STIR/SHAKEN and Robocall Mitigation

Illegal robocalls are currently the number one source of consumer complaints at the FCC. What was once an annoyance has become a plague to U.S consumers receiving billion of robocalls every month. In the United States, both the FCC, through rule-making, and Congress, through legislative initiatives, have been active to address this problem.

Download Brochure

Below is a timeline and the highlights of these efforts.

event

On November 17, 2017, the FCC issued FCC 17-151 Report and Order and Further Notice of Proposed Rulemaking.  This ruling allowed:

  • Voice service providers to block calls from phone numbers on a Do-Not-Originate (DNO) list and those that purport to be from invalid, unallocated, or unused numbers.
  • The FCC further indicated that voice service providers do “not” require consumer opt-in for them to be allowed to do this network-level blocking based the specific types of calls outlined in the order.
event

On June 6. 2019, the FCC issued FCC 19-51, a Declaratory Ruling clarifying that voice service providers may:

  • Offer opt-out call blocking programs based on any reasonable analytics designed to identify unwanted calls.
  • This ruling also allows voice service providers to offer their customers “white list” programs, which only allow certain calls to be completed, requiring informed, opt-in consent.

In conjunction with the Declaratory Ruling, the FCC issued a Third Further Notice of Proposed Rulemaking that:

  • Proposes to create a safe harbor for voice service providers that block calls for which Caller ID authentication fails and seek comment on extending the safe harbor to the blocking of calls that are unsigned.
  • Proposes to require voice service providers that block calls to ensure that emergency calls reach consumers.
  • Seeks comment on protections and remedies for callers whose calls are erroneously blocked.
event

On December 31, 2019, the TRACED Act which was signed into law to specifically address the robocall problem. The law:

  • Gives the Federal Communications Commission (FCC) more authority to go after the scammers responsible for unwanted robocalls. It allows the FCC to go after scammers the first time they break the law and extends the statute of limitations by up to four years in some cases. It also ups the financial penalties against robocallers.
  • Encourages stronger Justice Department criminal prosecution of unlawful robocalls by requiring the FCC to provide the DOJ with evidence of criminal robocall violations.
  • Requires all carriers to eventually implement new technologies to authenticate caller-ID information, preventing call spoofing -- at no additional line-item cost to consumer.
event

On March 31, 2020, the FCC issued FCC 20-42 Report and Order and Further Notice of Proposed rulemaking, which:

  • Mandated all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021
  • Takes public comment on expanding the STIR/SHAKEN implementation mandate to cover intermediate voice service providers, extending the implementation deadline by one year for small voice service providers, and adopting requirements to promote caller ID authentication on voice networks that do not rely on IP technology
event

On July 16, 2020, The FCC issued FCC 20-96 Third Report and Order, Order on Reconsideration, and Fourth Further Notice of Proposed Rulemaking. This ruling:

  • Provides a call-by-call safe harbor for unintended or inadvertent blocking of wanted calls where terminating voice service providers block based on reasonable analytics that include caller ID authentication information and the consumer is given the opportunity to opt-out
  • Allows voice service provider to block calls from certain bad-actor upstream voice service providers. Specifically, they make block calls from an upstream voice service provider that, when notified that it is carrying bad traffic by the Commission, fails to effectively mitigate such traffic or fails to implement effective measures to prevent new and renewing customers from using its network to originate illegal calls
event

On September 29, 2020, the FCC issued FCC 20-136 Second Report and Order This ruling:

  • Expanded the STIR/SHAKEN requirements to include all voice service providers, including those considered as over-the-top providers
  • Granted a two-year extension to the deadline to implement Caller ID Authentication based on the following attributes:
    • Small, rural voice service providers with fewer than 100,000 subscriber lines
    • Any voice service provider who cannot obtain a certificate from the STIR/SHAKEN Governance Authority
    • Any voice service provider which materially relies on a non-IP (TDM) network for the provision of voice services
  • Required voice service providers subject to the extension are required to have an appropriate robocall mitigation program to prevent unlawful robocalls from originating on the network of the provider
  • Did not mandate a specific solution for applying STIR/SHAKEN to TDM networks, but rather continued to encourage the industry to solve this problem
  • Required intermediate carriers to pass any Identity header (unaltered) that they receive to the terminating voice service provider or subsequent intermediate provider in the call path. It also mandated that intermediate carriers agree to participate in the traceback program
event

On December 29, 2020, the FCC issued FCC 20-187 Fourth Report and Order. This ruling:

  • Expanded the safe harbor based on reasonable analytics to cover network-based blocking if the network-based blocking incorporates caller ID authentication information where available. This can be done without customer opt-in or opt-out
  • A terminating voice service provider must ensure its network-based blocking targets only calls highly likely to be illegal not simply unwanted
  • And a terminating voice service provider must have in place a process to reasonably determine that the particular call pattern is highly likely to be illegal prior to blocking calls
  • Requires terminating voice service providers that block calls to immediately notify callers of such blocking using specific, existing codes when blocking calls. The FCC requires terminating voice service providers that block calls on an IP network return SIP Code 607 or 608, as appropriate. Both of these codes are designed to be used for call blocking. Because SIP codes are not available on non-IP networks, the FCC requires that terminating voice service providers that block calls on a TDM network return ISUP code 21, with the cause location to be “user”
  • Gives voice service providers until January 1, 2022, approximately 12 months after the adoption of this Order, to comply with the immediate notification requirements
event

On April 20, 2021, the FCC issued DA 21-454, a Public Notice Announcing Opening of Robocall Mitigation Database and Filing Instructions and Deadlines. This public notice provided the following information:

  • The FCC’s Wireline Competition Bureau announced the availability of the Robocall Mitigation Database. Voice service providers are required to file their certifications providing detailed information regarding their implementation of the STIR/SHAKEN caller ID authentication framework and/or a robocall mitigation program. Certificate filing must be done by June 30, 2021.
  • When filing, the voice service provider needs to certify that their traffic is either fully, partially, or not yet signed with STIR/SHAKEN.  If the traffic is not fully signed with STIR/SHAKEN, they the voice service provider is required to certify that some or all of the calls they originate are subject to a robocall mitigation program and submit additional information with specific reasonable steps taken under a program to avoid originating illegal robocalls. Voice service providers also need to make a commitment to respond to traceback requests and to cooperate with investigating and stopping illegal robocalls.
  • Beginning September 28, 2021, intermediate providers and terminating voice service providers will be prohibited from accepting traffic from voice service providers not listed in the Robocall Mitigation Database.

 

As the industry moves forward to implement STIR/SHAKEN and robocall mitigation solutions, Ribbon participates in these efforts with the goal of ensuring calls can be properly authenticated, signed, and verified, in order to return trust to phone calls we all receive.

STIR/SHAKEN Standards

To overcome the influx of unwanted calls in the service providers network, the industry has created two new standards: STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards. Together, these two standards, create the framework to ensure every SIP-signaled call has a certificate of authenticity attached to it — a digital signature — that allows service providers verify caller ID to mitigate unwanted robocalls and prevents bad actors from using Caller ID spoofing. With STIR/SHAKEN, service providers can restoretheir end customer’s trust in validity of caller ID.

stir-shaken-sam-phones

Ribbon Support for STIR/SHAKEN

Service providers can choose between two Ribbon STIR/SHAKEN solutions:

settings_input_antenna

Service provider owned and deployed within the service provider’s network

cloud

Ribbon hosted STIR/SHAKEN
as a Service (S/SaaS)

Ribbon STIR/SHAKEN

Ribbon STIR/SHAKEN Solution Deployed By Service Provider

Ribbon SBCs, PSX, and GSX have been validated on their compliance with the caller authentication standards developed by the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS).

In an originating service provider's network Ribbon’s Call Controllers can attest to the originator’s identity and provide a tag the call accordingly before it sends a SIP invite to the SBC or GSX. The SBC or GSX will generate and pass an authorization request to the PSX. In turn, the PSX routes the authentication request to the STI function, whether that is provided by Ribbon or any certified 3rd party. Following STI authentication and signing, the PSX will receive signature information and pass that back to the SBC or GSX to be forward to the next network hop.

In the terminating service provider's network the SBC or GSX will generate a verification request and send it to the PSX to be forwarded to the STI function. Following STI signature verification, the PSX will receive the verification information and pass it back to the SBC or GSX. In addition, the PSX can instruct the SBC or the GSX to perform a specific call validation treatment, based on the verification information.

Both the SBC and the GSX have flexible handling of error conditions, e.g. “reject the call”, “continue with the call”, or “continue with the call and remove Identity header” if signature verification fails. And if the call terminates with a Ribbon Call Controller, it too will provide verification status reporting.

call-trust-diagram

Ribbon STIR/SHAKEN as a Service

Select Ribbon’s S/SaaS solution to take advantage of a cloud-hosted managed service instead of implementing a STIR/SHAKEN-compliant Secure Telephone Identity product within your own network. With this solution, Ribbon takes care of all the STIR/SHAKEN authentication, signing, verification, and certificate repository services. The service provider’s only obligation is to have a Session Border Controller (SBC) for interworking with the Ribbon hosted service. As part of the response to the SBC, Ribbon’s S/SaaS can instruct the SBC to perform a specific call validation treatment, based on the verification information.

This hosted service is offered by Ribbon in a standard SaaS model where the service is consumed on a usage basis.

Download Solution Brief

Hosted-STIR-SHAKEN-Service-diagram

Controlled Networks chooses Ribbon STIR/SHAKEN