Rebekah Johnson, CEO, and Anis Jaffer, Chief Product Officer of Numeracle host a live Q&A podcast series covering all things related to call center communications, including call delivery, STIR/SHAKEN, caller ID technology, TRACED Act, brand identity, and more. In the episode below (transcript edited by insideARM; listen to the full episode here), they debunk myths surrounding the June 30th, 2021 STIR/SHAKEN deadline as per the TRACED Act.
What does the TRACED Act actually require?
Rebekah: We keep hearing people talk about June 2021 as though that's the next thing that's going to be a cliff, and all communications fall off at that point. I can understand why people think that, but anytime we're trying to understand what a deadline is I think it's important to go back to where this date even came from and look at the words around it.
I’m going to read specifically from the TRACED Act. For those who don't know this was signed at the end of December 2019, and it covered the implementation of an authentication framework. So specifically where this June 2021 came from was the TRACED Act basically saying that ‘no later than 18 months after the date of the enactment of the act the commission’ (which is the FCC) 'shall require a provider of voice service to implement the STIR/SHAKEN authentication framework in the Internet Protocol networks of the provider of voice and B) to require a provider a voice service to take reasonable measures to implement the effective call authentication framework in the non-Internet Protocol networks of the provider of the voice service.’
So the FCC has been very busy passing a lot of rules around this. The TRACED Act specifically said that the commission shall require a provider of voice service to implement the STIR/SHAKEN framework in its IP networks. The key thing here is that when it comes to the implementation, STIR/SHAKEN has been around for a while. This is a standard that the carriers have been working on for quite some time, it's just unfortunate that it gets to the point that there has to be a mandate. So that's what we're facing: the carriers were very busy implementing the standard but it just wasn't progressing at the rate that the commission would like to see.
So when we look at what the FCC actually said about this deadline, we have to look at the first report and order that was put out in March 2020. Basically, the FCC adopted the first order mandating that, “originating and terminating voice service providers implement STIR/SHAKEN in the IP portions of their networks by June 30th, 2021.” What's interesting is what’s not said. What’s not said here is, what about the interconnect? What about the non-IP portions of the network?
So we can debunk all of the statements with regards to, “your calls are going to stop come June 2021 if they're not signed.” That is not what is being said here. In fact, the FCC went so far as to make some statements about not being prescriptive of what you do once you implement STIR/SHAKEN; that's going to be on the terminating side to make their decisions about what is best.
They haven't told terminating carriers to block calls that don't have an A-Level Attestation. It's just a line in the sand to say, ‘we need you guys to implement on the originating and terminating side for the IP portions, STIR/SHAKEN. And if you can't meet those deadlines, you have to let us know so we can work out some exceptions for you.’
What exactly is STIR/SHAKEN?
Anis: I also want to chime in with respect to the non-IP service providers. The BASE STIR/SHAKEN Standard is targeted at internet IP-based service providers. The non-IP providers are not going to be implementing. Obviously, you need to have a SIP infrastructure (Session Initiation Protocol) to add the search, traditional TDM basic infrastructure will not be able to do it.
What do we mean by STIR/SHAKEN Standard, or the BASE STIR/SHAKEN? SHAKEN itself is a framework that's built on the idea of STIR protocol. It allows or provides an end-to-end architecture for originating service providers to verify and attest who is originating the call and then a terminating service provider to validate that.
So when an originating service provider or carrier knows the customer and they also know where the customer got the number from, or have a way to verify where they got the number from, then they can add a certificate to the SIP invite attesting that they have a way to verify the customer as well as the number. That essentially is the telephone identity that gets attached to the SIP invite and it gets transported over the SIP network to the terminating service provider who does the reverse. So they get the certificate and then they validate if that certificate is valid, has been signed by the relevant key that has been attested, and then they can choose how to terminate the call. That essentially is what is known as the STIR/SHAKEN Standard, which is the BASE STIR/SHAKEN that needs to be implemented by carriers and service providers by June 2021.
What is 'Attestation' and how does it work?
Anis: One of the key things on the certificate is called the Attestation Level. When the originating service provider signs the call they attest it with one of three different levels: A, B, or C. When the service provider knows the customer and also knows how the customer got the number, either they issued it or they're able to verify that the customer has the right to use that number, then they can sign the call as A. There's also another component to it that they are actually originating the call.
So let's say, for example, Verizon is the service provider and they are servicing a big-box retailer, and if the big-box retailer got the numbers from Verizon and are also using the SIP trunking from Verizon to originate the call, Verizon has all the information that they need to attest the call with A-Level.
In case Verizon doesn't know that the big-box retailer has the right to use the number or if the big-box retailer is using a third-party call center and that call center is originating the call and Verizon does not know if they have the right to use the number, then they have to sign the call with Attestation Level B.
Let's say the same call originates from outside the country coming through an international gateway and Verizon doesn't have any way to know who the originator of the call is, the only thing they know is that the call came through their network and is being placed into their communication network, then they would sign it as Attestation Level C.
So those are the three authentication -- or Attestation -- levels. The gap is the scenario that we talked about for Attestation B. Let's say you have a call center or BPO and they're making calls on behalf of multiple clients. We also know that in some cases there could be two or three parties involved during the call path. So you could have the end client be somebody who is not even making the call, but they have outsourced this call to another call center who is then using a different platform or a CPaaS provider (Communications Platform as a Service), and they got the numbers from one provider, and they're using another network to make the call... These are all the scenarios that are happening in the ecosystem and that is the gap that we have. You would hear: Attestation Gap, enterprises not being able to validate or service providers not being able to validate the enterprises, that's the scenario that we are seeing where enterprises cannot directly get their call signed.
So, what does this mean for enterprise calls?
Rebekah: Anis, what are you seeing with regards to how the carriers are going to take this data in? Let’s say we’ve got the ecosystem set up, everybody's good. The FCC's got their list of voice service providers that are implemented, we love what we see, 90% implemented, go. What are they going to do with this information?
Anis: We think what will happen is, if you are a cell phone subscriber directly calling using a telephone carrier, like Verizon or AT&T, your calls will probably get signed. Because they know who you are and they issued the number it's a straight A-Level Attestation. That will happen. For the complex enterprise scenarios where there are multiple vendors and different parties involved in the call path, those would probably not be signed with Attestation Level-A.
That doesn't mean that calls are not going to get terminated, because the terminating service provider still has a choice to terminate the call. They would also use the analytics providers, just like we have today, for call validation treatment. Analytics would continue to run and using their algorithms would determine if that call is spoofed or spam and they would label accordingly. I don't think it's going to drop off come July. It's probably going to change over a period of time but not immediately. So you would still continue to have calls with different labels that get terminated, but you would also start seeing more and more verified calls, especially subscriber-to-subscriber calls, with Attestation A. Over a period of time, I think enterprise calls would change as more service providers implement.
What are the top three things businesses need to be aware of and should do by June 2021 to be prepared for STIR/SHAKEN?
Rebekah Johnson: This is a bulleted list; top three, not in any particular order.
One, you need to know what your service provider is doing, whether your service provider is the BPO, the CPaaS, UCaaS, or direct carrier, you need to know what they're doing to prepare for June 2021. They should either tell you, ‘we filed for an extension," or 'we're going to meet the timeline.’ If their answer is, ‘what is STIR/SHAKEN?’ you’ve got some concerns, they should not be responding that way. So get an assessment of where your service provider is.
Two, ask your service provider how their compliance with the law is going to impact your current contract. This is a new one, this is the first time anyone is talking about this but I'm bringing it up because I'm starting to see that with STIR/SHAKEN some are shifting the contracts on the originating side. I'm seeing it come through in a variety of different ways, whether it’s an increase in cost, a service-level agreement change, etc. Start having that conversation with your provider. If there is going to be a contractual impact on the services that they provide based on STIR/SHAKEN, then you might consider hiring an attorney to help you through those problems. I think there are going to be some things where we need to get a better understanding.
Third, analytics are going to continue to exist. Anis has covered that the carriers and their CVTs, their analytics providers is what they're called, will continue. They have to. They have to stay in existence to determine calls that are wanted, unwanted, illegal, whatever it may be, they're going to be around. So you still have to address your call blocking and labeling issues. Just think of STIR/SHAKEN as another data element for that decision making on the terminating side.
So those are the top three things that I would focus on. Number four is going to be who's on the list and not on the list. That might be a shopping list for us in the future of who do we work with and not work with?