Hi everyone, welcome to Tuesday Talks, a new live discussion series where we shed some light and bring truth to emerging topics in the communications industry. I am Rebekah Johnson, Founder, and CEO of Numeracle, and I'll be hosting today's session with Anis Jaffer.
Hi everyone, I’m Anis Jaffer, Chief Product Officer of Numeracle. Thanks for having me Rebekah, this is exciting.
Thanks, Anis. Today we'd like to start off with a discussion on the STIR/SHAKEN June 2021 deadline. Believe it or not, there's a lot to talk about on just that one topic. We're going to cover what is expected, who is responsible, and how does it impact call delivery?
We received some excellent questions in advance from a few of you who are logged in here today on this live broadcast, and we will open some of our answers through our topics today. What we’d like to do is lay some groundwork around the topic and then open the floor for live questions and answers for the second half of the program.
We will be recording the session today which will be available via podcast to download and share.
Alright, so let me start off this conversation. We keep hearing about STIR/SHAKEN, a deadline coming up June 2021... what is this deadline for and where did this come from?
We keep hearing people talk about June 2021 as though that's the next thing that's going to be a cliff, and all communications fall off at that point. I can understand why people think that, but anytime we're trying to understand what a deadline is I think it's important to go back to where this date even came from and look at the words around it. So we gotta take ourselves all the way back to the TRACED Act.
So I’m going to read specifically from the TRACED Act. For those who don't know this was signed in right at the end of December right before 2019, and what it covered was really the implementation of an authentication framework. So specifically where this June 2021 came from was the TRACED Act basically saying that ‘no later than 18 months after the date of the enactment of the act the commission,’ which is the FCC, ‘shall require a provider of voice service to implement the STIR/SHAKEN authentication framework in the Internet Protocol networks of the provider of voice and B) to require a provider a voice service to take reasonable measures to implement the effective call authentication framework in the non-Internet Protocol networks of the provider of the voice service.’
So once the TRACED Act is implemented in the FCC has been very busy passing a lot of rules around this. The TRACED Act specifically, again to the commission, said that the commission shall require a provider of voice service to implement the STIR/SHAKEN framework in its IP networks. Now the key thing here is that when it comes to the implementation, STIR/SHAKEN has been around for a while. This is a standard that the carriers have been working on for quite some time, it's just unfortunate that it gets to the point that there has to be a mandate. So that's what we're facing: the carriers were very busy implementing the standard but it just wasn't progressing at the rate that the commission would like to see, so we have to draw a line in the sand.
So when we look at what the FCC actually said about this deadline, we have to look at the first report and order that was put out in March 2020. Basically, the FCC adopted the first order mandating that, “originating and terminating voice service providers implement STIR/SHAKEN in the IP portions of their networks by June 30th, 2021.” And what is interesting Anis, is what’s not said. What’s not said here is, what about the interconnect? What about the non-IP portions of the network?
We need to be really careful when we read and understand what deadlines are about and what's really required. So right there, if we just read the words, we can debunk all of the statements with regards to, “your calls are going to stop come June 2021 if they're not signed.” That is not what is being said here. In fact, the FCC went so far as to make some statements about not being prescriptive of what you do once you implement STIR/SHAKEN, that's going to be on the terminating side to make their decisions about what is best.
So they haven't told terminating carriers that if you receive a call that doesn't have an A-Level Attestation, to block it. Those words are not being found, so I think it's good before we get into what this really means on the technology side, that we understand what that requirement is really all about. It's just a line in the sand to say, ‘we need you guys to implement on the originating and terminating side for the IP portions, STIR/SHAKEN. And if you can't meet those deadlines, you have to let us know so we can work out some exceptions for you.’
Right, and I also want to chime in here with respect to the non-IP service providers. The BASED STIR/SHAKEN, and we’ll get into what BASE STIR/SHAKEN means. The BASE STIR/SHAKEN Standard is targeted at internet IP-based service providers. The non-IP providers are not going to be implementing. Obviously, you need to have a SIP infrastructure to add the search, traditional TDM basic infrastructure will not be able to do it.
What do we mean by STIR/SHAKEN Standard, or the base STIR/SHAKEN? SHAKEN itself is a framework that's built on the idea of STIR protocol. It allows or provides an end to an architecture for originating service providers to verify and attest who is originating the call and then a terminating service provider to validate that. So when an originating service provider or carrier knows the customer and they also know where the customer got the number from, or have a way to verify where they got the number from, then they can add a certificate to the SIP invite attesting that they have a way to verify the customer as well as the number. That essentially is the telephone identity that gets attached to the SIP invite and it gets transported over the SIP network to the terminating service provider who does the reverse. So they get the certificate and then they validate if that certificate is valid, has been signed by the relevant key that has been attested, and then they can choose how to terminate the call. That essentially is what is known as the STIR/SHAKEN Standard, which is the BASE STIR/SHAKEN that needs to be implemented by carriers and service providers by June 2021.
So Anis, I want to ask you a question because we hear a lot of talk about BASE SHAKEN and then there is this Enterprise challenge, what does the Enterprise challenge mean for June 2021? Is that a part of it? What can we expect?
I think to understand what the Enterprise challenge is, we need to look at the different components of the STIR/SHAKEN certificate. One of the key things that goes on the certificate is what is called the Attestation Level. When the originating service provider signs the call they attest it with three different levels. It’s basically a claim where they can attest with an A, B, or C. When the service provider knows the customer and also knows how the customer got a hold of the number, either they issued it or they're able to verify that the customer has the right to use that number, then they can essentially sign the call as A. There's also another component to it that they are actually originating the call.
So let's say, for example, Verizon is the service provider and they are servicing a big-box retailer, and if the big-box retailer got the numbers from Verizon and are also using the SIP trunking from Verizon to originate the call, Verizon has all the information that they need to attest the call with A-Level; that's one level of authentication so that's a flag that is set as A.
In case Verizon doesn't know that the big-box retailer has the right to use the number or if the big-box retailer is using a third-party call center and that call center is originating the call and Verizon does not know if they have the right to use the number, then they essentially have to sign the call with Attestation Level B.
If the same call, let's say it originates from outside the country coming through an international gateway and Verizon doesn't have any way to know who the originator of the call is, the only thing that they know is that the call came through their network and the call is being placed into their communication network, then they would sign it as Attestation Level C.
So those are the three authentication or attestation levels. The gap is the scenario that we talked about for Attestation B. Let's say you have a call center or BPO and they're making calls on behalf of multiple clients. And we also know that in some cases there could be two or three parties involved during the call path. So you could have the end client be somebody who is not even making the call, but they have outsourced this call to another call center who is then using a different platform or a CPaaS provider, and they got the numbers from one provider, and they're using another network to make the call...these are all the scenarios that are happening in the ecosystem and that is the gap that we have. You would hear: Attestation Gap, enterprises not being able to validate or service providers not being able to validate the enterprises, that's the scenario that we are seeing where enterprises cannot directly get their call signed.
So it’s interesting and that sounds complex, it's a lot to do. And I know we saw some comments that were filed with the FCC from some of the carriers asking for an extension of that June 30, 2021 deadline to address this very problem. They did not get that extension, in fact, the FCC responded back saying ‘no, work we're going to keep the requirement for the originating terminating side for the IP networks to implement and we’re going to use that word BASE SHAKEN to distinguish between, how do we dress enterprises, and not.’ They're not going to be, they as in the FCC, are descriptive on, ‘how do you solve for the enterprise,’ but they did make a note that we're going to watch it. So the FCC is going to watch to see that this gets figured out and it's really to the benefit of subscribers at the end of the day; it's those of us who are using the device.
I think we can look at the comments that are being filed, and how the FCC responds to it. Anyone who tells you that the enterprise calls fall a cliff come June 2021, are selling you something, that’s all that they’ve got. That’s a fear that will motivate people to do something, but right now we’ve just got to get the foundation laid first, and the carriers are working extremely hard from resource, dedication, financial resource dedication...just to get the first step implemented.
I think we're a long way away from having fear around what helps with the enterprise, but I’m going to caveat that. You’ve got to be prepared. This is a blessing in disguise, you're fully aware if you're a business, BPO, UCaaS, CPaaS provider. You are aware that there will come a point whenever the enterprise side of this has an effect.
Because Anis, what are you seeing with regards to how the carriers are going to take this data in? Let’s say we’ve got the ecosystem set up, everybody's good. The FCC's got their list of voice service providers that are implemented, we love what we see, 90% implemented, go. What are they going to do with this information?
We think what will happen is, like you said for subscribers, if you are a cell phone subscriber directly calling using a telephone carrier, like Verizon or AT&T, your calls will probably get signed. Because they know who you are and they issued the number it's a straight A-Level Attestation. That will happen. For the complex scenarios, which we talked about, are the enterprises that are using multiple vendors and different parties involved in the call path, those would probably not be signed with Attestation Level-A.
That doesn't mean that calls are not going to get terminated, because the terminating service provider still has a choice to terminate the call. They would also use the analytics providers, just like how we have today, for call validation treatment. Analytics would continue to run and using their algorithms would determine if that call is spoofed or spam and they would label accordingly. I don't think it's going to change anytime like how we have today; it's not going to drop off come July. It's probably going to change over a period of time but not immediately. So you would still continue to have calls with different labels that get terminated.
As more and more enterprises start using this more and service providers start implementing it, there are some models that are being discussed for enterprises, these are called multihoming standards and there are multiple models that are being suggested. We can probably do another session on that, Rebekah, to go in-depth on those models. So has those models implemented I think one or two of those models would probably get more of an option and then you would have a way for enterprises to normally get signed, but also add additional data to those calls and you would change over a period of time.
But come July, I think calls would terminate as we have today. You would continue to see labels but you would also start seeing more and more verified calls, especially subscriber-to-subscriber calls would probably get verified with Attestation A. Enterprise Communications would continue to happen how we see today. Over a period of time, I think it would change as more service providers implement.
Anis, because I have a very curious mind and I don't like to be told how things are going to be, I want to actually go try it out myself and get my own answers, I was kind of pushing you with regards to, ‘how can we test?’ So we did get a client that is signing calls as an enterprise and immediately we thought we had to test this out. Can you share a little bit about the test that we did and what those results were?
Yes, we had a client who is currently using a wide provider that has implemented the BASE STIR/SHAKEN and we had them call our number to see how those calls showed up. What we found was, and our number is on one of the major three carriers, what we found was the calls come through as we would make any calls without any attestation. It doesn't show any attestation level today. We would think that it would change over a period of time, but right now we don't see any difference.
If you have the service provider implement attestation, it also depends on the terminating service provider and how they're accepting the certificates and what they do with it. So that's why I think the call validation treatment and the analytics would continue to play a role in the solution and they are still on the network. How the actual call gets displayed on the device is actually based on how the CVT is done on the terminating service provider. That’s what we’re seeing. We’re going to continue building on this and we’ll monitor as this gets rolled out, but that’s the status today.
And I would say that’s in line with what we’ve been hearing from the terminating carriers, that they haven’t seen anything different from what we just saw in our test. So it will be one that we’ll definitely watch as it progresses as the ecosystem gets fully implemented.
Anis, we blew through this time so fast so I just want to thank you for participating in this idea of Tuesday Talks. Our talks, our one-on-one talks that we have, is a highlight of my week where we dive into dev. conversations, so exposing it to everyone else is really fun.
And part of that means that they can join in on the conversation. I’ve seen some messages in my chat, don’t be shy. This is the part where we want you guys to turn on your camera and ask us your questions. And Molly’s got some if you wanted to submit it via chat and not necessarily join in direct, we’ve got that too.
Ed Olepa (from Rock Central)
I have a question, this is Ed Olepa. Hi Rebekah. I guess my question is, are there any anticipated issues with the algorithms changing because of the June 30th date coming? Could we potentially get marked as spam all of a sudden? What are your thoughts on that?
Let me take a stab at it, Rebekah.
So the call validation treatment at the terminating service provider would look for the attestation levels after June. So once it’s implemented they would look for the certificate and the associated attestation claim. If it’s A, they can conclusively declare that it has been verified and authenticated so you would have a checkmark. Now if you don’t have an A, I think that we would see it the same way that it’s happening today. When you get calls sometimes you’ll see just the number, sometimes you see the CNAM or the name, and in some cases, you see the labels.
I think for scenarios where they don't have the verified attestation, they would implement what we have today. What they’re going to do with Attestation A, I can take a guess. And my guess is if they have associated data, it could be branded call data, it could be authenticated CNAM, it could be data from a third party, like Numeracle, we push to the CVT...if they have that they could then use that to display on the device, in the case of Attestation A, in addition to the checkmark. So you could possibly have a checkmark and you have call data, either branded data or just the name displayed. If you don't have Attestation A, then they would continue to do what they do today, which is either the number, name, or label if they think that there is spam or fraud associated with it.
I’ve got Michael Pryor, he has a really good question. I might not have your answer but let's go for it, Michael.
Michael Pryor (from Brownstein)
So I wanted to go back to the point that you started with at the beginning which I think was right on, which is, that the sky is not going to fall come June 30th. Calls aren’t going to fall off a cliff and be blocked automatically. But there are things that could happen on June 30th in the regulatory sphere. I just wanted your reactions to it.
One is that the FCC is going to require all voice service providers to register to the established robocall mitigation database. They’re going to have to certify that they’re doing one of two things: that they’re either implementing STIR/SHAKEN on their IP networks, whatever implementation means, or, they’ll have to certify, and describe in some detail, their robocall mitigation program. Various carriers have already received extensions to that deadline, but that is a day that does have some significance on the regulatory side. I don’t know what you’re hearing from folks about how they’re planning to address that upcoming deadline on having to register in that database.
And it’s interesting if they don’t register within the database and they’re not listed there, what does it mean on the origination side, and what does it mean on the terminating side? Does that mean that the terminating carrier will block all communications that they originate? Or does it mean that they cannot originate calls? Or maybe they are originating calls but they're just not signed or have the IP header information?
Right, and what I think the FCC rules say about that is that intermediate and terminating providers aren’t supposed to pass along calls from carriers that aren’t registered in the database, including certain foreign service providers. So the registration has big implications because some way or how, the terminating providers are supposed to be checking that database to see if the carrier that’s sending the call is in the database.
I think this goes back to what we were saying earlier with regards to where we're at in the ecosystem. I think each one of these little steps is getting a better foothold and foundation, and what do we accept? Does it get to the point of ok, ‘90% of the industry is registered, now let’s start flipping our switches?’ Because the FCC said they’re not going to be prescriptive on what you can and cannot do with the information, it just has to do this. It’s, ‘implement this standard but we're not necessarily going to tell you what to do with the information that comes through.’ So I don't know, could their option be ‘I do nothing with it?’ I don't know.
I’ve taken a note for ourselves, Rebekah, maybe we can come back to this topic in one of the future sessions.
That’s what I told Michael, get ready Michael you’re going to be on the show. Get some service providers and let’s just hear what they have to say, let them tell us what they’re going to do. So Michael I think that’s the next hot topic, that's July's topic that everybody's going to be focusing on. So get through June and then July we're all of you talking about what you just brought up, for sure, it’s going to be the next panic button in this space.
Alright, do we have time for one more Molly?
I've got a pre-submitted question, I think we have a little bit of time. So this is a good one: What are the top three things businesses need to be aware of and should do by June 2021 to be prepared for STIR/SHAKEN?
Let me think, this is a bulleted list, top three. Ok, I’m not going to put them in any particular order.
So kind of what I preach all the time when it comes to businesses and focusing on their service provider, and actually what Michael was saying is going to be bullet number four probably to the list. But first, you need to know what your service provider is doing, whether your service provider is the BPO, the CPaaS, UCaaS, or direct carrier, you need to know what they're doing to prepare for June 2021. They should either tell you, ‘we filed for an extension, we're going to meet the timeline,’ if their answer is, ‘what is STIR/SHAKEN?’ you’ve got some concerns, they should not be responding that way. So get an assessment of where your service provider is.
The next would be to inquire how their compliance with the law is going to impact your current contract. This is a new one, this is the first time that anyone is talking about this but I'm bringing it up because I'm starting to see that with STIR/SHAKEN someone shifting the contracts on the originating side. I'm seeing it come through in a variety of different ways, whether it’s an increase in cost, maybe it's a service-level agreement change...start having that conversation with your provider. If there is going to be a contractual impact on the services that they provide based on STIR/SHAKEN, then you can hire lawyers like Michael Pryor and anybody else, to help you through those problems because I think there's going to be some things where we need to get a better understanding.
The third one I would say is an important one, it’s that the analytics are going to continue to exist. Anis has kind of covered that the carriers and their CVTs, their analytics providers is what they're called, will continue. They have to. They have to stay in existence to determine calls that are wanted, unwanted, illegal, whatever it may be, they're going to be around. So you still have to address your call blocking and labeling issues. Just think of STIR/SHAKEN as another data element for that decision making on the terminating side.
So those are the top three things that I would focus on. Number four is going to be what Michael brought up with regards to who's on the list and not on the list. That might be a shopping list for us in the future of who do we work with and not work with? I don't know, Anis, if you had anything to add to that?
I think you covered it. I was just going to say that working with your service provider, because they should be able to tell where they are in terms of their STIR/SHAKEN implementation, and also what your relationship with them means in terms of signing the call with A, B, or C, I think you’ve covered that.
Also with regards to the analytics and the CVT, they would continue to exist, so looking at call blocking and labeling for your own phone calls paying attention to it. We are building some tools that would help the monitor that. I think that that is another thing that you would want to look at.
So with that, I think we have reached the end of our first Tuesday Talks! It is such an honor and a humbling experience that everyone attended and participated in this and we look forward to seeing you again at the next Tuesday Talks coming up on February 23rd. Thanks everyone.