The battle to stop illegal robocalls is never-ending. The FCC’s latest missive is its Eighth Report and Order (Order), issued in Docket 17-97 on November 22, 2024, which sets rules for carriers that rely on third parties to meet their STIR/SHAKEN call authentication obligations. The STIR/SHAKEN caller ID framework allows service providers to verify that the caller ID information transmitted with a call matches the caller’s number, and it can stop many illegal calls before they reach the called party.
However, some small providers do not find it economical to implement STIR/SHAKEN themselves and must rely on other companies for call authentication. As the agency notes, there are currently no rules governing these third-party providers.
While the Commission requires most providers to implement STIR/SHAKEN on the Internet Protocol (IP) portion of their networks, some service providers rely on third-party authentication solutions to fulfill this requirement. This raises concerns about improperly authenticated calls and diminished accountability for providers, undermining confidence in the STIR/SHAKEN framework. Strengthening requirements for third-party authentication solutions will allow providers to realize the economic benefits and efficiencies of working with third parties on the technical aspects of caller ID authentication while maintaining the integrity of the STIR/SHAKEN framework for the protection of consumers. (FCC News Release, November 21, 2024).
In the Order, the Commission takes the following steps to ensure that companies relying on third parties for call authentication can do so with confidence.
First, the FCC defines third-party authentication as “scenarios in which a provider with a STIR/SHAKEN implementation obligation under the Commission’s rules enters into an agreement with another party—a “third party”—to perform the technological act of signing calls on the provider’s behalf.”
Next, the agency limits the third-party authentication arrangements authorized under its rules to those in which the provider with the STIR/SHAKEN implementation obligation: (1) makes all attestation level decisions, consistent with the STIR/SHAKEN technical standards; and (2) ensures that all calls are signed using its own certificate obtained from a STIR/SHAKEN Certificate Authority—not the certificate of a third party. Utilizing a third party to sign traffic without complying with the requirements will constitute a violation of the Commission’s caller ID authentication rules.
The Commission further requires that any provider certifying to partial or complete STIR/SHAKEN implementation in the Robocall Mitigation Database must be registered with the STIR/SHAKEN Policy Administrator, obtain its own SPC token from the Policy Administrator, use that token to generate a certificate with the Certificate Authority, and authenticate all its calls with that certificate, whether directly or through a third party. According to the Commission:
This will ensure that responsibility for properly authenticating a call’s caller ID information—including complying with the attestation requirements of the ATIS standards—remains with the party assigned the STIR/SHAKEN implementation obligation under the Commission’s rules and will prevent providers from shirking their due-diligence duties by shifting STIR/SHAKEN authentication procedures to third parties. By requiring calls to be signed using the certificate of the provider with the implementation obligation, the STIR/SHAKEN governance model will be able to function as intended by making it easier to identify providers responsible for any authentication information transmitted with a call and facilitating enforcement remedies that may be needed for failures to comply with authentication requirements. (Order, at para. 24).
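The accountability chain the Order relies on (an SPC token from the Policy Administrator, a certificate issued against that token, and every call signed with that certificate) can be checked mechanically at the verifying end. The Go program below is an added example written for this page; it is not FCC or ATIS code and not any carrier's or vendor's implementation. It builds a SHAKEN PASSporT, signs it with the originating provider's key, and has the verifier compare the SPC bound to the signing certificate with the SPC of the provider that holds the implementation obligation for the call, rejecting a call signed with someone else's certificate. Everything in it is constructed: the certificate repository map (certRepo) stands in for fetching a certificate from the x5u URL and reading the SPC from its TNAuthList extension, and the SPCs 1234/9999, URLs, telephone numbers and call identifiers are made-up sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertRecord is a constructed stand-in for a STIR/SHAKEN certificate: a real one
// binds the SPC in its TNAuthList extension; here the "x5u" URL maps to the SPC.
type CertRecord struct {
	SPC string
	Key *ecdsa.PublicKey
}

// certRepo stands in for fetching the certificate named by the "x5u" header.
var certRepo = map[string]CertRecord{}

// NewProviderCert generates a P-256 key for a provider with the given SPC and
// publishes the public half under x5u (constructed; no PA token or CA involved).
func NewProviderCert(spc, x5u string) *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certRepo[x5u] = CertRecord{SPC: spc, Key: &key.PublicKey}
	return key
}

// SignPassport builds a SHAKEN PASSporT (RFC 8225 / RFC 8588 claims) signed with
// ES256: ECDSA P-256 over SHA-256, signature encoded as R||S. The attestation
// level is an input: under the Order that decision stays with the obligated provider.
func SignPassport(key *ecdsa.PrivateKey, x5u, attest, origTN, destTN, origID string) (string, error) {
	if attest != "A" && attest != "B" && attest != "C" {
		return "", errors.New("attestation level must be A, B or C")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	pl, _ := json.Marshal(map[string]any{
		"attest": attest, "dest": map[string][]string{"tn": {destTN}}, "iat": time.Now().Unix(),
		"orig": map[string]string{"tn": origTN}, "origid": origID,
	})
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS fixed-width R||S, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyPassport checks the signature against the certificate named in x5u, then
// applies the Order's accountability rule: that certificate must belong to the
// provider holding the implementation obligation for the call (expectedSPC).
func VerifyPassport(token, expectedSPC string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	rawHdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawPl, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return "", errors.New("bad encoding")
	}
	hdr, pl := map[string]string{}, map[string]any{}
	if json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawPl, &pl) != nil ||
		hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" {
		return "", errors.New("bad JSON or unsupported alg/ppt")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	rec, ok := certRepo[hdr["x5u"]]
	if !ok || !ecdsa.Verify(rec.Key, digest[:], r, s) {
		return "", errors.New("unknown certificate or signature does not verify")
	}
	if rec.SPC != expectedSPC {
		return "", fmt.Errorf("signed with certificate of SPC %s; SPC %s holds the obligation", rec.SPC, expectedSPC)
	}
	attest, _ := pl["attest"].(string)
	return attest, nil
}

func main() { // constructed SPCs, URLs and numbers
	provider := NewProviderCert("1234", "https://cr.example/1234.pem")
	vendor := NewProviderCert("9999", "https://cr.example/9999.pem")
	tok, _ := SignPassport(provider, "https://cr.example/1234.pem", "A", "12025550100", "12025550199", "call-1")
	fmt.Println(VerifyPassport(tok, "1234"))
	tok, _ = SignPassport(vendor, "https://cr.example/9999.pem", "A", "12025550100", "12025550199", "call-2")
	fmt.Println(VerifyPassport(tok, "1234"))
}
```

Run as is, the first call verifies and yields attestation "A"; the second, signed by the vendor's own certificate on the provider's behalf, is rejected because the SPC bound to that certificate is not the SPC that carries the obligation, which is exactly the arrangement the Order rules out. Because the signature covers the payload, a downstream change to the attestation level also fails verification, so the level the obligated provider chose is what the terminating side sees.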
The Commission requires all providers with a STIR/SHAKEN implementation obligation to memorialize and maintain records of any third-party authentication agreement(s) they have entered, subject to certain limitations.
Finally, the Commission requires that providers that choose to work with a third party that performs the technological act of signing calls must do so pursuant to a written agreement. The agreement must specify the tasks that the third party will perform on the provider’s behalf and confirm that the provider will: (1) make all attestation-level decisions for calls signed pursuant to the agreement, and (2) ensure that all calls will be signed using the provider’s certificate. The agreement must stay in place for as long as any third-party authentication arrangement exists, and all copies of third-party agreements must be maintained for a period of two years from the end or termination of the agreement.
The Order will be effective 30 days after it is published in the Federal Register after approval by the Office of Management and Budget (OMB).