Before the Federal Communications Commission
Washington, D.C. 20554
“Every person on the planet and every entity on Earth should know with certainty with whom they are communicating.”2
We have failed. The telecom industry began its collective fight against illegal and unwanted robocalls eight years ago when the Federal Communications Commission and industry kicked off the Robocall Strike Force. What have we accomplished since then? Trust in the voice channel continues to erode, scams and fraud remain at unacceptably high levels,3 and the name display on incoming phone calls is either non-existent or not trustworthy. There are some successes—Rachel from card services does not call anymore, and nobody has offered me an extended warranty on my car for many months. Nevertheless, we can do better. The tools are out there, but to fix the problem requires widespread adoption of secure verified identity presentation and a telecom network that allows critical identity information about the caller to reliably traverse the network to the call recipient.
Maybe we have been fighting the wrong fight. While robocalls are a nuisance, the bigger issue is unidentified and misidentified callers committing fraud.4 The victims are twofold—those who have direct losses, along with the remainder who no longer trust voice communications.
Our collective failure to fight “illegal and unwanted robocalls” is due, in large part, to failing to define the end goal other than have less spam, fewer scams, and to put the perpetrators in jail or impose large fines. Numeracle proposes that our goal should be two interrelated objectives: 1) all electronic communications should securely display the identity of the originator; 2) nobody else should be able to fake that identity display, which means authorization and a chain of trust leading to the owner of that identity.5If we can satisfy those two objectives, the need to label and block suspected bad calls diminishes substantially. What would American consumers rather have on their incoming call screens—a verification that it really is their bank calling with the bank’s name, logo, and call reason displayed, or a terminating carrier’s algorithmic guess at whether the call is “spammy” or “artificial intelligence” that overrides the name display on the phone?
All of the major wireless carriers have recognized the need for verified incoming call information by enabling one form or another of branded calling, but the security of these technologies varies widely6 and the cost is often a prohibitive premium intended for callers that see branded calling as a means to increase answer rates for better return on investment for outbound calls rather than the basic means by which all calls are transmitted with the caller’s verified identity displayed to the recipient. The Commission’s goal should be that all calls from businesses, governments, and other entities have verified identity displays.7
Instead of working toward the twin goals of identity verification and spoof prevention, industry and regulators have gone down the rabbit hole of using analysis and machine learning (some would call it artificial intelligence) to make informed opinions about whether a call should be blocked, labeled as spam or scam, or go through without interference. Numeracle personnel recently had a conversation with a representative of one of the three major wireless providers.
Numeracle pointed out that appointment reminder calls from hospitals—including several Numeracle clients—are routinely labeled as spam. The carrier representative defended that practice—while he said the appointment reminders are fine and should not have a spam label, some health care systems ask for co-payment information during the same call, thereby justifying the spam label. The carrier and its analytics partner recommended to complaining hospitals that they should not ask for a copay in order to avoid the spam label.8As a result, calls from those health care providers say “Spam Risk” instead of “ABC Hospital.”
Who decided that the wireless carriers and their analytics engine partners should dictate the business practices of our nation’s health-care system by imposing a labeling and blocking process without standards, with little recourse to correct errors, and vast implications on the ability of Americans to communicate with one another? The wireless carrier described above uses the same “Spam Risk” label for a legitimate, wanted call with consent from a health-care provider as it does for an unidentified caller that is trying to deceive the recipient by impersonating the hospital. That carrier is making the conscious decision to reject the call originator’s ability to display its name to the recipient who has consented to receive this call merely because the carrier does not like the business practice of requesting co-payment information at the same time as reminding the patient of an upcoming appointment. While requesting co-payment information in this way may not be an ideal business practice according to a handful of call recipients who complained, thereby resulting in the spam labeling, the question of how businesses obtain payment for services is for Congress, the Department of Health and Human Services, and regulators to decide—not for the wireless carriers and their analytics engine partners to impose unilaterally without notice and an opportunity to be heard.
The Commission’s foray into artificial intelligence regulation has the potential to lead us further astray. Until we have solved the identity problem, we are just guessing with limited metadata to make substantive inferences about the content of calls and whether consumers want to receive them—regardless of whether those calls were placed via artificial intelligence or by more traditional means. And the use of AI to identify potentially fraudulent or unidentified calls is hampered without trusted, verified information about the identity of the communication’s originator. Before we tackle the vexing problem of what to do with artificial intelligence both making calls and analyzing calls, we collectively need to establish the foundation that the caller’s identity is verified, transmitted securely end-to-end, and displayed to the call recipient.
Consumers are entitled to know with certainty who is calling them. Or who is messaging them, whether using SMS, RCS, or iMessage. Or communicating through WhatsApp, other social media, or e-mail. Why have we collectively failed to accomplish this? While WhatsApp, social media platforms, and conference systems such as Microsoft Teams, Webex, and Zoom have marginally better identification and security than the PSTN, are we collectively willing to abandon open ecosystems for closed-garden communication networks? That’s the direction we are headed. The drafters of the Kingsbury Commitment more than a century ago would be rolling in their graves as communications become fragmented and isolated—not due to inadequate technological means to solve the problem of unidentified and misidentified communications, but because of a lack of willingness to do so.
Which of these two calls is actually from the White House switchboard?
.png)
The display on the left says “White House” and has a green checkmark that the number has been validated. That has to be real, right? The call on the right says “Gsa Bill Once” as the caller name, and there is no check mark that the originating number has been validated.
If you said the call on the left is the actual call from the main White House switchboard phone number, you’d be wrong. The undersigned went into the customer service portal of a major wireless carrier and changed his outgoing caller name from his real name to “White House.” It’s that simple. (As an aside, one of the three major carriers has categorized the main White House switchboard number as spam in recent months.) While it is true that the phone number on the left is not the actual White House number and is traceable to the call originator, in our current era of e-sims, number portability, and easily obtained burner phones, the damage from impersonation could be done before law-enforcement determines who owns that phone number and finds a way to track down and stop the fraudster using that number.
When Kamala Harris called Tim Walz to ask him to be her running mate as vice president, he ignored the first call because no name was displayed. “The most important call of my life, ”Walz said. “It popped up and we didn’t recognize the Caller ID and it went tovoicemail.”9 We can do better.
Senator Ed. Markey (D-Mass.) likes to hold the carriers’ feet to the fire with pointed letters requesting information.10 What would happen if Senator Markey were to make a call from his main Washington office line of(202) 224-2474? The CNAM11 display—if enabled—would be “Senator John Kerry” on two of the three major carriers. (The third currently labels it as “Spam Risk.”) Kerry was the previous holder of Markey’s seat from Massachusetts, but Kerry left that position eleven years ago. Someone is asleep at the wheel and has not updated the CNAM databases in that timeframe.
.png)
One core reason for our failure is the focus on the phone number rather than the identity of the caller. Phone numbers are terrible identifiers. While they are unique, they are not immutable or familiar. Other than a handful of phone numbers of friends and family (and even this knowledge has faded over the last two decades as we rely on using pre-programmed contacts instead of physically tapping each digit to place a call), we do not know nor care about the phone number that is calling us or that we are calling. We care about identity. A phone number is an attribute assigned to an identity, but it is not the identity itself. Even if a customer adds the phone number of a company she does business with to her contacts, that is only one number of many the company may use. A call from the company could come from a different agent with a different number or from a different division of the company. Relying on the phone number as the basis for identity has led us down the wrong path for eight years. A phone number is a means for call routing and billing. It is not an identity and should not be treated as such.
If my bank is calling to alert me about fraud on my account, the current safeguard is to call the number from the website, an account statement, or on the back of the card if the recipient is skeptical about the legitimacy of the call. The FCC recommends thispractice.12 Can’t we do better? The technology exists to prevent impersonation so that “My Bank” and only “My Bank” can invoke that name display on an incoming phone call. It shouldn’t matter which particular phone number a call originates from at that bank as long as that phone number is secure and positively linked to the bank’s identity.
STIR/SHAKEN is part of the path forward in the United States. But unjustified expectations have exceeded the reality of what it was designed to do. All STIR/SHAKEN does is communicate downstream whether the originating carrier signing the calls is asserting that it has a link between the caller and the phone number placing the call. STIR/SHAKEN has two fundamental shortcomings: 1) it relies on the honesty of the originating carrier with little standards or oversight; and 2)it does not communicate the name of the caller, just the phone number. STIR/SHAKEN is great at identifying the originating service provider. That’s it.
Let’s first use human intelligence to verify callers and display that information before we worry about artificial intelligence. AI is not a panacea to our robocall problem nor has it been the cause of most of our fraud problems thus far.13 AI will not solve the problem of not knowing with certainty who or what originated a communication. In its current state, it’s guesswork.
Educated guesswork, but still guesswork. Once we add verified identities to electronic communications, then and only then can consumers trust AI once they answer the call. Numeracle supports the proposal that the use of AI be disclosed, but this concern is secondary to the identity of the caller. How AI is used to provide customer service for a consented phone call in this circumstance is more of an issue for bank regulators and market pressures than it is for the FCC.
The Commission’s proposed rules will create a situation where lawful callers will disclose their use of AI, while callers already undeterred by the Commission’s rules and limited ability to collect fines from scammers, shell companies, overseas companies, and other illegal actors will skip the AI disclosure and continue to defraud American consumers. The Commission’s rulemaking actions in preventing robocalls have been focused on empowering voice service providers to block and label various types of calls, based on both solid information (invalid, unallocated, and unassigned numbers, along with numbers on a do not originate list) and vague criteria (reasonable analytics to identify calls highly likely to be illegal). What the Commission and industry have not done is give consumers a reason to trust the display information on incoming calls.
Instead, why don’t we identify the caller accurately and securely so the call recipient is empowered to answer the call or ignore it, or program preferences with their carrier or on their device about which calls they want to receive?14 Verification of the identity of an incoming call that it really is from a consumer’s bank—whether the call uses an AI voice or human—is far more useful to prevent fraud than an unidentified call accompanied with a warning that the call is using an AI voice.
The harm from the Biden AI call that has been the subject of recent FCC enforcement action could have been mitigated if that call had been identified properly. The call was not from “Biden for President” with an indicator of validity. Instead, it was from Steve Kramer.15 If the call name presentation had been “Steve Kramer,” we would be far less concerned about whether the voice was real or not. We would know the call did not come from the Biden campaign.
The ability of AI to root out scams is promising, but nascent and unreliable. The Commission should not rely on hoping that AI can do what human intelligence has thus far failed to do—accurately identify legitimate wanted calls and distinguish those from spam or unwanted calls.
Commenters in FCC proceedings have routinely bemoaned that there is no “silver bullet”16 and that fighting robocalls will always be a game of “whack-a-mole.” Numeracle believes otherwise. Verified identities delivered securely can be the silver bullet and reduce if not eliminate the need to play whack-a-mole to fight scam callers that pop up with different phone numbers on different networks with different illegal schemes.
ATIS and IETF have created an overlay to STIR/SHAKEN called Rich Call Data, or RCD. RCD goes further than STIR/SHAKEN and includes information about the caller’s name, phone number, call reason, and logo. RCD is not inherently secure—any caller using SIP technology can insert such claims. What does make RCD secure, though, is an ecosystem that establishes standards to verify and vet the identity claims by trusted members. RCD claims that are not signed by a trusted originator are not displayed to the call recipient. Under a complete implementation of RCD, only RCD claims that are vetted and verified are displayed on the recipient’s incoming call display.
Zero Trust Architecture (“ZTA”) is a security model built on the premise that all devices and users are not trustworthy until verified. As described in the Department of Defense Zero Trust Reference Architecture,17 “[t]he foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
The Biden administration issued an Executive Order18 on Improving the Nation’s Cybersecurity, stating that for the Federal Government, the “prevention, detection, assessment and remediation of cyber incidents is atop priority and essential to national and economic security.” Building on the principles of ZTA, the Biden administration marked a dramatic shift across the critical infrastructure sectors, one of which is communications, to transfer the burden of protection from consumers to those most capable of instilling protection:
Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity. …[A]cross both the public and private sectors, we must ask more of the most capable and best positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.19
For too long, the burden of protecting against robocalls has been placed on the American public. Businesses have no way to protect their essential communications from spoofing and mislabeling, and consumers lack the verified information to make informed decisions about answering and responding to telephone calls. ZTA can change that. Any secure verified identity presentation system should be based on a zero-trust security model, open to multiple participants deemed not trustworthy until verified through a robust standard with revocation for violating the standard.
Imagine a world where smartphones displayed the identity of the incoming caller with an indicator that the identity has been verified. If my phone said “Microsoft” and the call reason said “Technical Support” I would trust that call, while if the phone said “Some Random Guy in an Overseas Call Center Who Would Not Identify Himself or His Company but claims to be Microsoft,” I would not trust that incoming call and would not even answer it.20 While the foregoing example is clearly in jest, it reveals an underlying principle that we have collectively overlooked: the ability to perpetuate scams by impersonation is blocked if we prevent the impersonation in the first place. Under a secure RCD system based on Zero Trust Architecture, the only entities that can get “Microsoft” as their caller name are Microsoft and those entities it authorizes to call on its behalf. The delivery pathway to carry this data to the subscriber must also adhere to the same security model thus creating an end-to-end trusted pathway.
But to get there, delivery of verified identities has to be consistent. A bank cannot tell its customers that all its legitimate calls will be presented with a verified identity and to reject or distrust calls that purport to be from the bank but without the indicator of reliability unless all the bank’s calls are delivered with a verified identity. Accordingly, we need everyone to get on board—whether through regulation or market pressure. Fragmented, siloed, and pay-to play identity displays undermine the collective goal to have verified identity displays on all calls from all entities—whether government, business, or another type of entity.
We will never have universal secure verified identity presentations as long as TDM remains in our communications networks, with the result of dropping the trusted identity information embedded in SIP headers before it gets to the recipient. The “TDM in the middle” problem remains. It is urgent that the Commission do something about it and force the sunset and retirement of obsolete communications networks. Scammers seek out the weakest link, and the Commission and industry have declined to eliminate those weak links. The Commission started down this path eleven years ago but abandoned the initiative.21 Until that effort is completed, much of the Commission’s work to combat robocalls through STIR/SHAKEN and derivative technologies such as RCD is for naught.
CTIA has created an RCD ecosystem called Branded Calling ID that embodies the principles stated above.22 Numeracle is an eager proponent and collaborator in developing this system, which began operating earlier this month. It is open to various participants to onboard callers, vet the identity and calling practices of callers, sign the calls, originate the calls, and terminate the calls with the verified information displayed to the call recipient. Numeracle applauds CTIA for its years of diligent work to create this trust framework, and Numeracle is excited to work with T-Mobile as the first carrier to terminate calls with RCD under the BCID framework.
An open ecosystem for RCD based on Zero Trust Architecture is the pathway forward. In such a system, certain entities are authorized by a trust anchor to vet call originators and sign their calls. The terminating carriers display the verified and vetted information to the call recipient. Sounds simple, and in some ways, it is. What’s to stop abuse of the system? The security certificate necessary to sign the calls is revocable for abuse of the system. Without that security certificate, the incoming call display will not include a name, logo, call reason, or verification indicator—just the phone number. This technology prevents name spoofing, which is far more problematic than number spoofing because, as stated above, consumers rarely consider the phone number of an incoming call.
The handset manufacturers are ready to go. Motorola, Samsung, and Apple have all implemented this technology natively in their devices so this functionality does not require the user to install a separate app. Below are screenshots of a call without BCID on the left and with BCID on the right:
.png)
(Actual unedited screenshots23 of phone calls delivered on October 10, 2024, to an Apple iPhone 15 Pro Max with iOS 18.0.1 on the T-Mobile network.)
.png)
(Actual unedited screenshots of phone calls delivered on October 10, 2024, to a Motorola Edge 2022 with Android 13 OS on the T-Mobile network.)
Numeracle is not asking for a Commission mandate at this time to require the use of RCD-based identity display, but we do note that the Commission has full legal authority to do so, and the time is rapidly approaching for the Commission to take such a step if industry cannot coalesce and present verified identity information on telephone calls. The Commission noted that it “strongly encourage[s]” deployment of RCD in its draft order released Sept. 5, 2024.24
The TRACED Act set a goal of “ensur[ing] the calling party is accurately identified.”25 Almost no progress has been made on this requirement in the five years since the TRACED Act went into effect. Note that the law says “calling party” and not “originating phone number” or “originating service provider.” STIR/SHAKEN solves for the originating phone number (when done properly) and originating service provider, but not the calling party.
The TRACED Act required the Commission to “issue best practices that providers of voice service may use as part of the implementation of effective call authentication frameworks
… to take steps to ensure the calling party is accurately identified.” The Commission issued best practices26 in 2020, but those best practices have not been updated and omit basic principles.27 While the Commission has required the implementation of STIR/SHAKEN, this technology, by itself, does nothing to “ensure the calling party is accurately identified.” All that STIR/SHAKEN does for an A-level attestation, standing alone, is transmit a claim by the originating service provider that the customer claims and the originating service provider agrees—with only loosely definedstandards28—that it is entitled to use a particular number. The caller’s identity is not part of STIR/SHAKEN—just phone numbers. Any information about the caller’s name is typically enabled by alternative means, including legacy CNAM systems or branded calling systems.
The TRACED Act empowers the Commission to implement additional measures to accomplish the goals of the TRACED Act. “[T]he Commission shall … assess the efficacy of the technologies used for call authentication frameworks implemented under this section and …revise or replace the call authentication frameworks under this section if the Commission determines it is in the public interest to do so … .”29 If industry cannot immediately coalesce on an effective call authentication framework that “ensure[s] the calling party is accurately identified,” the Commission should act.
The Commission already recognizes the importance of accurate identification in the context of artificial or prerecorded voices, but only after the call is answered. The Commission’s rules require under 47 CFR§64.1200(b)(1) that telemarketers “state clearly the identity of the business, individual, or other entity that is responsible for initiating the call. ”Instead of waiting for the phone to be answered and having an oral message of identity that could easily be a lie, why are we not independently verifying the identity and displaying that identity when the phone is ringing and the recipient is deciding whether to answer—and for all calls, not just artificial and prerecorded voice? It’s like we’ve all decided to go back to 1985 before our phones had the ability to display the incoming phone number and caller name. Our smartphones have a display that can show name, number, logo, call reason, and verification status. Let’s use those capabilities instead of imposing more requirements of unverified identity assertions after the call is answered as the NPRM is planning to do for AI-generated calls.
Readers of these comments will have noticed that they do not talk much about artificial intelligence. That is deliberate because fine-tuning the approach to AI invoice calls is like putting the cherry on top of an ice cream sundae when the bowl is cracked and the ice cream is a melted mess.
AI is both a challenge and an opportunity. The use of AI in and of itself is not fraudulent. There are many legitimate uses for businesses with consent to be using AI. Identity presentation when a call is delivered, however, will enable consumers to make informed decisions.
Before we fine-tune how to identify and handle AI in call origination and to use AI to identify potential fraud at the call termination end, we must have a system in place to verify the identity of a telephone call originator, pass that identity end-to-end securely through the network, and display that information to the recipient of the call. Numeracle believes that the best approach to preventing robocalls—and especially fraudulent robocalls—is to empower consumers to know who is calling and to take individual action. That action can include blocking, labeling, or diverting to voicemail certain callers or categories of calls, but without accurate information about the identity of the caller and the type of call they are making, those consumer decisions will be based on incomplete or inaccurate information and will inevitably prevent wanted calls from going through and fail to block some unwanted calls.
Rebekah Johnson, Founder & CEO, Numeracle
Keith Buell, General Counsel & Head of Global Public Policy, Numeracle
