Some people pretend in public that the goal of STIR/SHAKEN is to protect ordinary people from scam calls. They say regulators need to mandate massive expenditure on STIR/SHAKEN for the public good. They do not expect anyone to find it peculiar that they obsessively demand the global adoption of one specific US-governed method of checking CLIs, whilst they have nothing to say about the many other anti-scam controls that have been tried. Nor do they expect anyone to question why they became deeply invested in a very particular network technology at a time when most networks were incapable of supporting it, or why they remain so insistent upon using it although many networks still cannot support it. STIR/SHAKEN was developed by Americans, and the US Federal Communications Commission (FCC) mandated its use in 2021, but it is still so poorly supported by current US networks that only one-third of US calls are assured by STIR/SHAKEN from end to end. It does nothing worthwhile for the other two-thirds of calls that Americans receive, and would be even less effective elsewhere. This technology is not suited to the task of protecting ordinary people from the huge surge in networked crime occurring right now. But when you listen long enough to industry insiders they sometimes reveal the real motivation for aggressively selling STIR/SHAKEN to regulators.
In my discussions with operators it's typically financial. You can't justify CAPEX with little or no ROI. It's a tough business these days which is why the regulator is so important. “Sometimes the regulator is your friend.” We saw this with STIR/SHAKEN mandate. The carriers actually wanted the congressional mandate since the argument was “Unless everyone HAS to do Call Authentication no one will.”
This insight comes courtesy of Richard Shockey, chief loudmouth within the STIR/SHAKEN camp. You may remember Shockey as the US lobbyist engaged by Ofcom, the UK comms regulator, to justify the implementation of STIR/SHAKEN in the UK. His scheming came to nothing when Ofcom later rejected his plan because…
…it is now clear that widespread international adoption of CLI authentication is unlikely to happen in the near-term.
Ofcom does not believe STIR/SHAKEN can protect consumers from crime occurring now. But Shockey has repeatedly chatted with his American pals, in plain view on social media, about how the USA should be more like the UK because the latter will transition to IP networks en masse by the end of 2025. That means STIR/SHAKEN might be more effective in the UK than in the USA two years from now, except for every call that originates overseas. And as Ofcom realized, no serious person expects the whole world to adopt STIR/SHAKEN anytime soon, if ever. Does Shockey’s global plan for STIR/SHAKEN sound like a credible way of preventing the present-day scams that plague ordinary Americans, Brits, and people worldwide? And if we can implement effective controls to stop those scams more quickly, why would regulators want to mandate massive spending on technology that offers no additional protection to consumers?
Shockey’s motives were never hard to discern. The words ‘fraud prevention’ do not appear on his CV, but ‘big spending on networks’ is written all over it. Shockey calls himself the Chairman of the SIP Forum, a body whose sole purpose is to drive expenditure on IP networks that use SIP signaling. The SIP Forum is funded by businesses who stand to make more money if SIP signaling becomes ubiquitous. One of the advantages of SIP signaling is that it can be modified to carry additional data alongside that required for a traditional phone call, so that new services can be created and sold to enterprises, such as telemarketing calls which display a corporate logo on the recipient’s handset.
What does consumer protection have to do with generating a return on investment? Nothing. The US Federal Communications Commission stated they were mandating STIR/SHAKEN to protect the public from illegal calls, not because it would increase profits. But if implementing the technology is profitable then why is there a need to mandate it? The problem is that widespread adoption of the technology would only be profitable for some comms providers, not others. A telco cannot sell an additional service to an enterprise if the service cannot be made to work for all the customers of that enterprise. Those customers will inevitably receive phone calls that must cross many different routes maintained by many different carriers. For the new SIP-based services to work, they must be enabled by every network involved in handling the call. That means STIR/SHAKEN is essential to a long-term strategy for developing additional revenues for some US operators. But the architects of this strategy knew it was doomed unless they found a way to force all operators to implement it without delay. They even have to force foreign telcos to adopt it because so many US enterprises base their call centers overseas. And if STIR/SHAKEN was universal, then US businesses would find it easier to make telemarketing calls to everybody everywhere.
I have no objection to telcos making money. I prefer capitalism and free markets to the alternatives. That is why I love the fact that Brazilian telcos are voluntarily adopting a variant of STIR/SHAKEN because they openly intend to supply new services to telemarketing firms. Those telcos are exercising a free choice. The Brazilian regulator, Anatel, did not have to mandate the call validation being tested in Brazil at this very moment in time. But whether you like free markets or not, mandating STIR/SHAKEN is not an effective way to protect consumers from scams. Its advocates seek to manipulate public opinion by treating STIR/SHAKEN as the only method that can tackle scams, when it is actually one of the poorest methods available, because other methods can deliver better results sooner.
It is often believed by naive observers that the USA is a bastion of unrestrained free market capitalism. A close examination of US telecoms markets shows they are anything but free. Yet more evidence of this can be found in the way consumer protection legislation was intentionally structured to pressure telcos into spending money on changing their networks, in just the way that Shockey observes through his casual comments about ‘the Congressional mandate’. The TRACED Act, which imposed STIR/SHAKEN on IP networks operated by US telcos, also included a very peculiar pseudo-rule for non-IP networks.
Section 4 (b) Authentication Frameworks
…not later than 18 months after the date of the enactment of this Act, the [Federal Communications] Commission shall–
(A) require a provider of voice service to implement the STIR/SHAKEN authentication framework in the internet protocol networks of the provider of voice service; and
(B) require a provider of voice service to take reasonable measures to implement an effective call authentication framework in the non-internet protocol networks of the provider of voice service.
June 30, 2021 fell 18 months after the TRACED Act became law, so that was the deadline for IP networks to implement STIR/SHAKEN. But note that June 30, 2021 is also supposed to be a deadline for a strangely-worded clause that applies to non-IP networks. By this date, telcos with non-IP networks must have taken ‘reasonable measures’ to implement call authentication. Contrast the very particular demand for IP networks — comply with STIR/SHAKEN, specific standards that had already been written — with the vague requirement for other networks to accomplish the same kind of goal, but without identifying how this was meant to be achieved. There were two good reasons for the law being so vague. Firstly, there is no consensus on how to achieve this goal for non-IP networks, and US telcos still do not know how they are supposed to achieve it. Years have passed and the US industry is no closer to satisfying this demand for an effective call authentication framework for non-IP networks, despite it being stated in law. Secondly, if there was a consensus method of implementing call authentication across all non-IP networks then the same method would work for all IP networks too.
IP networks can do everything that non-IP networks can do and then do more; any method of exchanging call authentication information that can be effected for non-IP networks would be a universal method that could be effected for every kind of telecoms network. So the TRACED Act created a scenario where the poorest telcos, with the least resources to upgrade existing networks, would have seen how enormous amounts of money were spent on the development of STIR/SHAKEN by vendors which lobbied furiously for it, and they would then somehow be expected to club together to invest in research and development for an alternative to STIR/SHAKEN that might then have been applied universally, but which will not be sold to any IP network because of all the money that operators would have already spent on implementing STIR/SHAKEN by then. This looks like a fig leaf to disguise the fact that politicians had been lobbied into creating a two-tier system that would pressure telcos to invest in IP networks because of the impossibility of satisfying a fake obligation that cannot be enforced, since you cannot punish people for not inventing something new.
The absurdity created by this bias in the TRACED Act then had knock-on repercussions for the FCC, whose lawyers presumably understood the difficulty of enforcing an unenforceable law that says telcos have to invent something new, but who were well aware of the real political motives behind this law. The FCC’s rule proposals published in response to the demands of the TRACED Act state:
Because STIR/SHAKEN is a SIP-based solution, those portions of a voice service provider’s network that are not capable of initiating, maintaining, and terminating SIP calls cannot authenticate or verify calls under that framework. The TRACED Act directs us, not later than June 30, 2021, to require voice service providers to take “reasonable measures” to implement an effective caller ID authentication framework in the non-IP portions of their networks.
We propose to interpret the TRACED Act’s requirement that a voice service provider take “reasonable measures” to implement an effective caller ID authentication framework in the non-IP portions of its network as being satisfied only if the voice service provider is actively working to implement a caller ID authentication framework on those portions of its network, either by upgrading its non-IP networks to IP so that the STIR/SHAKEN authentication framework may be implemented, or by working to develop a non-IP authentication solution. [emphasis added]
So, the FCC’s lawyers took an impossible demand imposed by lawmakers and then ‘interpreted’ this as saying something it definitely does not say. The TRACED Act does not say all telcos must replace their non-IP networks with IP networks, or else be punished for not doing something which it is impossible for them to do. The law only says that anyone operating non-IP networks must take reasonable measures to implement call authentication in their non-internet protocol networks. As doing the impossible is unreasonable, it follows that telcos with non-IP networks are not reasonably required to do anything. But the FCC arbitrarily took a rule about authenticating calls on non-IP networks and said it would be satisfied by replacing the non-IP networks with IP networks.
The USA has tied itself in knots by creating fantasies about telcos which operate non-IP networks creating unnamed new associations that write unknown new standards for call authentication which would compete with STIR/SHAKEN, despite the government and its regulator already rigging the market in favor of forcing telcos to switch to IP networks. Shockey is astute about that. But he and the other crony capitalists behind STIR/SHAKEN failed to appreciate that bad, unenforceable laws are easily ignored. Asking for a non-IP alternative to STIR/SHAKEN would be foolish unless the alternative could be integrated with STIR/SHAKEN. Otherwise, the USA would have two incompatible authentication systems that would both be useless whenever a call crosses a boundary between IP networks and non-IP networks. Many people have identified ways to authenticate calls independently of STIR/SHAKEN; making these methods compatible with STIR/SHAKEN is the biggest obstacle to overcome. So virtually no money has been spent on developing this mythical non-IP authentication approach that only the government and its regulator ever pretended to be plausible. The only people who even talked about such a possibility were a small clique within the same group that already devised STIR/SHAKEN. It is hardly surprising that their employers did not pour money into creating a substitute with a limited lifespan when they also benefit from the endless stream of revenues from IP networks.
The FCC hence used the wiggle room created by “reasonable measures” to avoid setting any actual deadlines for telcos supposedly complying with the TRACED Act by being in the process of transitioning from non-IP networks to IP networks. This has proven to be important, because much of the reason why two-thirds of US calls still do not arrive at their destination with a STIR/SHAKEN signature attached is that even the biggest telcos maintain non-IP interconnects with other telcos. Some telcos could refuse to have such interconnects, but that would open a different can of worms about anti-competitive behavior and when telcos are obliged to interconnect with each other. So the FCC just kicks the can down the road, negating its own rule about telcos needing to switch to IP networks by never imposing a deadline for when this must occur. This upsets people like Shockey, who repeatedly tells audiences in the USA and other countries about the UK’s deadline for transitioning to IP networks by the end of 2025, and kept linking it to the false claim that the UK had decided to implement STIR/SHAKEN; some relevant examples of his social media activity can be found here, here, here and here. The obsessive pursuit of the transition to IP networks was the only objective that ever mattered to people like him, so it must rankle that all the deceit about wanting to protect consumers still has not accelerated that transition within the USA.
A superior method of preventing scam calls is described by ECC Recommendation 23(03), in which the regulators of 46 European countries called for restrictions on inbound international calls that falsely present a domestic phone number. The inevitable adoption of this control across the whole of Europe undermined Ofcom’s original position on STIR/SHAKEN. Unlike the situation with the government and the regulator in the USA, Ofcom never needed to create a fantasy about consumer protection to provide the public with a justification for the UK’s transition to IP networks; that decision was reached independently. This meant Ofcom had very little reason to maintain the pretense constructed by Shockey when he advised Ofcom that STIR/SHAKEN is essential for consumer protection. ECC Recommendation 23(03) has since destroyed any hope of mandating STIR/SHAKEN worldwide because European telcos will stop the flow of spoofed calls from overseas long before their networks all use SIP signaling. The huge reduction in calls from foreign scam compounds means European regulators will have no need to indulge fantasies about the unproven long-term consumer protection benefits of submission to a single global CLI governance authority dominated by the USA that derives its power from the universal implementation of expensive technology sold by cynical US businessmen with a track record of constructing lucrative monopolies for themselves.
My argument with Shockey and his ilk is that they are shamefully dishonest about their motives. They seek to hijack the goal of crime prevention, with the result that more people would suffer more crime whilst everybody is made to wait for technologies that cannot possibly deliver worthwhile results for many years. Shockey’s cohort has no genuine interest in fighting fraud. They want regulators to rig markets to increase sales of some kinds of network technologies, so some comms providers can then use those technologies to develop new telemarketing revenue streams. That is not good for free markets, it is not good for national cultures that hate US-style telemarketing, and it is not good for consumers who will end up paying higher bills to offset the increased expenditure by networks that cannot monetize STIR/SHAKEN. The deep flaws in the economics and practicality of SIP-based call validation mean global STIR/SHAKEN is dead, and the only people mourning its demise are the profiteers who hoped to exploit it worldwide.