STIR/SHAKEN and Robocall Mitigation

Spam and illegal robocalls are currently the number one source of consumer complaints at the FCC. What was once an annoyance has become a plague to U.S consumers receiving billion of robocalls every month. In the United States, both the FCC, through rule-making, and Congress, through legislative initiatives, have been active to stop this problem.  

Download Brochure

Below is a timeline and the highlights of these efforts.

event

On November 17, 2017, the FCC issued FCC 17-151 Report and Order and Further Notice of Proposed Rulemaking.  This ruling allowed:

  • Voice service providers to block calls from phone numbers on a Do-Not-Originate (DNO) list and those that purport to be from invalid, unallocated, or unused numbers.
  • The FCC further indicated that voice service providers do “not” require consumer opt-in for them to be allowed to do this network-level blocking based the specific types of calls outlined in the order.
event

On June 6. 2019, the FCC issued FCC 19-51, a Declaratory Ruling clarifying that voice service providers may:

  • Offer opt-out call blocking programs based on any reasonable analytics designed to identify unwanted calls.
  • This ruling also allows voice service providers to offer their customers “white list” programs, which only allow certain calls to be completed, requiring informed, opt-in consent.

In conjunction with the Declaratory Ruling, the FCC issued a Third Further Notice of Proposed Rulemaking that:

  • Proposes to create a safe harbor for voice service providers that block calls for which Caller ID authentication fails and seek comment on extending the safe harbor to the blocking of calls that are unsigned.
  • Proposes to require voice service providers that block calls to ensure that emergency calls reach consumers.
  • Seeks comment on protections and remedies for callers whose calls are erroneously blocked.
event

On December 31, 2019, the TRACED Act which was signed into law to specifically address the robocall problem. The law:

  • Gives the Federal Communications Commission (FCC) more authority to go after the scammers responsible for unwanted robocalls. It allows the FCC to go after scammers the first time they break the law and extends the statute of limitations by up to four years in some cases. It also ups the financial penalties against robocallers.
  • Encourages stronger Justice Department criminal prosecution of unlawful robocalls by requiring the FCC to provide the DOJ with evidence of criminal robocall violations.
  • Requires all carriers to eventually implement new technologies to authenticate caller-ID information, preventing call spoofing -- at no additional line-item cost to consumer.
event

On March 31, 2020, the FCC issued FCC 20-42 Report and Order and Further Notice of Proposed Rulemaking, which:

  • Mandated all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021
  • Takes public comment on expanding the STIR/SHAKEN implementation mandate to cover intermediate voice service providers, extending the implementation deadline by one year for small voice service providers, and adopting requirements to promote caller ID authentication on voice networks that do not rely on IP technology
event

On July 16, 2020, The FCC issued FCC 20-96 Third Report and Order, Order on Reconsideration, and Fourth Further Notice of Proposed Rulemaking. This ruling:

  • Provides a call-by-call safe harbor for unintended or inadvertent blocking of wanted calls where terminating voice service providers block based on reasonable analytics that include caller ID authentication information and the consumer is given the opportunity to opt-out
  • Allows voice service provider to block calls from certain bad-actor upstream voice service providers. Specifically, they may block calls from an upstream voice service provider that, when notified that it is carrying bad traffic by the Commission, fails to effectively mitigate such traffic or fails to implement effective measures to prevent new and renewing customers from using its network to originate illegal calls
event

On September 29, 2020, the FCC issued FCC 20-136 Second Report and Order This ruling:

  • Expanded the STIR/SHAKEN requirements to include all voice service providers, including those considered as over-the-top providers
  • Granted a two-year extension to the deadline to implement Caller ID Authentication based on the following attributes:
    • Small, rural voice service providers with fewer than 100,000 subscriber lines
    • Any voice service provider who cannot obtain a certificate from the STIR/SHAKEN Governance Authority
    • Any voice service provider which materially relies on a non-IP (TDM) network for the provision of voice services
  • Stated that voice service providers subject to the extension are required to
    • Have an appropriate robocall mitigation program to prevent unlawful robocalls from originating on the network of the provider
    • Respond fully and in a timely manner to all traceback requests from the Commission, civil law enforcement, criminal law enforcement, and the industry traceback consortium.
  • Did not mandate a specific solution for applying STIR/SHAKEN to TDM networks, but rather continued to encourage the industry to solve this problem
  • Required intermediate carriers to pass any Identity header (unaltered) that they receive to the terminating voice service provider or subsequent intermediate provider in the call path. It also mandated that intermediate carriers agree to participate in the traceback program
event

On December 29, 2020, the FCC issued FCC 20-187 Fourth Report and Order. This ruling:

  • Expanded the safe harbor based on reasonable analytics to cover network-based blocking if the network-based blocking incorporates caller ID authentication information where available. This can be done without customer opt-in or opt-out
  • A terminating voice service provider must ensure its network-based blocking targets only calls highly likely to be illegal not simply unwanted
  • And a terminating voice service provider must have in place a process to reasonably determine that the particular call pattern is highly likely to be illegal prior to blocking calls
  • Requires terminating voice service providers that block calls to immediately notify callers of such blocking using specific, existing codes when blocking calls. The FCC requires terminating voice service providers that block calls on an IP network return SIP Code 607 or 608, as appropriate. Both of these codes are designed to be used for call blocking. Because SIP codes are not available on non-IP networks, the FCC requires that terminating voice service providers that block calls on a TDM network return ISUP code 21, with the cause location to be “user”
  • Gives voice service providers until January 1, 2022, approximately 12 months after the adoption of this Order, to comply with the immediate notification requirements
event

On April 20, 2021, the FCC issued DA 21-454, a Public Notice Announcing Opening of Robocall Mitigation Database and Filing Instructions and Deadlines. This public notice provided the following information:

  • The FCC’s Wireline Competition Bureau announced the availability of the Robocall Mitigation Database. Voice service providers are required to file their certifications providing detailed information regarding their implementation of the STIR/SHAKEN caller ID authentication framework and/or a robocall mitigation program. Certificate filing must be done by June 30, 2021.
  • When filing, the voice service provider needs to certify that their traffic is either fully, partially, or not yet signed with STIR/SHAKEN.  If the traffic is not fully signed with STIR/SHAKEN, they the voice service provider is required to certify that some or all of the calls they originate are subject to a robocall mitigation program and submit additional information with specific reasonable steps taken under a program to avoid originating illegal robocalls. Voice service providers also need to make a commitment to respond to traceback requests and to cooperate with investigating and stopping illegal robocalls.
  • Beginning September 28, 2021, intermediate providers and terminating voice service providers will be prohibited from accepting traffic from voice service providers not listed in the Robocall Mitigation Database.

 

As the industry moves forward to implement STIR/SHAKEN and robocall mitigation solutions, Ribbon participates in these efforts with the goal of ensuring calls can be properly authenticated, signed, and verified, in order to return trust to phone calls we all receive.

STIR/SHAKEN Standards

To overcome the influx of unwanted calls in the service providers network, the industry has created two new standards: STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards. Together, these two standards, create the framework to ensure every SIP-signaled call has a certificate of authenticity attached to it — a digital signature — that allows service providers verify caller ID to mitigate unwanted robocalls and prevents bad actors from using Caller ID spoofing. With STIR/SHAKEN, service providers can restore their end customer’s trust in validity of caller ID.

stir-shaken-sam-phones

Ribbon Support for STIR/SHAKEN

Service providers can choose between two Ribbon STIR/SHAKEN solutions:

settings_input_antenna

Service provider owned and deployed within the service provider’s network

cloud

Ribbon hosted STIR/SHAKEN
as a Service (S/SaaS)

Ribbon STIR/SHAKEN

Ribbon STIR/SHAKEN Solution Deployed By Service Provider

Ribbon offers voice service providers a complete solution to deploy STIR/SHAKEN.  This solution encompasses all the components that are integral to, and required for, caller identity authentication, signing, verification and certificate management.

  • Call controllers, session border controllers, and policy & routing servers that initiate call authentication or call verification requests and handle the responses from the Secure Telephone Identity (STI) domain
  • Secure Telephone Identity - Authentication Service (STI-AS) and the associated functions of Service Provider Key Management Service (SP-KMS) and Secure Key Store (SKS) to process originating network requests for signed assertion of caller’s identity
  • Secure Telephone Identity - Verification Service (STI-VS) and the associated function of Secure Telephone Identity Certificate Repository (STI-CR) to process terminating network requests for certificate verification of a caller’s identity.  Note: Ribbon provides the STI-CR function as a cloud-hosted service on Ribbon Identity Hub
  • Secure Telephone Identity – Certificate Authority (STI-CA) providing the following capabilities:
    • Accept SHAKEN Certificate Signing Requests (CSRs) for new certificates
    • Automatically validate Service Provider Code (SPC) Tokens and issue standards-compliant SHAKEN signing certificates that include the required Telephone Number Authorization List extension.
    • Revoke certificates if needed and notify the Secure Telephone Identity – Policy Administrator (STI-PA).
    • Note:  Ribbon provides the STI-CA function as a cloud-hosted service on Ribbon Identity Hub

Ribbon STI is compliant with ATIS-1000082 and RFC8224/8225/8226. Ribbon STI implements the ATIS-82 server side specifications and can be deployed within a service provider’s network When deployed in an originating voice service provider’s network, Ribbon’s STI solution will receive call authentication requests, provide all the steps necessary to process these requests and respond with signed assertion of caller’s identity. Following STI authentication and signing, the signature information will be passed back to the authentication request originator to be forward to the next network hop.

When deployed in a terminating voice service provider’s network, Ribbon’s STI solution will receive call verification requests, provide all the steps necessary to process these requests and respond with the appropriate verification of caller’s identity. Following STI certificate verification, the verification information will be passed back to the verification request originator.

 

Ribbon-STI-diagram

Ribbon STIR/SHAKEN as a Service

Select Ribbon’s STIR/SHAKEN (S/SaaS) solution to take advantage of a cloud-hosted managed service instead of implementing a STIR/SHAKEN-compliant Secure Telephone Identity solution within your own network. Allow Ribbon to take care of all the STIR/SHAKEN authentication, signing, verification, and certificate management services as described above. The service provider’s only obligation is to have a Session Border Controller (SBC) for interworking with the Ribbon hosted service. As part of the response to the SBC, Ribbon’s S/SaaS can instruct the SBC to perform a specific call validation treatment, based on the verification information.

This hosted service is offered by Ribbon in a standard SaaS model where the service is consumed on a usage basis.

Download Solution Brief

Hosted-STI-diagram

Controlled Networks chooses Ribbon STIR/SHAKEN