STIR/SHAKEN for 499 Filers

So I’ve been a bit lax in updating our STIR/SHAKEN stuff and our Robo-Calling Mitigation filing to reflect it. When trying to figure all the June 30th stuff out, we did all the leg work for things (OCN, etc) but couldn’t get a clear answer on things. Best we got was from our upstream was “We will sign your calls until we are told we can’t”.

Well, the FCC just sent a friendly reminder that we fall under Interconnected VoIP Provider and we need to meet compliance by Aug 31st or we’ll end up on a bad list (basically). So if you are a 499 filer and have been lax like me on doing the final steps or worse, haven’t done anything. I’m sure you’ll be getting a friendly reminder too.

I have raised this up a few times the last couple months and everyone here told me we were not reading the statue right and that your underlying carriers could sign the calls but the FCC has been clear that the Service Provider that owns the end customer must sign the calls. Glad to see they are enforcing it.

Tom do you have a copy of what they sent you can post here for everyone.

Most of it is a bunch of jargon about our statuses, etc but the section they reference as how they came to our status is probably what people should see:

FCC rules 47 CFR §§ 64.6301(a) and 64.6304(a)(1)(i) require a non-facilities based small voice service provider to have fully implemented the STIR/SHAKEN caller ID authentication framework by June 30, 2022. FCC rule 47 CFR § 64.6305(b)(5)requires a voice service provider to update its Robocall Mitigation Database filing within 10 business days of any change to the information provided in its filing.

In the December 2021 Caller ID Authentication Fourth Report and Order, the Commission defined a voice service provider as “non-facilities based” if it offers voice service to end-users solely using connections that are not sold by the provider or its affiliates. See 47 CFR 64.6300(g), FCC 21-122, para. 19 (available at the following link: https://docs.fcc.gov/public/attachments/FCC-21-122A1.pdf). The Commission explained that this definition tracked information collected in the FCC Form 477, and stated that it would use recent FCC Form 477 data to determine which Robocall Mitigation Database filers meet its definition of non-facilities based. Filers that have only reported interconnected VoIP subscriptions sold bundled with a transmission service carrying underlying VoIP service were deemed to fall within the Commission’s definition of “non-facilities based.”

This is why I’m incredibly glad we decided to close down our SIP business and migrate all customers away to a new vendor as a referral partner instead of a provider. Both VoIP Innovations and a telecom lawyer that I spoke with told me that we didn’t have to worry about this…but they were both wrong.

The certificates needed, the SBC infrastructure, the learning curve, and having to go through and reconfigure all customers was just not worth it in the end - too much effort for too little profit for a SIP provider of our size.

Has Stir/Shaken been implemented industry wide by now and can customers actually expect a positive outcome from this in terms of receiving fewer spam calls? We were hoping it would help but looks like it doesn’t, at least for us.
We are customers of Vitelity and Twilio and can say that we have seen no change in the number of spam calls coming in, in fact it has gotten worse in the last few weeks.

Has the implementation of stir/shaken been a failure or what’s the reason why spam calls remain as widespread as before?

After almost two years of people explaining this I’m not sure how this is still a question being asked. So of everyone in the cheap seats, one more time.

STIR/SHAKEN is NOT A CALL BLOCKING METHOD. It is not for consumer end users, it is for carriers/providers to validate and mark calls for TRACEBACKS. Here is the most important part: IT DOES NOT TELL YOU ABOUT THE CONTENT OF THE CALL OR THE REPUTATION OF THE CALLERID

Call Originates with Verizon CallerID and terminates over Verizon’s network to destination carrier network. Verizon DID on Verizon’s network = A Level Attestation given by Verizon.

Call originates with Verizon CallerID and terminates over Telnyx’s network to destination carrier network. Verizon DID on Telnyx’s network = B Level Attestation given by Telnyx’s. It’s their network and their customer but not their DID.

Everything else is C or no grade. That includes calls originating from TDM/Non-IP networks within the US (yup they still exist), calls originating from overseas/Canada.

So again, STIR/SHAKEN is not for end users it’s for carriers to trace calls through networks. It’s not meant to block anything, at all. It does not tell you if the call is spam or not.

Are we all getting this now?

1 Like

I thought that the idea behind stir/shaken was to reduce spam calls, but it apparently isn’t.
Thanks for explaining this.

It is by actually forcing carriers to sign calls with their information so now, even after a call routes through 3 different carriers transit routes when it hits Z they know it truly came from A and not C that they received it through. STIR/SHAKEN was a result of the TRACED Act from 2019. The TRACED Act called for the industry to come up with a solution for better/improved call tracing or the FCC would (just like Kari’s Law).

This is part of the reason the FCC is pushing hard for TDM/copper to be shut down. It can’t support current or future innovation. It’s stifles it more than it grows it.

Just keep in mind that I got this non-compliance notice and if I don’t get in compliance by their deadline I get put on a list that says other carriers (including my upstreams) will be required to block my termination traffic.

In terms of consumer benefits, I understand that it is there to prevent identity fraud (particular the identity of financial or government organisations), not properly identified, but unsolicited, commercial calls. The main benefit for spam would be that it makes it more difficult for callers to avoid block lists.

In terms of blocking calls AFAIK carriers have no legal right to reject a call based on the attestation level or if there is no attestation at all, however, end-users are allowed to reject calls based on the attestation level. So there is some benefit for end users.

Regarding the attestation levels, one of our carriers has offered to sign all of our off-net traffic with an A level attestation. It is because of the trust in the relationship and them knowing what type our phone calls are.

Now regarding the tracebacks, I find the whole idea BS. With no STIR/SHAKEN in place you can still trace calls but the big guys refuse to cooperate. It’s the same reason why most big carriers refuse to offer TLS and encrypted media to end-users and other carriers.

IMO the whole STIR/SHAKEN implementations/regulations were designed with big carriers a$$eS in mind (wild guess: the orgs that pay a ton of money in regulatory fees have a say in new regulations) so they don’t have to make major changes to their infrastructure but ZERO thought was put in for smaller carriers who are being finically hurt by this. (see many posts even on the forums here)

If carriers/FCC would’ve really wanted to fight spam calls they could’ve done it without STIR/SHAKEN. If we can easily detect spam calls hitting our network based on different detection methods, the big guys sure can detect the OUTGOING attacks and block/investigate them.

And as we speak, there are a ton of spam/scam calls WITH attestation levels being made but nothing is being done about it.

Someone told me he has seen a lot of SPAM calls with A level attestation where the CallerID was spoofed but obviously no one is doing anything to stop them.

Uhm, this is a bit off. STIR/SHAKEN was designed by the “big guys” so not sure how they are refusing to corporate. I think you’re gleaming over the amount of “VoIP Providers” out there that haven’t done things like become a 499 Filer or get an OCN. The FCC let what a VoIP provider is sit in the grey area for too long but as of Dec 2021 (see above) they have defined it. Most of the people in this forum that sell voip services to their customers (have the relationship not their upstreams) that haven’t done the proper leg work to comply to most anything at the FCC level.

As for the whole no TLS thing, you do understand that the “big boys” are doing Facilities Based VoIP because per the FCC that is the replacement for POTS/analog copper lines. That means the provider/carrier is providing the voice over their own network from the Central Office. It’s not going over the public Internet, it’s within their own network. So why would TLS need to be there?

We fall under the Non-Facilities Based AKA Over-the-Top, which means we rely on another carriers network/Internet to provide voice service over. It also means that without the use of VPNs, the traffic goes over the public Internet, it is taking routes through unknown networks you have no control over. So yeah, TLS would be desired for that scenario.

Is this like when my cousin’s friend’s second uncle experienced something? You got a bit more data to go on outside of vague statements?

Cool, because accuracy in caller id isn’t the point. You have the attestation from the provider that says exactly who the caller is. If they have violated laws you can now do something about it because the carrier says they have a direct relationship with the person who allegedly violated the law.

Tom you are wrong. All Legacy non VOIP calls must be signed starting 2023. The exemption expires for them and numerous companies have products to let calls be signed at the SS7 layer now so in less then a year that exemption goes away.

PitzKey

Regarding the attestation levels, one of our carriers has offered to sign all of our off-net traffic with an A level attestation. It is because of the trust in the relationship and them knowing what type our phone calls are.

That is not correct. The FCC has sent carriers letters saying they can not sign a call with a A or B if they are selling to a reseller. They can only sign with a A or B if they sell direct to the end user. This is a sticking point and goes against the mandate that you MUST know the end user placing the call. They can not know the end user placing the call if they are selling to you. You as the reseller have to sign the call.

The FCC is clear in its 4th ruling that all voip resellers regardless if they have a SBC or not must sign all their own calls for end users who buy from you direct the service.

You got an FCC order link on this I can check out? I can’t find anything from my searches but I might be using the wrong terms.

I will look for it. I did not save it as it did not pertain to us so I moved on from it. It was in May time I read about it.

Oh I found it. It was just another update to the existing deadline on June 30 2023. The deadline that we (voip) was supposed to have until they changed it in Dec 2021.

This was the same order that carriers with foreign gateways (accepts overseas calls) and domestic gateways have to treat them separately with S/S and RMD.

Ok glad to hear you found it. So you agree with my statement about TDM has to sign calls next year?