The Federal Communications Commission today said it closed a robocall loophole by requiring small phone companies to implement the caller ID authentication technology known as STIR and SHAKEN.
Large voice providers were required to implement STIR/SHAKEN a year ago. But there was an exemption for carriers with 100,000 or fewer customers that would have given those smaller companies until June 30, 2023, to comply.
The FCC voted in December to move that deadline up to June 30, 2022, because small phone companies were apparently carrying a disproportionately high number of illegal robocalls.
“Starting today, certain small phone companies must comply with FCC rules to implement caller ID authentication tools on their networks, just as large voice service providers are required to since June 30, 2021,” an FCC announcement said. “These small phone companies are suspected of facilitating large numbers of illegal robocalls and, as a result, the FCC rolled back an extended caller ID authentication implementation timeline granted to them in its original 2020 rules.”
Robocallers have relied more on small companies
In the year since large carriers implemented STIR/SHAKEN, “robocallers have sought to maintain anonymity and avoid enforcement and blocking tools by routing or originating their call traffic on the networks of these largely IP-based small providers that have not yet implemented STIR/SHAKEN,” the FCC said today. “This has allowed robocalls to pass from these networks to terminating provider networks without carrying forward accurate and standardized caller ID/traceback information.”
That should change going forward as the small carriers are now required to implement the Caller ID authentication technology on the Internet Protocol portions of their voice networks. STIR/SHAKEN “provides a common information sharing language between networks to verify caller ID information which can be used by robocall blocking tools, FCC investigators, and by consumers trying to judge if an incoming call is likely legitimate or not,” the FCC said.
The FCC maintains a Robocall Mitigation Database in which voice providers are required to “certify whether and to what extent they have implemented the STIR/SHAKEN caller ID authentication framework.” Phone companies must reject any calls from voice service providers that are not listed in the database, and the FCC can issue fines to providers that don’t file certifications. The FCC explained that companies “certifying to anything short of full STIR/SHAKEN implementation must describe the new steps they are taking to ensure they are not the source of illegal robocalls.”
Because of technology limitations, STIR/SHAKEN requirements haven’t applied to the older TDM-based networks used with copper landlines. The FCC says its rules “require providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks.”
Gateway providers must use STIR/SHAKEN by June 2023
Of course, the now-closed exemption for small carriers was far from the only loophole that made it possible for illegal robocalls to proliferate. Many illegal robocalls originate from overseas through so-called gateway providers, for example. The FCC defines a gateway provider as “a US-based intermediate provider that receives a call directly from a foreign originating provider or foreign intermediate provider at its US-based facilities before transmitting the call downstream to another US-based provider.”
The FCC issued an order in May that requires each gateway provider to submit a certification and mitigation plan to the Robocall Mitigation Database. The order also requires gateway providers to authenticate calls with STIR/SHAKEN by June 30, 2023.