Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I’m Rebekah Johnson, Founder and CEO of Numeracle, and I'll be co-hosting today’s session with Anis Jaffer, Chief Product Officer at Numeracle.
It is great to get back together again, it's been a long time.
Anis Jaffer: It feels like it’s been months since we’ve been on here together.
Rebekah Johnson: The last time we did this together was May 4th and the only thing I really remember from May 4th had to do with Elon Musk and what was going on in space.
But since then, it’s been good. We’ve each gone off and interviewed, which is the point now that Tuesday Talks has spread its wings and brings on guests to dive into other topics where we're not always the experts. We really want to bring industry experts into our conversations.
I'm really excited though to get back together and this really is a perfect topic for today. What we're doing is recapping some of our favorite sessions from the SIP Forum 2021 STIR/SHAKEN Virtual Summit. Anis, did you attend?
Anis Jaffer: Yes, I did for the most part. There were some sessions that I couldn’t because of other commitments and some I couldn’t stand. Regardless, there were also a lot of great sessions, to be honest. Being able to get the recordings post-session is good so we can go back and listen to them when we have the time.
Rebekah Johnson: Talking with people, while I’m attending an event live, over text going, “Did you just hear what they said?!” And the responses being, “I have it up on my computer but I'll listen to it later.”
I really enjoyed this type of setup. I’m sure we're all going to get back together in person again someday, but I do like the instant replays.
Anis Jaffer: I agree. In fact, you get a lot of content through the virtual ones because you can plan your day. In person, you're constantly juggling between attending sessions and taking care of your day at work so this at least allows us to focus on both. Then, whenever you have time you can get in and out.
Rebekah Johnson: I agree. And if you didn’t participate in the event or were not aware of it, we will have links that allow you to get access to those recordings; you just have to register. This event took place from July 19th through the 23rd, featuring discussions around STIR/SHAKEN, KYC (Know Your Customer), Rich Call Data (RCD), and other emerging topics in the telecom space.
Numeracle and Aegis Mobile presented the closing session which was focused on presenting “What's Really Expected for Service Providers post-June 2021 Deadline?” Between myself, John Bruner of Aegis Mobile, Stephen Smith of Fonative, and Steve Augustino from Kelley Drye & Warren LLP, we introduced the importance of implementing a KYC-based customer vetting and verification process to ensure bad actors are identified and stopped before fraud can be committed across the voice network.
Before we dive in, one of the things I love about this particular event is that it’s really an opportunity to see the industry’s experts all coming together to talk about the topics that mean a lot to them and it's the work that they do all year long. I don't know of any other type of event where you get this many experts together where we dive into the technical details and some high-level as well. You don't have to be a technical person to attend, this covers regulatory as well, and some high-level and forward-looking conversations. But if there’s one thing that you can always count on at the SIP Forum, it’s a history lesson on STIR/SHAKEN, and this year did not disappoint.
Kicking off the Virtual Summit, the Chair of the IP-NNI and AT&T’s very own technical expert, Martin Dolly, provided an overview of the then, and now, and how we got here. Starting in October of 2012, the FTC held a workshop to discuss robocalling and spoofing. This was the collecting of the minds who apparently had some kind of monumental lunch that set standards, bills, tooling, and technologies and measures in motion to present day 2021 where we are still talking about robocalling and spoofing. This particular session covered the achievements, challenges, and technological advancements of the past 9 years. That’s a long time, Anis.
Anis Jaffer: I feel like we’ve been doing this for quite some time now, and it’s only been about 4 years now, though it feels a lot longer than that. But it’s good to hear that this has been going on and at the top of the list for this group for the last 9 years. There is a lot of good work that has gone in.
Rebekah Johnson: With this particular session, and I think this is common at least in the sessions that I’ve attended in the past, that it kicks off with a history lesson. Because we do need to remember where we came from and also acknowledge the achievements that have been done because we get stuck in that wheel of constantly working and wondering when it’s ever going to come to an end and if we’ve done anything good. This particular session outlined and paused for a moment to acknowledge what has come about.
Some of the key points that they covered, with regards to the technologies and advancements, are a lot of the activities around vetting and TN validation. So, we have the telephone number registry for a central location, for all vetting, we've discussed delegated certificates for enterprise validation and the distributed ledger. Throughout the week, each one of those particular topics was talked about a little bit deeper. We also acknowledged the brand calling service side, enhanced user displays such as RCD, and out-of-band solutions. On the standards side and the advancements there and also in the technology and POC.
So it’s good to acknowledge that we are working and there is something being produced. But, as always, there are some areas to watch as well. We still have concerns, topics, and issues that need to be addressed.
One thing that I thought was interesting, and Anis and I are a bit removed from this, but there was a statement made that the bar for CA token issuance is lowering. That’s a little concerning, especially when we talk about a framework for trust. I don't know if you had any thoughts on that. I don't know what this technically means about the bar being lowered, but clearly, there is something that's coming about with regards to that as we move forward.
Anis Jaffer: The big difference between how Canada is implementing STIR/SHAKEN versus the US could be a driver. As you know, in Canada the PA and CA was a combo solution and the vendor was picked to both, so that could be a reason why the CA token process requisites are lower. I don’t know though, I’m just guessing so maybe this is something we should get somebody from Canada to talk about this. But there is a definite difference between how Canada is implementing, in terms of the vendors, versus what we have in the US. Also, in Canada, they have more TDM players so we also have to look at how the TDM carriers are looked at when it’s rolled out.
Rebekah Johnson: Another area to watch, with regards to the vetting and TN validation, comes down to which one is going to dominate the ecosystem, and which one will fade away. I think from this year versus last year, there's a lot of concepts that were being presented. This year it seems like there is more solid proof of evidence for which model works. Some are still in the infancy stages for vetting and TN validation but you could see some maturity that's occurred in the ecosystem. But it’s still a game of which one gets the most adoption. I think we’ll still live in a world where there are multiple solutions vetting and TN validation and we'll figure out how to work in that environment, but I definitely think some will fade away. That’s my opinion.
Anis Jaffer: And remember, this is the first session after the June 30th deadline so there were some data points that were shared as a result of the deadline passing from some service providers implementing some of these solutions. My observations were that there were some underlying themes, definitely identity, trust, vetting, verification, and then branded calling and enhanced call display. Those were the high-level themes of all the sessions that were presented.
I also think that is a result of getting past the deadline and now the solution providers are looking at how to implement this at scale and what else they can do once STIR/SHAKEN has been implemented. To me, that is the branded calling solution and identity-based services, whether it is validation or vetting, or authentication. That’s what I saw the themes of the sessions were.
Rebekah Johnson: Speaking of implementing at scale, the other third theme was the international signing of calls. International call signing is definitely taking center stage. With this year’s keynotes titled, “The View from Canada,” and, “The View from the Netherlands.” Trust, which is a topic of discussion this year, and albeit sometimes it’s a discussion on why someone shouldn’t trust, but I couldn’t help but wonder as we were hearing from the other countries that are implementing STIR/SHAKEN and what their motivator is behind why they are implementing this. We have a lot more trust issues to focus on and figure out how to exchange this information and bring identity on a global scale.
I couldn’t help but wonder if we can’t trust each other in our own country using our own standards, will we ever advance this trust model on a global scale? I guess we’ll just have to wait and attend next year’s SIP Forum because I am pretty sure that’s when we’ll get that update from Martin Dolly. Just something to think about.
Anis Jaffer: International implementation is beginning to happen, at least in Canada we know that they’re further along than in other countries. For the other places, I think we’ll just have to wait and see. The keynote from the Netherlands was interesting. They said that the issue that we have here is not what they see there. There are subtle differences between locations and how they perceive this problem.
Rebekah Johnson: That brings me to one of my favorite sessions, and I’ll be honest, it’s because of who was presenting. I am a huge fan of Jon Peterson from Neustar, I think he is a mini-genius in this space, for sure, and that is a session that you should absolutely rewatch. With regards to that one, he covers the topic of international calls. This particular session has some really good data points, and even though the session didn’t really have answers, Jon is really good at framing the problem that we need to start talking about and driving those conversations around.
One of the key points with regards to the international signed traffic at the verification services, there is an increase of approximately 20 times, over a 10-week span of this year, of signed calls from an international. And that’s a non plus one call. A few data extractions from this evaluation included how calls are being attested. Of those international non-plus one calls that were signed, 94% of the calls were signed with a B-Level attestation. But it is questioned whether B is the right choice for those calls and then due to the consequences of signing with C, which is a topic that we have here in the US, there could be a trend that emerges of calls wanting to coalesce to at least a B. Does that bring distinction or does that just bring more uncertainty?
What are your thoughts on that?
Anis Jaffer: It’s interesting that you quoted that number. I'm thinking about another session, this was one of the analytics providers, and when they presented they quoted the same number, 94% - 95%, of the honeypot calls for determining robocalls were signed as B. Again, it was the same statistic, 95% of the calls they were seeing as B-Level attestation, which is interesting that the two different parties quoted the same number even though one was international and the other one was for the robocall honeypot that was created to capture those calls. So that’s a telling number if you ask me.
Rebekah Johnson: And they highlighted something that I hadn’t thought about, that although the standards are not clear on A, B, and C for the attestation we feel like it’s crystal clear and there shouldn’t be any doubts around this. With the guests within this session, there was a representative from France and a representative from Canada and they talked about how maybe their number planning and how they manage numbers in their country doesn't quite fit into those categories.
I think it's interesting how they're going to reconcile that because then that's a challenge for the analytics. What does B really mean? Because, Anis, you just said that there were bad actor calls based on the analytics that were labeled B attestation. So I don’t know if that means A is good.
Anis Jaffer: What I think will happen is the analytics will focus on B-Level calls, either leave and run their algorithms like how they're doing today before STIR/SHAKEN was implemented, or they will start looking at B-Level calls and you could see the spam categories and calls getting blocked if you don't have A-Level attestation. That's what I think is going to happen; they will start focusing on the B-Level calls.
With the international calls, I’m surprised they have so much traffic with B-Level because they should be signed C because they don’t know where the call is originating when it hits the US gateway. It should be C, so that’s interesting.
Rebekah Johnson: With different countries addressing somewhat different problems, we have the potential to introduce variations in implementation. But I'm worried that this just creates more murky water so we'll have to watch it. Anis, let's put on the list that we need to do a deep dive on the international calls, maybe one or two Tuesday Talks on that one and maybe get some guests to dive into that.
Let’s move on to some of the other really exciting topics. Let’s talk about the branding sessions, there were several of those. Do you have any highlights on those?
Anis Jaffer: There were a couple of sessions on that. Before we get into it, there were a couple of things that came out of the GA update that I want to highlight. The GA update session was on Friday, right before your session with Aegis, and they mentioned that there were a couple of policy changes they had approved. One was that non-service providers, like RespOrgs, can get SPC tokens. The other one was the approval for the optional use of delegate certificates in the STIR/SHAKEN ecosystem.
They highlighted these two items in their discussion and it is important because this allows RespOrgs to now use their SPC tokens to either validate their numbers and issue a delegate cert, or they could use the same system to validate as part of a registry, like the TFN registry. It's an important update in the right direction which allows the toll-free numbers and RespOrgs who use toll-free numbers to get validated.
The optional use of delegate certs and STIR/SHAKEN then allows enterprises to get delegate certs, either directly from their provider CA or their provider through a subordinate CA to a subordinate. That framework still is being finalized but the fact that the policy has now been approved is a good update in the right direction for enterprises. I wanted to highlight that before we talk about branded calling.
Concerning branded calling, there were several sessions, some of them were use cases that were presented and some were discussions about enhanced call display and how that can improve the customer experience. There were some demos of these solutions as well. What was interesting is that they did not particularly address what kind of methodology was used for the use cases, whether it was delegate certs or a centralized repository, that was not discussed.
In one scenario for one use case that was demoed, it looked like it was an out-of-band solution that was behind the scenes that was used to implement a branded name. However, if the solution works and an enterprise can leverage that model, that’s good. But what was not elaborated was the kind of technology that was used behind the scenes. There was an update on the centralized registry and that mentioned delegate certs. It seems like the models are now overlapping and whichever is best used by a particular carrier is the one that has been showcased; that’s the impression that I got.
Now, the best session on delegate certs was, of course, the one by Chris Wendt, who is one of the authors, and he had a session on trusted identity security and how delegate certs enable that. He clearly articulated why the PK (Public Key) model used by delegated secure is more secure and distributed within the STIR/SHAKEN framework, which means that the PAs, the CAs, and the subordinate CAs are all part of the same ecosystem and getting the certs issued with that hierarchy enables more trust and adds that layer of security. That was a great session talking about how to leverage delegate certs for distributed identity.
Rebekah Johnson: I even tagged that one for anyone new to delegate certificates. They did a brilliant job of explaining it and giving some really good analogies in a frame of mind that you would understand and be able to relate to. My word for Chris is, simplistically brilliant, that’s how he presents.
Anis Jaffer: He also addressed some of the common misnomers of how delegate certs are used and addressed some of those issues as well.
Finally, there was also a presentation on out-of-band, specifically on out-of-band as it relates to the STIR/SHAKEN ATIS framework. It addresses the scenarios where you have intermediate TDM switches. There’s a difference between the out-of-band that was talked about in this forum versus what Google has implemented, for example, in their Verified Caller. Here, the solution is specifically addressing non-IP switches in the call path by updating what is called a CPS, or a Call Processing Service, on both ends. On the origination side, the OSP (originating service provider) can update the CPS as part of the STaaS (Storage as a Service) function. The TSP (terminating service provider) can use the CPS to retrieve the data on the termination side. This is very interesting but it is very specific and it is targeted at service providers to leverage this model.
In the case of Google Verified Calls, as we know, it is for an enterprise to update the Google call server and then the terminating device connecting to the call server will ring. So the concept is pretty much the same, it’s just a matter of who uses it. The STIR/SHAKEN ATIS framework allows service providers to leverage the out-of-band model to transport information when there are non-IP switches in between whereas the Google solution is over the top, anyone who is making a call as an enterprise can connect and send the data to the terminating device.
We have to watch for how much adoption happens with the service provider model but at least it was discussed and presented. That was another interesting session that was there.
Rebekah Johnson: I would like to move on to a more exciting topic, which is called regulatory; I think it’s important that we follow this side of it. Anis, on the regulatory side there were several topics and the same industry leaders that we’re used to but there was one theme that, to me, was the theme of enforcement with regards to the FCC. An attorney-advisor from the enforcement bureau at the FCC discussed what the TRACED Act empowers and some of the changes that came out of that. What I see is a lot of organization going on.
From the Enforcement Bureau side, we have increased enforcement tools. There are increased penalties, a longer statute of limitations from 1-4 years, and what this does is allow for more time for case development. As they continue listing things like limiting the citation requirements for robocall cases, they expanded the scope of who the Enforcement Bureau can go after... I couldn’t help but think, as a CEO, there are three buckets: resources, time, and money. To me, it was very clear that what the enforcement side has been given is time and perhaps some more resources such as through the Industry Traceback Group (ITG).
So there was some organization going on there, specifically on the Traceback Act with the portions of the call blocking. It resulted in cease and desist letters from the enforcement bureau and that is a statement needing to clean up your act and that is a direct quote from the enforcement bureau. Those letters mean, you need to clean up your act. Two obligations come out of those letters:
- You need to investigate and mitigate the identified traffic within 48 hours. While more time is given to the enforcement bureau, less time is given to the bad actors.
- Implementing measures to prevent new and renewing customers from using their network to originate illegal calls.
It was clear that the initiatives for identification of bad actors, and those service providers enabling them, along with organization across bureaus, technology leaders, and associations, is a focus from the FCC’s Enforcement Bureau.
Clearly, the Enforcement Bureau is preparing to execute its enforcement power in a streamlined, repeatable, and effective manner. They are being empowered to succeed; this isn’t something new for the Enforcement Bureau, they are leveraging years of experience to define that path forward for the FCC, and ultimately, consumers, for their protection. What I would say is, they built the stick and now we watch and see who gets bumped on the head.
Speaking of enforcement, and that last point in the cease and desist letters, the last topic that was discussed is KYC (Know Your Customer) and I'm going to be a little greedy and talk about our session very quickly. We rounded out the SIP Forum with a topic on Know Your Customer. You've heard us talk about it on Tuesday Talks so I'm not going to rehash what we’ve discussed but I will call out and mention what a great platform this was for us to participate in. It was all worth it when we received a notice from somebody who attended our particular webinar and found themselves in a situation where they were delivering some bad traffic. Because of what we walked through with each of our panelists, they knew exactly what they needed to do to address this, and that’s powerful, that's what I want to see.
Molly Weis: Our audience question is: STIR/SHAKEN certificates are not available to international operators outside the USA. So, to register in the Robocall Mitigation Database, I can only add a Robocall Mitigation Plan. Based on this, how will AT&T, for example, know that the call came in from my carrier if I'm three intermediate carrier hops away from AT&T?
Anis Jaffer: If the originator is an international originator when the call lands at the US gateway, the US gateway needs to sign the call with a STIR/SHAKEN cert. Otherwise, AT&T wouldn’t know when they received it. Again, if there is an intermediate TDM, the cert could get lost, that's the reality of the situation today. It's going to be very difficult for AT&T to figure out if the originating service provider was two or three hops away from the US gateway. Now, if they are using the US gateway and are signing the call, and the call is taking an IP route and is landing at AT&T, they will know who they are or who signed the certificate.
Rebekah Johnson: That is all we have time for so we’d like to thank all of you for joining us today for another episode of Tuesday Talks. We hope to see you all again on Tuesday, August 24th. Take care.