Pierce Gorman: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Pierce Gorman, a Distinguished Member of Numeracle's Technical Staff, and today I'm joined by Sarah Delphey, Numeracle's VP of Trust Solutions. If you'd like to know more about me and my background, check out Numeracle's latest Inside the Innovators article, where I talk about my experience helping to develop and deploy call authentication standards.
Sarah has over a decade of experience when it comes to risk mitigation and customer policy creation and is an industry expert in trust solutions, especially Know Your Customer (KYC). Sarah, can you share a little more about yourself and your expertise for the audience?
Sarah Delphey: Thanks, Pierce. It's good to join the podcast for the first time, and hopefully, I'll be invited back. As Pierce said, I am Numeracle's VP of Trust Solutions. I joined the company relatively recently and spent many years at Bandwidth, where I was Director of Traffic Assurance and led the risk mitigation functions, campaign registration functions, and fraud mitigation team. My experience has been end-to-end customer evaluation and monitoring, so I'm excited to join the Numeracle team.
Pierce Gorman: We're very excited to have you here too, Sarah. You know that I feel very strongly about trust and imbuing trust in call authentication, so I was really glad when you joined. Let's start by setting a foundation of where we currently stand and where we think or we expect STIR/SHAKEN is going, based on the FCC requirement to report to Congress because they recently requested comments on the efficacy and performance of STIR/SHAKEN.
We're looking at the necessary iterations to STIR/SHAKEN, where there is an increased focus on what is known about the caller, not just the call signer. Can you give us a flavor of the focus and the intent there?
Sarah Delphey: This is a really great opportunity where the FCC has requested comments from folks on the efficacy of STIR/SHAKEN. They're essentially asking, how are we doing? How is it going? What else do we need to be thinking about? This is part of the TRACED Act mandate to form that report and send that information back to Congress so that they can continue reporting on how things are going. As part of those comments, and in general with our advocacy with what we're doing in the industry, essentially, the perspective of STIR/SHAKEN is that it has established a really great framework for the transmission of information about the providence of a call and about a call in general throughout that call flow. What we think is the next iteration of STIR/SHAKEN that needs to be looked at is how to authenticate the actual call or information before that information being placed into a call.
Really, the way that we're looking to do that is through refocusing on KYC principles. KYC is Know Your Customer, though sometimes you hear KYB, which is Know Your Business if you're working with business customers. You also hear Customer Due Diligence depending on the industry you're working in and their terminology. All of this is the framework of understanding from the moment you begin that relationship, all the way through the end of the customer relationship, authenticating who they are, what their intended use is on the network, and monitoring that existing activity.
Mostly for our purposes, and we're talking about, we think the next thing that the industry should focus on is how to identify a caller such that we, for enforcement purposes, can focus more on the caller themselves versus the environment that we have right now where we're increasingly focused on finding bad actors in the industry. This is important, but we need to start thinking about how to get to that actual caller.
Pierce Gorman: I agree with that wholeheartedly. When I think about KYC and Customer Due Diligence and the work that goes on in validating the caller's identity, it occurs to me that this is a big challenge for the largest population of people impacted by the FCC regulations.
The current extension on the implementation of STIR/SHAKEN extends to small and rural service providers, service providers with less than 100,000 subscribers. More recently, the rule changed to cover non-facilities-based voice-over IP service providers, which extends to very small businesses who heretofore never had any obligation to do anything with call authentication.
I wonder about their ability to do the Customer Due Diligence and Know Your Customer and whether or not they have the expertise, the tools, and the infrastructure costs. How do you see KYC in the context of small businesses originating service providers?
Sarah Delphey: It's really a great question, and it's a big challenge. We're trying to form a framework that could theoretically apply to the incredibly diverse set of service provider participants that we have in the marketplace today. Everyone from AT&T, Verizon, or any major mobile carrier that has millions of subscribers down to the folks in the local area working with law offices, your accountant, et cetera.
Often, these folks don't even self-identify as communications service providers and identify as IT-managed service providers. That's the service they provide, and as part of their portfolio, they sell IP-based voiceover, IP desk phone replacements, IVR services, and software associated with those things. But for them, this is a challenge because they're the ones that have the ability to directly authenticate who the calling party is because that's their direct customer.
If we think that to fully implement STIR/SHAKEN, we have to make it such that every single one of them can influence the ability to sign their own calls, then we have already failed. We'll be here for years trying to get these really small folks because they're totally relying on their underlying service provider for everything telecom, taxes, season surcharges remediation, and everything they just don't think about. If they have to, they won't sell it, and it will get more expensive for small businesses and consumers, which is not something we want to happen.
It's a challenge, but if we can form some standards for authentication, at least for them, to try and make it as easy as possible. I'd love to hear your thoughts on the certificates aspect of it and how that could be handled or how that transmission could be handled.
Pierce Gorman: That's a good question, and it brings me to my favorite topic of rich call data (RCD). Rich call data is a term that's thrown around a lot, but we're referring to the type of call signature that allows a caller, not just the originating service provider, but the caller themselves, to present information about themselves. We'll commonly say if they have a logo, they could display the logo, they can send the calling name, and authenticate it in the call signature as well as a reason for calling.
These are all valuable things, but the important thing that has to go with it is the caller's identity and some information about the caller's identity. That's a key thing I think Numeracle does is that we work on the reputation of phone numbers to help people get their calls completed.
Now we must extend that ability to provide reputation to the identity itself. Can you tell me what you think about trust solutions and improving the identity information available in those RCD calls?
Sarah Delphey: I have a lot of thoughts on it. I think one of the things that I feel the industry should change its focus on is an overreliance on telephone numbers as an approximate source of identity. When I say that, I mean that one of STIR/SHAKEN's underlying goals is stopping the illegal spoofing of numbers with the idea that if the recipient, or the downstream party, or the law enforcement entity can trust that the phone number that's being displayed is actually badly in use by that calling party, then that will have a meaningful negating effect on illegal robocalling.
There's been debate about whether or not that's true or to what extent that will help. I think there are some fundamental flaws with the presumption that we should focus on phone numbers instead of calling identities as the first and foremost thing we want to be transmitted in a call flow. One of the major problems with that is that it's just not how the industry works. You have phone number providers, and then you have outbound calling providers.
Very commonly, enterprises will have multiple different providers. They will add providers to that call flow and that routing path for very legitimate non-nefarious business reasons like they want to make additional calls to a particular destination and their current carrier doesn't offer great routes, quality pricing features, what have you, so they add a secondary carrier and dynamically route their traffic to that destination over the secondary carrier.
Or they have one service provider for desk phone replacement and one for call center software. It becomes so a la carte and broken up in that, fundamentally, often the provider placing those outbound calls cannot directly validate that that customer placing the call, even if in a delegated cert situation, they don't have the direct ability to confirm that yes indeed, this number is owned by that same party. They can't communicate with the party that provided the phone number and collaborate and asks if it's their customer.
There are a lot of reasons why that can't happen today. Phone numbers are something that is very difficult just based on the structure for that outbound calling carrier to be able to validate that. Separately, you have this issue of phone numbers changing very often, but the underlying calling business does not. We've heard about it, and it does exist where nefarious number cycling or using too many numbers, et cetera, does happen, which is an issue. But there are also legitimate reasons why a business might want to change the phone numbers it's using, add new ones, remove old ones as people leave, etc.
If we're thinking about just phone numbers when their lifecycle could very legitimately have so little influence or value in identifying the legitimacy of the underlying caller, it's just another reason why we need to transition to a place where in addition to thinking about the legitimacy of that caller ID, we transmit and identify and authenticate the identity of that calling party.
If their identity has been validated and is trusted, whether or not we know at least they are who they say they are, we don't necessarily know everything about them and what they do. But we know that is a real business, and this is their name, and that's tied to that businesses generally call regardless of the phone number. That acts as a natural deterrent to illegal spoofing or poor number utilization practices. Then you can do things like look at number utilization if they are using number spoofing or something like that in a way that's improper. Your behavior is suddenly tied to your identity across the ecosystem.
That's the next thing that the industry really needs to tackle: how do we find that identity? How can we authenticate it so that it can be trusted? How do we send that out through the industry so everyone involved in that call path can decode and attribute that calling behavior back to that originating party?
Pierce Gorman: These are critically important things that you're covering there, and I hope everybody is picking up on the complexity when we were talking about the smaller originating service providers that can occur when you're trying to tie trust to a given telephone number. I've talked to those folks, and I've heard it here as well, that it could be a situation where you go to a company, let's say it's a fairly large enterprise, and you might have different parts of the enterprise that are wanting to do outbound calling.
Maybe one is customer care, and another might be whatever the other group is. They might be getting numbers from different providers. They might have connections from different providers. Maybe even the purchasing agent doesn't know anything other than they pay a bill for the numbers they lease. Do you know whether that provider legitimately had those numbers when they gave them to you?
The trail of breadcrumbs that you have to go through or would theoretically have to go through is maybe not even there. I get the feeling that it's just not practical to try and do that. So the identity information that could be made available, especially in Rich Call Data call signatures, becomes much more important. A place where I think that shows up is when you asked earlier about certificates. What do I see in certificates that is something to pay attention to when we talk about KYC and capturing the identity and being able to transport it?
With RCD, we use that term so many times, we need to do a show just on that. We kind of already did in our last episode, "Global Call Authentication Domination Part III.” For those who aren't familiar with it, RCD refers to being able to send that additional enhanced identity information, and there are a couple of different ways it can be transmitted. It can be transmitted in a signature dedicated to RCD, or it can be transmitted in a signature applied by the originating service provider and just added as a claim. Now, if the originating service provider does it, you don't get the caller identity that's behind it other than through that telephone number.
As we've just described, you see a layering of identity and telephone numbers. We need to get better at that. The certificates that are applied to Rich Call Data signatures are called delegate certificates. There are certificates that are issued to an enterprise or business process outsourcing organization (BPO), and just in talking about that enterprise and the BPO, you can see where it might be important for the called party or the terminating service provider to know if it's a BPO organization that's calling.
If they're presenting the identity of, let's say, Home Depot, how do we know that it's okay for them to have presented that identity? How do we know that they're representing Home Depot? Is Home Depot's signature somewhere in that certificate? Is there a claim in the certificate that says, yes, this identity is being presented on my behalf? That information really isn't there. Now, there is an opportunity to add that kind of information, and there are different ways that might be done, but it's not a current set of standards. That's something that would need to be worked on.
I liked your comment about "approximate identity," I think that is how you put it when talking about the telephone number. Maybe this shouldn't just be a change in thinking. It needs to be a change in standards and perhaps a change in regulation as well. This ties back to the work that you've been doing to try and craft some comments to help the FCC see what we see. I wouldn't want to go back and change the standards that describe how to capture authorization and authentication of a telephone number but add to it the additional information insofar as we can that layering so that we recognize that, we talk about it, we document it, and we're able to transport that.
Sarah Delphey: I'd love to elaborate on that and comment on the fact that I glossed over what Know Your Customer processes really are and how we might standardize that throughout the industry. We don't have enough extra time for me to do an entire walkthrough of every single piece of information a company might wish to validate, but we're going to have a longer form panel and some other documentation coming on that.
I want to share that I think one of the issues many small businesses have with adding in these validation processes is that there is no business incentive for them to do it. If a small business or small service provider wants to do the right thing, they want to validate, they want to make sure they don't want to transmit any fraud, there are a lot of business reasons why introducing additional authentication processes requiring documentation, requiring more pieces, asking more questions, creates tension, friction, and delay in a customer onboarding process.
Unless you see a strong benefit of doing that, unless there's some incentive to do it, there's no reason for these small providers to do it. There's no business reason, and there are many business reasons not to do it. That's one piece of this where it's nice to say that we all just need to build robust KYC authentication processes, but we're also all here to do business. We shouldn't assume that everybody will benevolently do things that are not in their business interests. That's where I think we need to find ways, which is how it ties together.
If by doing this caller authentication work and transmitting that information in the call and if we can create and derive a clear benefit to calls that have that information, whether that's a reduction in blocking or labeling, whether that is more transparency to the consumer, whether it's enabling businesses to have spoofing protection, or enable other services that we could create for businesses that would then be a value add for those institutions. The small businesses that want things in exchange for providing their information; that's one thing that could theoretically address.
By creating standards across the industry, we can eliminate some of the competitive push and gaps. What we have right now is that those who do little to no KYC and just let folks on versus those that are asking a bunch of questions and doing robust analysis are at a competitive disadvantage. Because when we sign up for one of these things as small businesses, we don't say, "I really appreciated how thorough my service provider was in asking me about my history and my business ownership." I would appreciate that, but I have a very unique perspective, and I understand that most people don't necessarily appreciate that, and their service provider thinks that's a great thing.
Again, by creating incentives and accountability that they're doing this and get credit for it, they want a reason to keep doing this because they like it, but they won't keep doing it out of the goodness of their heart. That's the other piece that needs to come up in this conversation. Rather than just push standards that nobody will follow, create incentives and create accountability for folks in following those.
Pierce Gorman: If Eric Priezkalns was here, he would have really loved your comments about the need for an incentive, that there is a burden, and that there is friction. Is it worth it to go at all this work? Do they get any benefit from it from doing the extra work versus not doing the extra work? I don't know that we have any answers to those questions, but I think it's really smart to be thinking about that so that we can think about how to provide an incentive.
We have a couple of questions that were pre-submitted, and here's the first one: What is your observation on how STIR/SHAKEN traceback functionality is being used in the industry today? That's a question for you because you were a vibrant Industry Traceback Group (ITG) member. What's your view there on the observation of how STIR/SHAKEN traceback functionalities are being used in the industry today?
Sarah Delphey: There's STIR/SHAKEN, and then there's traceback, and then how those interact. The Traceback Group generally performs a very critical and increasingly critical function from an enforcement perspective, finding the originating sources of robocalls. In an environment where no trusted information about the caller is transmitted over the call, you have to use something like traceback to find the originating source.
The Traceback Group and the functions it performs are fantastic, and this is my personal observation. It appears that law enforcement agencies are increasingly relying on traceback data in identifying the parties they want to take some sort of enforcement action against. In terms of STIR/SHAKEN, unless this has changed very recently, the traceback process continues to rely on starting with the terminating service provider, the provider for the consumer(s), it's usually multiple phone calls that are being traced back at the same time that received the alleged illegal robocall campaign that is the subject of the traceback effort and works that back through each provider upstream on the call.
There has been talk about not doing that, and to the extent that there is STIR/SHAKEN or there's a certificate attached to it going straight to the signing party of the call and working back from there, I think there were some concerns. I think the Traceback Group could speak to that; I don't want to put words in their mouth as to the reasons why they haven't adopted that. From my understanding, a lot of that is about one not having 100% trust in the signatures on those calls to say they can skip certain parts because they know exactly who that is, and they can trace it back.
It's also about ensuring consistency of data all the way through because each service provider will be a little bit different. We'll have 1 second off or slightly this way or that, the duration is slightly different, it shows up differently in one system, and the caller ID shows up slightly differently in another. We want to ensure that we are tracing back every single point on that call. I think nobody would argue that it would be a lot more efficient if we could just automatically do traceback, plug these calls in, know who signed them, and know exactly who it is, we've short-circuited the entire process.
I think no one would argue that that would be great. It's just a question of whether we can trust it. It's an indication that more work must be done for the industry to get to the point where most calls are still unsigned. In the ecosystem, there are different statistics, but that's also part of the problem: many of these calls going through the traceback process are simply not signed at this point.
Pierce Gorman: Not signed or signed by a downstream provider.
Sarah Delphey: Right. You're only getting to the same person who's already a Traceback Group member. Maybe you've short-circuited one hop in your six or seven-hop traceback process, but how much is that really buying you when many of these providers that terminate the largest ones are responding to tracebacks within ten minutes, an hour, 2 hours, whatever it is. You can get through them pretty quickly. It's just a question of value.
Pierce Gorman: It's something that needs to be worked on in the future. We've got one more pre-submitted audience question, which is: Has there been any action by the FCC against non-compliant carriers? As far as I know, there has not been any FCC action against carriers that are non-compliant with STIR/SHAKEN. I think it's the question that's being asked, Sarah. Would you agree with that?
Sarah Delphey: I'm not sure I fully understand the specific question that they're asking. There certainly has been a lot of enforcement action, but none recently. There certainly has been, and I will call it out just with the KYC, even if this wasn't the thrust of their question, that the FTC and some of their enforcement actions against service providers have been really interesting. It has laid out some very prescriptive requirements for those service providers in the final judgments and orders against them for KYC actions and customer due diligence actions that the service providers must take and are required to take.
There's a lot of inspiration we can draw there. We're not coming up with this stuff from scratch. The FCC and others have already identified this as a critical component to robocall mitigation functionality.
Pierce Gorman: They could have also been talking about non-compliance to robocall mitigation. I get focused on call authentication, but there is more to fighting robocalls than just STIR/SHAKEN.
We'd like to thank all of you for joining us today for another episode of Tuesday Talks. Thank you, Sarah, for being a wonderful guest. You can see the two of us back in action on Friday, October 21st, at the SIP Forum's STIR/SHAKEN Enterprise Summit to expand on some of the ideas discussed today.
If you'd like to know more about the importance of enterprise identity as a cornerstone of communications trust, the challenges in applying a trust framework, and some best practices for telco providers to implement KYC principles to improve their customer vetting practices, use this registration link so you can attend.
Our next live Tuesday talk session will be on Tuesday, October 11. We hope to see you there!