Comments on third-party STIR/SHAKEN signing

The FCC received in-depth, interesting comments on third-party signing in STIR/SHAKEN. We’ve summarized the comments and recurring themes. Here’s an overview.

The Commission asked for and received comments and reply comments on third-party signing as part of their Fifth Further Notice of Proposed Rulemaking (FNPRM).

In their Sixth FNPRM (¶ 97–106), the Commission stated that the comments and reply comments did not provide sufficient information to fully assess the issue and reach a decision. So they asked for further comments.

Recurring themes

Here are a few recurring themes we noticed across these comments:

  • 36% of the commenters wrote that transit provider signing can undermine STIR/SHAKEN by allowing OSP non-participants to hide bad calls amidst other calls signed by the transit provider. (We originally tallied 50% of the comments as having mentioned this theme. After a closer reading of the comments, we changed our tally.)
    • Some also pointed out that not every provider using this arrangement is doing it to hide bad calls. Many chose this approach because there was some ambiguity about the requirements, and this seemed like an easy way to comply.
  • 43% said that Originating Service Providers (OSPs) should be required to sign their calls with their own certificate to satisfy their STIR/SHAKEN obligations.
    • 29% disagreed, saying that transit provider signing, using the transit provider’s certificate, should satisfy the OSP’s STIR/SHAKEN obligations.
  • 36% expressed concern over improper attestations or attestation inflation.
  • 14% mentioned delegate certificates, specifically, that they can improve attestation level in some cases but have not been widely adopted.
  • 14% said that, if the Commission clarifies that OSPs must authenticate their calls with their own certificate and attestation level, then the Commission should allow time for transition (6 months was suggested).

Comments

There were 107 pages of comments from 14 submissions. We’ve summarized the comments below. If you’d like more information, you can click the filer’s name above each summary to read that organization’s filing.

ACA Connects—America’s Communications Association

  • The Commission should target specific practices that threaten the integrity of STIR/SHAKEN.
  • The Commission should affirm the permissibility of legitimate third-party arrangements that are working to the benefit of consumers.
  • ACA has members that act as voice resellers to supply the last-mile connection to customers. The voice service is managed by a wholesale provider, including switching and interconnection. It’s common for the voice reseller to receive telephone numbers from the wholesale provider. In these arrangements, subscribers cannot display a caller ID number that is not associated with their account.
  • ACA recognizes that third-party call authentication could raise serious concerns, such as when a provider employs a third party for call authentication to avoid scrutiny and accountability. But this doesn’t apply to ACA members, who market services to households, small businesses and legitimate enterprises. They have no incentive to conceal the source of their calls. ACA is not aware of any evidence that these providers are a vector of unlawful robocalls.

Cloud Communications Alliance

  • ATIS-1000088 says that originating service providers may sign calls using their own certificates for their end user and service provider customers. Those standards state that a provider is the originating service provider for their reseller or value-added service provider customers who serve end users but are not originating service providers.
  • There is no persuasive evidence that such arrangements undermine STIR/SHAKEN or result in assigning A- or B-level attestation for illegally spoofed calls.
  • Eliminating or restricting third-party authentication would require the expenditure of time and resources. Should the Commission take such action, it should adopt a reasonable transition period of at least six months.
  • Barring third-party authentication may lead to traffic currently receiving an A- or B-level attestation being downgraded to a C-level attestation.

INCOMPAS

  • INCOMPAS recommends that the Commission take no action that would prohibit or limit a provider’s ability to use third-party authentication to satisfy its STIR/SHAKEN obligations.
  • Providers are authenticating calls with A-level attestation when the upstream carrier sends a call using a downstream carrier’s telephone number, B-level attestation if the validated upstream provider is sending traffic with numbers that are not the carrier’s registered numbers, and C-level attestation when there is no knowledge of or connection with the end user.
  • INCOMPAS has been a vocal advocate for delegate certificates, but delegate certificate use has stalled for lack of widespread adoption.
  • The Commission should not require third parties to sign calls using the provider’s SPC token.
  • The Commission should not modify the definition of “customer” to mean “end user.”
  • The Commission should not require providers to identify third-party solutions in their Robocall Mitigation Database certifications.

National Consumer Law Center and Electronic Privacy Information Center

  • The Commission should prohibit the temporary rental of telephone numbers, a tactic used to avoid “scam likely” warnings and enable neighborhood spoofing.
  • NCLC and EPIC provided several sample advertisements for “dynamic caller ID” services intended to make the called party “assume your business is local.”
  • This improper use of rented numbers is inextricably linked to the authentication of caller IDs. (NCLC and EPIC filed more specific suggestions as an ex parte in the Number Policies docket.)
  • Even the most perfect and robust use of STIR/SHAKEN will not stop callers from hiding their real name, location, and telephone number unless the use of rented DIDs is also eliminated.

Neustar, Inc.

  • Neustar offers call authentication solutions to voice service providers with two deployment options: on-premises (i.e., SHAKEN Software) and Hosted SHAKEN (terminology from the NANC Small Provider report on STIR/SHAKEN).
  • Whether a voice service provider chooses on-premises or hosted deployment, the provider is responsible for defining and managing the policies used to sign and verify calls, including the setting of appropriate attestation levels.

New York State Public Service Commission

  • While full STIR/SHAKEN implementation is preferred, the NYSPSC believes that allowing providers to use third parties to perform caller ID authentication will aid robocall mitigation efforts while giving these providers flexibility in complying with the rules.

NCTA—The Internet & Television Association

  • The Commission should clarify that an originating service provider (OSP) may use a third-party authentication service if:
    1. The service signs calls using the OSP’s SPC token rather than the third party’s token.
    2. The OSP remains responsible for deciding the attestation level.
    3. The OSP discloses its use of a third-party authentication service in its Robocall Mitigation Database filing.
  • These criteria will provide transparency to identify the OSP originating the call and making the attestation-level decision.
  • OSPs are in the best position to determine the appropriate attestation level.
  • All OSPs will have a fair and proportionate financial stake in the STIR/SHAKEN ecosystem.
  • Identifying third-party authentication services used will increase transparency and enable the Commission to monitor compliance.
  • The Commission should couple any clarification it adopts with an appropriate transition period to promote fairness and avoid exposing providers acting in good faith to the threat of immediate liability.

NTCA—The Rural Broadband Association

  • While third-party signing services are a valuable option, the potential for bad actors to use these arrangements to undermine STIR/SHAKEN cannot be overlooked.
  • Bad actors can hide illegal robocalls amidst other calls authenticated by a third party.
  • Legitimate providers’ calls can be mislabeled spam because they’ve been commingled with bad calls leveraging third-party signing.
  • Closing this vulnerability is relatively simple: The Commission merely needs to require that all OSPs register with the STI-PA, and get their own certificates to be used to sign their calls.
  • These requirements are simple and relatively inexpensive. The low cost is outweighed by the benefit of closing a serious vulnerability that could harm consumers and undermine STIR/SHAKEN.

Numeracle

  • The Commission’s actions on third-party signing should be guided by a simple principle: The provider whose certificate is used to sign the SHAKEN PASSporT with either an A- or B-level attestation should be the entity that did a Know-Your-Customer (KYC) analysis of the caller, either directly or with the assistance of a vetting agent.
  • There are two main scenarios where a voice service provider uses a third party in call authentication:
    1. The third party handles some technical details for the OSP, and the calls are authenticated with the OSP’s certificate. This is common and should be allowed. It satisfies the letter and spirit of STIR/SHAKEN.
    2. The OSP routes calls to another service provider that uses its STIR/SHAKEN capabilities and certificate to sign the call. Under the ATIS standard, such calls should get a C attestation, but in practice, those calls are signed with a B or even an A attestation. This clearly does not meet the intent or spirit of the FCC’s rules, the intent of Congress as expressed in the TRACED Act, or the intent of the SHAKEN standard.
  • A provider using a third-party authentication service needs a way to send or configure the attestation level it determines to a third-party authentication service. It does not need to send KYC information. (Numeracle described various methods to convey the attestation level.)
  • The Commission should mandate that a provider explicitly state its KYC standards in its robocall mitigation plan.
  • Getting calls signed as soon as possible in the call flow greatly helps in finding sources of illegal traffic.
  • The Commission should clarify that, for the STIR/SHAKEN standard, a “customer” refers to a communicating end entity, not a communications service provider.
  • The Commission should require all providers to sign calls with their own SPC token and verify in the Robocall Mitigation Database that they are registered for their SPC token through the STI-PA.

Somos, Inc.

  • The Commission should explicitly permit third-party authentication by RespOrgs for calls placed from Toll-Free Numbers (TFNs) as described in ATIS-1000093.
  • The Commission should mandate that all service providers accept delegate certificates as outlined in ATIS-1000093.
    • Somos understands that some service providers will not accept any delegate certificates, rendering the ATIS-1000093 standard useless.
    • Without delegate certificate acceptance, enterprises placing legitimate outbound calls from TFNs cannot achieve the A-level attestation they deserve, which harms the enterprise’s brand, decreases trust, and damages the integrity of TFNs.

Transaction Network Services, Inc.

  • Improper over-attestations are far too common in the current STIR/SHAKEN ecosystem.
  • Up to 10% of calls using invalid calling numbers that are sent by non-top tier carriers (i.e., carriers other than the seven largest in the U.S.) were sent with A-level attestation.
  • The Commission should charge the Enforcement Bureau with reviewing improper attestation issues referred by outside parties. It could use the Private Entity Robocall and Spoofing Portal to accommodate reports of improper attestation.

TransNexus

  • “Third-party signing” is a confusing and misleading way of thinking about this problem. “OSP non-participation” and “transit provider signing” are clearer, more accurate ways to describe the issue.
    • Hosted SHAKEN and Carrier SHAKEN, as described in the NANC Small Provider SHAKEN report, are fine. Although they involve a third party, the OSP is still participating in the SHAKEN ecosystem and signing its calls with its certificate using an attestation level that it determines.
  • OSP non-participation undermines STIR/SHAKEN and robocall prevention.
  • OSP non-participation does not follow the STIR/SHAKEN standards.
  • OSP non-participation does not comply with the Commission’s rules.
  • The Commission should issue a Declaratory ruling stating that a provider cannot claim a STIR/SHAKEN implementation unless it:
    • Is registered with the STI-PA to receive SPC tokens,
    • Obtains a SHAKEN certificate from an STI-CA,
    • Uses its certificate to create digital signatures (or has its digital signature created by a service on its behalf) authenticating itself as the signing entity for call authentication information, and
    • Performs STIR/SHAKEN caller ID authentication and verification as described in CFR 64.6301(a) in conformity with the STIR/SHAKEN standards.

USTelecom—The Broadband Association

  • The Commission need not restrict third-party signing. Instead, it should be permitted so long as the call is signed using the provider’s token.
  • This will provide the accountability the STIR/SHAKEN framework is designed to facilitate.
  • The Commission should clarify that, for STIR/SHAKEN, “customer” should refer to the individual or entity that procured voice service from the provider.

ZipDX LLC

  • The originating voice service provider must meet all its obligations, including authenticating its calls using STIR/SHAKEN signed with its signature created by a certificate that identifies it as the originating service provider.
  • Only an originating voice service provider can sign calls with an A- or B-level attestation.
    • Downstream transit providers are involved in something that is broken if they accept unsigned calls. If they are signing those calls with their own certificate using A- or B-level attestation, then they are making things worse. C-level attestation is appropriate, and it serves as a confession that the system is not working properly.
  • For every call, there must be one and only one originating voice service provider, and their A- or B-level signature with their name must appear on that call.