- STIR/SHAKEN Standards per the TRACED Act
- International Call Signing and SHAKEN specifications
- Enterprise Challenge/Gap with Attestation
- Trusted Certificate Authorities List (CA List)
- Know Your Customer (KYC) Vetting
- ATIS, IP-NNI Task Force, IETF (Internet Engineering Task Force), SIP Forum, & FCC’s Robocall Strike Force
Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry.
I'm Rebekah Johnson, Founder and CEO of Numeracle, and I’ll be co-hosting today’s session with Jim McEachern, the industry's leading SHAKEN expert, known for his extensive work establishing governance authority for SHAKEN to reduce the scourge of caller ID spoofing and unwanted robocalls. It's so great to have you with us, Jim, welcome.
Jim McEachern: Thanks Rebekah, it’s great to be here.
Rebekah Johnson: Jim, you and I have known each other for almost four years and we met over this exciting topic called STIR/SHAKEN. I was recalling our first interaction, which is when I really zeroed in on the Enterprise Challenge around Attestation, which has become everybody's favorite topic. I believe we were at the AT&T USTelecom offices here in D.C. and you were talking to a small audience about STIR/SHAKEN and giving a good overview of those standards. It was during that presentation that I was introduced to the concept of Attestations A, B, and C.
I really struggled to wrap my mind around how a voice service provider would be able to audit the enterprises and their authorization for use of the telephone numbers when the enterprise didn’t actually work directly with the carrier. That was the world that I came from and this came as a head-scratcher.
I brought up the topic, and then of course, when you raise your hand and say you know something about a topic, Jim McEachern is the guy who will say, “Great, looks like you just volunteered.” Immediately, you asked me to show up for the next ATIS meeting and I didn’t even know what ATIS meant but I showed up, I trusted you. That's where Martin Dolly, who is the Chair of the IP-NNI Task Force, basically said we really need to hear from the enterprise on how this is affecting them. I remember I was sitting next to you and you were raising your hand and pointing your finger at me going, “I brought somebody!” So I was just thrown into it. I go up to the front of the room and introduce myself, talk about the enterprise, and the rest is history.
Jim McEachern: And you love it.
Rebekah Johnson: I did, I truly was really impressed with those who are in the IP-NNI Task Force, to this day. Some of my favorite people are in there. They’re brilliant minds, I love to be surrounded by brilliant people and that's what that group is comprised of.
With that little background on how we met, I really want to dive into your background before we get into today's topic because I think it’s important as to why you are the expert when it comes to the international calls. I’m not going to anybody else for this topic. I’d like for you to give the audience some background and how the standards have come into play on this as well because this is very standards-driven.
Jim McEachern: For my background, I spent 30+ years with Nortel, and basically rode that horse into the ground but it was great fun while it lasted. When that was no longer available I started working with ATIS and focusing on several emerging technologies, everything from connected car to UAV to Next Generation Wireless, and along the way, the IP-NNI Task Force was formed between ATIS and the SIP Forum. One of the things that they tackled was robocalling and what became SHAKEN.
Once I got involved in that, it expanded to take over everything that I was doing, including after I retired, which was at the end of 2018, and that allowed me to focus on this full time. So I say “retired” in quotes.
For the standards, I’ll say one quick thing about why this needs to be based on standards: because this is all about signatures and cryptographic assertions of identity. That is created at the origination of the call with one service provider and it's due course in one country and it’s verified at the other end with a different service provider. If it's not standards-based, they don't play together. It’s as difficult and as simple as that.
Rebekah Johnson: Moving to the topic of today’s discussion on that very point of standards and sharing data, although the standards and the deployment of the standards have primarily focused on the United States, STIR/SHAKEN was intended, as you mentioned, to be deployed country-by-country. It just takes one to step up and define it, implement it, regulate, enforce it… there are all these layers that we have to go through. I think we’ve had enough time now, in the United States, for us to move this forward on all those different levels, and now we’re starting to move our focus over to, based on the standard that each country is going to implement, how to have cross-border communication.
Correct me if I’m wrong, but what I see is Canada being the one right behind the U.S. in the direction that they’re going, based on the establishment, structure, and implementation of STIR/SHAKEN. I’m not necessarily comparing technologies of where they are with voice communications, but at least with the governance, the standard structure, the enforcement, and deadlines around that. We heard recently, in another event, from the UK and France, but there are a whole lot more countries that deliver communications.
Can you walk us down that path of their status?
Jim McEachern: I’m going to step first and talk about when we defined the base SHAKEN specifications, and you're right, that was defined from a single country perspective. It was defined from a generic country perspective; it was done in the U.S., we are very aware of that. But it was designed not to be specific to any given country, but to apply to a country. The reason for that, one obvious reason, is that every country has its own regulation and they all own phone numbers, so that's a natural scope to the control of it. Frankly, the other problem, or reason, is that it is hard enough to define this for one country. Worrying about the rest of the world, you just won’t get anywhere.
So, we did that, and then once we got to that point at the end of 2018 and we had the governance authority set up in the U.S. and I retired, I could then focus on continuing to work on how we go from one country to cross-border. I'm based in Canada so I give some help to Canada in establishing their governance authority. Then ATIS, the SIP Forum, the IP-NNI, and I defined cross-border specifications.
So what happens when you have two countries that may want to play together? The trust anchor in SHAKEN is that the governance authority and the policy administrator maintain a list of the approved Certificate Authorities, the ones who can issue certificates in SHAKEN. That list of the trusted Certificate Authorities, that’s effectively the root of trust.
When you go to verify, you confirm that the call was signed with a certificate that can be traced back to that trusted CA List. If it's not on there, it fails. When you take a Canada to U.S. call, the call gets signed in Canada with a Canadian Certificate Authority. It gets to the U.S., who check their trusted CA List; if the Canadian CA is not on the U.S. list, it fails verification automatically. What they do is Canada and the U.S. decide they are going to trust each other because they are doing the same thing. So they will trust each other and merge the trusted CA Lists so that now the U.S. list has Canada plus the U.S. in it, so after you do that, the call just passes. Again, it’s as difficult and as simple as that.
Rebekah Johnson: I want to come back and continue with the theme of country readiness. I know that you have direct involvement in Canada, we are talking cross-border right now but we are using different technology to communicate. From your perspective, and I do feel that the cooperation, I would say, with the U.S. and Canada is something I hope to see with other countries, but you have been on both sides bringing this forward. It's the first cross-border, is that correct? I mean, between Canada and the U.S., as far as how our deployment is going?
Jim McEachern: They are being deployed in Canada and the U.S., but right now, if a call is signed in Canada it won't be verified in the U.S. because that merging of trusted CA Lists hasn't happened yet. It has been written to show how you’d be able to do it and I expect that will happen perhaps this year, certainly within the next 12 months. That's on the road map, but it’s still not there yet. With other people, that comes even further down the path.
Rebekah Johnson: I’m going to interject this because people get confused a lot of the time. If the call is being signed, is there an expectation that the terminating carriers will block all calls from Canada until we can communicate with each other via this standard? Would that be a true statement or a false statement because people will run with that?
Jim McEachern: No, that’s a false statement. You would not block on that basis. Now, the FCC has created and is rolling out a special case where if a call originates in Canada, but the calling party number is a U.S. number, then certain different criteria kick in. But right now, if it's a Canadian number that's originating from Canada, it just completes. Again, a call blocking app may or may not block it as suspicious, but that has nothing to do with that.
Rebekah Johnson: Can you speak at all to how STIR/SHAKEN scales with bringing on other countries? Are there challenges with that or considerations that we need to take in as we’re deploying?
Jim McEachern: Yes, several ones. The mechanism I described, where the two countries get together and sign a bilateral agreement that they’re going to trust each other, that’s the obvious way, or a brute-force way forward; it works fine for Canada and the U.S. and a couple more countries. But if you were to extend out to the world with about 200 countries, that would imply something approaching 20,000 bilateral agreements, and that takes a while. That direct approach has problems in scaling when you go to other countries.
Now, we've developed a specification that discusses how to have a central database people could register with, allowing you to do that in a more scalable fashion. The problem is there's a bunch of unresolved issues in that. Who do you trust? What are the criteria for joining? Who hosts the database? All these kinds of things. So the question of how we get from here to there in a manageable way is a lot of what I've been thinking about over the last 18 months to two years.
Rebekah Johnson: I always find it interesting when we're talking about a trust framework, those deploying it have the greatest issues with trusting the framework. We just can't get away from the fact that it is an element of it; we will have to trust the data that is coming to us and trust people are following the standard. I think it’s telling that we should not look at STIR/SHAKEN to stop the fraudulent robocalls, but it is a way to stop illegal spoofing and help identify the source. I think that's a huge win globally if we can continue on that path. Trust is an element, not only trusting who is delivering the call but who is implementing these standards and following the rules.
Jim McEachern: The trust is a good segue into challenges we face. You’re right, but the need for trust has a couple of aspects. One is, how do you know your customer? How do you have confidence that this is the legitimate person, that this is the person they say they are and that they are a legitimate actor? That's very much the space that you deal in every day, but we need more robust mechanisms for that because, as we move forward with STIR/SHAKEN, the implications of originating the call with that signature gain more significance.
The flip side of that as well is that no matter how hard we try, there are going to be some bad actors that get into the system. We need a Know Your Customer (KYC), a rigorous vetting, and Know Your Customer thing to limit that, but you'll never eliminate it entirely. Therefore, you need to have some kind of monitoring, verification, and enforcement mechanism that maintains that trust. Those are all part of how we get from here to there and how we do that in a scalable way and leverage what we have in terms of associations and contacts and such are the critical things that we need to work on going forward.
Rebekah Johnson: One thing that we've learned, at least in the U.S. in deploying STIR/SHAKEN and the analytics too, is I don't see the standards being deployed without some form of analytics too. There has to be some intelligence sitting on top of this data that is being received on the terminating side. We've learned over the years that there needs to be some kind of remediation process for when things are wrong because it's going to happen. Even though this is all technology, humans are still the entry point for the data, therefore, there will be some challenges there.
Has there been any discussion, or thought, or consideration to international remediation?
Jim McEachern: I've been hesitating because there’s nothing formal or nothing official. It's the kind of thing that I've been thinking about and talking with people about. The answers are not there yet, but a couple of things are clear. One is that there's no entity that you can delegate the problem to. In a U.S. context, you can go to the FCC and the FTC, and the FBI, and there are a bunch of people who own bits of the problem. Depending on how it unfolds, they can own the problem.
When you go internationally, there are a couple of things that are close but nothing that fits and that's going to do that credibly. As a result, you need to look at this a little bit differently and look at groups of people, things like the EU, which is great for a group of countries, though it doesn’t apply globally. You’ve got various organizations, whether it be ATIS or i3forum or several associations, that can bring together people to collectively manage that trust and remediation, and potentially, even commercial entities that can be part of that.
All of those are going to be part of the solution, but unfortunately, it’s going to be something you're going to have to work out and coordinate as opposed to being able to point to the policeman.
Rebekah Johnson: For those who are listening, you mentioned getting involved with associations, can you just list some of those that are involved that people can become members of and participate in solving this as a whole?
Jim McEachern: Unfortunately, the main people who are defining the SHAKEN requirement, obviously STIR comes from the IETF (Internet Engineering Task Force), so you can do that. For those who aren’t familiar with it, STIR as defined by the IETF is a protocol and a set of tools. But like any set of tools, you can do all kinds of things with it, and it's so flexible that it’s hard to have two independent implementations work together.
What SHAKEN does is it takes all these ways you could do it and it says, we're going to do it this way. When you define, nail down, limit all the options and variables, you get something that actually will work together. The only people who are defining SHAKEN are ATIS and the SIP Forum through the IP-NNI Task Force and are driving that forward.
Now, we have been reaching out and coordinating with regulators in Europe and with a variety of associations, but, again, that's just coordinating with them and sharing information with them. We were talking earlier about how just before COVID hit, I was set to go to Portugal and talk to a bunch of the European regulators about how STIR/SHAKEN could apply to their network. Alas, that did not happen but it’s what we’re trying to do.
Rebekah Johnson: Something I didn't think of until just now while listening to you talk, and maybe you have an answer, maybe you don't, but it's just something to watch for. In the U.S. we have the TRACED Act which does touch on a standard for STIR/SHAKEN and the Caller ID Authentication Framework. I have always been a little leery of laws that are tied down to the standards because the standards need to be able to change and they do they need to change quickly.
Do you see other countries doing the same where they may pass rules, regulations, or laws that touch on the standard? If we have that, I don't know how we have this single standard having to meet multiple country's laws.
Jim McEachern: I have the same concern when I see laws referencing standards and technologies. I share that concern. First of all, there are very few countries, other than the U.S., that have passed legislation that demands dealing with robocalling. I don't believe that any of those have specifically called out STIR/SHAKEN the way the U.S. has come close to doing. But even if you don't have it in the legislation, one of our big concerns is that if every country tackles the problem in their own way, then it might work for all calls within their country, but we all know that that's only a small subset of the problem because it won't work between countries and globally.
That’s yet another reason why ATIS, and me personally, have been actively reaching out to communicate and to share information with as many people as possible and make people understand. The fact that the U.S. has deployed SHAKEN does not mean that SHAKEN is a U.S.-specific technology. You can tweak it to your individual needs in terms of the governance while ensuring that at the bits and bytes at the protocol level it will work cross-border. We can embrace and meet your local needs.
Rebekah Johnson: This is a standard that has been in the works for quite some time. Before the FCC’s Robocall Strike Force put it in the media. I think that's the point, when the media got a hold of it we started seeing news articles about STIR/SHAKEN but it's been in the works for a while.
Jim McEachern: Absolutely, it had been in the works for a year before the Robocall Strike Force was launched. That was the moment where we went from pushing this cool technology and, after the meeting, to worrying about how it was ever going to be deployed in networks. We went from pushing on a rope to holding onto a rope for dear life as it gathered steam and took off. That changed the whole dynamic.
Rebekah Johnson: From what I’m seeing just looking at the U.S. and our deployment and the carrier’s ability, a lot of things are just limited by the technology and infrastructure. I don't see anyone disagreeing with the standard or refusing to do it. It's more a matter of the resources, the infrastructure, and the technology to be able to move this forward and that adds a lot of time. I see other countries who are going to be facing the same challenges so we're looking at years, maybe a decade?
Jim McEachern: Globally, it will definitely be years. Again, we’re still thinking about how to communicate internationally and then trying to make that be years and not decades. I don't think there’s any reason why it couldn’t be a question of years. But it is going to be years. When I talked to people a couple of years ago they would tell me we’ve been working on this for so long and ask why we can't deploy it. My analogy is when you deploy this in your network, it is going to touch every piece of the network for every single call. If you don't think about it very carefully and get it right you could crash the entire PSTN. It might be somewhere between annoying and good if Facebook crashes for a week but if the entire telephone network crashed for a week, that would have an impact.
You do need to be careful and make sure you test things very carefully and that's why it takes some time. But we are learning because we now have some real-world deployment that we didn't have before this was deployed in the U.S.
Rebekah Johnson: Jim, to summarize all that we've covered today, I want to allow you to give us the 3 top considerations to make with regards to International STIR/SHAKEN deployment and making it successful.
Jim McEachern:
Rebekah Johnson: I want to pause on that quickly because in prepping for this, that was a topic you and I both agree upon. But I think in part of the shortcuts for implementing STIR/SHAKEN we're seeing people getting further away from the source of truth. I think this whole thing breaks down if we're not making sure and maintaining that we are identifying who is the entity behind the calls, the entry point onto the network, and carrying that through to termination.
Too much of what I'm seeing is the objective seems to be getting A-Level attestation at all costs and we are just unraveling the value of all of this hard work and implementation. I think this is an opportunity for you to get this on the record with how important that is.
Jim McEachern: It is, we have long involved debates about that, so we all agree. You need to expand as much as you can without compromising the integrity. The only thing I will say is that if you have a robust monitoring and enforcement mechanism underpinning it, you can expand it further. Where we get into the gray zone is people are expanding it ahead of that enforcement on the assumption that enforcement and monitoring will come; we just need to make sure that it does come. We also need to tweak based on experience because if we don't, we could end up somewhere we don't want to be.
Rebekah Johnson: That’s right. So I believe we have some questions.
Molly Weis: This one comes from the Netherlands: how are the U.S.A. and Canada interacting with European countries to bring the standardization effort forward?
Jim McEachern: By having a series of meetings and educational discussions, again, I've been talking with the European regulators for several years on that, we continue to talk with them. At this stage, it’s sharing information and coordination as much as you can.
Molly Weis: Do delegate certificates have a benefit in the world of cross-border communications?
Jim McEachern: Delegate certificates have a benefit in SHAKEN within a country. They allow you to extend even closer to the origin, reliably, by having the enterprise use a delegate certificate sign at the source. Plus, they can use rich call data (RCD) to put a calling name and other information in it. Once it gets to the originating service provider, it’s turned into a standard SHAKEN PASSporT. When you get to the cross-border, it is already going to turn into the standard SHAKEN, it just will have benefited at the source from the delegate certificates.
Rebekah Johnson: I’m going to add to that. On the delegate certificate, the whole point was for elevating the attestation; it's an origination solution. That's where it sits, that's the value that it has. Let’s not make it more than what it is. That's why everything Jim just said makes sense on international standards.
Molly Weis: Can international service providers receive signatures at the U.S. border for calls originating outside of the U.S.?
Jim McEachern: A U.S. carrier at the border can, with some limitations, provide attestation for an international call and can, technically, even provide full attestation, but only if it was the originating service provider that carried the call from the origin to the U.S. border. In other words, before the U.S. border, only one carrier had been involved and therefore that carrier knew it could trace right back to the origin meaningfully. You can get that, but that’s a tiny percentage of international calls. So it's a “Yes, but…”
Rebekah Johnson: Jim, thank you for joining us on Tuesday Talks. We'd like to thank all of you for joining us for another episode. We hope to see you again on Tuesday, September 21st for Part Two of our International STIR/SHAKEN series. Thank you.
Jim McEachern is a Robocall and SHAKEN expert and consultant and Member of the Alliance for Telecommunications Industry Solutions (ATIS), a standards organization that develops technical and operational standards and solutions for the ICT industry.
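As an added illustration of the cross-border mechanism Jim describes (not code from the discussion or from any SHAKEN implementation), the model below treats each country's trusted CA list as its root of trust: a terminating verifier walks the signing certificate's issuer chain up to a CA on its own list, a Canadian-signed call fails in the U.S. until the two lists are merged under a bilateral agreement, and the pairwise count shows why that approach does not scale to about 200 countries. Country, CA and provider names are constructed.

```python
"""Model of SHAKEN's root of trust and the bilateral trusted-CA-list merge.

Constructed illustration: certificates are plain records with a subject and
an issuer, and a terminating country verifies a signed call by walking the
chain up to a CA that appears on its own trusted CA list.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # issuer == subject marks a self-signed CA root


@dataclass
class Country:
    name: str
    # The governance authority / policy administrator's list of approved CAs.
    trusted_cas: set = field(default_factory=set)


def chain_to_trusted_root(leaf, pool, trusted, max_depth=5):
    """Walk issuer links from the signing cert; True once a trusted CA is reached."""
    cert = leaf
    for _ in range(max_depth):
        if cert.issuer in trusted:
            return True
        if cert.issuer == cert.subject:  # self-signed root that is not on the list
            return False
        cert = pool.get(cert.issuer)
        if cert is None:  # broken chain: issuer certificate unavailable
            return False
    return False  # chain too long


def verify_call(signing_cert, pool, terminating):
    """Terminating-side check: does the signature chain to the local CA list?"""
    return chain_to_trusted_root(signing_cert, pool, terminating.trusted_cas)


def bilateral_merge(a, b):
    """Both governance authorities trust each other: union of the two CA lists."""
    merged = a.trusted_cas | b.trusted_cas
    a.trusted_cas = set(merged)
    b.trusted_cas = set(merged)


def bilateral_agreements_needed(n_countries):
    """Pairwise agreements for n countries: n*(n-1)/2, about 20,000 for 200."""
    return n_countries * (n_countries - 1) // 2


def demo():
    """Canada -> U.S. call before and after the CA-list merge; names are made up."""
    canada_ca = Cert("CA-STI-CA", "CA-STI-CA")
    us_ca = Cert("US-STI-CA", "US-STI-CA")
    telco_north = Cert("telco-north.example", "CA-STI-CA")  # Canadian provider cert
    pool = {c.subject: c for c in (canada_ca, us_ca, telco_north)}
    canada = Country("CA", {"CA-STI-CA"})
    usa = Country("US", {"US-STI-CA"})
    before = verify_call(telco_north, pool, usa)  # Canadian CA not on U.S. list
    bilateral_merge(canada, usa)
    after = verify_call(telco_north, pool, usa)  # now passes
    return before, after


if __name__ == "__main__":
    print("before/after merge:", demo())
    print("agreements for 200 countries:", bilateral_agreements_needed(200))
```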