It’s not hyperbole to suggest that virtually no one likes being robocalled by a telemarketer. The perfectly honed mealtime call that tells you of a non-existent but expiring car warranty or an errant grandchild in prison is more than unpleasant, regardless of how you feel about the First Amendment’s guaranteed right of free speech. I’m sure the constitution’s framers had no concept that robocalls would be considered protected communications while simultaneously becoming the annoyance du jour for more than a decade.
It’s hardly news that telemarketers prey on the most vulnerable. While these pests enjoy the benefits of the First Amendment in terms of free speech, their collective actions make their business models no less slime-worthy. But sadly, they work because otherwise, the slimy telemarketers would go the way of the (insert name of a favorite band that has disappeared here). Nonetheless, these annoying robocalls may just be one of the very few things that people from across the political spectrum can agree upon, and as such, Congress’s implementation of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (
TRACED Act, Pub. L. No. 116-105 (2019)) has led to recent Federal Communications Commission (FCC) action. The FCC’s recent creation and the imposition of the
STIR/SHAKEN initiative to restore trust in voice communications is also a giant leap forward against this widespread problem. And yes, feel free to picture James Bond (any) sipping a dry martini as you read on.
STIR is an acronym for secure telephony identity revisited, with SHAKEN standing for secure handling of asserted information using tokens (hence KEN). At the most basic levels, these rules are designed to clamp down on voice service providers (VSPs) that display inaccurately—if not downright deceptive—caller identification (caller ID) information attempting to get an unsuspecting victim to pick up the phone when a number looks local. Victims then share information over the phone that would best be kept confidential. VSPs for whom these rules apply must deploy a solution by June 30, 2021.
The new rules directly address spoofing, where inaccurate but local caller ID appears when an inbound call is delivered. Most spoofers believe – rightly so –that if people see a local number particularly with a familiar exchange (NXX), they’re more likely to pick up the phone. As such, the bad guys have been “neighbor spoofing” (yes, this is a thing) numbers for the last few years. It’s important to note that not all spoofing or blocking is bad, and some will remain legally permissible (calls from doctors’ offices, medical entities, or law enforcement as examples).
The rise of Internet telephony has made spoofing easier to accomplish. However, with the new rules, the underlying technology is legally irrelevant. The goal/requirement is that call data be authenticated and verified at each link of the connection from handset to handset. If required header information isn’t verifiable, VSPs will have a very good indication that something is, to use a technical legal term, hinky.
The STIR/SHAKEN rules have two components: authenticating and verifying caller ID information, and a social process, designed to insure trust in the authentication and verification. STIR/SHAKEN information, which includes encrypted caller ID information, along with the originating provider ID attests to the veracity of the information provided and offers an electronic acknowledgment certificate. The social process acknowledges that the originating provider is who it claims to be. To provide further assurances, the assignment and management of certificates will be governed by an industry-led governance system.
The intention is that if and when a call fails verification, the likelihood that it has been maliciously spoofed (keyword here is “maliciously”) is high. This information can then be used to notify the intended recipient and enable them to block the call. Additionally, the verification information can be used to create useful call analytics while also identifying vulnerabilities in the chain of custody of the call itself. While more rulemaking is expected, these processes must be in place on the Internet protocol (IP) portion of the network by June 30, 2021. The problem won’t go away on that date, but with VSPs increasingly relying on IP telephony for connectivity, identifying and minimizing contact that the bad guys have with targeted consumers will significantly reduce.
With some exceptions for small providers, the new rules require that caller ID verification from end-to-end, beginning with the voice service provider from whom the call originates, to an intermediate provider(s) to the provider that connects the call to the recipient. The underlying theory is that if the authentication fails at any point in the process, it’s likely that the call has originated from an inaccurate, dare I say “deceptive,” “spurious,” or “faked” location.
Finally, the FCC and Congress will continue to monitor the success of the problem in reducing, if not eliminating robocalls. Over five years, the FCC must report on the number of robocall complaints, the number of enforcement actions the Commission has taken, the number of fines collected, and a narrative describing how voice over Internet protocol (VoIP) providers are actively reducing robocalls.
I have a friend who enjoys playing with the telemarketers once they reach him (he’s armed with a fake persona and bank information just to drag the process out for the caller). He does this for sport, and the stories he tells about leading hapless telemarketers down the garden path would be awfully funny if they weren’t so…well…awful. Going forward, maybe he’ll have more time to pursue other activities. But why let someone else have all the fun?
