FCC Meets on Implementing TRACED Act

Amid the COVID-19 pandemic, the FCC met remotely on Tuesday March 31, 2020 and took the next step in implementing the TRACED Act.

The TRACED Act was enacted on December 30, 2019, with the stated purpose of “helping to reduce illegal and unwanted robocalls” through numerous mechanisms. Along with other provisions directed at addressing robocalls, the TRACED Act directed the FCC to require, no later than 18 months from enactment, all voice service providers to implement STIR/SHAKEN in the IP portions of their networks and implement an effective caller ID authentication framework in the non-IP portions of their networks.

The FCC Order issued on March 31, adopted by unanimous vote of the five-member commission, mandates that all voice service providers implement the STIR/SHAKEN caller ID authentication framework in the IP portions of their networks by June 30, 2021. [The full text of the order can be found here: https://www.fcc.gov/document/mandating-stirshaken-combat-spoofed-robocalls-0.] This order is a follow up on the on a previous declaratory ruling where the FCC promised to require voice service providers to implement this framework if they did not voluntarily do so by the end of 2019.

The STIR/SHAKEN process relies on the service provider that originates the call providing encrypted identification information and a key for the information to be decoded. The service provider of the number receiving the call then sends the information and key to a verification service, which could be internal or external, to determine whether the encrypted information matches the unencrypted information. The verification service then sends the results to the service provider of the number receiving the call.

The STIR/SHAKEN framework also allows the originating service provider to provide levels of “attestation” as to the identity of the caller. This includes (1) that the provider can confirm the identity of the subscriber making the call and the subscriber is associated with the number, (2) that it can confirm the identity of the subscriber, but not the telephone number and (3) that a call originated outside the IP network, such as abroad or on a non-IP network.

Critics of the STIR/SHAKEN process claim that it does not go far enough to protect consumers because it only works on the internet protocol (“IP”) portions of a provider’s network. Technology for verifying the identity of a caller not using an IP network is still in its early stages of development, but the FCC has requested feedback on this process as the TRACED Act directs that, not later than June 30, 2021, voice service providers must take “reasonable measures” to implement an effective caller ID authentication framework in the non-IP portions of their networks.

For the STIR/SHAKEN process to work, each voice service provider must have its own certificate that validates the provider’s identity and shows that the provider is authorized to authenticate a caller. The FCC has laid out the following necessary roles in order to regulate and administer the certificates:

(1) Governance Authority to define the policies and procedures for which entities can issue or acquire certificates;

(2) Policy Administrator to apply the rules set by the governance authority, confirm that certification authorities are authorized to issue certificates, and confirm voice service providers are authorized to request and receive certificates;

(3) Certification Authorities to issue the certificates; and

(4) Voice Service Providers to function as call initiators that request certificates and call recipients that check with Certification Authorities to ensure that the certificates they receive were issued by the correct Certification Authority.

Currently, the Secure Telephone Identity Governance Authority (STI-GA), comprised of a diverse representation of stakeholders from across the industry, fills the Governance Authority role. The STI-GA selected the Policy Administrator, iconectiv, in May 2019. In December 2019, inconectiv approved the first Certification Authorities and announced that voice service providers were now able to register with inconectiv to obtain the credentials necessary to receive certificates.

As of the end of 2019, AT&T, Bandwidth, Charter, Comcast, Cox, T-Mobile, and Verizon had upgraded their networks to support STIR/SHAKEN. Other voice service providers, including Frontier, Sprint, U.S. Cellular, and Vonage, have performed necessary network upgrades as of the end of 2019, but only begun the negotiating and testing phase of exchanging authenticated traffic with other voice service providers. CenturyLink, TDS, and Google reported limited progress in making the necessary network upgrades.

The in issuing its March 31, 2020 order, the FCC determined that despite the list of providers taking action to implement STIR/SHAKEN, timely ubiquitous implementation required government action. The support of attorneys general of all fifty states and the District of Columbia, consumer groups, and major voice service providers, in addition to the language of the TRACED Act encouraged the FCC to issue the June 30, 2021 deadline.

All types of voice service providers including wireline, wireless, and Voice over Internet Protocol (VoIP) providers, must comply with this June 30, 2021 deadline. Although there may be some exceptions for small providers with non-IP networks, this implementation is likely to come at a substantial cost. The FCC estimates that there are approximately 2,600 voice service providers together would spend between roughly $39 million and $780 million annually in operating costs alone for the STIR/SHAKEN process. These numbers do not include the tens of millions of dollars that the largest service providers either have spent of have to spend just getting the STIR/SHAKEN systems up and running.

The FCC determined that the implementation and operating costs of the STIR/SHAKEN system were well worth it given the potential cost savings to consumers. The FCC estimates that ubiquitous STIR/SHAKEN implementation will eliminate over $3 billion annually in wasted time and nuisances caused by illegal scam robocalls. More importantly, STIR/SHAKEN paired with call analytics will help to protect American consumers from fraudulent robocall schemes that cost approximately $10 billion annually.

In order to complete the implementation of the caller ID authentication in section 4 of the TRACED Act, the FCC seeks further comments on the topics:

• Whether the definition the FCC adopted of the “STIR/SHAKEN authentication framework,” defined as “the secure telephone identity revisited and signature-based handling of asserted information using tokens standards,” is sufficient for implementation of the TRACED Act;

• The definition of “providers of voice service;”

• Expanding STIR/SHAKEN to intermediate providers;

• The burdens and barriers to implementation for the classes of providers identified, particularly the burdens presented by equipment availability and cost;

• The two provisions for extension of the June 30, 2021 deadline for (1) undue hardship and (2) if the servicer materially relies on a non-IP network;

• What constitutes “reasonable measures” for implementation of effective caller ID authentication framework for non-IP networks;

• How to define consumer or small business for the purposes of the prohibition under the TRACED Act of voice service providers charging line item fees to consumer of small businesses;

• How to address issues with potential confusion over labeling of robocalls; and

• How section 6(a) of TRACED Act’s directive of reducing access to both toll free and non-toll free numbering resources by potential perpetrators of illegal robocalls can be implemented.

The period for comments expires on May 15, 2020 and replies are due by May 29, 2020.