your traffic as ‘Spam.’ There are groups, including COMsolve and, of course, Numeracle, who can actually help companies and customers with their reputation management so that their traffic doesn't get tagged as ‘Spam.’
Rebekah Johnson: I would like to thank all of you for joining us on another episode of Tuesday Talks. We hope to see you again on Tuesday, October 5th, as we continue our multi-part discussion on cross-border call delivery and STIR/SHAKEN. Thank you very much.