[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
[Pages 22029-22043]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-07585]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[WC Docket Nos. 17-97, 20-67; FCC 20-42; FRS 16631]
Call Authentication Trust Anchor; Implementation of TRACED Act--
Knowledge of Customers by Entities With Access to Numbering Resources
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Commission adopts a rule that mandates
that all originating and terminating voice service providers implement
the STIR/SHAKEN caller ID authentication framework in the internet
Protocol (IP) portions of their networks by June 30, 2021. In
establishing this requirement, the Report and Order both acts on the
Commission's proposal to require voice service providers to implement
the STIR/SHAKEN caller ID authentication framework if major voice
service providers did not voluntarily do so by the end of 2019, and
implements Congress's direction in the recently enacted Pallone-Thune
Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED)
Act to mandate STIR/SHAKEN not later than 18 months after the date of
enactment of that Act. This action builds on the Commission's
aggressive and multi-pronged approach to ending illegal caller ID
spoofing.
DATES: Effective May 21, 2020.
FOR FURTHER INFORMATION CONTACT: For further information, please
contact Mason Shefa, Competition Policy Division, Wireline Competition
Bureau, at [email protected].
SUPPLEMENTARY INFORMATION: The full text of this document, WC Docket
Nos. 17-97, 20-67; FCC 20-42, adopted and released on March 31, 2020,
is available for public inspection during regular business hours in the
FCC Reference Information Center, Portals II, 445 12th Street SW, Room
CY-A257, Washington, DC 20554 or at the following internet address:
https://docs.fcc.gov/public/attachments/FCC-20-42A1.pdf . The Further
Notice of Proposed Rulemaking WC Docket Nos. 17-97, 20-67; FCC 20-42,
adopted concurrently with this document and available at the same
internet address, is published elsewhere in this issue of the Federal
Register.
Synopsis
I. Introduction
1. Each day, Americans receive millions of unwanted phone calls.
One source indicates that Americans received over 58 billion such calls
in 2019 alone. These include ``spoofed'' calls whereby the caller
falsifies caller ID information that appears on a recipient's phone to
deceive them into thinking the call is from someone they know or can
trust. Spoofing has legal and illegal uses. For example, medical
professionals calling patients from their mobile phones often legally
spoof the outgoing phone number to be the office phone number for
privacy reasons, and businesses often display a toll-free call-back
number. Illegal spoofing, on the other hand, occurs when a caller
transmits misleading or inaccurate caller ID information with the
intent to defraud, cause harm, or wrongly obtain anything of value. And
these spoofed calls are not simply an annoyance--they result in
billions of dollars lost to fraud, degrade consumer confidence in the
voice network, and harm our public safety. A 2019 survey estimated that
spoofing fraud affected one in six Americans and cost approximately
$10.5 billion in a single 12-month period.
2. The Commission, Congress, and state attorneys general all agree
on the need to protect consumers and put an end to illegal caller ID
spoofing. Over the past three years, the Commission has taken a multi-
pronged approach to this problem--issuing hundreds of millions of
dollars in fines for violations of our Truth in Caller ID rules;
expanding those rules to reach foreign calls and text messages;
enabling voice service providers to block certain clearly unlawful
calls before they reach consumers' phones; and clarifying that voice
service providers may offer call-blocking services by default. We have
also called on industry to ``trace back'' illegal spoofed calls and
text messages to their original sources and encouraged industry to
develop and implement new caller ID authentication technology. That
technology, known as STIR/SHAKEN, allows voice service providers to
verify that the caller ID information transmitted with a particular
call matches the caller's number. Entities variously refer to this
technology as either ``SHAKEN/STIR'' or ``STIR/SHAKEN.'' In the past,
the Commission has referred to the technology as ``SHAKEN/STIR.'' To
ensure consistency with the TRACED Act, we use ``STIR/SHAKEN'' here.
Its widespread implementation will reduce the effectiveness of illegal
spoofing,
[[Page 22030]]
allow law enforcement to identify bad actors more easily, and help
voice service providers identify calls with illegally spoofed caller ID
information before those calls reach their subscribers.
3. Today, we build on our aggressive and multi-pronged approach to
ending illegal caller ID spoofing. First, we mandate that all voice
service providers implement the STIR/SHAKEN caller ID authentication
framework in the internet Protocol (IP) portions of their networks by
June 30, 2021. In recognition of the fact that it is caller ID
information transmitted with a call that is authenticated, we use the
term ``caller ID authentication'' in this Report and Order and Further
Notice of Proposed Rulemaking. We understand this term to be
interchangeable with the term ``call authentication'' as used in other
contexts, including the TRACED Act. In establishing this requirement,
we both act on our proposal to require voice service providers to
implement the STIR/SHAKEN caller ID authentication framework if major
voice service providers did not voluntarily do so by the end of 2019,
and implement Congress's direction in the recently enacted Pallone-
Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence
(TRACED) Act to mandate STIR/SHAKEN not later than 18 months after the
date of enactment of that Act. Second, we propose and seek comment on
additional measures to combat illegal spoofing, including further
implementation of the TRACED Act.
II. Background
4. Technological advancements and marketplace developments in IP-
based telephony have made caller ID spoofing easier and more affordable
than ever before. Today, widely available Voice over internet Protocol
(VoIP) software allows malicious callers to make spoofed calls with
minimal experience and cost. Taking advantage of the ability to use
spoofing to mask the true identity of an incoming call, these callers
have turned to this technology as a quick and cheap way to defraud
targets and avoid being discovered. Driven in part by the rise of VoIP,
the telecommunications industry has transitioned from a limited number
of carriers that all trusted each other to provide accurate caller
origination information to a proliferation of different voice service
providers and entities originating calls, which allows consumers to
enjoy the benefits of far greater competition but also creates new ways
for bad actors to undermine this trust.
5. To combat illegal spoofing, industry technologists from the
internet Engineering Task Force (IETF) and the Alliance for
Telecommunications Industry Solutions (ATIS) developed standards for
the authentication and verification of caller ID information for calls
carried over an IP network using the Session Initiation Protocol (SIP).
The Session Initiation Protocol (SIP) is ``an application-layer control
(signaling) protocol for creating, modifying, and terminating
sessions'' such as internet Protocol (IP) telephony calls. The IETF
formed the Secure Telephony Identity Revisited (STIR) working group,
which has produced several protocols for authenticating caller ID
information. ATIS, together with the SIP Forum, produced the Signature-
based Handling of Asserted information using toKENs (SHAKEN)
specification which standardizes how the protocols produced by STIR are
implemented across the industry. The SIP Forum is ``an industry
association with members from . . . IP communications companies,'' with
a mission ``[t]o advance the adoption and interoperability of IP
communications products and services based on SIP.'' Together, these
technical standards comprise the ``STIR/SHAKEN'' framework for caller
ID authentication. The STIR/SHAKEN framework consists of two high-level
components: (1) The technical process of authenticating and verifying
caller ID information; and (2) the certificate governance process that
maintains trust in the caller ID authentication information transmitted
along with a call.
6. Authenticating and Verifying Caller ID Information Through STIR/
SHAKEN. The STIR/SHAKEN authentication and verification processes
center on the transmission of encrypted information used to attest to
the accuracy of caller ID information transmitted with a call.
Specifically, an originating voice service provider adds a unique
header to the network-level message used to initiate a SIP call (the
SIP INVITE). This SIP INVITE contains a series of unencrypted headers
which provides information about the message, such as a ``From''
header, giving information about the calling party; a ``To'' header,
giving information about the called party; and a ``Via'' header, which
``indicates the path taken by the request so far and helps in routing
the responses back along the same path.'' Both originating and
downstream providers are technically capable of appending headers to
the SIP INVITE. When a subscriber places a call, the originating voice
service provider uses an authentication service to create this
``Identity'' header, which contains encrypted identifying information
as well as the location of the public key that can be used to decode
this information. The authentication service can be provided by the
voice service provider itself, or by a third party acting under the
voice service provider's direction. When the terminating voice service
provider receives the call, it sends the SIP INVITE with the Identity
header to a verification service, which uses the public key that
corresponds uniquely to the originating voice service provider's
private key to decode the encrypted information and verify that it is
consistent with the information sent without encryption in the SIP
INVITE. Like the corresponding authentication service on the
originating voice service provider's end, the terminating voice service
provider's verification service can be performed internally or by a
trusted third-party service. The verification service then sends the
results of the verification process--including whether the decoding
process was successful and whether the encrypted information is
consistent with the information sent without encryption--to the
terminating voice service provider. STIR/SHAKEN thus establishes a
chain of trust back to the originating voice service provider.
7. Because the STIR/SHAKEN framework relies on transmission of
information in the Identity header of the SIP INVITE, it only operates
on the IP portions of a voice service provider's network--that is,
those portions served by network technology that is able to initiate,
maintain, and terminate SIP calls. If a call terminates on a network or
is routed at any point over an intermediate provider network that does
not support the transmission of SIP calls, the Identity header will be
lost. Because STIR/SHAKEN only operates on IP networks, some
stakeholders have advocated for a solution referred to as ``out-of-band
STIR,'' in which caller ID authentication information is sent across
the internet, out-of-band from the call path, allowing STIR/SHAKEN to
be implemented on networks that are not fully IP. Out-of-band STIR
remains in the early stages of development.
8. The STIR/SHAKEN framework relies on the originating voice
service provider attesting to the subscriber's identity. The SHAKEN
specification allows an originating voice service provider to provide
different ``levels'' of attestation. Specifically, the voice service
provider can indicate that (i) it can confirm the identity of the
subscriber making the call, and that the subscriber is using its
associated
[[Page 22031]]
telephone number (``full'' or ``A'' attestation); (ii) it can confirm
the identity of the subscriber but not the telephone number
(``partial'' or ``B'' attestation); or merely that (iii) it is the
point of entry to the IP network for a call that originated elsewhere,
such as a call that originated abroad or on a domestic network that is
not STIR/SHAKEN-enabled (``gateway'' or ``C'' attestation).
9. To maintain trust in the voice service providers that vouch for
caller ID information, the STIR/SHAKEN framework uses digital
``certificates'' issued through a neutral governance system. The STIR/
SHAKEN credentials are based on an X.509 credential system. X.509 is a
specific standard for a type of public key infrastructure system that
uses certificates to facilitate secure internet communications. The
framework requires that each voice service provider receive its own
certificate that contains, among other components, that voice service
provider's public key, and states, in essence, that (i) the voice
service provider is that which it claims to be; (ii) the voice service
provider is authorized to authenticate the caller ID information; and
(iii) the voice service provider's claims about the caller ID
information it is authenticating can thus be trusted. Every time an
originating voice service provider originates an authenticated call, it
transmits the location of its certificate in the Identity header,
allowing the verification service to acquire the public key and verify
the caller ID information, and have certainty that the public key is
truly associated with the voice service provider that originated the
call. The ``location'' is sent unencrypted in the form of a Uniform
Resource Locator (URL).
10. The STIR/SHAKEN governance model requires several roles in
order to operate: (1) A Governance Authority, which defines the
policies and procedures for which entities can issue or acquire
certificates; (2) a Policy Administrator, which applies the rules set
by the governance authority, confirms that certification authorities
are authorized to issue certificates, and confirms that voice service
providers are authorized to request and receive certificates; (3)
Certification Authorities, which issue the certificates used to
authenticate and verify calls; and (4) the voice service providers
themselves, which, as call initiators, select an approved certification
authority from which to request a certificate, and which, as call
recipients, check with certification authorities to ensure that the
certificates they receive were issued by the correct certification
authority.
11. Commission and North American Numbering Council Action to
Promote STIR/SHAKEN Deployment. In July 2017, the Commission released a
Notice of Inquiry, launching a broad inquiry into caller ID
authentication and how to expedite its development and implementation.
In the Notice of Inquiry, the Commission recognized the potential of
caller ID authentication to ``reduc[e] the risk of fraud and ensur[e]
that callers be held accountable for their calls.'' Among other issues,
the Commission sought comment on its role in promoting implementation
of caller ID authentication technology; what involvement, if any, it
should have in STIR/SHAKEN governance; and how to address caller ID
authentication for networks that use non-IP technology.
12. In February 2018, the Commission directed the Call
Authentication Trust Anchor Working Group of the North American
Numbering Council (NANC) to recommend ``criteria by which a [Governance
Authority] should be selected'' and a ``reasonable timeline or set of
milestones for adoption and deployment of a SHAKEN/STIR call
authentication system, including metrics by which the industry's
progress can be measured.'' In its May 2018 report, the NANC
recommended that representatives from various industry stakeholders
comprise a board overseeing the Governance Authority, and that
``individual companies capable of signing and validating VoIP calls
using SHAKEN/STIR should implement the standard within a period of
approximately one year after completion of the NANC CATA report.''
Chairman Pai accepted these recommendations shortly after they were
issued by the NANC.
13. In November 2018, drawing on the NANC's May 2018 recommendation
that capable voice service providers rapidly implement STIR/SHAKEN,
Chairman Pai sent letters to major voice service providers urging them
to implement a robust caller ID authentication framework by the end of
2019. He asked these providers for specific details about their
implementation plans, and encouraged those that did not appear to have
established concrete plans to promptly protect their subscribers with
STIR/SHAKEN. In response, the providers submitted letters detailing
their implementation efforts. Since that time, Commission staff has
closely tracked the progress of major voice service providers in
implementation of the STIR/SHAKEN framework.
14. In June 2019, the Commission adopted a Declaratory Ruling and
Third Further Notice of Proposed Rulemaking that proposed and sought
comment on mandating implementation of STIR/SHAKEN in the event that
major voice service providers did not voluntarily implement the
framework by the end of 2019. We stressed that ``[i]mplementation of
the SHAKEN/STIR framework across voice networks is important in the
fight against unwanted, including illegal, robocalls'' and proposed to
extend any mandate to ``wireline, wireless, and Voice over Internet
Protocol (VoIP) providers''; sought comment on what we should require
voice service providers to accomplish to meet an implementation
mandate; and asked for comment on how long voice service providers
should be given to comply with such a mandate. We further sought
comment on whether we should establish requirements regarding the
display of STIR/SHAKEN attestation information, what role the
Commission should have in STIR/SHAKEN governance, and how we could
encourage caller ID authentication on non-IP networks. The Declaratory
Ruling and Third Further Notice of Proposed Rulemaking also affirmed
that voice service providers may, by default, block unwanted calls
based on reasonable call analytics, as long as their customers are
informed and have the opportunity to opt out of the blocking; proposed
to create a safe harbor for voice service providers that block calls
which fail STIR/SHAKEN verification; and sought comment on whether we
should create a safe harbor for voice service providers that block
calls which do not have authenticated caller ID information.
15. In July 2019, the Commission held a summit focused on
implementation of STIR/SHAKEN. Summit participants included
representatives from large and small voice service providers, analytics
companies, vendors, and members of the Governance Authority. The
participants discussed implementation progress made by major voice
service providers; using STIR/SHAKEN to improve the consumer
experience; and implementation challenges faced by small voice service
providers.
16. Developments in STIR/SHAKEN Governance. Currently, the Secure
Telephone Identity Governance Authority (STI-GA), established by ATIS,
fills the Governance Authority role. The STI-GA's membership was
designed to provide a diverse representation of stakeholders from
across the industry. The STI-GA selected the Policy Administrator,
iconectiv, in May 2019. In December 2019, the Policy Administrator
approved the first Certification Authorities, and announced that voice
service providers are now able to
[[Page 22032]]
register with the Policy Administrator to obtain the credentials
necessary to receive certificates from approved Certification
Authorities.
17. Implementation by Voice Service Providers. We recognize that a
number of providers have been working hard to implement caller ID
authentication. Some voice service providers reported that, by the end
of 2019, they had completed the necessary network upgrades to support
the STIR/SHAKEN framework and that they were exchanging a limited
amount of traffic with authenticated caller ID information with other
voice service providers. Others, however, reported only that they had
completed necessary network upgrades by the end of 2019, but had not
begun exchanging authenticated traffic with other voice service
providers. Still others have shown little to no progress in upgrading
their networks to be STIR/SHAKEN-capable.
18. More specifically, as of the end of 2019, AT&T, Bandwidth,
Charter, Comcast, Cox, T-Mobile, and Verizon announced that they had
upgraded their networks to support STIR/SHAKEN. AT&T, for example,
confirmed that it ``authenticates all calls on its network that
originate from [Voice over LTE] and consumer VoIP customers'' and
``estimates that approximately 90 percent of its wireless customer base
(prepaid and postpaid) and more than 50 percent of its consumer
wireline customer base are SHAKEN/STIR capable.'' Charter stated that
it ``fulfilled [its] commitment to complete the implementation of the
STIR/SHAKEN framework by the end of [2019].'' Similarly, Comcast
reported that ``virtually all calls originating from a Comcast
residential subscriber and terminating with a Comcast residential
subscriber are fully authenticated through the STIR/SHAKEN protocol.''
Cox reported that it ``has deployed SHAKEN/STIR to over 99% of [its]
residential customers enabling Cox to sign originating and terminating
calls.'' T-Mobile stated that it was ``the first wireless provider to
fully implement STIR/SHAKEN standards on [its] network'' and is
``capable of signing and authenticating 100% of SIP traffic that both
originates and then terminates on [its] network.'' According to
Verizon, it ``finished deploying STIR/SHAKEN to its wireless customer
base (which constitutes more than 95% of [its] total traffic) in March
2019,'' ``is devoting substantial resources to deploying STIR/SHAKEN to
wireline customers that receive service on IP platforms capable of
being upgraded with the STIR/SHAKEN protocol'' and expects ``to achieve
deployment of STIR/SHAKEN to Fios Digital customers later this year.''
19. These voice service providers, however, were exchanging only a
limited amount of authenticated traffic with other voice service
providers as of the end of 2019. For instance, Comcast has begun to
exchange authenticated calls with AT&T and T-Mobile, and explained
that, as of December 2019, approximately 14.25% of all calls
``originating on other voice providers' networks and bound for Comcast
residential subscribers had a STIR/SHAKEN-compliant header and were
verified by Comcast.'' T-Mobile explained that it is also
authenticating some traffic exchanged with AT&T, Comcast, and
Inteliquent. According to AT&T, it ``exchanges approximately 40 percent
of its SHAKEN/STIR consumer VoIP traffic with one terminating service
provider.'' Verizon stated that it was signing ``under half of [its]
outbound traffic'' with one provider as of the end of 2019, and that
``for the other three partners,'' its production levels were under 5%.
Cox explained that it is ``exchanging authenticated traffic with four
carriers resulting in over 14% of all calls on Cox' residential IP
network being verified.'' Charter stated that it is ``exchanging signed
and authenticated customer call traffic end-to-end with Comcast.''
Bandwidth is also in early stages of exchanging traffic and ``has
designed, tested and deployed the capability to exchange some of its
production traffic with Verizon Wireless directly utilizing `self-
signed' certifications that are in keeping with the STIR/SHAKEN
framework.''
20. Other voice service providers--namely Frontier, Sprint, U.S.
Cellular, and Vonage--stated that they have performed necessary network
upgrades, but had only begun the negotiating and testing phase of
exchanging authenticated traffic with other voice service providers as
of the end of 2019. Frontier reported that it ``established the
capability to authenticate and sign calls'' and is in the negotiating
and testing phase regarding authenticating traffic exchanged with other
voice service providers. Sprint reported that it ``deployed the core
STIR/SHAKEN capability in its network'' and was testing the exchange of
authenticated traffic with Comcast and T-Mobile. In 2019, U.S. Cellular
``successfully implemented the STIR/SHAKEN technology in its network''
and is currently ``in various stages of the [interconnection agreement]
process with three of the four national wireless carriers . . .
including, the successful exchange of traffic on a test basis with at
least one of . . . those carriers.'' Vonage reported that it was
testing with ``its two largest peering partners'' and had ``reached out
to twenty additional carriers to implement outbound and inbound testing
schedules.''
21. An additional category of voice service providers--namely
CenturyLink, TDS, and Google--has indicated limited progress in making
the necessary network upgrades. CenturyLink, for instance, stated that
as of late 2019 it had ``taken the steps necessary to prepare its
network for SHAKEN/STIR deployment'' and is currently conducting
testing for wider deployment on its IP networks. TDS, meanwhile,
reported that it had completed work in 2019 to evaluate, select, and
lab test a vendor solution to allow it to integrate STIR/SHAKEN in the
IP portions of its network. It is in the process of developing
implementation plans, but because many of its interconnection points
with other providers are not IP-enabled, it ``forecast[s] that only a
small percentage of traffic will be exchanged in IP when SHAKEN/STIR is
initially deployed in the TDS IP network.'' Google provided limited
detail about the status of implementation but stated that it ``remains
committed to implementing SHAKEN/STIR and . . . ha[s] taken
considerable steps toward doing so.''
22. Congressional Direction to Require STIR/SHAKEN Implementation.
On December 30, 2019, Congress enacted the TRACED Act, with the stated
purpose of ``helping to reduce illegal and unwanted robocalls'' through
numerous mechanisms. Along with other provisions directed at addressing
robocalls, the TRACED Act directs the Commission to require, no later
than 18 months from enactment, all voice service providers to implement
STIR/SHAKEN in the IP portions of their networks and implement an
effective caller ID authentication framework in the non-IP portions of
their networks. The TRACED Act further creates processes by which voice
service providers (1) may be exempt from this mandate if the Commission
determines they have achieved certain implementation benchmarks, and
(2) may be granted an extension for compliance based on a finding of
undue hardship because of burdens or barriers to implementation or
based on a delay in development of a caller ID authentication protocol
for calls delivered over non-IP networks. The TRACED Act further
directs us, not later than December 30, 2020, to submit a report to
Congress that includes: (1) an analysis of the extent to which voice
service providers have implemented caller ID authentication frameworks
and
[[Page 22033]]
whether the availability of necessary equipment and equipment upgrades
has impacted such implementation; and (2) an assessment of the efficacy
of the call authentication frameworks.
23. This rulemaking is one of several steps we are taking to
implement the TRACED Act. For instance, we recently proposed rules to
establish a registration process for a ``single consortium that
conducts private-led efforts to trace back the origin of suspected
unlawful robocalls.'' Additionally, the Wireline Competition Bureau
(Bureau) has charged the NANC Call Authentication Trust Anchor Working
Group with providing recommendations regarding the TRACED Act's
direction that the Commission ``issue best practices that providers of
voice service may use as part of the implementation of effective call
authentication frameworks . . . to take steps to ensure the calling
party is accurately identified.'' We will continue to work swiftly and
carefully to implement the TRACED Act and protect Americans from
illegal robocalls.
III. Report and Order
24. In this Report and Order, we require all originating and
terminating voice service providers to implement the STIR/SHAKEN
framework in the IP portions of their networks by June 30, 2021. We
adopt this mandate for several reasons, including that (1) Widespread
implementation will result in significant benefits from American
consumers; (2) the record overwhelmingly reflects support from a broad
array of stakeholders for rapid STIR/SHAKEN implementation; (3) the
state of industry-wide implementation at the end of 2019 demonstrates
that further government action is necessary for timely, ubiquitous
implementation; and (4) the TRACED Act expressly directs us to require
timely STIR/SHAKEN implementation. Below, we discuss these reasons in
more detail; describe the specific requirements that comprise our
mandate; discuss our legal authority to adopt these requirements;
respond to the limited record opposition to a mandate; and find that
the benefits of STIR/SHAKEN implementation will far exceed the costs.
USTelecom and CTIA ask us to adopt a broad call blocking safe harbor
today. Transaction Network Services suggests that we require or
recommend that providers pair STIR/SHAKEN with analytics. We intend to
address call-blocking issues and the role of analytics in relation to
call blocking in a separate item and thus decline to address these
requests here.
A. Mandating the STIR/SHAKEN Framework
25. We require all originating and terminating voice service
providers to implement the STIR/SHAKEN framework in the IP portions of
their networks by June 30, 2021 for several compelling reasons. First,
ubiquitous STIR/SHAKEN implementation will yield substantial benefits
for American consumers. We estimate that the benefits of eliminating
the wasted time and nuisances caused by illegal scam robocalls will
exceed $3 billion annually. And more importantly, we expect STIR/SHAKEN
paired with call analytics to serve as a tool to effectively protect
American consumers from fraudulent robocall schemes that cost Americans
approximately $10 billion annually. Further, we anticipate that
implementation will increase consumer trust in caller ID information
and encourage consumers to answer the phone, thereby benefitting
businesses, healthcare providers, and non-profit charities. Widespread
implementation also benefits public safety by decreasing disruptions to
healthcare and emergency communications systems, and as a result,
saving lives. Additional benefits include significantly reducing costs
for voice service providers by eliminating unwanted network congestion
and decreasing the number of consumer complaints about robocalls.
Ultimately, we expect widespread STIR/SHAKEN implementation to reduce
the scourge of illegal robocalls that plague Americans every day.
26. Second, the record overwhelmingly reflects support from a broad
array of stakeholders for rapid STIR/SHAKEN deployment, and many
commenters support a STIR/SHAKEN mandate. Commenters, including the
attorneys general of all fifty states and the District of Columbia,
consumer groups, and major voice service providers expressed support
for Commission action if widespread voluntary implementation did not
occur. The unified state attorneys general argue that a mandate is
necessary ``in the absence of prompt voluntary implementation'' by the
end of 2019 because without such action, ``[b]ad actors exploit
inexpensive and ubiquitous technology to scam consumers and to intrude
upon consumers' lives, and the problem shows no signs of abating.''
Consumer group commenters, including Consumer Reports, the National
Consumer Law Center, Consumer Action, the Consumer Federation of
America, the National Association of Consumer Advocates, and Public
Knowledge, observe that ``cross-carrier implementation has been
relatively limited'' and state that we ``should require phone companies
to adopt effective call-authentication policies and technologies.''
AT&T explains that ``SHAKEN/STIR must be widely deployed to be
effective.'' Verizon similarly explains that STIR/SHAKEN only works if
all voice service providers have implemented the framework in the call
path--increasing the utility of a mandate. Other providers, including
Comcast and Transaction Network Services, support a ``measured'' STIR/
SHAKEN requirement that accounts for existing implementation
challenges. We find that our June 30, 2021 implementation date and
application of the STIR/SHAKEN mandate to only the IP portions of
originating and terminating voice service providers' networks satisfies
these commenters' concerns. And even commenters who express hesitation
about a mandate are receptive to one that accounts for the burdens and
barriers confronted by rural and small voice service providers, which
we proposed to address through the process established in the TRACED
Act. For example, the Voice of America's Broadband Providers and Teliax
are receptive to a mandate that ``focus[es] on implementation of . . .
legislation Congress enacts'' and provides for a more flexible
implementation timeframe for small and rural providers.
27. Third, although some major voice service providers have taken
significant steps towards STIR/SHAKEN implementation, the level of
implementation by the Commission's end of 2019 deadline shows that,
absent further governmental action, we will not have timely ubiquitous
implementation. As Verizon states, ``verifying [c]aller ID for
consumers using STIR/SHAKEN presents a classic collectivity challenge
that industry may not be able to overcome on its own.'' As we have
explained, some voice service providers reported that, by the end of
2019, they completed the necessary network upgrades to support the
STIR/SHAKEN framework and that they were exchanging a limited amount of
traffic with authenticated caller ID information with other voice
service providers. Others, however, reported only that they had
completed necessary network upgrades by the end of 2019, but had not
begun exchanging with other voice service providers. Still others have
shown little to no progress in upgrading their networks to be STIR/
SHAKEN-capable. We find that the lack of common exchange among these
voice service providers--and the absence of
[[Page 22034]]
substantial progress by several of them--demonstrate that major voice
service providers have failed to meet the goal of achieving full
implementation by the end of 2019. We therefore must act to ensure
faster progress to protect the public from the scourge of illegal
robocalls.
28. Finally, confirming our decision is the recently-enacted TRACED
Act, which provides additional support for the implementation mandate
we set forth today. The TRACED Act directs the Commission to ``require
a provider of voice service to implement the STIR/SHAKEN authentication
framework in the [IP] networks of the provider of voice service.''
Congress's clear direction to require timely STIR/SHAKEN implementation
further encourages us to adopt the mandate in this Report and Order.
29. Limited Record Opposition to a STIR/SHAKEN Implementation
Mandate. We disagree with those commenters who argue that we should not
move forward with a STIR/SHAKEN implementation mandate. First, we
specifically disagree with the argument that we should delay a mandate
while industry develops technical solutions to allow the STIR/SHAKEN
framework to accommodate certain more challenging scenarios. According
to some commenters, the standards for attestation do not fully account
for the situation where an enterprise subscriber places outbound calls
through a voice service provider other than the voice service provider
that assigned the telephone number. In such scenarios, commenters
claim, it would be difficult for an outbound call to receive ``full''
or ``A'' attestation because the outbound call ``will not pass through
the authentication service of the voice service provider that controls
the numbering resource.'' To provide ``full'' or ``A'' attestation, the
voice service provider must be able to confirm the identity of the
subscriber making the call, and that the subscriber is using its
associated telephone number. We are optimistic that standards bodies,
which remain engaged on the impact of STIR/SHAKEN on more challenging
use cases and business models, will be able to resolve those issues--
just as they have overcome numerous other barriers to caller ID
authentication so far. We will continue to monitor industry progress
towards solutions to these issues. For instance, the Internet
Engineering Task Force (IETF) has proposed a ``certificate delegation''
solution that would allow ``the carrier who controls the numbering
resource . . . to delegate a credential that could be used to sign
calls regardless of which network or administrative domain handles the
outbound routing for the call.'' Further, granting a delay until
standards bodies address every possible issue would risk creating an
incentive for some parties to draw out standards-setting processes, to
the detriment of widespread STIR/SHAKEN implementation. To the
contrary, by establishing a June 30, 2021 deadline for widespread STIR/
SHAKEN implementation, we create an incentive for standards bodies to
work quickly to issue actionable standards and solutions for enterprise
calls. For this reason, we need not adopt a separate deadline for
industry development of standards and solutions for enterprise calls,
as requested by Cloud Communications Alliance. In any event, the TRACED
Act requires that voice service providers implement the STIR/SHAKEN
framework in their IP networks on this timetable, with only those
extensions and exceptions specified by Congress. We decline USTelecom's
request ``to remove the discussion surrounding enterprise signing from
the Draft S/S Mandate Order and to move it to the Draft S/S Mandate
FNPRM to seek further comment.'' We find this request inconsistent with
the structure of the TRACED Act, which creates a general mandate and
exceptions to that mandate, rather than limiting the scope of the
mandate to non-enterprise calls in the first instance. We also note
that USTelecom has emphasized that some enterprise signing will be
``possible in the near term'' and that ``some voice service providers
with enterprise customers are already working on providing the ability
for their enterprise customers to have certain enterprise calls signed
(with A-level attestation) this year.'' We are confident that
mandating, consistent with the TRACED Act, that voice service providers
implement the STIR/SHAKEN framework in their IP networks--subject to
the extensions and exceptions created by the TRACED Act--will create
beneficial incentives for industry to continue to quickly develop
standards to address enterprise calls.
30. Second, we disagree with Competitive Carriers Association's
argument that adopting a STIR/SHAKEN mandate would ``risk impeding
development of other potential new strategies to block robocalls.'' The
STIR/SHAKEN framework is one important solution that should be part of
an arsenal of effective remedies to combat robocalls, and its
implementation does not preclude voice service providers from pursuing
additional solutions. Further, consistent with Congress's direction in
the TRACED Act, we will plan to revisit our caller ID authentication
rules periodically to ensure that they remain up to date.
31. Finally, we disagree with ACA Connects' suggestion that we
limit our implementation mandate to only those voice service providers
that originate large volumes of illegal robocalls. ACA Connects fails
to account for the importance of network-wide implementation to the
effectiveness of STIR/SHAKEN in reducing spoofed robocalls. Moreover,
it fails to explain how we would identify or define such carriers or
how such a scheme would stop malicious callers from simply using a
different voice service provider.
1. STIR/SHAKEN Implementation Requirements
32. We adopt our proposal in the 2019 Further Notice to require
voice service providers to implement the STIR/SHAKEN framework.
Specifically, we require all originating and terminating voice service
providers to fully implement STIR/SHAKEN on the portions of their voice
networks that support the transmission of SIP calls and exchange calls
with authenticated caller ID information with the providers with which
they interconnect. This STIR/SHAKEN mandate will create the trust
ecosystem necessary for effective caller ID authentication.
33. As part of today's mandate, we adopt the following three
requirements: (i) A voice service provider that originates a call that
exclusively transits its own network must authenticate and verify the
caller ID information consistent with the STIR/SHAKEN authentication
framework; (ii) a voice service provider originating a call that it
will exchange with another voice service provider or intermediate
provider must authenticate the caller ID information in accordance with
the STIR/SHAKEN authentication framework and, to the extent technically
feasible, transmit that caller ID information with authentication to
the next provider in the call path; and (iii) a voice service provider
terminating a call with authenticated caller ID information it receives
from another provider must verify that caller ID information in
accordance with the STIR/SHAKEN authentication framework. We discuss
these requirements below. The TRACED Act states in Sec. 4(b)(1)(A)
that the Commission shall ``require a provider of voice service to
implement the STIR/SHAKEN authentication framework'' in its IP
networks. It goes on to create an exemption, stating that the
Commission ``shall not take the action'' set forth in
[[Page 22035]]
Sec. 4(b)(1)(A) ``if the Commission determines [by December 30, 2020]
that such provider of voice service'' in its Internet Protocol networks
meets four criteria focused on achieving certain benchmarks prior to
the full mandate going into effect. USTelecom has submitted proposed
interpretations of those four criteria for our consideration. Among
other things, USTelecom proposes requiring a showing that all consumer
VoIP and VoLTE traffic originating on a voice service provider's
network is capable of authentication, or will be capable of
authentication, by June 30, 2021. CTIA and USTelecom argue that we
should consider replacing the implementation criteria that we adopt
with USTelecom's interpretations of the four criteria in Sec.
4(b)(2)(A). We find this request inconsistent with the structure of the
TRACED Act, which creates a general mandate to implement STIR/SHAKEN in
Sec. 4(b)(1)(A) and a separate exemption process in Sec. 4(b)(2)(A).
Further, USTelecom's suggested language would not adequately address
the responsibilities of voice service providers to ``implement the
STIR/SHAKEN authentication framework'' in accordance with Sec.
4(b)(1)(A) because it would only require demonstration of testing and
capability rather than the details of how authentication must actually
be applied.
34. First, a voice service provider must authenticate and verify,
consistent with the STIR/SHAKEN authentication framework, the caller ID
information of those calls that it originates and terminates
exclusively in the IP portions of its own network. The most effective
caller ID authentication system requires the application of STIR/SHAKEN
to all calls, including calls solely originating and terminating on the
same voice service provider's network. We recognize that certain
components of the STIR/SHAKEN framework are designed to promote trust
across different voice service provider networks and so are not
necessary for calls that a voice service provider originates and
terminates solely on its own network. A provider satisfies its
obligation under this requirement so long as it authenticates and
verifies in a manner consistent with the STIR/SHAKEN framework, such as
by including origination and attestation information in the SIP INVITE
used to establish the call.
35. Our next two requirements relate to the exchange of caller ID
authentication information. In the 2019 Further Notice, we sought
comment on whether we should ``require providers to sign calls on an
intercarrier basis.'' The record demonstrated support for this
approach, and we add specificity by outlining particular obligations on
voice service providers for this requirement. More specifically, a
voice service provider that originates a call which it will exchange
with another voice service provider or intermediate provider must use
an authentication service and insert the Identity header in the SIP
INVITE and thus authenticate the caller ID information in accordance
with the STIR/SHAKEN authentication framework; it further must transmit
that call with authentication to the next voice service provider or
intermediate provider in the call path, to the extent technically
feasible. We recognize that the transmission of STIR/SHAKEN
authentication information over a non-IP interconnection point is not
technically feasible at this time. Additionally, a voice service
provider that terminates a call with authenticated caller ID
information it receives from another voice service provider or
intermediate provider must use a verification service, which uses a
public key to review the information stored in the Identity header to
verify that caller ID information in accordance with the STIR/SHAKEN
authentication framework. These actions are at the core of an effective
STIR/SHAKEN ecosystem, and each action requires the other: A
terminating voice service provider can only verify caller ID
information that has been authenticated by the originating voice
service provider and transmitted with authentication, while an
originating voice service provider's authentication has little value if
the terminating voice service provider fails to verify that caller ID
information.
36. Definitions and Scope. For purposes of the rules we adopt
today, and consistent with the TRACED Act, we define ``STIR/SHAKEN
authentication framework'' as ``the secure telephone identity revisited
and signature-based handling of asserted information using tokens
standards.'' For purposes of compliance with this definition, we find
that it would be sufficient to adhere to the three ATIS standards that
are the foundation of STIR/SHAKEN--ATIS-1000074, ATIS-1000080, and
ATIS-1000084--and all documents referenced therein. We recognize that
industry is actively working to improve STIR/SHAKEN. Compliance with
the most current versions of these three standards as of March 31,
2020, including any errata as of that date or earlier, represents the
minimum requirement to satisfy our rules. ATIS and the SIP Forum
conceptualized ATIS-1000074 as ``provid[ing] a baseline that can evolve
over time, incorporating more comprehensive functionality and a broader
scope in a backward compatible and forward looking manner.'' We intend
for our rules to provide this same room for innovation, while
maintaining an effective caller ID authentication ecosystem. Voice
service providers may incorporate any improvements to these standards
or additional standards into their respective STIR/SHAKEN
authentication frameworks, so long as any changes or additions maintain
the baseline call authentication functionality exemplified by ATIS-
1000074, ATIS-1000080, and ATIS-1000084.
37. For purposes of our rules, we also adopt a definition of
``voice service'' that aligns with the TRACED Act. The TRACED Act
employs a broad definition of ``voice service'' that includes ``without
limitation, any service that enables real-time, two-way voice
communications, including any service that requires [I]nternet
[P]rotocol-compatible customer premises equipment . . . and permits
out-bound calling, whether or not the service is one-way or two-way
voice over [I]nternet [P]rotocol.'' The TRACED Act definition is
limited, however, to service ``that is interconnected with the public
switched telephone network and that furnishes voice communications to
an end user.'' Thus, the rules we adopt today apply to originating and
terminating voice service providers and exclude intermediate providers.
38. In recognition of the fact that STIR/SHAKEN is a SIP-based
solution, we limit application of the rules we adopt today to only the
IP portions of voice service providers' networks--those portions that
are able to initiate, maintain, and terminate SIP calls. This approach
is consistent with section 4(b)(1)(A) of the TRACED Act, which directs
us to require implementation of STIR/SHAKEN ``in the [I]nternet
[P]rotocol networks of the provider of voice service.'' We agree with
commenters that it would be inappropriate to simply extend the mandate
we adopt to non-IP networks.
39. We adopt the proposal from the 2019 Further Notice that our
implementation mandate apply to all types of ``voice service
providers--wireline, wireless, and Voice over Internet Protocol (VoIP)
providers.'' The Cloud Communications Alliance has raised concerns over
whether all voice service providers are able to obtain the certificates
used for the intercarrier exchange of authenticated caller ID
information under the Governance Authority's current policies. We look
forward to working with the Governance
[[Page 22036]]
Authority and the Cloud Communications Alliance and its members to
determine how best to resolve these issues expeditiously going forward.
This includes both two-way and one-way interconnected VoIP providers.
For STIR/SHAKEN to be successful, all voice service providers capable
of implementing the framework must participate. If a subset of voice
service providers continue operating on IP networks without
implementing STIR/SHAKEN, it will undercut the framework's
effectiveness. Congress demonstrated its recognition of this fact when
it adopted a broad definition of ``voice service'' in the TRACED Act,
which includes ``any service that is interconnected with the public
switched telephone network and that furnishes voice communications to
an end user using resources from the North American Numbering Plan.''
This includes, ``without limitation, any service that enables real-
time, two-way voice communications, including any service that requires
[I]nternet [P]rotocol -compatible customer premises equipment (commonly
known as `CPE') and permits out-bound calling, whether or not the
service is one-way or two-way voice over [I]nternet [P]rotocol.'' We
find that our conclusion to apply the mandate to a broad category of
voice service providers is consistent with Congress's language in the
TRACED Act.
40. Finally, we clarify that the rules we adopt today do not apply
to providers that lack control of the network infrastructure necessary
to implement STIR/SHAKEN.
41. Implementation Deadline. We set the implementation deadline of
June 30, 2021 for two reasons. First, it is consistent with the TRACED
Act, which requires us to set a deadline for implementation of STIR/
SHAKEN that is not later than 18 months after enactment of that Act,
i.e., no later than June 30, 2021. Second, this deadline will provide
sufficient time for us to implement, and for voice service providers to
gain, a meaningful benefit from the implementation exemption and
extension mechanisms established by the TRACED Act. Because we find
that this implementation deadline is necessary to accommodate the
various exemption and extension mechanisms established by the TRACED
Act, we decline to adopt the suggestion of some commenters that we
mandate implementation by June 1, 2020. As we note in the accompanying
Further Notice, the TRACED Act contemplates compliance extensions and
exemptions for those providers that we determine meet certain criteria
by December 30, 2020. We see no way to square this statutory
requirement with imposition of a mandate six months before that date.
2. Legal Authority
42. We conclude that section 251(e) of the Communications Act of
1934, as amended (the Act), provides authority to mandate the adoption
of the STIR/SHAKEN framework in the IP portions of voice service
providers' networks. Section 251(e) provides us ``exclusive
jurisdiction over those portions of the North American Numbering Plan
that pertain to the United States.'' Pursuant to this provision, we
retain ``authority to set policy with respect to all facets of
numbering administration in the United States.'' Our exclusive
jurisdiction over numbering policy enables us to act flexibly and
expeditiously with regard to important numbering matters. When bad
actors unlawfully falsify or spoof the caller ID that appears on a
subscriber's phone, they are using numbering resources to advance an
illegal scheme. Mandating that voice service providers deploy the STIR/
SHAKEN framework will help to prevent the fraudulent exploitation of
North American Numbering Plan (NANP) resources by permitting those
providers and their subscribers to identify when caller ID information
has been spoofed. Section 251(e) thus grants us authority to mandate
that voice service providers implement the STIR/SHAKEN caller ID
authentication framework in order to prevent the fraudulent
exploitation of numbering resources. The Commission has previously
concluded that its numbering authority allows it to extend numbering-
related requirements to interconnected VoIP providers that use
telephone numbers. As the Commission has explained, ``the obligation to
ensure that numbers are available on an equitable basis is reasonably
understood to include not only how numbers are made available but to
whom, and on what terms and conditions. Thus, we conclude that the
Commission has authority under section 251(e)(1) to extend to
interconnected VoIP providers both the rights and obligations
associated with using telephone numbers.'' Moreover, as the Commission
has previously found, section 251(e) extends to ``the use of . . .
unallocated and unused numbers''; it thus gives us authority to mandate
that voice service providers implement the STIR/SHAKEN framework to
address the spoofing of unallocated and unused numbers. The Commission
previously relied on this authority to make clear that voice service
providers may block calls that spoof invalid, unallocated, or unused
numbers, none of which can actually be used to originate a call. In the
2019 Further Notice, we proposed to rely on section 251(e) of the Act
for authority to mandate implementation of caller ID authentication
technology and, specifically, the STIR/SHAKEN framework; no commenter
challenged that proposal. We note, however, that because STIR/SHAKEN
implementation is not a ``numbering administration arrangement,''
section 251(e)(2), which provides that ``[t]he cost of establishing
telecommunications numbering administration arrangements . . . shall be
borne by all telecommunications carriers on a competitively neutral
basis,'' does not apply here. Even if section 251(e)(2) did apply, we
find that it is satisfied by our requirement that each carrier bear its
own costs, since each carrier's costs will be proportional to the size
and quality of its network.
43. The TRACED Act confirms our authority to mandate the adoption
of the STIR/SHAKEN framework in the IP portions of voice service
providers' networks. Indeed, the TRACED Act expressly directs us to
require voice service providers to implement the STIR/SHAKEN framework
in the IP portions of their networks no later than 18 months after the
date of that Act's enactment. The TRACED Act thus provides a second
clear source of authority for the rules we adopt today.
44. Finally, we note that Congress charged us with prescribing
regulations to implement the Truth in Caller ID Act, which made
unlawful the spoofing of caller ID information ``in connection with any
telecommunications service or IP-enabled voice service . . . with the
intent to defraud, cause harm, or wrongfully obtain anything of
value.'' Given the constantly evolving tactics by malicious callers to
use spoofed caller ID information to commit fraud, we find that the
rules we adopt today are necessary to enable voice service providers to
help prevent these unlawful acts and to protect voice service
subscribers from scammers and bad actors. Thus, section 227(e) provides
additional independent authority for these rules. While we sought
comment in the 2019 Robocall Declaratory Ruling and Further Notice on
the applicability of sections 201(b) and 202(a) as sources of
authority, we did so in the context of adopting rules to create a safe
harbor for certain call-blocking programs and requiring voice service
providers that offer call-blocking programs to maintain a Critical
Calls List. Because we did not seek comment in that item on whether
these provisions grant the Commission authority to
[[Page 22037]]
mandate caller ID authentication, and specifically STIR/SHAKEN, we do
not rely on them here as sources of authority.
B. Summary of Costs and Benefits
45. We are convinced that the benefits of requiring STIR/SHAKEN
implementation far outweigh the costs, even if adoption of the TRACED
Act makes a comprehensive cost-benefit analysis of a STIR/SHAKEN
implementation mandate unnecessary. Because STIR/SHAKEN is a part of a
broader set of technological and regulatory efforts necessary to
address illegal calls, and its limited deployment makes it difficult to
measure its full effects at this time, we compare the estimated costs
of implementing STIR/SHAKEN to the overall foreseeable range of
quantifiable and non-quantifiable benefits of eliminating illegal
calls, recognizing that STIR/SHAKEN is necessary but not, alone, a
solution to the problem. These benefits include reduction in nuisance
calls, increased protection from illegally spoofed calls restoration of
consumer confidence in incoming calls, fewer robocall-generated
disruptions of healthcare and emergency communications, reduction in
regulatory enforcement costs, and reduction in provider costs. We
conclude that, based on any plausible assumption about the scope of
illegal calls deterred by STIR/SHAKEN, the foreseeable benefits of
STIR/SHAKEN implementation--including reduction in calls that cost
Americans billions of dollars each year--will far exceed estimated
costs, including both recurring operating costs of between roughly $39
million and $780 million annually and estimated up-front costs, which
may be in the tens of millions of dollars for the largest voice service
providers. It is implausible that total implementation costs will come
close to the expected benefits of our actions. For example, broad
industry support for deploying STIR/SHAKEN strongly indicates that the
benefits to industry alone outweigh implementation costs, even before
considering the benefits to consumers of implementation.
1. Expected Benefits
46. We supplement our estimate of the benefits of eliminating
illegal and unwanted robocalls in the 2019 Further Notice with
additional data. Consistent with our earlier conclusion, we find that
the deployment requirements set forth in this Report and Order will be
integral to solving illegal robocall spoofing specifically and illegal
robocalling generally.
47. Eliminating Nuisance. In the 2019 Further Notice, we estimated
benefits of at least $3 billion from eliminating illegal scam
robocalls. That estimate assumed a benefit of ten cents per call and
multiplied it across a figure of 30 billion illegal scam robocalls per
year, derived from third-party data. We also sought comment on this $3
billion estimate and concluded that ``most of these benefits can be
achieved . . . primarily because SHAKEN/STIR will inform providers of
the call's true origination.'' We received no comment on this
conclusion. In its comments, Smithville Telephone Company states that a
$3 billion benefit amounts to 55 cents per voice line per month
(calculated by dividing the $3 billion benefit by 455 million retail
voice telephone service connections based on the FCC's Voice Telephone
Services Status as of June 30, 2017), and questions whether such
benefit is enough to drive this decision. The estimate of 30 billion
scam calls consists of an estimated 47% of all robocalls. If the
average line receives approximately 5 to 6 scam calls per month,
Smithville's calculation is consistent with our previous estimate. Our
burden is to determine that benefits exceed costs, and we find that the
benefits of implementing STIR/SHAKEN far exceed the costs. We agree
with commenters that STIR/SHAKEN is one important part of a broader set
of tools to solve illegal robocalls. We thus reaffirm our finding that
the potential benefits resulting from eliminating the wasted time and
nuisances caused by illegal scam robocalls will exceed $3 billion
annually.
48. Reducing Fraud. Fraudulent robocall schemes cost Americans an
estimated $10.5 billion annually, according to a third-party survey. To
reach $10.5 billion, Truecaller multiplied the 17% of survey
respondents who reported losing money in a scam during the past 12
months by the 2018 U.S. Census adult population estimate of 253
million. The estimated 43 million phone scam victims was then
multiplied by the average loss of $244. A recent civil action filed by
the U.S. Department of Justice against five VoIP carriers identifies
several examples of fraud where consumers individually lost between
$700 and $9,800 in a single instance. To reach $10.5 billion,
Truecaller multiplied the 17% of survey respondents who reported losing
money in a scam during the past 12 months by the 2018 U.S. Census adult
population estimate of 253 million. The estimated 43 million phone scam
victims was then multiplied by the average loss of $244. While STIR/
SHAKEN will not itself stop a malicious party from using the voice
network to commit fraud, it will inform a call recipient that the
caller has used deceptive caller ID information to try to convince the
called party to answer the phone. Many commenters noted value in
pairing STIR/SHAKEN with call analytics, and we expect this will
significantly reduce the effectiveness of spoofing fraud that costs
Americans billions of dollars each year, and similarly reduce the
incidence of such fraud.
49. Restoring Confidence in Caller ID Information. STIR/SHAKEN
implementation and other efforts to minimize illegal robocalls will
begin to restore trust in caller ID information and make call
recipients more likely to answer the phone. Declines in willingness to
answer incoming calls in recent years have harmed businesses,
healthcare providers, and non-profit charities. For example, utility
companies often call to confirm installation appointments, ``[b]ut if
the customer doesn't answer the phone for the appointment reminder and
the truck shows up when they're not there, by one estimate, that's a
$150 cost.'' Similarly, medical providers have indicated that patients
often fail to answer scheduling calls from specialists' offices and
eventually the office will give up after repeated attempts. Donations
to charities have also declined as a result of the decreased likelihood
of answering the phone. Such organizations likely will benefit because
recipients should be more likely to answer their phones if caller ID
information is authenticated. Furthermore, while we do not adopt any
display mandates in this item, we anticipate that voice service
providers will implement voluntary efforts to restore confidence in
caller ID information. Studies conducted by Cequint indicate that
including additional caller ID information (e.g., showing a business
logo along with caller ID information on a smartphone display to convey
legitimacy) increased pick up rates from 21% to 71%. Such information
will enhance the benefits achieved by STIR/SHAKEN implementation.
50. Ensuring Reliable Access to Emergency and Healthcare
Communications. Implementing STIR/SHAKEN will lead to fewer disruptions
of healthcare and emergency communication systems that needlessly put
lives at risk. Hospitals and 911 dispatch centers have reported that
robocall surges have disabled or disrupted their communications
network, and such disruptions have the potential to impede
communications in
[[Page 22038]]
life-or-death emergency situations. In one instance, Tufts Medical
Center in Boston received more than 4,500 robocalls in a two-hour
period. In another, the phone lines of several 911 dispatch centers in
Tarrant County, Texas, were disabled because of an hour long surge in
robocalls. In 2018, the Commission imposed a $120 million penalty for
an illegal robocall campaign that disrupted an emergency medical paging
service. Enabling voice service providers to more effectively identify
illegal calls, including spoofed calls, to healthcare and emergency
communication systems should reduce the risk of such situations. The
benefit to public safety will be considerable.
51. Reducing Costs to Voice Service Providers. An overall reduction
in robocalls will ``greatly lower network costs by eliminating unwanted
traffic and by eliminating the labor costs of handling numerous
customer complaints.'' We treat these anticipated reductions in cost as
a benefit to providers in order to limit our analysis of expected costs
to those for implementation and operation. Illegal robocalls have led
to unnecessary network congestion with broader possible impacts than
the targeted disruption of healthcare and emergency operations
described above. We agree with Comcast's assessment that ``the ability
to identify and address illegally spoofed robocalls using STIR/SHAKEN
will help reduce network costs for voice service providers.'' One
commenter argues that this benefit may be realized by larger providers
more than smaller providers and we acknowledge that the benefits of
changes in network capacity will vary by provider. Voice service
providers should also realize cost savings through the reduced need for
customer service regarding illegal calls. We find that the overall
benefit of these anticipated cost savings will be substantial and
represent a long-term reduction in provider costs attributable to STIR/
SHAKEN. Voice service providers may pass on the cost savings to
subscribers in the form of lower prices, resulting in additional
benefit to their subscribers.
52. Reducing Spending on Enforcement Actions. Broad STIR/SHAKEN
implementation will both reduce the need for enforcement against
illegally spoofed robocalls and make continued enforcement less
resource intensive. The Commission has brought at least six enforcement
actions against apparently liable actors for illegally spoofing caller
ID, and issued 38 warning citations for violations of the Telephone
Consumer Protection Act. The Federal Trade Commission has taken 145
enforcement actions against companies for Do Not Call Registry
violations, and 25 other federal, state, and local agencies brought 87
enforcement actions as part of a single 2019 initiative. By reducing
overall numbers of robocalls and providing additional information for
enforcement, industry-wide implementation of STIR/SHAKEN will save
resources at federal, state, and local agencies. While we do not
quantify these savings, we believe they add to the benefits of STIR/
SHAKEN implementation that will accrue.
2. Expected Costs
53. Implementation costs for STIR/SHAKEN will vary depending on a
voice service provider's existing network configuration. Commenters
indicated that voice service providers will incur ongoing costs in
addition to one-time implementation costs. Estimated one-time costs
include, among others, software licensing for authentication and
verification services; hardware upgrades to network elements such as
session border controllers and hardware upgrades required for software
compatibility; as well as connectivity and network configuration
changes, depending on current network configuration, and related
testing. One of the largest voice service providers estimates that it
will face one-time implementation costs ``in the tens of millions of
dollars.'' We expect that implementation costs are likely to vary
significantly based on voice service provider size and choices as to
implementation solutions. For example, voice service providers choosing
to directly implement STIR/SHAKEN will likely face larger one-time
costs than voice service providers choosing a hosted solution, which
are likely to have larger recurring costs. Recurring annual costs will
include fees associated with authenticating and verifying calls, plus
certificate fees. Estimates for recurring annual operating costs
discussed by panelists at the Commission's July 2019 SHAKEN/STIR
Robocall Summit range anywhere from approximately $15,000 to $300,000.
Our estimate regarding recurring annual operating costs reflects a
range because of variation in provider costs and the uncertainty of
costs given the ongoing nature of STIR/SHAKEN implementation. One
commenter asserts that recurring annual operating costs are ``likely to
be on the lower end of th[is] range.'' On the other hand, USTelecom
points out that fees paid by voice service providers to the Governance
Authority and Policy Administrator range from $825 to $240,000 per year
and states that a number of its members pay the highest annual fee.
Based on the record, we estimate that the approximately 2,600 voice
service providers together would spend between roughly $39 million and
$780 million annually in operating costs, with up-front costs for the
largest voice service providers in the tens of millions of dollars.
Approximately 2,600 companies offered mobile voice or fixed voice
service in December 2018. We anticipate that voice service providers
may be able to streamline their costs over time. Moreover, we recognize
that smaller voice service providers may have different costs and
challenges than larger providers, but we are confident that benefits to
all Americans far exceed one-time implementation and recurring annual
operating costs. One small, rural provider, using estimates from the
Commission's 2019 SHAKEN/STIR Robocall Summit, concludes that an annual
recurring cost of $100,000 will result in a cost of $26 per line for
its 319 customers. Additionally, in the Further Notice, we propose to
extend the compliance deadline for smaller voice service providers and
anticipate that increased competition between vendors may result in
lower prices and higher quality solutions. One small, rural provider,
using estimates from the Commission's 2019 SHAKEN/STIR Robocall Summit,
concludes that an annual recurring cost of $100,000 will result in a
cost of $26 per line for its 319 customers. Additionally, in the
Further Notice, we propose to extend the compliance deadline for
smaller voice service providers and anticipate that increased
competition between vendors may result in lower prices and higher
quality solutions.
C. Other Issues
54. Display. We are pleased by voice service providers' efforts to
incorporate STIR/SHAKEN verification results in the information that
they display to their customers. Voice service providers so far are
taking a variety of approaches to leveraging STIR/SHAKEN verification
result information to protect their subscribers from fraudulently
spoofed calls, including through display of that information. For
instance, AT&T announced that it would display a green checkmark and
the words ``Valid Number'' to subscribers if the call has been
authenticated and passed through screening. T-Mobile announced that it
would display the words ``Caller Verified,'' on the end user's device
when it has verified that the call is authentic. Other voice service
providers have not yet announced plans to display STIR/SHAKEN
authentication
[[Page 22039]]
information. Because we expect voice service providers to have
marketplace incentives to make the best possible use of STIR/SHAKEN
information once it is available, and because industry practices
regarding display of STIR/SHAKEN verification results are in their
early stages of development, we decline at this time to require voice
service providers to display STIR/SHAKEN verification results to their
subscribers or mandate the specifications voice service providers must
use if they choose to display. AARP and CUNA advocate for a display
requirement but do not identify a reason for a mandate beyond merely
pointing to the value of displaying verification information. While
display of verification information may be valuable, we decline to
adopt a mandate on that basis because we expect the marketplace to
drive display efforts, and because we anticipate that marketplace
solutions will be superior to a static regulatory mandate. In December
2019, the Consumer Advisory Committee recommended that stakeholders
``conduct studies and solicit input on what factors voice service
providers should consider for displaying caller ID information to
consumers, including . . . SHAKEN/STIR verification.'' We do not seek
to prevent the market from determining which form of display, if any,
is most useful; instead, we seek to encourage voice service providers
to find the solutions that work best for their subscribers.
55. Governance. Several commenters advocate changing the governance
structure. These commenters suggest we play an adjudicatory role in
disputes that may arise between voice service providers, or direct the
Governance Authority to take action on specific use cases, or change
the membership requirements of the Governance Authority.
56. We decline to impose new regulations on the STIR/SHAKEN
governance structure. Stakeholders met the aggressive timeline laid out
in the report issued by the North American Numbering Council (NANC),
establishing a collaborative Governance Authority and selecting the
Policy Administrator by May 2019. By December 2019, the Policy
Administrator approved the first Certification Authorities, and voice
service providers were able to register with the Policy Administrator
to obtain credentials necessary to receive certificates from approved
Certificate Authorities. We agree with T-Mobile that, at this time, it
``is not necessary for the Commission to have a role in STIR/SHAKEN
governance.'' STIR/SHAKEN is a flexible solution with an industry-led
governance system that can adapt and respond to new developments. We do
not think that our intervention in the governance structure is
appropriate at this stage given that we do not know the nature and
scope of the problems that may arise and industry is already working to
address specific use cases. Additionally, because the Governance
Authority is made up of a variety of stakeholders representing many
perspectives, we have no reason to believe it will not operate on a
neutral basis. The current STI-GA Leadership and Board of Directors is
available at https://www.atis.org/sti-ga/leadership.
IV. Procedural Matters
57. Paperwork Reduction Act. This document does not contain new or
modified information collection requirements subject to the Paperwork
Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore,
it does not contain any new or modified information collection burden
for small business concerns with fewer than 25 employees, pursuant to
the Small Business Paperwork Relief Act of 2002, Public Law 107-198.
58. Congressional Review Act. The Commission has determined, and
the Administrator of the Office of Information and Regulatory Affairs,
Office of Management and Budget, concurs, that this rule is non-major
under the Congressional Review Act, 5 U.S.C. 804(2). The Commission
will send a copy of this Report & Order and Further Notice of Proposed
Rulemaking to Congress and the Government Accountability Office
pursuant to 5 U.S.C. 801(a)(1)(A).
59. Ex Parte Rules. This proceeding shall be treated as a ``permit-
but-disclose'' proceeding in accordance with the Commission's ex parte
rules. Persons making ex parte presentations must file a copy of any
written presentation or a memorandum summarizing any oral presentation
within two business days after the presentation (unless a different
deadline applicable to the Sunshine period applies). Persons making
oral ex parte presentations are reminded that memoranda summarizing the
presentation must (1) List all persons attending or otherwise
participating in the meeting at which the ex parte presentation was
made, and (2) summarize all data presented and arguments made during
the presentation. If the presentation consisted in whole or in part of
the presentation of data or arguments already reflected in the
presenter's written comments, memoranda or other filings in the
proceeding, the presenter may provide citations to such data or
arguments in his or her prior comments, memoranda, or other filings
(specifying the relevant page or paragraph numbers where such data or
arguments can be found) in lieu of summarizing them in the memorandum.
Documents shown or given to Commission staff during ex parte meetings
are deemed to be written ex parte presentations and must be filed
consistent with Rule 1.1206(b). In proceedings governed by Rule 1.49(f)
or for which the Commission has made available a method of electronic
filing, written ex parte presentations and memoranda summarizing oral
ex parte presentations, and all attachments thereto, must be filed
through the electronic comment filing system available for that
proceeding, and must be filed in their native format (e.g., .doc, .xml,
.ppt, searchable .pdf). Participants in this proceeding should
familiarize themselves with the Commission's ex parte rules.
60. Final Regulatory Flexibility Analysis. As required by the
Regulatory Flexibility Act of 1980 (RFA), an Initial Regulatory
Flexibility Analysis (IRFA) was incorporated into the 2019 Robocall
Declaratory Ruling and Further Notice. The Commission sought written
public comment on the possible significant economic impact on small
entities regarding the proposals addressed in the 2019 Robocall
Declaratory Ruling and Further Notice, including comments on the IRFA.
Pursuant to the RFA, a Final Regulatory Flexibility Analysis is set
forth in Appendix C. The Commission's Consumer and Governmental Affairs
Bureau, Reference Information Center, will send a copy of this Report
and Order, including the FRFA, to the Chief Counsel for Advocacy of the
Small Business Administration (SBA).
A. Need for, and Objectives of, the Rules
61. Nefarious schemes that manipulate caller ID information to
deceive consumers about the name and phone number of the party that is
calling them, in order to facilitate fraudulent and other harmful
activities, continue to plague American consumers. In this Report and
Order (Order), we both act on our proposal to require voice service
providers to implement the STIR/SHAKEN caller ID authentication
framework if major voice service providers did not voluntarily do so by
the end of 2019, and implement the Pallone-Thune Telephone Robocall
Abuse Criminal Enforcement and Deterrence (TRACED) Act, which directs
the Commission to require all voice service providers to implement
[[Page 22040]]
STIR/SHAKEN in the IP portions of their networks.
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
62. There were no comments filed that specifically addressed the
proposed rules and policies presented in the IRFA.
C. Response to Comments by the Chief Counsel for Advocacy of the SBA
63. Pursuant to the Small Business Jobs Act of 2010, which amended
the RFA, the Commission is required to respond to any comments filed by
the Chief Counsel for Advocacy of the Small Business Administration
(SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments.
64. The Chief Counsel did not file any comments in response to the
proposed rules in this proceeding.
D. Description and Estimate of the Number of Small Entities to Which
the Rules Will Apply
65. The RFA directs agencies to provide a description and, where
feasible, an estimate of the number of small entities that may be
affected by the final rules adopted pursuant to the Order. The RFA
generally defines the term ``small entity'' as having the same meaning
as the terms ``small business,'' ``small organization,'' and ``small
governmental jurisdiction.'' In addition, the term ``small business''
has the same meaning as the term ``small-business concern'' under the
Small Business Act. Pursuant to 5 U.S.C. 601(3), the statutory
definition of a small business applies ``unless an agency, after
consultation with the Office of Advocacy of the Small Business
Administration and after opportunity for public comment, establishes
one or more definitions of such term which are appropriate to the
activities of the agency and publishes such definition(s) in the
Federal Register.''A ``small-business concern'' is one which: (1) Is
independently owned and operated; (2) is not dominant in its field of
operation; and (3) satisfies any additional criteria established by the
SBA.
1. Wireline Carriers
66. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as ``establishments primarily engaged in
operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of
voice, data, text, sound, and video using wired communications
networks. Transmission facilities may be based on a single technology
or a combination of technologies. Establishments in this industry use
the wired telecommunications network facilities that they operate to
provide a variety of services, such as wired telephony services,
including VoIP services, wired (cable) audio and video programming
distribution, and wired broadband internet services. By exception,
establishments providing satellite television distribution services
using facilities and infrastructure that they operate are included in
this industry.'' The SBA has developed a small business size standard
for Wired Telecommunications Carriers, which consists of all such
companies having 1,500 or fewer employees. U.S. Census Bureau data for
2012 show that there were 3,117 firms that operated that year. Of this
total, 3,083 operated with fewer than 1,000 employees. The largest
category provided by the census data is ``1000 employees or more'' and
a more precise estimate for firms with fewer than 1,500 employees is
not provided. Thus, under this size standard, the majority of firms in
this industry can be considered small.
67. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses applicable to
local exchange services. The closest applicable NAICS Code category is
Wired Telecommunications Carriers. Under the applicable SBA size
standard, such a business is small if it has 1,500 or fewer employees.
U.S. Census Bureau data for 2012 show that there were 3,117 firms that
operated for the entire year. Of that total, 3,083 operated with fewer
than 1,000 employees. The largest category provided by the census data
is ``1000 employees or more'' and a more precise estimate for firms
with fewer than 1,500 employees is not provided. Thus under this
category and the associated size standard, the Commission estimates
that the majority of local exchange carriers are small entities.
68. Incumbent Local Exchange Carriers (incumbent LECs). Neither the
Commission nor the SBA has developed a small business size standard
specifically for incumbent local exchange services. The closest
applicable NAICS Code category is Wired Telecommunications Carriers.
Under the applicable SBA size standard, such a business is small if it
has 1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate
that 3,117 firms operated the entire year. Of this total, 3,083
operated with fewer than 1,000 employees. Consequently, the Commission
estimates that most providers of incumbent local exchange service are
small businesses that may be affected by our actions. According to
Commission data, one thousand three hundred and seven (1,307) Incumbent
Local Exchange Carriers reported that they were incumbent local
exchange service providers. Of this total, an estimated 1,006 have
1,500 or fewer employees. Thus, using the SBA's size standard the
majority of incumbent LECs can be considered small entities.
69. Competitive Local Exchange Carriers (competitive LECs),
Competitive Access Providers (CAPs), Shared-Tenant Service Providers,
and Other Local Service Providers. Neither the Commission nor the SBA
has developed a small business size standard specifically for these
service providers. The appropriate NAICS Code category is Wired
Telecommunications Carriers and under that size standard, such a
business is small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2012 indicate that 3,117 firms operated during that
year. Of that number, 3,083 operated with fewer than 1,000 employees.
The largest category provided by the census data is ``1000 employees or
more'' and a more precise estimate for firms with fewer than 1,500
employees is not provided. Based on these data, the Commission
concludes that the majority of Competitive LECS, CAPs, Shared-Tenant
Service Providers, and Other Local Service Providers, are small
entities. According to Commission data, 1,442 carriers reported that
they were engaged in the provision of either competitive local exchange
services or competitive access provider services. Of these 1,442
carriers, an estimated 1,256 have 1,500 or fewer employees. In
addition, 17 carriers have reported that they are Shared-Tenant Service
Providers, and all 17 are estimated to have 1,500 or fewer employees.
Also, 72 carriers have reported that they are Other Local Service
Providers. Of this total, 70 have 1,500 or fewer employees.
Consequently, based on internally researched FCC data, the Commission
estimates that most providers of competitive local exchange service,
competitive access providers, Shared-Tenant Service Providers, and
Other Local Service Providers are small entities.
70. We have included small incumbent LECs in this present RFA
analysis. As noted above, a ``small business'' under the RFA is one
that, inter alia, meets the pertinent small-business size standard
(e.g., a telephone communications business having 1,500 or fewer
employees) and ``is not dominant in its field of operation.'' The
[[Page 22041]]
SBA's Office of Advocacy contends that, for RFA purposes, small
incumbent LECs are not dominant in their field of operation because any
such dominance is not ``national'' in scope. We have therefore included
small incumbent LECs in this RFA analysis, although we emphasize that
this RFA action has no effect on Commission analyses and determinations
in other, non-RFA contexts. Interexchange Carriers (IXCs). Neither the
Commission nor the SBA has developed a small business size standard
specifically for Interexchange Carriers. The closest applicable NAICS
Code category is Wired Telecommunications Carriers. The applicable size
standard under SBA rules is that such a business is small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2012 indicate
that 3,117 firms operated for the entire year. Of that number, 3,083
operated with fewer than 1,000 employees. The largest category provided
by the census data is ``1000 employees or more'' and a more precise
estimate for firms with fewer than 1,500 employees is not provided.
71. According to internally developed Commission data, 359
companies reported that their primary telecommunications service
activity was the provision of interexchange services. Of this total, an
estimated 317 have 1,500 or fewer employees. Consequently, the
Commission estimates that the majority of interexchange service
providers are small entities.
72. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended, also contains a size standard
for small cable system operators, which is ``a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than
one percent of all subscribers in the United States and is not
affiliated with any entity or entities whose gross annual revenues in
the aggregate exceed $250,000,000.'' As of 2018, there were
approximately 50,504,624 cable video subscribers in the United States.
Accordingly, an operator serving fewer than 505,046 subscribers shall
be deemed a small operator if its annual revenues, when combined with
the total annual revenues of all its affiliates, do not exceed $250
million in the aggregate. Based on available data, we find that all but
six incumbent cable operators are small entities under this size
standard. We note that the Commission neither requests nor collects
information on whether cable system operators are affiliated with
entities whose gross annual revenues exceed $250 million. The
Commission does receive such information on a case-by-case basis if a
cable operator appeals a local franchise authority's finding that the
operator does not qualify as a small cable operator pursuant to Sec.
76.901(f) of the Commission's rules. Therefore we are unable at this
time to estimate with greater precision the number of cable system
operators that would qualify as small cable operators under the
definition in the Communications Act.
2. Wireless Carriers
73. Wireless Telecommunications Carriers (Except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
appropriate size standard under SBA rules is that such a business is
small if it has 1,500 or fewer employees. For this industry, U.S.
Census Bureau data for 2012 show that there were 967 firms that
operated for the entire year. Of this total, 955 firms employed fewer
than 1,000 employees and 12 firms employed of 1000 employees or more.
Available census data does not provide a more precise estimate of the
number of firms that have employment of 1,500 or fewer employees. The
largest category provided is for firms with ``1000 employees or more.''
Thus under this category and the associated size standard, the
Commission estimates that the majority of wireless telecommunications
carriers (except satellite) are small entities.
74. The Commission's own data--available in its Universal Licensing
System--indicate that, as of August 31, 2018 there are 265 Cellular
licensees that will be affected by our actions. For the purposes of
this FRFA, consistent with Commission practice for wireless services,
the Commission estimates the number of licensees based on the number of
unique FCC Registration Numbers. The Commission does not know how many
of these licensees are small, as the Commission does not collect that
information for these types of entities. Similarly, according to
internally developed Commission data, 413 carriers reported that they
were engaged in the provision of wireless telephony, including cellular
service, Personal Communications Service (PCS), and Specialized Mobile
Radio (SMR) Telephony services. Of this total, an estimated 261 have
1,500 or fewer employees, and 152 have more than 1,500 employees. Thus,
using available data, we estimate that the majority of wireless firms
can be considered small.
75. Satellite Telecommunications. This category comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The category has a small business size standard of
$35 million or less in average annual receipts, under SBA rules. For
this category, U.S. Census Bureau data for 2012 show that there were a
total of 333 firms that operated for the entire year. Of this total,
299 firms had annual receipts of less than $25 million. The available
U.S. Census Bureau data does not provide a more precise estimate of the
number of firms that meet the SBA size standard of annual receipts of
$35 million or less. Consequently, we estimate that the majority of
satellite telecommunications providers are small entities.
3. Resellers
76. Local Resellers. The SBA has not developed a small business
size standard specifically for Local Resellers. The SBA category of
Telecommunications Resellers is the closest NAICs code category for
local resellers. The Telecommunications Resellers industry comprises
establishments engaged in purchasing access and network capacity from
owners and operators of telecommunications networks and reselling wired
and wireless telecommunications services (except satellite) to
businesses and households. Establishments in this industry resell
telecommunications; they do not operate transmission facilities and
infrastructure. Mobile virtual network operators (MVNOs) are included
in this industry. Under the SBA's size standard, such a business is
small if it has 1,500 or fewer employees. U.S. Census Bureau data from
2012 show that 1,341 firms provided resale services during that year.
Of that number, all operated with fewer than 1,000 employees. Available
census data does not provide a more precise estimate of the number of
firms that have employment of 1,500 or fewer employees. The largest
category provided is for firms with ``1000 employees or more.'' Thus,
under this category and the associated small business size standard,
the majority of
[[Page 22042]]
these resellers can be considered small entities. According to
Commission data, 213 carriers have reported that they are engaged in
the provision of local resale services. Of these, an estimated 211 have
1,500 or fewer employees and two have more than 1,500 employees.
Consequently, the Commission estimates that the majority of local
resellers are small entities.
77. Toll Resellers. The Commission has not developed a definition
for Toll Resellers. The closest NAICS Code Category is
Telecommunications Resellers. The Telecommunications Resellers industry
comprises establishments engaged in purchasing access and network
capacity from owners and operators of telecommunications networks and
reselling wired and wireless telecommunications services (except
satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. MVNOs are included in this industry. The
SBA has developed a small business size standard for the category of
Telecommunications Resellers. Under that size standard, such a business
is small if it has 1,500 or fewer employees. 2012 Census Bureau data
show that 1,341 firms provided resale services during that year. Of
that number, 1,341 operated with fewer than 1,000 employees. Available
census data does not provide a more precise estimate of the number of
firms that have employment of 1,500 or fewer employees; the largest
category provided is for firms with ``1000 employees or more.'' Thus,
under this category and the associated small business size standard,
the majority of these resellers can be considered small entities.
According to Commission data, 881 carriers have reported that they are
engaged in the provision of toll resale services. Of this total, an
estimated 857 have 1,500 or fewer employees. Consequently, the
Commission estimates that the majority of toll resellers are small
entities.
78. Prepaid Calling Card Providers. Neither the Commission nor the
SBA has developed a small business definition specifically for prepaid
calling card providers. The most appropriate NAICS code-based category
for defining prepaid calling card providers is Telecommunications
Resellers. This industry comprises establishments engaged in purchasing
access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. Mobile
virtual networks operators (MVNOs) are included in this industry. Under
the applicable SBA size standard, such a business is small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2012 show that
1,341 firms provided resale services during that year. Of that number,
1,341 operated with fewer than 1,000 employees. Available census data
does not provide a more precise estimate of the number of firms that
have employment of 1,500 or fewer employees. The largest category
provided is for firms with ``1000 employees or more.'' Thus, under this
category and the associated small business size standard, the majority
of these prepaid calling card providers can be considered small
entities. According to Commission data, 193 carriers have reported that
they are engaged in the provision of prepaid calling cards. All 193
carriers have 1,500 or fewer employees. Consequently, the Commission
estimates that the majority of prepaid calling card providers are small
entities that may be affected by these rules.
4. Other Entities
79. All Other Telecommunications. The ``All Other
Telecommunications'' category is comprised of establishments primarily
engaged in providing specialized telecommunications services, such as
satellite tracking, communications telemetry, and radar station
operation. This industry also includes establishments primarily engaged
in providing satellite terminal stations and associated facilities
connected with one or more terrestrial systems and capable of
transmitting telecommunications to, and receiving telecommunications
from, satellite systems. Establishments providing internet services or
voice over internet protocol (VoIP) services via client-supplied
telecommunications connections are also included in this industry. The
SBA has developed a small business size standard for ``All Other
Telecommunications,'' which consists of all such firms with annual
receipts of $35 million or less. For this category, U.S. Census Bureau
data for 2012 show that there were 1,442 firms that operated for the
entire year. Of those firms, a total of 1,400 had annual receipts less
than $25 million and 15 firms had annual receipts of $25 million to
$49,999,999. Thus, the Commission estimates that the majority of ``All
Other Telecommunications'' firms potentially affected by our action can
be considered small.
E. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
80. This Order modifies the Commission's rules in accordance with
our proposal to require voice service providers to implement the STIR/
SHAKEN caller ID authentication framework if major voice service
providers did not voluntarily do so by the end of 2019, and implements
Congress's direction in the TRACED Act to mandate STIR/SHAKEN. The
amended rules adopted in the Order do not contain reporting or
recordkeeping requirements.
F. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
81. The RFA requires an agency to describe any significant,
specifically small business, alternatives that it has considered in
reaching its approach. This document does not distinguish between small
entities and other entities and individuals.
G. Report to Congress
82. The Commission will send a copy of the Order, including this
FRFA, in a report to Congress pursuant to the Congressional Review Act.
In addition, the Commission will send a copy of the Order, including
this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the
Order and FRFA (or summaries thereof) will also be published in the
Federal Register.
V. Ordering Clauses
83. Accordingly, IT IS ORDERED, pursuant to sections 4(i), 4(j),
227(e), 227b, 251(e), and 303(r), of the Communications Act of 1934, as
amended (the Act), 47 U.S.C. 154(i), 154(j), 227(e), 227b, 251(e), and
303(r), that this Report and Order IS ADOPTED.
84. IT IS FURTHER ORDERED that Part 64 of the Commission's rules IS
AMENDED as set forth in the following.
85. IT IS FURTHER ORDERED that, pursuant to Sec. Sec. 1.4(b)(1)
and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a),
this Report and Order SHALL BE EFFECTIVE 30 days after publication in
the Federal Register.
86. IT IS FURTHER ORDERED that the Commission SHALL SEND a copy of
this Report and Order to Congress and to the Government Accountability
Office pursuant to the Congressional Review Act, see 5 U.S.C.
801(a)(1)(A).
[[Page 22043]]
List of Subjects in 47 CFR Part 64
Communications common carriers, Carrier equipment, Reporting and
recordkeeping requirements, Telecommunications, Telephone.
Federal Communications Commission.
Cecilia Sigmund,
Federal Register Liaison Officer, Office of the Secretary.
Final Rules
For the reasons discussed in the preamble, the Federal
Communications Commission amends 47 CFR part 64 follows:
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
0
1. The authority citation for part 64 is revised to read as follows:
Authority: 47 U.S.C. 154, 201, 202, 217, 218, 220, 222, 225,
226, 227, 227b, 228, 251(a), 251(e), 254(k), 262, 403(b)(2)(B), (c),
616, 620, 1401-1473, unless otherwise noted; Pub. L. 115-141, Div.
P, sec. 503, 132 Stat. 348, 1091.
0
2. Add Subpart HH, consisting of Sec. Sec. 64.6300 and 64.6301, to
read as follows:
Subpart HH--Caller ID Authentication
Sec. 64.6300 Definitions.
(a) Authenticate caller identification information. The term
``authenticate caller identification information'' refers to the
process by which a voice service provider attests to the accuracy of
caller identification information transmitted with a call it
originates.
(b) Caller identification information. The term ``caller
identification information'' has the same meaning given the term
``caller identification information'' in 47 CFR 64.1600(c) as it
currently exists or may hereafter be amended.
(c) Intermediate provider. The term ``intermediate provider'' means
any entity that carriers or processes traffic that traverses or will
traverse the PSTN at any point insofar as that entity neither
originates nor terminates that traffic.
(d) SIP call. The term ``SIP call'' refers to calls initiated,
maintained, and terminated using the Session Initiation Protocol
signaling protocol.
(e) STIR/SHAKEN authentication framework. The term ``STIR/SHAKEN
authentication framework'' means the secure telephone identity
revisited and signature-based handling of asserted information using
tokens standards.
(f) Verify caller identification information. The term ``verify
caller identification information'' refers to the process by which a
voice service provider confirms that the caller identification
information transmitted with a call it terminates was properly
authenticated.
(g) Voice service. The term ``voice service''--
(1) Means any service that is interconnected with the public
switched telephone network and that furnishes voice communications to
an end user using resources from the North American Numbering Plan or
any successor to the North American Numbering Plan adopted by the
Commission under section 251(e)(1) of the Communications Act of 1934,
as amended; and
(2) Includes--
(i) Transmissions from a telephone facsimile machine, computer, or
other device to a telephone facsimile machine; and
(ii) Without limitation, any service that enables real-time, two-
way voice communications, including any service that requires internet
Protocol-compatible customer premises equipment and permits out-bound
calling, whether or not the service is one-way or two-way voice over
internet Protocol.
Sec. 64.6301 Caller ID authentication.
(a) STIR/SHAKEN Implementation by Voice Service Providers. Not
later than June 30, 2021, a voice service provider shall fully
implement the STIR/SHAKEN authentication framework in its internet
Protocol networks. To fulfill this obligation, a voice service provider
shall:
(1) Authenticate and verify caller identification information for
all SIP calls that exclusively transit its own network;
(2) Authenticate caller identification information for all SIP
calls it originates and that will exchange with another voice service
provider or intermediate provider and, to the extent technically
feasible, transmit that call with caller ID authentication information
to the next voice service provider or intermediate provider in the call
path; and
(3) Verify caller identification information for all SIP calls it
receives from another voice service provider or intermediate provider
which it will terminate and for which the caller identification
information has been authenticated.
(b) [Reserved].
[FR Doc. 2020-07585 Filed 4-20-20; 8:45 am]
BILLING CODE 6712-01-P