Robocalls and Small Carriers

In July, NTCA filed comments in the FCC docket that is looking at an industry-wide solution to fight against robocalls. The comments outline some major concerns about the ability of small carriers to participate in the process.

The industry solution to stop robocalls, which I have blogged about before, is being referred to as SHAKEN/STIR. This new technology will create an encrypted token that verifies that a given call really originated with the phone number listed in the caller ID. Robocalls can’t get this verification token. Today, robocallers spoof telephone numbers, meaning that they insert a calling number into the caller ID that is not real. These bad actors can make a call look like it’s coming from any number – even your own!

On phones with visual caller ID, like cellphones, a small token will appear to verify that the calling party is really from the number shown. Once the technology has been in place for a while, people will learn to ignore calls that don’t come with the token. If the industry does this right, it will become easier to spot robocalls, and I imagine a lot of people will use apps that will automaticlly block calls without a token.

NTCA is concerned that small carriers will be shut out of this system, causing huge harm to them and their customers. Several network prerequisites must be in place to handle the SHAKEN/STIR token process. First, the originating telephone switch must be digital. Most, but not all small carriers now use digital switches. Any telco or CLEC using any older non-digital switch will be shut out of the process, and to participate they’d have to buy a new digital switch. After the many-year decline in telephone customers, such a purchase might be hard to cost-justify. I’m picturing that this might also be a problem for older PBXs – the switches operated by private businesses. The world is full of large legacy PBXs operated by universities, cities, hospitals and large businesses.

Second, the SHAKEN/STIR solution is likely to require an expensive software upgrade for the carriers using digital switches. Again, due to the shrinking demand for selling voice, many small carriers are going to have a hard time justifying the cost of a software upgrade. Anybody using an off-brand digital switch (several switch vendors folded over the last decade) might not have a workable software solution.

The third requirement to participate in SHAKEN/STIR is that the entire path connecting a switch to the public switched telephone network (PSTN) must be end-to-end digital. This is a huge problem and most small telcos, CLECs, cable companies, and other carriers connect to the PSTN using the older TDM technology (based upon multiples of T1s).

You might recall a decade ago there was a big stir about what the FCC termed a ‘digital transition’. The FCC at the time wanted to migrate the whole PSTN to a digital platform largely based upon SIP trunking. While there was a huge industry effort at the time to figure out how to implement the transition, the effort quietly died and the PSTN is still largely based on TDM technology.

I have clients who have asked for digital trunking (the connection between networks) for years, but almost none of them have succeeded. The large telcos like AT&T, Verizon, and CenturyLink don’t want to spend the money at their end to put in new technology for this purpose. A request to go all-digital is either a flatly refused, or else a small carrier is told that they must pay to transport their network traffic to some distance major switching point in places like Chicago or Denver – an expensive proposition.

What happens to a company that doesn’t participate in SHAKEN/STIR? It won’t be pretty because all of the calls originating from such a carrier won’t get a token verifying that the calls are legitimate. This could be devastating to rural America. Once SHAKEN/STIR is in place for a while a lot of people will refuse to accept unverified calls – and that means calls coming from small carriers won’t be answered. This will also affect a lot of cellular calls because in rural America those calls often originate behind TDM trunking.

We already have a problem with rural call completion, meaning that there are often problems trying to place calls to rural places. If small carriers can’t participate in SHAKEN/STIR, after a time their callers will have real problems placing calls because a lot of the world won’t accept calls that are not verified with a token.

The big telcos have assured the FCC that this can be made to work. It’s my understanding that the big telcos have mistakenly told the FCC that the PSTN in the country is mostly all-digital. I can understand why the big telcos might do this because they are under tremendous pressure from the FCC and Congress to tackle the robocall issue. These big companies are only looking out for themselves and not the rest of the industry.

I already had my doubts about the SHAKEN/STIR solution because my guess is that bad actors will find a way to fake the tokens. One has to only look back at the decades-old battles against spam email and against hackers to understand that it’s going to require a back-and-forth battle for a long time to solve robocalling – the first stab of SHAKEN/STIR is not going to fix the problem. The process is even more unlikely to work if it doesn’t function for large parts of the country and for whole rural communities. The FCC needs to listen to NTCA and other rural voices and not create another disaster for rural America.

Fighting Spoofing

One of the biggest problems with the telephone network today is spoofing – where robocalls are generated using stolen numbers to mask the identity of the caller. Spoofing and robocalls are the biggest source of complaints to the FCC and NANC (the North American Numbering Council) reports that in 2016 there were 2.4 billion robocalls per month – a number that has surely grown. As recently as a year ago I rarely got robocalls on my cellphone but now get half a dozen per day.

The FCC called upon NANC to find a solution to the problem. NANC used the Call Authentication Trust Anchor Working Group to find a solution to the problem. In May of this year the FCC accepted the recommendations of this group to implement a ‘taken’ system to authenticate that calling numbers are authentic.  Last week Chairman Ajit Pai asked the industry to speed up implementation of the solution, warning that the FCC would issue an order to do so if the industry didn’t solve the problem quickly.

The proposed solution involves a new process used to authenticate the originating telephone number for calls. The concept is to issue ‘tokens’ to carriers that allow them to authenticate, in real-time, that the originating number of a telephone call is really from the party that owns the number. This will mean a whole new overlay on the PSTN to make this validation quickly before a call is terminated.

In addition to developing the specifications for how the process will work, the NANC working group recommended the following industry process for making this work:

  • The industry needs to select a governance authority to take ownership of the process so that it’s implemented uniformly across the industry;
  • The working group also recommended that a policy administrator be chosen that will administer the day-to-day implementation of the new process;
  • The working group also recommended specific roles and responsibilities for the governance authority and policy administrator;
  • Set the goal to have those two entities in place within a year. I think the FCC Chairman’s frustration is due to the fact that this was recommended in May 2018 and I don’t think that the governance authority or policy administrator have been chosen.

Of course, this means a new industry protocol and process and comes with a slew of new acronyms. Primary among this is SHAKEN which represents new SIP protocols used specifically for purpose of creating the all authentication tokens. Also used is STIR (secure telephone identity revisited) which is the IETF group that created the specific protocols for telephony. This leads to the cute acronym SHAKEN/STIR which is being used to describe the whole process (and which would definitely not be approved by James Bond).

The working specifications recognize that what is being prepared is just the first step in the process. They understand that as soon as they implement any solution that spammers will instantly begin looking for workarounds. The initial concept is to first begin be implementing this with the largest carriers and that will still leave a lot of holes with numbers assigned to smaller carriers, numbers deep inside PBX trunk groups, numbers used for Internet calling like Skype. However, the goal is to eventually cover the whole industry.

The concept is that this is going to have to be a dynamic process. I envision it much like the software companies that build spam filters. The group making this work will have to constantly create patches to fix vulnerabilities used by spammers. I have my doubts that anything like this will ever fully stop spoofing and that spammers will always be one step ahead of the spoofing police.

This is a concern for small carriers because it sounds like something new that a voice provider is going to have to pay for. It’s likely that there will be vendors that can do this for small carriers, but that sounds like another check to write to be able to provide voice service.