[VoiceOps] STIR/SHAKEN warning!

Tue Jul 4 13:24:26 EDT 2023

Some additional perspective on STIR/SHAKEN signing requirements. This is not
legal advice; for that, turn to your qualified attorney well-versed in
applicable telecommunications regulations (US Federal and State).

Several relevant STIR/SHAKEN regulations are here:
https://www.law.cornell.edu/cfr/text/47/part-64/subpart-HH.

In particular, § 64.6301(a)(2) says that "a voice service provider shall ...
Authenticate caller identification information for all SIP calls it
originates and that it will exchange with another voice service provider or
intermediate provider and, to the extent technically feasible, transmit that
call with authenticated caller identification information to the next voice
service provider or intermediate provider in the call path."

§ 64.6300(a) says "The term 'authenticate caller identification information'
refers to the process by which a voice service provider attests to the
accuracy of caller identification information transmitted with a call it
originates."

What Mary has said is consistent with this. If you are the originating Voice
Service Provider, the call must be authenticated by you -- it must carry
your signature. You can instruct somebody else to apply your signature per
your specifications (including the level of attestation). But if you are the
originating provider, the signature has to be yours.

§ 64.6300(n) says "voice service" is one that "furnishes voice
communications to an end user using resources from the North American
Numbering Plan." So if your caller is using +1 numbers, then presumably you
are a voice service provider covered by these rules. The rule doesn't
specify whether you (or your customer) have to be in the United States or
not; so I assume the rules apply globally. Also, interestingly, this
particular rule doesn't seem to exclude NANP numbers that are not USA
numbers, so the rule appears to apply to those calling with Canadian numbers
and other non-USA +1 numbers. Different people might read the rule
differently regarding FROM and TO numbers. Some might argue that if the FROM
number is NOT a NANP number, even if the TO number is, then the rules do not
apply.

But it seems clear that if the call is FROM a NANP number, TO a NANP number,
then you as the originating service provider would be required to
authenticate that call with your signature (regardless of where in the world
you and/or your customer are located).

Paul alluded to limitations on the FCC's authority with respect to geography
-- at least constraints on their ability to enforce. The FCC controls their
Robocall Mitigation Database, and they do require downstream providers to
only accept calls from other providers listed in the database. So by
delisting a provider (wherever in the world that provider is), the FCC can
restrict that provider's access to the US network. See 47 CFR §
64.6305(e)(1) & (2). (2) is applicable to foreign providers that use "North
American Numbering Plan resources that pertain to the United States in the
caller ID field to send voice traffic to residential or business subscribers
in the United States." So a US downstream provider could, if they so choose,
accept calls from a foreign provider NOT listed in the RMD as long as the
call has a non-USA number in the caller-ID field.

There are new obligations (several of which went into effect this month) on
so-called Gateway providers -- US-based providers that take calls from
foreign providers. These are in 47 CFR § 64.6303 and 6305 and generally
require Gateway providers to sign unsigned calls. This gets to Paul's
"throat to choke" point.

The cost for a Service Provider to get their own SHAKEN token (so that their
signature can appear on the calls they originate) is not egregious. You need
an OCN, which NECA will give you for a one-time charge of $475. The STI-PA,
iconectiv, charges an annual fee based on revenue to be registered as a
SHAKEN service provider; the minimum is $500 for 2023 (as far as I can
tell). You will then need to engage an STI-CA (certificate authority) to
generate your certificate(s) for call signing. The STI-CA marketplace
appears to be competitive, as confirmed by other commenters.

As far as I know, it is possible for non-USA-based service providers to
participate in this process; I see what I believe to be foreign entities
registered on the iconectiv site
(https://authenticate.iconectiv.com/authorized-service-providers-authenticat
e).

As mentioned, the FCC has on-going formal rule-making processes happening as
we speak. You can see (and participate in) some of the relevant discussion
here:
https://www.fcc.gov/ecfs/search/search-filings/results?q=(proceedings.name:(
%2217-97%22)+AND+submissiontype.description:(%22COMMENT%22%20OR%20%22REPLY%2
0TO%20COMMENTS%22%20OR%20%22NOTICE%20OF%20EXPARTE%22)). This public docket
will see a lot more action tomorrow (Wednesday), which is the due-date for
so-called "Reply Comments."

The compliance burden for voice service providers does seem to be
ever-increasing. This is not new or unique. Many tech businesses (not just
telecoms) have evolving burdens for data privacy and security compliance
(think GDPR); there are finance compliance burdens (think processing credit
cards); the list goes on. The good news in telecom is that over the past
couple of decades other costs have come down tremendously, which created the
business opportunity in the first place. Compliance is a fact of life. If
ultimately the compliance costs grow to the point that certain segments of
your business are not profitable, then it is time to exit those segments.

David Frankel