[VoiceOps] All carriers must get their STIR/SHAKEN certificate by June 30th!

David Frankel dfrankel at zipdx.com
Fri Jun 2 01:21:17 EDT 2023


I don't want to go too far into the weeds on what "facilities-based" means,
because it 30 days it isn't going to matter.

A brief abbreviated history (others can chime in if I've left out something
of substance or mis-characterized): When STIR/SHAKEN was about to be
mandated mid-2021, there was a concern about the impact that might have on a
thousand or more Rural Local Exchange Carriers (RLECs) that serve small
communities in mid-America and elsewhere. These outfits might have 200 or
2000 POTS lines and the owner also runs the General Store and is captain of
the volunteer fire department. He might have gotten broadband to the town
and managed to convert his trunk to the tandem switch to VOIP, but he
doesn't have the money or expertise to license STIR/SHAKEN software as of
2021.

So a two-year extension was written into the rules for outfits with less
than 100K lines. Problem solved. In two years, it was assumed, that S/S
software would be a lot cheaper and maybe even available on an outsourced
basis. And in the meantime, these RLECs weren't the source of robocalls
anyway -- nobody can rotary-dial that fast.

But quicker than you can say "Rachel from Card Services," it turns out that
there are a handful of VOIP providers that just rent a server in AWS onto
which they've loaded Freeswitch, and they are blasting out millions of
robocalls a day. And guess what? Some of these "bad guys" are claiming the
2-year extension because they say they serve less than 100K customers.

Not wanting to be bamboozled, the FCC quickly (in FCC-time) cleverly
shortens the "small provider" extension period from 2 years to 1 for
"non-facilities based providers." 

And now we are in regulatory quagmire. What does "facilities-based" actually
mean? What if I have a server in AWS making a million robocalls/day PLUS I
string a copper pair between my kitchen and my garage and charge myself
$2/month for that? Now am I facilities-based? Somebody can debate that
forever.

Like I said, in 30 days the original two years will be up and the debate is
a don't-care so let's not waste too much time pondering what might have
been.

I'm not in a position to speculate as to what might be happening in all of
the different reseller/wholesale/white-label arrangements that might exist
out there. Each of the parties to those relationships is going to have to
figure out (quickly) how to conform to the new world order and what works
best for their specific situation, both in terms of cost and risk. Might be
time to consult an attorney with expertise in this space -- and realize that
even that won't be definitive because there are ambiguities at every turn. I
think Mary Lou tries to explain this in her remarks.

There is no question that the landscape has changed over the past several
years. Service providers (and resellers) now have more obligations and more
responsibilities and more ways they might be subjected to a service-blocking
situation or an enforcement action than in the old days. It is more
expensive and more complicated and requires more (regulatory) expertise to
operate in the voice telecom space than it used to. 

David Frankel
ZipDX® LLC
St. George, UT USA
Tel: 1-800-FRANKEL (1-800-372-6535)
Visit My Robocall Blog

-----Original Message-----
From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Nathan Anderson
via VoiceOps
Sent: Thursday, June 1, 2023 8:35 PM
To: 'Voice Ops' <voiceops at voiceops.org>
Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN certificate
by June 30th!

UGH, I mixed up "origination" and "termination" yet again...I always do
that...

Anyway.  Y'all knew what I meant.  I think.

-----Original Message-----
From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Nathan
Anderson via VoiceOps
Sent: Thursday, June 1, 2023 7:24 PM
To: 'Voice Ops'
Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN certificate
by June 30th!

Thanks both to you and Mary Lou for your thoughtful responses.

Okay, so just to be clear, the remaining carriers for whom the June 2023
deadline applies to are providers who provide dialtone to end-users via
POTS, but who originate at least some of the calls from those end-users to
the PSTN via an IP peer/trunk, and it is specifically those calls that they
now need to start signing but were exempt from doing so until a month from
now?  And the reason that they didn't have to implement a year ago (but pure
IP-based interconnected VoIP providers with < 100K subs *did*) is because §
64.6304(a)(1)(i) only applies to "non-facilities-based" providers, and if a
telecom is building and maintaining POTS circuits to end-users, they are
facilities-based by definition?

This gets us into the weeds on the definition of "facilities-based".  I
assume that the "facilities" in question must be facilities with traditional
telecom switching equipment (either analog or TDM).  So even if you run your
own pure IP network end-to-end with no underlying leased circuits, and
outright own your physical data centers where you house and run all of your
own routers and SIP proxies, if 100% of your voice subscriber base is
provisioned via VoIP, even if the end-user's VoIP equipment is talking to a
server that you own, run, and maintain in your own data center "facilities",
you still do not count as a "facilities-based" telecom, correct?

Is there some "minimum" amount of actual TDM you can be running on your
network in order for you to meet the definition of -- or claim for yourself
the status of -- "facilities-based"?  If someone had zero POTS circuits
built to any of their end-users & all of their users are connected to their
voice network via VoIP, but they have a single ICA with a single LEC, a TDM
trunk between them and that LEC (where they immediately gateway the TDM
traffic to/from IP as it ingresses or egresses their network), and a
presence on the SS7 network...are they now considered to be
"facilities-based"?  And would they similarly have had all of their
IP-trunked origination (calls that weren't going out via their TDM
connection to the LEC) exempted until this year, if they had under 100K
subs?

As far as my question about white-labeling service goes, to be clear, we
aren't in this category and have been signing our customers' calls with our
own SHAKEN cert for the past year.  But I know of plenty of other providers
of similar size & scale (regional ISP whose bread and butter is internet
connectivity, but with a small sprinkling of VoIP on top) who want to have a
VoIP offering for various reasons, but simply outsource 100% of the VoIP
component to a white-labeler.  They bill the customer for the service, and
presumably have a 499 Filer-ID and file As and Qs with USAC, but they have
nothing to do with the underlying voice service...ATAs get drop-shipped to
customers from the white-labeler when service is ordered, the ISP doesn't
have any hand in the provisioning, they don't operate a single SIP proxy or
media gateway, they have zero numbering resources of their own and zero ICAs
with other carriers, etc.  It's like the interconnected VoIP equivalent to
reselling an ILEC analog POTS line...they're just a middle-man when it comes
to billing (and thus, as an indirect result, to collecting and remitting
USF) and front-line support.

Now of course, many wholesale origination providers these days support
having you house your SHAKEN cert on their server & will sign your outgoing
calls for you with your own cert, and even those that don't do this will
still pass your own signature/Identity header in the SIP INVITEs you send to
them unmolested.  But to be able to do the latter, you need to be running a
SIP proxy or B2BUA somewhere between the end-user and your wholesale
provider, which these other providers I'm talking about aren't doing.  And
it's not at all clear to me that most?/many?/any? *white-label*
interconnected VoIP providers are set up to do the former...they're all
STIR/SHAKEN compliant of course, but I'd guess they are signing all of the
calls they originate with their own cert.

That's only an educated guess on my part, of course, since I've been looking
around even after asking here, and have yet to find any first- or even
second-hand accounts one way or the other.

-- Nathan

-----Original Message-----
From: David Frankel [mailto:dfrankel at zipdx.com]
Sent: Thursday, June 1, 2023 1:45 PM
To: 'Mary Lou Carey'; Nathan Anderson
Cc: 'Voice Ops'
Subject: RE: [VoiceOps] All carriers must get their STIR/SHAKEN certificate
by June 30th!

I am not an attorney; this is not legal advice.

The (primary) purpose of STIR/SHAKEN was not to help the ITG. The purposes
are to (at the terminating or called-party end of the call) identify the
entity responsible for originating the call, and allow that entity to signal
what they know about the association between the caller and the calling
number.

We are just about to the point (end of this month) where virtually all
providers are required to sign the calls they originate and send onward via
IP. That includes providers that serve so-called POTS customers (when those
POTS customers place calls sent via other providers). See 47 CFR §
64.6301(a)(2)

This applies to the ORIGINATING provider. The expectation, as made clear in
the implementing specs and regulations, is that the originating provider
KNOWS who the caller is. ATIS says (ATIS-1000088): "Has a direct
authenticated relationship with the customer and can identify the customer."

If you are a reseller and you are the one with the "direct authenticated
relationship with the customer" then your (A- or B-) signature should be on
the calls. As noted, you can get a SHAKEN token and delegate the signing to
your underlying provider. But it will be your name, and your reputation, on
the calls.

If you are an underlying provider and you do NOT know who the customer is,
then insist that your reseller get a token and either sign the calls or
delegate that to you (with their token). If you do not know anything about
the caller, then you are risking your reputation (and perhaps more) by
signing those calls.

More of my thoughts on this topic are here:
https://legalcallsonly.org/attestation-inflation-the-abcs-of-signing-calls/

If you find the regulations confusing, your best bet is to play it safe.
That would mean signing calls with your OWN token when your direct customer
is the one initiating the calls (that is, they are the "caller" for legal
purposes and they are going to take responsibility for conformance of the
calls to ALL the applicable regulations -- and there are many, including
TCPA, TSR, fraud, and state statutes). You, as the originating provider,
still have a set of responsibilities here -- see 47 CFR § 64.1200(n)(3) as
ONE EXAMPLE. If the calls come to you from an entity that is not the one
initiating the calls, then insist that the calls are signed when you get
them (or that your customer provides you with their token so you can affix
their signature).

As Mary Lou indicates, you are playing Russian roulette if you are
originating calls and they do not bear your signature. And your underlying
provider is doing the same if they are accepting those calls unsigned and
sending them onward.

The FCC has a Further Notice of Proposed Rulemaking that is open for comment
RIGHT NOW on the topic of "Third-Party Caller ID Authentication." The FNPRM
is available here: https://docs.fcc.gov/public/attachments/FCC-23-18A1.pdf.
See starting at paragraph 97. Initial public comments on this FNPRM are due
June 5 (Monday) and Reply Comments are due a month later. You'll be able to
read (and file) comments here:
https://www.fcc.gov/ecfs/search/search-filings/results?q=(proceedings.name:(
%2217-97%22)). Once comments are filed the FCC will likely issue an Order in
due course, which may be clarifying or confusing or both or neither.

David Frankel
ZipDX® LLC
St. George, UT USA
Tel: 1-800-FRANKEL (1-800-372-6535)
Visit My Robocall Blog

-----Original Message-----
From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary Lou Carey
via VoiceOps
Sent: Thursday, June 1, 2023 2:01 PM
To: Nathan Anderson <nathana at fsr.com>
Cc: Voice Ops <voiceops at voiceops.org>
Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN certificate
by June 30th!

US telecom brain trust? Wow......I don't even know what to say, but I'm
thinking I should send my 21-year-old your way because he thinks he's a lot
smarter than I am. LOL!

Im going to preface my response by saying I'm not sure anyone knows exactly
what the ruling means because I've called the FCC and STI-GA multiple times
to ask specific questions like yours. Any time my question gets too
detailed, I've been told to go read the ruling myself because they aren't
attorneys and don't want to give legal advice that would steer me in the
wrong direction. I don't know of any attorneys that have felt so comfortable
discussing the details of the network that they have gone out on a limb to
explain it to everyone either, so I can only tell you what I think based on
what I've been told to date.

My understanding from talking to the FCC and STI-GA is that the purpose of
STIR/SHAKEN was to help the ITG identify all the players in the industry so
the ITG can more easily shut down the bad players and if necessary the
providers that enable those bad players. To me, that means regardless of
whether a company has its own network,  leases another carrier's network, or
resells services, the FCC wants to identify every player in the network. We
can debate which networks are exempt and which networks aren't, but
ultimately there's not a lot you can do if the powers that be decide your
network should be compliant and it's not.

The choice to get a STIR/SHAKEN certificate is ultimately up to each
company. They can either play it safe and get a token or they can play
Russian Roulette with their business and not get a token. To date, I've seen
the FCC/ITG give non-compliant carriers 30 days to become compliant, but
that's not always enough time. I don't know if that is going to change after
the deadline, but it could. It's not that difficult to get your own
certificate and if another carrier is already signing your calls it's not
that much more cost-wise to have your own certificate. So to me it's better
to be safe than sorry.

I hope that helps,

MARY LOU CAREY
BackUP Telecom Consulting
Office: 615-791-9969
Cell: 615-796-1111

On 2023-05-31 09:33 PM, Nathan Anderson via VoiceOps wrote:
> I do find this a little confusing.
> 
> It's already clear that POTS service has been made exempt "until 
> further notice".  So when the small operators exemption deadline was 
> pushed up from end of June 2023 to end of June 2022, that -- by 
> logical deduction -- could only have included small interconnected 
> VoIP operators (which I believe was made explicitly clear anyway, but 
> even if it had been ambiguous in the language, ...).
> 
> So, out of all the interconnected VoIP operators in the States large 
> OR small...who the heck is left who HASN'T already been required to 
> have it implemented on their network by this point??  I don't 
> understand who this June 2023 deadline applies to: the POTS circuit 
> providers aren't covered by it, and all sizes of interconnected VoIP 
> providers should have already implemented it a year ago at the latest.
> 
> Another question that occurs to me (I could probably find the answer 
> to this question with a little searching, but since I'm already here 
> talking to the U.S. telecom brain-trust): would a provider who merely 
> supplies white-labeled service from another interconnected VoIP 
> provider and slaps their own name on it be required to obtain their 
> own SHAKEN cert, and have the underlying VoIP provider sign any of 
> their customers' calls with that cert instead of a cert belonging to 
> the actual VoIP provider, even if the white-labeler/reseller has 
> literally nothing to do with the network at all that services the 
> calls?
> 
> -- Nathan
> 
> -----Original Message-----
> From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of 
> Michael Graves via VoiceOps
> Sent: Wednesday, May 31, 2023 1:12 PM
> To: Mary Lou Carey; Alex Balashov
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN 
> certificate by June 30th!
> 
> There was an extension for "small" providers (under 100k lines) ends 
> on June 30, 2023.
> 
> That extension was basically was targeting rural LECs. It was amended 
> so it only included those who have physical infrastructure to their 
> clients.
> 
> Those who do not operate such legacy infrastructure are supposed to be 
> signing their calls as of June 30, 2022.
> 
> There are further "gateway" orders about how any operator is supposed 
> to handle calls arriving on their network that are not signed.
> 
> Michael Graves
> mgraves at mstvp.com
> o: (713) 861-4005
> c: (713) 201-1262
> sip:mgraves at mjg.onsip.com
> 
> -----Original Message-----
> From: VoiceOps <voiceops-bounces at voiceops.org> On Behalf Of Mary Lou 
> Carey via VoiceOps
> Sent: Wednesday, May 31, 2023 2:46 PM
> To: Alex Balashov <abalashov at evaristesys.com>
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] All carriers must get their STIR/SHAKEN 
> certificate by June 30th!
> Importance: High
> 
> Any carrier that provides originating VOIP or a combination of 
> originating VOIP / PSTN /  Wireless VOICE services needs to get its 
> own certificate. My understanding is that only those who provide 
> PSTN-only voice services do not need to have their own STIR/SHAKEN 
> token because the technology still does not support it.
> 
> Mary Lou Carey
> (615) 796-1111
> 
> MARY LOU CAREY
> BackUP Telecom Consulting
> Office: 615-791-9969
> Cell: 615-796-1111
> 
> On 2023-05-31 02:11 PM, Alex Balashov wrote:
>> Hi Mary Lou,
>> 
>> Thank you for this.
>> 
>> A stupid - and certainly belated - question: how exactly is a carrier 
>> defined, in the letter of the regulations underlying this deadline?
>> Or to put it another way: who, as a VoIP service provider of one sort 
>> or another, _doesn't_ have to get their own token?
>> 
>> -- Alex
>> 
>>> On May 31, 2023, at 1:46 PM, Mary Lou Carey via VoiceOps 
>>> <voiceops at voiceops.org> wrote:
>>> 
>>> Hey all,
>>> 
>>> I just wanted to send out a reminder that the drop dead date for all 
>>> carriers to get THEIR OWN STIR/SHAKEN certificate is coming up on 
>>> June 30th. You can still have an underlying carrier sign your calls 
>>> for you, but they must sign with YOUR token......not their own! You 
>>> have to register with the STI-PA to start the process at this link:
>>> 
>>> https://authenticatereg.iconectiv.com/register
>>> 
>>> You must have your own IPES Company Code (aka OCN) and 499 filer ID 
>>> to get a STIR/SHAKEN certificate. Just getting the certificate can 
>>> take up to several weeks so please don't wait until the last minute 
>>> to get one. I would hate to see anyone's network get shut down 
>>> because they aren't signing their calls as per the FCC guidelines.
>>> 
>>> MARY LOU CAREY
>>> BackUP Telecom Consulting
>>> Office: 615-791-9969
>>> Cell: 615-796-1111
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops



More information about the VoiceOps mailing list