Numeracle, Inc. (“Numeracle”) hereby files these initial comments in response to theFederal Communications Commission’s (“FCC” or “Commission”) Further Notice ofProposed Rulemaking in the above-captioned proceedings.1
While the base STIR/SHAKEN framework establishes a chain of trust back to the originating voice service provider, to reap the full benefits of STIR/SHAKEN the chain of trust must extend beyond the originating provider and back to the entity placing the call. Through the development of the STIR/SHAKEN framework under the governance of the STIGA/PA, the industry has established a Public Key Infrastructure for voice calls supporting a mechanism to obtain and deliver trust with the origination of a call. Unfortunately, the end-to-end trust for enterprises is not supported due to lack of Commission guidance to create best practices to accurately identify the calling party associated with the authorized number when the originating voice service provider does not have the ability to attest.
I. Background
The authentication and verification processes of the STIR/SHAKEN framework establishes a secure transmission of encrypted information used to attest to the accuracy of caller ID information transmitted with the call by the originating voice service provider.2 In order to transmit the attested caller ID information, the originating voice service provider will add a unique header to the network-level message used to initiate a SIP call (the SIP INVITE).3
The Commission states one of the expected benefits of the STIR/SHAKEN mandate is to restore confidence and trust in the Caller ID Information to make call recipients more likely to answer the phone. Without this trust in caller ID information, the Commission acknowledged the decline in answer rates in recent years have harmed businesses, healthcare providers and non-profit charities. The Commission notes that “such organizations likely will benefit in improved answer rates due to caller ID information is authenticated”.4
II. Attestation Levels
The Commission has already defined what it means to authenticate caller identification information5 based on its definition of caller identification information.6 To authenticate caller identification information, the originating voice service provider will determine which of the three attestation levels it will assign to the call. The SHAKEN standards for assigning attestation level requires the originating voice service provider to determine the identity of the calling party and its authorization for use of the number before determining whether to assign A, B or C.7 The provider assigns attestation levels a based on two factors: authorization to use the number and the identity of the customer.
Figure 1 shows how the base SHAKEN implementation functions in the market today for individual subscribers as implemented by some carriers.8 Voice service providers originating calls for their subscribers provide authenticated caller ID information through a“Know Your Customer” (“KYC”) process to identify the customer and verifying the association of the telephone number the service provider provisioned to the customer. If the number and identity criteria are fully met, the provider should assign A Level attestation.Through the STIR/SHAKEN verification process, the terminating service provider can verify the caller ID information and trust the identity header information to display in the manner chosen by the terminating voice service provider.
Through the same attestation criteria of customer identity and number, the base SHAKEN authentication can also be implemented by the originating voice service provider to attest to the accuracy of caller identification information transmitted with a call for customers that are not individual subscribers. Utilizing their KYC process and number provisioning process, an originating voice service provider can provide A level attestation to a call made by a business, government entity, or similar. Through the STIR/SHAKEN verification process, the terminating service provider can verify the caller ID information and trust the identity header information to display in the manner chosen by the terminating voice service provider.
III. STIR/SHAKEN Standards Do Not Support Legal Callers Need for “A” Level Attestation Due To Distributed Customer Identity and Number
When the relationship between the caller, the assigned number, and the originating voice service provider does not meet the criteria for A level attestation, the provider will apply B or C level attestations. Even though a B or C level attestation does not provide the certainty of an A attestation, these options are part of the STIR/SHAKEN framework to, at a minimum, support traceback efforts to the originating or gateway carrier.
Figure 3 shows how a voice service provider will authenticate the caller ID information with a B level attestation. The originating voice service provider will assign B attestation when it can verify the identity of the customer through its KYC process but is not able to establish a verified association with the telephone number. This is a common practice with enterprises known as “Bring Your Own Number” (“BYON”)9. With BYON, the enterprise obtains numbers directly from a RespOrg or TN provider other than the originating service provider. The verified association still exists with the RespOrg or TN provider, but the originating voice service provider is not able to attest to the authorization at the time of call origination.
Attesting to the accuracy of the caller identification information with a B level attestation based on the caller ID information available to the originating voice service provider is proper application of STIR/SHAKEN. However, this is not the ideal attestation level a legally operating enterprise compliant with the applicable consent and auto-dialer rules expects on its originating calls. The concern for B level attestation is based in how the call is treated by the terminating service provider, which may not display to call recipient the same level of trust as an A attestation. Multiple industries of enterprises have filed concerns with theCommission regarding lower-level (B or C) attestation treatment.10
The relationship between callers, phone numbers, and originating providers is not as simple as the examples that guided the development of STIR/SHAKEN. The current practices involving multiple entities in the call scenario makes achieving an A level attestation for an enterprise caller difficult, if not impossible. Figure 4 is one of several examples where an intermediary entity is between the enterprise whose caller ID information identity and associated telephone number is to be attested by the originating voice service provider. This intermediate entity is not a carrier, but rather could be a hosted cloud service provider, hostedPBX, Unified Communications providers, Communications Platform as a Service (CPaaS) providers, Contact Centers, etc. A common complex call-origination configuration for calling parties such as hospitals, state governments, retailers and banks is the use of one or more intermediate entities to manage communications.11 In the current base SHAKEN model, for an enterprise who utilizes an intermediary provider such as a Business Process Organization(BPO), the originating voice service provider will authenticate the calls with a C level attestation because they do not have a relationship with the initiator of the call. There is still value as it relates to traceback efforts for the originating voice service provider to create an identity header even with C level attestation. But the value to the consumer for restoring trust in the voice channel is not achieved and the caller suffers because of the diminished trust.
Numeracle does not advocate for the removal of B or C attestations, instead Numeracle supports the Commissions efforts to define best practices for originating voice service providers to pursue A level attestation by accurately identifying the calling party associated with the number originating a call on their network.
IV. Conclusion
The STIR/SHAKEN framework captures the two factors for the originating voice service provider to determine attestation: 1) the verified identity of the calling party; and 2) the calling party’s authorization to use the associated number to originate a call. Due to the enterprise use cases, the relationship between callers, phone numbers, and originating providers is distributed. Despite the distributed nature, the verification of the identity of the calling party and the authorization to use of the associated number exists today. The challenge faced by the originating voice service provider is obtaining access to trusted and verified number and identity information in line with the STIR/SHAKEN PKI infrastructure.
The Commission should ensure that as industry deploys STIR/SHAKEN, the needs of legal callers to establish A level attestation despite the lack of a simple one-to-one relationship with an originating voice service provider should be supported by the standards and best practices.
Respectfully submitted,
NUMERACLE
Rebekah Johnson
Founder & CEO
Numeracle
P.O. Box 2523
Arlington, VA 22202