What does STIR/SHAKEN mean for cloud communications?

by Liam Pearson

by Liam Pearson

What does STIR/SHAKEN mean for cloud communications?

By the end of this year, the cost of fraudulent robocalls will reach $58 billion. And by 2027, that number will increase to $70 billion.

Such is the scale of the problem, last year an Anti-Robocall Multistate Litigation Task Force was formed in the U.S. to crackdown on illegal robocalls. Chairwoman of the Federal Communications Commission (FCC), Jessica Rosenworcel, also founded the FCC Robocall Response Team dedicated to combatting illegal robocalls. “We’re not going to stop until we get robocallers, spoofers, and scammers off the line”, said Rosenworcel.

Back in 2021, under official FCC compliance regulation, large voice service providers in the U.S. were required to implement a caller ID authentication standard called STIR/SHAKEN. By June 30 2021, the FCC confirmed the successful uptake of the standard by the largest voice service providers.

Fast forward to 2023 and the FCC has extended the mandatory implementation of STIR/SHAKEN. Facilities-based small service providers and gateway providers are now required to implement the standard by June 30 2023 to maintain FCC compliance.

But what exactly are robocalls and call spoofing, and how can STIR/SHAKEN help combat the problem? In this blog post I’ll be exploring just that.

Robocalls and caller ID spoofing

Ever gotten a call from a hidden number or picked up the phone to a robotic voice with no caller ID?  If you answered yes, then you’ve already experienced robocalls and call spoofing.

The FCC defines robocalls as “unsolicited prerecorded telemarketing calls to landline home telephones, and all autodialed or prerecorded calls or text messages to wireless numbers, emergency numbers, and patient rooms at health care facilities”. Not all robocalls are illegal in the U.S. (such as those when prior consent is given), but FCC rules limit many types of unsolicited robocalls under the Telephone Consumer Protection Act.

Caller ID spoofing is the act of faking the caller ID on a phone call. The FCC defines spoofing as “when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity”.

To understand the scope of the problem, just this May, Avid Telecom was accused of making 7.5 billion scam robocalls and calls to people on the Do Not Call registry. State attorneys general across the U.S. sued the company for the illegal facilitation of robocalls and for violating federal telemarketing, spoofing, and robocalling laws.

What does STIR/SHAKEN mean for cloud communications?

What is STIR/SHAKEN and how does it help?

Not to be mistaken with the famous Bond line, STIR/SHAKEN is a framework of interconnected standards used to verify and ‘sign off’ caller IDs. It ensures any call made over Voice over Internet Protocol (VoIP) comes from an authenticated phone number, thereby reducing the risk of caller ID spoofing and robocalls.

The STIR/SHAKEN protocol is a mix of two standards. The first is STIR (standing for Secure Telephone Identity Revisited) which was developed by the Internet Task Engineering Force (ITEF) in 2018 to create digital signatures. It does this using Session Initiation Protocol (SIP) data to establish information about call origins, caller identities, and the terminating provider.

The second is SHAKEN (standing for Signature-based Handling of Asserted Information Using Tokens) which provides standards for how service providers manage and implement STIR for caller identification over their IP network.

The full process works like this:

Step 1: When a call is processed, the VoIP provider receives a SIP invite including the call origin and the telephone number of the person initiating the call.

Step 2: An attestation level (an indicator of the level of confidence a carrier has in the number) is assigned to the caller by the originating provider. There are three attestation levels: full attestation (the carrier can identify the caller), partial attestation (the carrier is unsure about the caller), and gateway attestation (the carrier cannot verify the caller).

Step 3: The originating service provider adds certificate information to the SIP identity header. Additional information including the origination identities, attestation level, and encrypted digital certificate of authentication is added.

Step 4: The recipient’s provider receives and decrypts the certificate information.

Step 5: The information is sent to a verification service which validates the information and then returns the SIP identity header to the recipient’s provider.

Step 6: The recipient receives the call.  

What does the 2023 deadline mean for cloud communications providers?

Well, it depends on the size of your business and where you are located.

As we know, large providers in the U.S. are already required to uphold FCC compliance with the adoption of STIR/SHAKEN. We also know that, by June 30 2023, facilities-based small service providers will be required to implement STIR/SHAKEN and certify the completion of a successful implementation in the Robocall Mitigation Database.

Further regulation has now extended the mandatory implementation of STIR/SHAKEN and robocall mitigation requirements to intermediate providers. This comes after the FCC released its Sixth Report and Order and Sixth Further Notice of Proposed Rulemaking in March earlier this year. Intermediate providers will now be required to fully implement STIR/SHAKEN and a compliance deadline has been set for December 31 2023.

But it’s not just in the U.S. that regulation is on the up. In Canada, all Telecommunications Service Providers (TSPs) were required to fully implement STIR/SHAKEN by November 30 2022. France’s electronic communications, postal, and print media distribution regulatory authority, ARCEP, implemented a spam robocall preventative measure in 2019 and two years ago France adopted the Naegelen law making number authentication mandatory.

STIR/SHAKEN is one solution being adopted in France. And in May of this year, Local Exchange Global Operations Services started using Ribbon’s STIR/SHAKEN solution which is designed to meet the requirements for caller identity authentication, verification, signing, and certificate management as defined by French law. 

The UK’s communications regulator Ofcom has also taken steps to combat spoofing. All telephone networks in the UK were required to put in place steps to identify and block spoofed calls “where technically feasible” by May 15 2023. That said, the UK is on a path to transitioning to digital phone services by the end of 2025, which may necessitate the adoption STIR/SHAKEN or another similar protocol soon.

Will STIR/SHAKEN stick?

Shaken not stirred might be how Bond takes his martini but if the world’s favorite secret service agent decided to switch to a career in communications, I’d like to think he’d order his VoIP calls STIR/SHAKEN.

All jokes aside, for cloud communications providers in the U.S. STIR/SHAKEN is a phrase that you’re probably already familiar with. And if not then you will be soon. With the FCC extending the scope of its regulations around the STIR/SHAKEN protocol, it’s imperative that providers stay abreast of these changes to ensure FCC compliance. 

And whilst STIR/SHAKEN was designed originally for U.S. use, legal action against robocalls is mounting internationally. Whether combatted with the STIR/SHAKEN protocol or by other means, it’s clear that communications platforms will continue to be held accountable for taking greater action against fraudulent activity.


Related articles