Rebekah Johnson: Hi everyone, and welcome to another episode of Tuesday Talks, where we shed light on the evolving complexities within the communications ecosystem. Joining Anis and I today will be our very special guest, Chris Wendt. Chris is the co-chair of the ATIS/SIP Forum IP-NNI Joint Task Force, co-chair of the STI-GA Technical Committee, and a very familiar face for Numeracle through the various ongoing projects and proofs of concept that we’ve worked on together.
So Chris, thank you so very much for joining us today.
Chris Wendt: Thanks, Rebekah, glad to be here.
Rebekah Johnson: So for today’s session, Anis and I will be asking Chris a series of questions, and those are in serious need of some myth-busting. Between too much information, not enough information, and tons of misinformation, we've been seeing a lot of confusion particularly around STIR/SHAKEN deployment, the state of the industry, and what we can expect post the June 2021 deadline.
So without further ado, Anis, let's just dive right in with Chris. Right now, as in today, are calls being blocked by terminating carriers if the calls are not signed with a SHAKEN certificate by the originating carrier?
Chris Wendt: No, they are not and I don't think we have any plan to block calls anytime soon. I would even venture to say that we really will leave that choice up to the user, not not the service provider doing active blocking unless there's something illegitimate, or illegal, or are using illegitimate numbers. There has to be certain credit criteria that are set forth by the FCC but that's an emphatic no.
Rebekah Johnson: It sounds like a little bit of mentioning the analytics. Can we expect to see analytics continue post the deployment of STIR/SHAKEN?
Chris Wendt: I think there's always going to be a role for some analytics. From my point of view, putting truth into the network will hopefully be a major force in unmasking the bad guys in terms of the illegitimate use of phone numbers, illegitimate spoofing, etc... It’s hard to say what role analytics will play, I think it's going to change over time. I think techniques will be there and there's going to be consumer-oriented analytics, but my hope is that the need for them will go down over time.
Rebekah Johnson: Another area we're hearing rumors, or lots of concern, over blocked calls is that there's something magical that happens on July 1st and if certain steps aren't taken by June 30th, that July 1st calls will be blocked. Is that a true statement?
Chris Wendt: No, June 30th is all about the FCC putting a date on when service providers, and this is especially true of the larger service providers, must have implemented their plans for providing STIR/SHAKEN signing in the network, being compliant with their specs, etc... There are some caveats and some exceptions that have been applied for that might go beyond that, but the hope is that there is a relatively major percentage that have implemented STIR/SHAKEN and are signing their calls.
Anis Jaffer: How widespread is the adoption, right now with the carriers that have implemented the standard?
Chris Wendt: From what we’ve seen, the adoption has been really good and ramping up every day. And that's in particular, again, with the major providers. We do see more and more of the medium-size smaller service providers coming online as well, but we're definitely in major percentage territory.
Anis Jaffer: What happens if carriers or some networks are not ready to deploy in time for the June 30th deadline?
Chris Wendt: I don't know if there's any particular penalty. Obviously, this is a very hot issue and I think there probably will be penalties applied if people aren't doing it. Deep pressure has definitely been set by the FCC that you must implement, but that's the end goal. That's why STIR/SHAKEN will be effective because if all of the calls are signed, you'll get the truth in the telephone network and that'll bring us so many positive benefits not just in terms of some of the current problems but we're hoping that that'll set a precedent for the future the telephone network.
Anis Jaffer: I think there were a couple of carriers who had requested an extension which the FCC denied at the end of March, I believe. Related to that, there was also a discussion about a robocall medication database that the FCC can put in place. There were some discussions about maybe creating a database where service providers can have a mitigation plan and be part of that.
What's your take on that? How far along is that? Or is that still early?
Chris Wendt: I don't think all the details are out there but I think it's a really welcomed thing for the ecosystem. Basically, it's the FCC’s mechanism of making sure you have a plan in place and you’ve registered yourself and are committing to a plan in place. I think there are discussions of strings attached and other things where we can tie that to participation in the ecosystem. I don't think we're totally there yet but I think it is a good idea to at least get everyone's commitment and have a way of tying sign calls back to somebody that's in this database.
Rebekah Johnson: Chris, what you mentioned a moment ago about truth in the voice channel, we could just say that and casually say, “We’re going to put trust back in the network.” But what is it that we're really trusting?
We're putting in a lot of technology and we talk about the words STIR and SHAKEN that mean all these other words too. Really, truth and trust are these words we throw around when we're talking about this. You and I have had lengthy conversations around local policy for the originating carrier, and this is Rebekah talking from my perspective, is that the truth comes from the source of truth. There has to be a source from which truth originates. I do believe what I saw in the TRACED Act, the focus is all on the activities of the originating carrier because that is the entry point for these good callers or bad callers. It really is the entry point for them.
These standards, which you were part of writing, which is why you're here, refers to some attestations around, what I like to refer to as just knowledge, what do you know? You, as the original carrier, what do know? And there are two points which are: the entity that's originating the call and the authorization for use of the number. I will say, I think those are two incredible data elements that help us get to the truth and they possibly will get us the trust, it depends on how you assess this truth.
Looking at the local policy side, and we do have listeners who are on the origination carrier side and they've done what they needed to do, they check the box and implemented STIR/SHAKEN but now they're wrestling with this concept of having a local policy to assign A, B, or C, but what does that really mean? Can you shed some light on that side of the standards that’s really more of a policy level?
Chris Wendt: When we originally conceptualized the sense of attestation it was early on in the process, and as an industry, we were forced to go that way because there are so many calling scenarios that are in the telephone network that it would be impossible to cover them all with such a simple mechanism.
So we knew that there was going to be a roadmap for more interesting things to come along. I think the A, B, C thing although people talk a lot about it, it actually does conceptualize how originating service providers are receiving their calls. In the case of A-Attestation, the basic scenario is, “I'm directly providing. I provide a retail product directly as a service provider.” That's the simplest case. “I know my customer, I know that I gave them that telephone number.” So it's an easy Attestation A.
Then you have some of the indirect cases, which are the more interesting things that were getting into in the standards where it's B. For example, you're receiving the call but you didn't give them the telephone number so you don't know if they're necessarily spoofing that number legitimately with the right to use that number.
Or C which really is sort of just the category of, “I received this call but I have no idea where it came or anything,” which is a valid scenario in the telephone network today as well. So what we're trying to evolve to is these Enterprise use cases, these indirect cases, where we can use knowledge like delegated certificates, which is something that I've been working on and advocating for, for a little while now. I know what are POC's have shown, in that case, there's direct cryptographic evidence that the call came from an authorized certificate that represents that trust. And it can pass through as many hops in the network as you want as long as its signature is valid, where it came from and who, at the end of the day, is providing the proof of the right to use that number.
It's sort of an end-to-end thing that we're trying to get to so that once it gets the originating provider, instead of being limited to giving only a B or C-Attestation you can elevate that to an A-Attestation because you have that proof.
Rebekah Johnson: One of the things we're seeing, as you know we have quite a few customers that cover the Enterprise, BPO, call center, and even service providers now, we're actually finding ourselves in that space. We're starting to hear messages from the market that originating service providers were selling A-Levels: “If you want to have your call at an A-Level, you can pay to have your call signed.”
Have you seen that? What are your thoughts on what that does to the entire security framework if customers can just go, “Hey I’d like to have an A, and here's what I'll pay for it”?
Chris Wendt: I haven't seen it personally but I've certainly heard stories of people that are discussing that. The framework, as it is today, it is based on trust but maybe more about reputation. If you choose to do those things and you're not doing things like vetting or knowing your customer or anything associated with validating that that TN is being used by its rightful, well, I shouldn't say owner, but that they have the right to use that number, then that's a risk.
That's where some of the analytics might play into this. Eventually, as there are more trusted calls, then there's going to be the reputation of originating service providers and what attestation they're giving out, and eventually, if it's known that you're doing that type of activity, I believe the either the FCC or others will step in and block you from doing those things.
Anis Jaffer: Based on that Chris, on the terminating side let's assume that the call is received with the certificate and you have an attestation level A, B, or C. Is it fair to state that even if you have an Attestation Level-A on the termination side, you would still have analytics run reputation both on the originating service provider who attested the call as well as any reputation on the number, and then determine what to do with that call? You could still label the call as Spam, or Spam Likely, or whatever else, based on the analytics.
Chris Wendt: Any of those things are really possible and the way analytics works, in terms of patterns, I think it probably could look in any of those or maybe independently look in any of those.
I think the risk is that you're basically assigning the call with your identifier. So the efficiency that we put into tracing back to the provider that is giving these calls has been infinitely increased. It's not going to be the situation where you can hide in plain sight anymore, it's going to be hopefully to the point where we can quickly identify those folks. There is enough pain to getting to the point where you have the privilege of signing calls that you probably don't want to ruin your reputation or lose that capability. I'm hoping that the incentive is that you just don't do that.
Again, the strength of the analytics that it needs to track the reputations of service providers or other criteria will lessen.
Rebekah Johnson: I think that’s a wave that we’re going to see, Anis and I. We’re sitting back and thinking, “Ok, come July 1st, what does the world look like?” And it's going to take, July, August, September...maybe by December or Q1 of 2022. That's when the enforcement side— so we have the Traceback Group, which is well-established and going and doing a great job, then we’re going to start to have these calls that are signed, and we have the Robocall Mitigation Database. I think we'll see that wave of enforcement start to step forward because it’s a little bit easier now. We've got not only your identity on one number that we’re tracing back but have your identity on all the numbers that you're delivering because you’ve attached yourself to them.
No doubt the federal government, doing what they do best, will make a lesson out of somebody with regards to either a slap on the hand or the revocation process might get tested out. Just because we figured out how to implement STIR/SHAKEN, I think the enforcement side and how we live in this ecosystem are still yet to be determined. I'm sure with your role in the governance authority, that you guys are already out ahead of that and thinking about what comes next with that particular side of it.
Chris Wendt: I think it will be interesting that we do use that. Somebody does a test A to calls and the authorities make an example out of that because I think that will be a precedent-setting event for people to realize, “Hey maybe I shouldn't be just giving A-Attestation out willy-nilly.”
Anis Jaffer: We are also hearing that at least right now, some calls that are being attested A go through but then calls that are not as attested as A do not go through or get blocked. Is that something that is happening during this transition phase, or do you see this as an issue when the standard is implemented?
Chris Wendt: Right now, there are two parts. One is, some people call it edge blocking, but we service providers are allowed to block unassigned, unallocated, or illegitimate numbers without hesitation; you have full permission to do that. As part of a robocall mitigation practice, you also have the ability, given user preference or other criteria, to also block calls. And some of those rules are evolving. I think of those things we want to make sure that there is care provided in how you do that and really defer to the customer and what their preferences are. That's my personal take.
We've thought about the overcompensating; now we're blocking too many calls. Instead of saying, “Why did I get that call?” you're saying, “Why didn't I get that call?” I think that's what we're trying to address in terms of making sure that we go beyond the direct use cases but cover the indirect cases and make sure they're signed with A with accuracy so that we can rely on the signing, the attestation, to trust that call.
Anis Jaffer: Going beyond blocking, would there be a difference in how the calls are getting displayed or presented at the terminating side if it’s attested A versus B or C? Let’s assume the call is not blocked, but would there be a difference in how it's presented?
Chris Wendt: Well, the industry debated a lot on the display part and we've talked about green checkmarks, we've talked about analog displays using [V], those things have been adopted. As far as I know, that always associated with the presence of an attestation. In fact, I think even Apple and Android are displaying some of those things. I know Apple is just in the call logs right now, but at Comcast, we’ve turned that on so for all of our residential and some of our commercial customers and so far it's been good. We were worried that maybe there might be some confusion but it doesn't seem like that has turned out to be the case.
Anis Jaffer: Does that mean that the presentation layer is really dependent on the end device and how that behaves? In the case of Apple, as you said, logos show up on the call log but Google has a way to display it as part of the call.
Chris Wendt: I don't know if it was intentional, but we want to make sure that people can adapt and we didn't make decisions that we regretted later in terms of display because I think there was a bunch of debate on what's most effective to the end-user. I think right now, it's new and the fact that not all the calls are signed, it’s an effective thing to get people aware of it, to show the new symbol, to say, “on this call, the telephone number has been verified.”
But we'll see going forward if that becomes the norm, maybe you’d want to go back and re-evaluate and determine you should only show the ones that are not verified. It's all going to have to be in the context of making sure that consumers understand what they're getting. I think time will tell how people react and we're going to start to see it, like you said, going to the end of the year and in early 2022.
Rebekah Johnson: Chris, I know we were together on the proof-of-concept for the first signed delegated certificate. Again, thank you for participating in that long journey just to get to that point. But no good deed goes unpunished, because what we've seen is that although we did this in a little proof-of-concept ecosystem, not in a live environment, from a marketing perspective we're seeing notifications or marketing strategies saying, “Enterprise calls can be signed with an A-Level attestation and we're seeing a 15-20% increase in contact rates.”
First of all, I've never seen their names in any of our standards groups, and I'm here in DC, they’ve never spoken before Federal Regulators before, so how are these companies so confident? What would you say to that? Because it is creating confusion and where I get really defensive are for those service providers who are doing everything right and they're having to compete against service providers who are just throwing out these misleading marketing tactics. What would you say to that service provider who is up against this other one that's making these claims; they're wondering, “Am I missing out on something?”
Chris Wendt: I think from my role and point of view, I need to take the cut-and-dry approach here and say that trust in telephone number identity is an overall benefit that we can all benefit from equally. I may be a little skeptical about some of those statistics; the only thing that I've seen is that there has been some decline in the overall spam. I think that's not just because of STIR/SHAKEN, I think it's lots of enforcement happening, lots of the call blocking that's happening, I think it’s all those things coming together.
The nice thing that's happening because of STIR/SHAKEN, and I still think it's really important to have some trust, just like the web we can't live with TLS (Transport Layer Security) on the web the same thing is true with the telephone number, we really shouldn't live without STIR/SHAKEN. I think the results are going to show for themselves and then it'll be interesting to see how quickly we get to the point where the network is completely, or at 80 or 90% level, and what happens.
Because of the STIR/SHAKEN, we have been evaluating how we vet customers, why we’re giving them out Attestation A, all of that results in a net positive for the overall network and trust in the network.
Rebekah Johnson: That I agree on 100%. Well, Chris, we knew that we were probably not going to get to every question that we wanted to ask you. In fact, we have a lot of technology questions that some of our audience members have submitted as well. Would it be possible to have you on as a second guest for another show in the future?
Christ Wendt: Absolutely.
Rebekah Johnson: That's wonderful, great we didn’t scare you away. Are there any questions that have been submitted to you from our current active audience?
Molly Weis: We do have one so I'm going to roll with this one now. The question here is: In regards to Know Your Customer and being able to address requests from Traceback on calls that go through your network and signed to certain attestation levels, what kind of information would be recommended that a service provider should get from their client? Should it be simple business info like main points of contact? Or does it need to be even more in-depth than that, down to questions about the technology or the business infrastructure?
Chris Wendt: I participated in the NANC CATA Working Group where we took the first stab at trying to define that. I think we have the framework in the current document, that latest document was actually the second Working Group, and we defined the word vetting as the vernacular to use for validating the company, making sure you have contact information in there and making sure they have a physical address, contact info, and stuff like that. Then TN Validation is about making sure you're validating that they actually have the right to use that number.
We looked at EV Certs Process and others as the basis for doing those things. Hopefully, we'll have more extended best practices defined, but you can imagine there are lots of processes to determine the validity of a business.
Rebekah Johnson: I had the opportunity, Chris, you guys invited me to the CATA Working Group to present, and as so someone who's from that space I'll just say that and I thought the report was great, the final product. I was really impressed with the NANC Working Group who listened to the industry and put together a plan that is actionable, and I'll also just add, it mirrors very nicely with what our enforcement arm in the United States asked, which was the FTC side. They've already detailed exactly what their expectation is. The one is going to come knocking on your door and look at your process, so you might want to listen to what they have to say. We have that we're on our website access to read that. At the end of the day, the FCC and the FTC have put out so much information that you cannot stand there and say, “I didn't know,” because there's really been a lot of work and effort put into helping bring clarity to that.
Thanks for joining us today on another episode of Tuesday Talks and we’ll see you again on Tuesday, April 20th where we will be discussing more along the lines of STIR/SHAKEN and the progress that we're seeing in the industry. We hope to see you there, thank you.