What is STIR/SHAKEN?
STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are a framework of standards developed by the communications industry to help address illegitimate caller ID spoofing. The standards provide, among other things, a way to “sign” and “verify” calls so a call recipient has assurances that the call is in fact from the telephone number displayed on the caller ID. However, as STIR/SHAKEN currently only works for calls carried over IP networks, it will take some time before the standard is fully adopted and operational across the entire communications industry (especially where legacy networks are involved). As this is an industry developed solution under an industry-led governance structure, the standards may change and evolve to address new problems and concerns as they arise.
Are there deadlines for STIR/SHAKEN implementation?
STIR/SHAKEN itself is not a government program. However, as of 2021, the US (via the FCC) and Canada (via the CRTC) have adopted government regulations mandating STIR/SHAKEN implementation for communications service providers. It’s possible similar requirements or regulations might be adopted in other countries in the future.
In the US, the FCC established an initial deadline of June 30, 2021 for certain voice service providers (with various exemptions and exceptions for smaller providers, legacy technology, and others, including Fuze, that could not obtain a Service Provider Code token under the existing policies) to implement the STIR/SHAKEN call authentication framework for all SIP-based calls originating on their own networks. Providers (like Fuze) that were exempt from the initial STIR/SHAKEN deadline had to implement a “robocall mitigation program” instead. All voice service providers had to certify whether they had implemented STIR/SHAKEN or a robocall mitigation program in the FCC’s Robocall Mitigation Database (“RMD”) by June 30, 2021. Starting on September 28, 2021,voice service providers are required to block traffic from other providers that have not filed either type of certification in the RMD.
For Canada, the CRTC has established a deadline of November 30, 2021 for STIR/SHAKEN implementation. However, there are still many unresolved details with respect to STIR/SHAKEN in Canada, including the lack of a process for many service providers to obtain a “token” that is needed in order to “sign” calls.
Will providers without STIR/SHAKEN implementation have traffic blocked as of September 28, 2021 under FCC requirements?
No, only providers that have not filed in the FCC’s Robocall Mitigation Database (RMD) will have traffic blocked by other providers. Providers that were exempt from the initial June 30, 2021 STIR/SHAKEN implementation deadline could still file in the RMD by adopting a robocall mitigation program (until such time the providers were able to implement STIR/SHAKEN or otherwise required to do so under subsequent deadlines).
Fuze filed its robocall mitigation program in the RMD prior to the June 30, 2021 deadline. Therefore, Fuze’s voice traffic will not be subject to mandatory blocking by other carriers as of September 28, 2021 regardless of Fuze’s STIR/SHAKEN implementation status.
In any case, Fuze is currently working on its STIR/SHAKEN implementation and expects its initial rollout to be completed in Q3 or Q4 of 2021.
Does Fuze implementing STIR/SHAKEN mean my customers/users won’t get SPAM/robocalls? Does it prevent someone else from spoofing my number?
STIR/SHAKEN itself does not block robocalls or prevent caller ID spoofing. It’s all about knowing which calls are not spoofed, a common tactic used by illegitimate robocallers. The industry developed standards allow calling providers to verify calls in a standardized way: calls will receive the highest level of “attestation” when a provider can validate that a known caller is calling from a telephone number the caller is permitted to use. It’s up to the providers themselves how they use the data provided by this framework. How this is implemented may still vary across the industry. In some cases it will just be additional information presented to a user when they receive a call, letting them know if the number is verified. Some carriers may choose more automated behavior. Generally, the types of spammers making spoofed robocalls will not be eligible to sign their calls, so with this framework those calls are less likely to be answered even if caller ID spoofing is involved.
What are attestation levels, how are they determined?
With the STIR/SHAKEN framework, the originating service provider can “sign” or “attest” to calls at three different levels depending on the relationship with the caller and the right of the caller to use a telephone number:
- “A” is the highest level, meaning it is a known caller with a right to use the telephone number making the call. For most Fuze customers, they are making calls using numbers ported to or purchased from one of our underlying carriers, using one of our endpoints (Desktop, mobile, or Physical phone). In most scenarios, all Fuze calls will get an “A” attestation.
- “B” is the second level, where the call is from a customer known by the provider, but the right to use the telephone number cannot be verified. For Fuze customers this may happen with some call center integration scenarios or if a customer is using a telephone number that cannot be verified by Fuze (e.g., not assigned by Fuze and the customer’s right to use the number is unknown).
- “C” is the lowest level, for calls where both the caller and calling number cannot be authenticated, but the call is going through a known gateway. This level of attestation is unlikely for Fuze customers based on our typical configuration.
Will my calls get blocked if it does not receive an “A” attestation level?
Not necessarily. At this time, there is no regulatory requirement for carriers to block incoming calls strictly based upon attestation levels (and it is unlikely regulators will adopt such a requirement). Each carrier can decide how it wants to present STIR/SHAKEN information and what features (e.g., call blocking features) it wants to offer its customers based upon such information. STIR/SHAKEN attestation levels will most likely serve as just one criteria among many that will be analyzed to determine how calls are handled by call analytics and blocking technology, and ultimate control over which calls are blocked will likely be in the hands of the call recipient. Thus, while carriers are unlikely to block calls strictly based upon attestation levels, certain end customers may choose to do so if such a feature is available.
Will an “A” attestation guarantee that my calls are not blocked?
No. STIR/SHAKEN attestation levels will most likely serve as just one criteria among many that will be analyzed to determine how calls are handled by call analytics and blocking technology, and ultimate control over which calls are blocked will likely be in the hands of the call recipient. Thus, if you are involved in certain types of calling activity (e.g., telemarketing, recruiting, political messaging) unwelcome by certain consumers, it is possible that telephone numbers used by you will be flagged by analytics technology as being associated with such activity. In these cases, certain end customers may choose to block such calls, based upon analytics and other criteria, despite the fact that the call comes with an “A” attestation under STIR/SHAKEN.
Where can I see the attestation level of a call?
For the initial implementation of STIR/SHAKEN, Fuze will be fully compliant, but all call signing and verification will be happening in the background, invisible to users and customer admins.
In later phases, Fuze will explore adding call verification information to our apps and customer facing tools, that timeline has not been determined yet.
How does caller ID masking affect STIR/SHAKEN?
Unauthorized caller ID spoofing is the main problem STIR/SHAKEN attempts to address. However, there are many legitimate (and legal) reasons caller ID masking may need to be implemented. These legitimate caller ID masking scenarios should not be affected if implemented properly. Generally, the Fuze platform does not let customers mask outbound calls unless the numbers are properly associated with a customer’s account (e.g., assigned by Fuze, or ported to Fuze via one of our underlying carriers). Within a customer tenant, a user’s call can be masked with other numbers under that tenant (e.g., have all outbound calls masked to show a customer’s main telephone number) since the platform recognizes the customer has a right to make calls from these numbers. Customers should work with Fuze to follow best practices and develop a strategy for masking to ensure any STIR/SHAKEN concerns are properly addressed.
What information is sent to third parties for STIR/SHAKEN caller ID authentication and verification purposes?
Fuze is partnering with a best in class partner to help implement STIR/SHAKEN. Due to the nature of STIR/SHAKEN (i.e., utilizing third party “authorities” or “administrators” to help validate caller ID authenticity), some information will be sent to third parties (e.g., to a “certificate authority” via our implementation partner) for caller ID authentication and verification purposes. This includes caller ID of the originating and destination phone numbers, which is typical information already passed along in the data stream for phone calls. In any case, STIR/SHAKEN authorities and administrators operate under established policies/procedures to ensure information privacy and security concerns are addressed, and our implementation partner has data protection agreements and follows industry best practices to do the same.
My outbound calls are being tagged as spam, what can I do?
While Fuze takes steps to ensure that every call is signed with an appropriate attestation level, some outbound calls from Fuze numbers may still get marked as spam by the receiving provider. Alongside STIR/SHAKEN, some providers have also added additional measures and data analytics that may result in fully verified calls being marked as spam. STIR/SHAKEN attestation levels serve as just one criteria among many that receiving providers might analyze to determine how calls are categorized by call analytics technology.
For example, if you are involved in certain types of activity (e.g., telemarketing, recruiting, political messaging) that places a high number of calls into a receiving carrier’s network over a short period of time or results in many users blocking your number after receiving calls, the receiving provider’s analytics system could automatically flag future calls from your number as “likely spam” even if such calls come with an “A” attestation level under STIR/SHAKEN. In these cases, how each receiving provider reacts to data analytics or call patterns from a certain telephone number is outside of Fuze’s control.
If a customer has concerns that their calls might be rejected by a called party for these reasons, the customer should work with the companies they are calling to ensure that their numbers are whitelisted (if that feature is available from the receiving carrier). Please keep in mind that whitelisting, or any other investigations/escalations involving call analytics on the receiving end, would have to be initiated by the called party through the receiving carrier (i.e., not by Fuze or through Fuze).