Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today’s session with Ed Antecol, VP of Professional Services and Legal Counsel at COMsolve Inc. Ed's back with us today to pick up where we left off in our previous session. I really appreciate you joining us for round two, Ed.
Ed Antecol: Thanks Rebekah, it’s great to be back.
Rebekah Johnson: So let’s recap a little bit from our last session. We introduced the challenges and the considerations around the Canadian deployment of STIR/SHAKEN, we talked about the lay of the land, the governance, and the deadlines. This week, we are going to focus more on the real-world cross-border challenges today for gateway service providers and explore how number reputations fit in.
Speaking of gateway providers, I wanted to bring to your attention what we're busy down here in the U.S. doing: the FCC put out a Further Notice of Proposed Rulemaking (NFPRM) (Fourth & Fifth). Now, there are a few key points in here that are of interest to you, Ed. One of them is to propose a requirement for gateway providers to apply STIR/SHAKEN caller ID authentication to and perform robocall mitigation on foreign-originated calls with U.S. numbers. That's a common thing that we see between the U.S. and Canada.
The FCC is requesting comment on that first line, and also, with regards to the efficacy of the Robocall Mitigation Database moving forward. We’ve talked a little bit about this and we've covered this topic in previous Tuesday Talks. If the FCC is seeking comments on this with regards to robocall mitigation and also on the gateway provider, first, I want to ask you if there's an equivalent to the Robocall Mitigation Plan requirement in Canada that similarly touches on this gateway provider expectation.
Ed Antecol: The short answer is no. There is no equivalent Robocall Mitigation Database and there are no Mitigation Plan requirements in Canada. I can go one step further and say that if your mitigation plan involves participation in traceback to get at the root causes of the nuisance calls, in Canada, the traceback assistance rules are pretty much in their infancy.
In a Commission decision, 2018-32 the Commission stated that a standard industry-wide call traceback process is needed to determine the origin of nuisance calls. The Commission considered that such a process would enable corrective action to be taken at or close to the source of such calls thereby reducing their volume and further protecting the privacy of Canadians.
However, the regulator left it up to the Canadian industry to develop the traceback processes. The industry got together, had a bunch of meetings, and submitted a report to the Commission. The Commission looked at the report and in a recent decision in 2021-268, released on August 5th of this year, the Commission stated that it considers that it would be preferable to wait until there was an onboarding process developed to facilitate the joining of as many TSPs as possible into this call traceback environment.
The bottom line is that the Commission did not mandate carriers to participate in call traceback or offer traceback assistance. The Commission will look at mandating that at a later date once the Industry Group gets together and suggests the way to onboard and streamline call traceback processes.
Rebekah Johnson: That’s interesting because in the U.S. I don’t think there was a waiting period to see how the industry would react. The TRACED Act gave the FCC the ability to establish that official group that is run under the US Telecom Group. I would say it’s doing quite well but with the Robocall Mitigation Plan, it was highly encouraged for the TSPs or service providers to participate in the traceback. They were asking you but they were also simply telling you, there wasn’t much choice.
Ed Antecol: So if you’re a U.S. carrier and your Mitigation Plan includes tracing these calls from Canada that are considered a nuisance and problematic, they’ll probably dead-end their efforts because there isn’t a functioning mechanism right now for call traceback. There are a handful of carriers that are doing it but participation is not mandatory.
Rebekah Johnson: Ed, are you aware of any participation? Because that’s a good point.
Ed Antecol: Well, COMsolve, which is the company I work for, actually chaired the group that did a trial of call traceback with several participating carriers. That working group produced the report that the Commission considered in their recent report. So yes, trials were done and nuisance calls were put into the system, complaints were put in, and carriers attempted traceback. Then, as soon as you hit a carrier that wasn't part of the group it stopped, end of the story.
Then there's one other challenge with imposing the rule on international gateway providers and that is in Canada we don't have a concept of an international gateway, it's not a well-defined concept. As a provider of wholesale voice services, your traffic could be from anywhere including an international carrier like China Mobile with a Canadian point of interconnection, or a recent pop-up web service provider. They're all wholesale customers and these companies aggregate traffic from many sources and push it out through a cross-border bilateral agreement to U.S. carriers.
Canadian carriers don’t generally classify their wholesale customers as originating traffic from inside or outside of Canada so they may or may not be able to tell from the calling line ID whether it is an internationally originated call. If the calling line ID is spoofed they have no idea if the call came internationally from outside of Canada. So that's a problem and there are no rules that are going to force carriers to segregate and identify traffic that originates from international sources. Defining international gateways and obligations on international gateways is going to be a bit of a problem.
Rebekah Johnson: I think the best that we can see is for the implementation of STIR/SHAKEN by international providers, they will sign their calls with C. I don't know what more they can do at that point when it comes to signing. I guess that's their way of saying we've implemented STIR/SHAKEN but I don't know if it's achieving what we are supposed to be achieving.
Ed Antecol: If the traffic is arriving on a big cross-border pipe then yes, you can say that it is coming from an international source. But what happens when the traffic is coming by the internet and is bounced all around the place before you, as the voice termination service provider, get that call?
Rebekah Johnson: I feel as though I’ve said the same time frame for the last four years saying that STIR/SHAKEN is 3 to 5 years out. Every time we go further and further into the rabbit hole we just discover more and more challenges around this, but I'm not saying we should stop efforts. It becomes very clear why this is such an incredible channel for fraud. It's so easy to hide, so easy to hide.
So speaking of hiding, one of the strategies that get talked about and get implemented, I know it's a very hot topic in the U.S. and that the FCC's visiting again, is the concept of Know Your Customer. We’ve talked a lot about what Know Your Customer means in the U.S. I would say we’re doing fairly well with the solutions that are coming about for the industry to choose the policies and procedures, we’ve seen FTC enforcement around the expectations are, and we have subject matter experts now.
This is becoming something where you have to get around and put it into your process as opposed to exploring the concept. I think we’re beyond that phase. I do want to go into how we are addressing cross-border Know Your Customer challenges. What are your thoughts in that area and how does Canada view the concept of Know Your Customer?
Ed Antecol: First off, in Canada, there are only a few rules around Know Your Customer and they've only recently been put in place for cell phones and some requirements placed on the mobile carriers mostly to mitigate a wave of identity and password theft. People were going into cellular stores and obtaining a new SIM for someone else's phone and were able to hijack text messages and then ask for a new password. They’re reset and the second-factor authentication gets transmitted to the new phone and people get hacked.
So our Commission strong-armed the wireless carriers to collect a little more information about their customers so that when there was a SIM replacement request they knew who they were dealing with and gave the SIM to their actual customer. The Commission hasn't dealt with the issue formally for things like prepaid cell phones that you buy out of a vending machine. Or you can go on the carrier's website and give them whatever, or you buy it at the grocery store and when you go on the website you give them your name and you can put any name you want.
When I was at a wireless carrier we had lots of customers named Mickey Mouse in our prepaid services and they all seemed to live on Main Street. When you have prepaid calling cards as well, there's simply no Know Your Customer requirements. The customer may be incented to log in and register their card and provide a name but it's all customer-provided identification with no third-party verification.
Rebekah Johnson: I do know, on that point because I’ve been tracking it, I would say Canada is further along and advanced on the identity of individuals, not businesses when we talk about STIR/SHAKEN and the Know Your Customer concept. I think there is some positive activity and movement in Canada to address at least that identity problem which you brought and asking, how can you trust the information that is being provided, who is going to vet it and verify it?
It's no different than what we face with Enterprises when we're talking about Know Your Customer with STIR/SHAKEN. Taking this down into the STIR/SHAKEN application, what are your thoughts in that area?
Ed Antecol: In Canada, we're going to follow the same industry rules for when you give an A, when you give a B, and when you give a C. The expectation is if you're going to give an A-level Attestation is that you know the customer. What that means is open to debate but at least there's an attestation that the carrier claims to know the customer.
Once the A-level attestation is generated for the call in Canada and it's going southbound, in Canada we're pinning our hopes for cross-border STIR/SHAKEN on a bilateral agreement between the two countries using the ATIS technical report, 10087, as the baseline mechanism for initial cross-border SHAKEN. Under this model, the two countries would agree to recognize each other's Certificate Authorities (CAs) and instruct their respective Policy Authorities (PAs) to merge their trusted CA lists.
The merged trusted CA list would then be distributed to all service providers in both countries using existing distribution mechanisms for recognizing Certificate Authorities. That would mean that calls authenticated in one country would then successfully verify in the other country.
However, it's not that simple. We're pinning our hopes on that happening but it's not going to happen anytime soon. First, the Governance Authorities (GAs) would need to agree and instruct the PAs accordingly, so, the GAs in one country would have to agree to trust the GAs in another country and the rules would have to be somewhat similar in both countries before you could establish that mutual trust.
Then there would also need to be a way to uniquely identify which Policy Authority has approved a specific certificate and a specific Certificate Authority in the SHAKEN ecosystem. That might have some implications for naming requirements in the certificate policies. There may well be and we’re hoping there is this bilateral mechanism, but it's going to be a while. Maybe a couple of years out, I would imagine.
Rebekah Johnson: It almost sounds like we're building a UN for cross-border communications a little bit. Like settling agreements and coming to the table discussing how we can allow for the flow of traffic. It’s going to be interesting to see how this progresses. I think we must maintain the trust that some rules need to be followed which are tied up in the standards. But also, how the PA and GA, and CA are established to either build up or break down trust across countries. I think we’re going to have to return to this topic and have you as a recurring guest, Ed, update us as we progress through those steps.
I want to bring this down to call centers and BPOs that operate in Canada and they originate their calls in Canada but they terminate in the U.S. Numeracle has quite a few customers that are in this scenario, and in my prior life when I was focused on privacy, security, and regulatory compliance for communications, it is always a challenge to work with BPOs in Canada because of the privacy issues, whatever it may be. No doubt there are probably challenges with the world of analytics and the status of where the U.S. is with STIR/SHAKEN when it comes to BPOs or call centers delivering calls into the U.S. There are challenges right now, it's not a problem just in three to five years, there are some challenges they face at this moment.
From your perspective from where you sit, can you shed some light on those challenges and maybe some ways to get around them?
Ed Antecol: First of all, many call centers by law have to change the calling line ID to produce a number where the customer can call them back. When Canada, by law, call centers may have to spoof a phone number legitimately and it may be a U.S. number. Many Canadian call center service backups are overflow call centers for U.S. call centers. It is quite likely you will have an outbound contact center displaying the U.S. calling line ID for calls originating in Canada.
This is not a theoretical issue, and distinguishing that traffic from the nuisance traffic that is finding its way into these big pipes carrying millions of minutes each month and trying to filter out the bad ones is going to be a problem. However, if you take drastic measures and see calls coming from outside of the U.S. and it's got a U.S. number, and you tag it and do something to mitigate it, you're going to be hitting a lot of legitimate BPO traffic and that's going to be a problem.
Getting some way for STIR/SHAKEN to convey that this customer is entitled to use that number and conveying that the number isn’t spoofed is going to be important. Otherwise, the analytics engines are going to start flagging the Canadian call centers terminating traffic to the U.S. as if it's nuisance traffic creeping into the U.S.
Rebekah Johnson: Even on the reputation side, we do provide services too. It’s interesting when BPOs in Canada that are hired by U.S. enterprises, Numeracle when we perform our KYC (Know Your Customer), we're doing a KYC on the BPO and then we work our way right back to the U.S. with an enterprise that’s established here in the U.S.
Naturally, that particular enterprise has got it beaten to him to ask questions about green checkmarks and if their calls going to get signed with an A-level attestation. We have these complex relationships so it's not as though the enterprise is working directly with the carrier. Often time, they honestly don’t know who is originating their calls and signing their calls. They know who they’ve may be hired to manage the omnichannel experience for their customers but they don't have that relationship with the carriers. So all they're asking for is to make sure their calls are signed A-level attestation.
Why is that such a challenge to ask right now concerning a U.S.-based customer who is leveraging a call center in Canada to have their calls signed with A-level attestation?
Ed Antecol: It’s a challenge because the phone number that they’re going to use and the calling line ID were probably not issued by the carrier they're using to send that call southbound. So they need to convince the carrier to whitelist that number and the carrier have to be willing to maintain a whitelist as well and that's going to be a real problem.
Then the problem is further complicated in that outbound call centers may use more than one carrier for their outbound traffic. If they have multiple sites in multiple jurisdictions they might be using a different incumbent carrier in each province where they operate. You’ve also got to convince multiple carriers to whitelist the calling line ID that you’re planning on using. It's a huge new set of problems that they're going to face.
I think as the U.S. gets ahead of Canada in terms of rule cementation and cracking down on nuisance calls, I think it's going to hurt the Canadian call center business and it’s is going to be a barrier for these call centers.
Rebekah Johnson: And here we go again where the problem comes down to identity. It's always an identity problem. I’m very strongly opinionated about having identities, whether it’s for a consumer, like myself, or for businesses. I think this is an area we’ll continue to watch as, ultimately, the identity problem, the identity challenge, creates more and more hurdles to be able to conduct business and communicate.
Ed, I appreciate your time here and I am, for the sake of the audience, going to attempt to summarize everything we've covered on our cross-border challenges, specifically in Canada, over the last two episodes where we've had the pleasure of your infinite wisdom on this topic. I think we can bring it down to six, usually, we do 3, but since we did two parts we're going to allow you to have six. So I'm going to cover the 6 hot topics, and Ed, add where you need to add.
- The first one that we got from our kick-off was that Canada is starting light and they are starting late. It's still a wait-and-watch, stay informed, stay aware situation but there is no rush for enterprises or carriers to take right now.
- Another other key point is because we get this all the time, Canada has no formal Robocall Mitigation requirement. That it's still focused on the U.S., Canada does not have it but that does not mean that Canada is not watching to see if there is something that they should do.
- Inter-carrier call traceback assistance is still in its infancy. It is not a mandate like it is in the U.S. it is just voluntary participation. Ed is a subject matter on that with COMsolve being the one who facilitated the development of the report but it is still in its infancy. If you are a carrier listening and you are in Canada, I would recommend that you participate.
- Canada will be deploying a phased implementation, initially no TDM implementation, and VOIP players won't be ready for November 30th because the rules won't be settled in time for a launch. I don't think that's too different than in the U.S. so that goes back to point number 1 of starting late and starting light. (Ed Antecol: I’ll just add that the VOIP players in Canada aren’t even allowed to get a STIR/SHAKEN certificate at this point. Even if they wanted to. Rebekah Johnson: I think that will change, but yes, you’re right. I think it’s good to learn what you don’t know. I think it plays a part in the light deployment.)
- Wholesale customers and resellers are probably at the biggest disadvantage because they're less likely to be trusted by their carrier providers and there is no mandate for a delegated certificate service offering to wholesale customers. I will add that this becomes an enterprise challenge for businesses that are leveraging these resellers than the wholesale customers. A voice will probably be developed around that to bring attention to it.
- Last but not least, there is probably not going to be a lot happening on November 30th when it comes to cross-border delivery. There is not going to be a solution in place by that time, so it will be interesting based on those points you have from the U.S. perspective.
- I'm going to add a 7th one and that is with regards to the FCC's requirement where if a carrier is not in the Robocall Mitigation Database, the U.S. carriers are supposed to block their traffic. What that means, I still don't know. We are going to do a follow-up on Tuesday Talks when we get some evidence on how that’s being managed, enforced, and implemented.
At this point Ed, I want to thank you for participating with us in two Tuesday Talks.
I believe we have some questions from the audience, so Molly…
Molly Weis: We do have a question for you, Ed: How do you think the CRTC will put structure around monitoring the STIR/SHAKEN progress or enforcing the deadline?
Ed Antecol: The CRTC has established semi-annual reporting requirements that the TSPs must comply with to inform our Regulators as to their progress towards implementing STIR/SHAKEN. The last report filed by telecommunications service providers (TSPs) was due August 31st of this year and, for the most part, these reports indicate little actual implementation except for the large incumbent carriers. Most of those players that did file reports simply said they're doing lab testing or they're in the process of trying to get a certificate but weren't reporting any material amount of SIP-based traffic with STIR/SHAKEN PASSporTs at all.
Further reports to our Regulator are required every six months with the first report due for the 31st of May in 2022. That'll be the first chance that our regulator, and the first chance for the public in general, to see what kind of progress we've made towards implementing STIR/SHAKEN, how much SIP traffic is being signed as a percentage of total calls, and what kind of attestation levels are being provided because in these reports you have to provide those breakdowns as well. We're going to have to just sit and wait seven more months before we have another data point to see where we’re at.
Rebekah Johnson: I hope it's not 7 months before we have you back as a guest, Ed. We'd like to thank all of you for joining us or another episode of Tuesday Talks. We hope to see you again on Tuesday, October 19th, as we continue our multi-part discussion on cross-border call delivery and STIR/SHAKEN. Thank you.