SHAKEN/STIR: A Step Toward Returning Trust to Incoming Calls
Not a silver bullet solution, but an important commitment to the ongoing validity of the voice channel
On Thursday, July 11, 2019, FCC Chairman Ajit Pai convened the SHAKEN/STIR Robocall Summit focused on the industry’s implementation of SHAKEN/STIR, a caller ID authentication framework to combat illegal robocalls and illegal call spoofing. In late 2018, Commissioner Pai called for major voice service providers to deploy the SHAKEN/STIR framework in 2019. As we’re already halfway through the year, this summit showcased the progress that major providers have made toward reaching that goal and provided an opportunity to identify any remaining challenges to implementation, along with suggestions to best to overcome them.
SHAKEN/STIR: what it is, what it is not
The first panel discussion of the summit included subject matter experts from the top carrier and service provider organizations including Vonage, T-Mobile, Verizon, Bandwidth, AT&T, and Comcast. The discussion began with an introduction by Chris Wendt, Director of Technical Research & Development for IP Communications, Comcast, and Co-author of SHAKEN and STIR standards. In his presentation, Chris summarized some important ‘myth-busting’ information to address the confusion that has arisen since the terms SHAKEN and STIR have gained popularity across mainstream media outlets.
To begin with what SHAKEN/STIR is, it is a framework that can be used to verify the point of origination of a call in order to provide the ability to trace back to this origination should illegal activity be discovered in relation to a phone number’s usage.
Now onto what SHAKEN/STIR is not. While it is a tool to help identify bad actors, it is not a tool to eliminate illegal robocalls all together. It is not a silver bullet solution and it cannot help to determine the illegitimacy or legitimacy of the intent of an incoming call. What this means is that although SHAKEN/STIR can validate that an incoming call is originating from a real phone number, a number which is not being illegally spoofed, this framework does not have the ability to ‘weigh in’ on whether or not the content of the call itself is potentially malicious or unwanted.
SHAKEN/STIR: what it seeks to accomplish
Some of the intended outcomes of SHAKEN/STIR deployment are as follows:
- To address the security of the use of a telephone number for the person or entity who is legitimately associated with it
- To provide a technical framework that supports policy and enforcement goals
- To provide an additional data point to improve the relevance and accuracy of call labeling and identification analytics
Each of the service providers on the panel was given the opportunity to share the progress, challenges, and achievements their organizations have encountered on their journies to SHAKEN/STIR deployment thus far. Vonage, T-Mobile, Verizon, Bandwidth, AT&T, and Comcast all confirmed that their organizations are in various stages of successful, active deployment. Ongoing testing will continue as SHAKEN/STIR ‘signed’ (originating source validated) traffic continues to be successfully ‘passed’ from service provider to service provider.
Illegal spoofing vs. legal spoofing
As ‘call spoofing’ was identified as the tactic SHAKEN/STIR seeks largely to combat, clarification was given to address the fact that a number of enterprise callers use call spoofing for legitimate business purposes as a means to present geographically familiar phone numbers to their consumers. Legal call spoofing will not be interrupted or negatively impacted by SHAKEN/STIR. Organizations using this tool for legitimate business reasons may continue to do so.
It’s important to recognize that call spoofing is a tool used by both legal and illegal callers. Removing the ability for illegal callers to exploit this tool will reduce a large volume of illegal robocall traffic, but call spoofing is not the only tool bad actors use, and it won’t address all of the illegal calls. As SHAKEN/STIR is adopted, we’ll remove illegal call spoofing as one of the major tools in use by fraudulent callers, but we need to be adaptive to what these bad actors are going to do next.
Collaboration and continued work
The panel agreed that this is one issue across the industry that people can come together and agree upon. It was noted that once service providers started working together and talking about solutions in collaboration, real working ideas began to take shape. The resounding advice for the Tier 2 and 3 carriers who may not yet have started on SHAKEN/STIR implementation within their organizations was to start now and take advantage of the collaboration that’s already taking place within the Tier 1 service provider community.
When it comes to a time frame for deployment, though SHAKEN/STIR is partially active today, a number of questions remain such as how a ‘signed’ or ‘verified’ call will be displayed on end users’ devices. Another remaining item to address is how to provide full attestation (validation of where the call originated and who owns the telephone number) for end users when there isn’t a direct relationship between the carrier and the entity behind the call.
Though there are many proposals supporting the delegation of SHAKEN/STIR certificates to legitimate call originators, a finalized solution has yet to be confirmed. As Comcast’s Chris Wendt added, the goal is to “continue to support end-to-end trust even when there is an indirect relationship between the calling entity and the originating carrier,” which is an encouraging view for the legal caller, whose goal it will be to receive the highest levels of call authentication possible.
Using SHAKEN/STIR to inform call blocking and labeling decision making
The second panel of the summit focused on how SHAKEN/STIR can be used to improve the consumer experience. Panelists joining this session included experts from the top call analytics companies, Transaction Network Services (TNS), First Orion, and Hiya, as well as additional leadership perspective contributed by Ericsson, Cox, and AARP.
Building off of the first panel’s takeaway that SHAKEN/STIR will validate the origination of a call, but will not validate anything about the content of the call itself, the second panel began with a discussion on how the validation of a call’s origination is actually a very important new data point that can be integrated into the decision-making algorithms that are already in use today by caller identification analytics companies.
Call authentication data to improve analytics
As a benefit from the addition of SHAKEN/STIR-provided call origination verification data, Lavinia Kennedy, Director, Product Management, TNS, explained that this data improves the quality and accuracy of call labeling or risk ratings associated with a phone number. She added that including SHAKEN/STIR validation not only helps improve the analytics but also helps increase consumer confidence in the accuracy of the call labels presented to them on their devices.
Driving the point home throughout the summit that SHAKEN/STIR alone is not enough to identify trust in an incoming call, but an important step toward improving this trust, Scott Hambuchen, Chief Information Officer, First Orion added the following description as an example:
“Just because a call has been authenticated and validated doesn’t necessarily mean it’s a good guy on the end of the line. It could still be the devil himself calling from a validated number.”
Vigilance will still be needed when answering any call, and as Jonathan Nelson, Director, Product Management, Hiya added, one of the big challenges of today’s analytics is to separate the legal calls from the illegal calls. Both of those audiences (legal and illegal callers) have the same goal — they both want their calls to be answered. Both of those audiences also use the same call tactics. Because of that, it can become hard for analytics to pick these two types of callers apart, however, what SHAKEN/STIR does is gives the analytics an additional, valuable data point to help more accurately tell calls apart.
Stopping the bad actors; protecting the good actors
With the majority of the focus being on how to more effectively identify and stop illegal callers, there was also some discussion on the need to make sure there is an opportunity for callers who fail SHAKEN/STIR validation and/or are improperly blocked to be able to resolve this issue and come to a workable solution.
There are plenty of legal business callers who will remain at risk of their calls being improperly labeled or blocked with or without SHAKEN/STIR. Yet, SHAKEN/STIR puts us one step ahead in terms of restoring consumer confidence in an incoming call and improving the reasonable analytics used to guide call labeling decision making.
What became a key takeaway of the SHAKEN/STIR Robocall Summit was the need for continued education across the industry and at the consumer level. It will be critical to educate the consumer in what the various levels of SHAKEN/STIR attestation mean, what ‘call authentication’ does or does not guarantee, what failed authentication implies, and so on. The panelists agreed that without clear messaging around the new concepts introduced by SHAKEN/STIR, the industry will dilute the effectiveness of creating new trust around the messaging.
Another takeaway was the continued need to increase the feedback loop to identify when the combination of SHAKEN/STIR validation and call analytics incorrectly identify a legal call as an illegal call. A comparison was made by Scott Hambuchen at First Orion comparing false positives generated by call analytics with email junk/spam folders. Now that consumers have become accustomed to the idea of generally trusting their email inboxes, we recognize the occasional need to look inside the junk box to remedy a good email that somehow winds up being classified as ‘spam’ by mistake.
It’s easy enough to move a miscast ‘junk’ email back into the inbox. It should also be that easy to correct a mislabeled phone call, however, this is a path that still needs a tremendous amount of focused attention in order to be accomplished.
As the industry continues to work toward a solution to stop illegal robocalls while allowing legal, wanted calls to get through, Numeracle provides a path to proactively identify yourself as a trusted, legal caller to keep you connected with your consumers. Contact us at www.numeracle.com/contact to learn more.