- STIR/SHAKEN Call Authentication
- Governance Authority
- Certification Authority
- Policy Administrator
- Know Your Customer (KYC) Vetting
- Rich Call Data (RCD) for Call Signing
- Illegal Number Spoofing
- Delegate Certificates
Mentioned Organizations
- Alliance for Telecommunications Industry Solutions (ATIS)
- The North American Numbering Council (NANC) Call Authentication Trust Anchor (CATA) Working Group
Pierce Gorman: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Pierce Gorman, a Distinguished Member of Numeracle's Technical Staff, here to do a Tuesday Talks takeover as your host for Part II of our Global Call Authentication Domination series. We seem to be setting new precedents for this podcast every time we come together for this series, and today is no different.
Today's session will be co-hosted by Eric Priezkalns, Chief Executive of the Risk and Assurance Group and Editor of Commsrisk.com. We're adding a third guest speaker to our lineup for the first time on the podcast. Jim McEachern of the Alliance for Telecommunications Industry Solutions, better known as ATIS. Welcome to you both.
Eric Priezkalns: Thanks for having me on the show, Pierce.
Jim McEachern: Pleasure to be here.
Pierce Gorman: Building off the past two episodes in this series, we talked about the internationalization of STIR/SHAKEN call authentication technology, rich call data call authentication, and a little about delegate certificates. That last piece on delegate certificates is a piece that we don't often talk about with call authentication, but it's a critical piece.
Jim, I know that you've been active in the past working on, what I call, the Global Governance Authority, Policy Administrator, and Certification Authority Framework, sometimes just called Global GA/PA/CA. Do you want to get us started and talk about what that initiative was and what it's supposed to do for global call authentication?
Jim McEachern: I can do that, but I want to step back first. You said this episode builds on the first two episodes, so I went back and listened to them in preparation for this. When I listened, I found that I almost agreed with everything that Eric, in particular, said. Almost agreed. If I explain where I didn't quite agree, it might help set the stage for this talk and hopefully make for an interesting dialogue between us as we go forward.
The first issue I had was that Eric objected to the term 'No Silver Bullet Solution' because he thought it implied that we were taking a scattergun approach and just trying to do a range of technologies. The problem I have with that is that talking about a silver bullet implies that you're looking for the solution. The silver bullet solves a problem, and it's gone. End of discussion. And that's just not what STIR/SHAKEN was intended to be. It's not a complete solution; it's a tool. It's a tool that can help but doesn't completely solve the problem. So you need to think of it as tools, and that helps.
The other thing he said was that technology wouldn't solve the problem all by itself without enforcement. Agreed. Where I slightly disagree was when he said that instead of playing whack-a-mole, we should be thinking about this as cat-and-mouse. I don't for a second believe that if we took out the top five robocallers in the world, the problem would be solved. I don't think it would be solved if we took out the top ten or 100. If there's money to be made, it will bring them back. What we need to do is not play either cat-and-mouse or whack-a-mole, but in fact, try to change the playing field.
Right now, robocallers have an advantage, and we want to change the playing field so that we have the advantage and make it harder for them to make money and make it easier to catch them. If you think about STIR/SHAKEN in that context, I believe you have a better way of doing that. What I mean by changing the playing field and building on STIR/SHAKEN as a foundational tool is moving towards what you talked about last week with Rich Call Data (RCD) building on STIR that extends STIR/SHAKEN outward to the enterprises. That allows them to provide basic authentication and confirmation of who they are and why they're calling and provides a real value to them by being able to authenticate themselves to the consumers, which hopefully will help with the uptake of that.
Of course, the discussion about going global leads us into today's talk. Today, you can get certificates if you're a US or Canadian carrier. Sometime next year, French carriers will be able to get certificates. But you need to go way beyond that, and that's where globalization becomes important. The standards have given us insight into how we could do that. The question is not how we could do it but how we will do it. I believe we just need to get on with it and do something that improves the situation.
I'll pause and let Eric talk, and then we can get into the specifics of the global GA/PA or build this out in more detail.
Eric Priezkalns: Well, I'll defend myself a little bit. Partly because I don't think I was specifically critiquing what you were saying in the past, Jim. I think you are unusually precise in your choice of words when talking about STIR/SHAKEN, how to stop robocalls, and what's happening in the USA. I think other people are a lot less precise than you, Jim, and I don't think they are necessarily doing that because they lack an understanding of the strategy. I think it's in their interests to be a bit vague, confused, or obfuscate some of the issues.
As we discussed in Episode 1 of this series with Pierce, my point, in terms of law enforcement, is it seems to make very little sense to spend a lot of money and require a lot of effort to determine who is the origin of a robocall if you have no intention of taking any legal action against them that, therefore, would discourage them from continuing to do that. You may feel as though targeting the top five or top ten, I didn't say that specifically, but you may say that doesn't have an impact. I would say, why not try for a change? Let's lock some people up and see if it has an impact, rather than dismissing the possibility that it has an impact.
You, I have to say, have been very precise about your choice of words. I think I'm going to recall a publication that quoted you and Brent Struthers on February 14, 2019, in New York Magazine, which told its readers that we are witnessing the beginning of the end of robocalls and that by the end of 2019, spam phone calls could be on the ropes. My point here is not that you have misled anybody because they accurately reported what you told them.
But some people want to run away, make claims, and promise results that haven't been delivered so far and probably aren't likely to be delivered the way the US strategy is being executed. That then leads to a problem because if the messaging to the US public is confused, the messaging for the rest of the world is also confusing.
Pierce Gorman: I'm going to tag on that too. I had a conversation recently about STIR/SHAKEN with you, Eric, in an email where I said that some would claim that the value, reason, and purpose of STIR/SHAKEN was to combat number spoofing. That STIR/SHAKEN was going to prevent number spoofing, and that was going to be the thing that saved people from the scourge of illegal robocalling or the worst aspect of unlawful robocalling.
I commented that it certainly won't because the numbers get spoofed before the call gets signed. It's also very difficult; I went into some detail about how hard it is to know from a call signer's perspective whether or not a number that came in off a trunk should have been there. So in my view, STIR/SHAKEN call authentication, which operates between signing carriers and verifying carriers, is only useful to improve the performance of TRACED Act to find who signed the call. Now, that may not get you to the service provider that originated the call because a couple of things are happening.
One is the STIR/SHAKEN deadlines have not expired yet. June 23rd, 2023, is the deadline for the smaller service providers that were given a waiver in the original rule that required it. But then there are also service providers that have downstream service providers sign on their behalf, which obfuscates their source.
The bottom line is the value of STIR/SHAKEN, at least from this engineer's perspective, is traceback and identifying the originating service provider. It's only valuable if you try to prosecute them for bad behavior. Whether it's 5, 10, or 100 illegal callers, if you're not doing anything, you probably didn't need to bother developing and deploying this technology except that it also provided the enabling framework for doing more interesting things.
Jim McEachern: That makes sense. And Eric, I don't disagree with anything you said. All I can do is try to be as precise as I can on this, and I will continue to do that. Despite that, I believe this is an enabling infrastructure that can help as we extend it forward. Otherwise, I wouldn't be here.
Eric Priezkalns: It's a classic problem of expectations management.
Jim McEachern: I agree 100% with you, and I've said that in public many times. One of my biggest fears is that people will expect more from this than anything could ever deliver and then declare it useless when it's only halfway there. This is not the first time I've said that.
Eric Priezkalns: When we put this into an international context, the danger is falling into a trap where over-promising is needed to encourage other countries to adopt the same technology because that's essential to the success of the US strategy. But overpromising leads to cynicism when it doesn't deliver quickly enough in those countries, and other countries can see there haven't been the promised results. That's the trap I feel this strategy is now falling into.
Jim McEachern: That is a trap. I think the whole discussion about Rich Call Data (RCD) and the fact that it can provide real value to enterprises to prove why and how they're calling. That creates a pull for it as the potential way forward or as a catalyst to move this forward. One of the significant gaps right now is that if those enterprises are not in Canada or the US, they can't do that. This brings us back to talking about how we can allow service providers and enterprises globally to get their calls signed and hopefully create that.
Eric Priezkalns: I get why this is twinned in your mind, though I would say strategically, we're looking at a very different argument for RCD based on what Pierce and I discussed in the previous episode. The big difference is that if RCD is seen as a premium-priced mechanism for enterprises that want their calls picked up, they have the reason to allocate resources to positively support a roll-out program. Because they'll see the benefits and put sufficient resources in place for adequate Know Your Customer (KYC) controls because they'll want RCD to work.
That's very different from a policing-style strategy where everybody has to adopt STIR/SHAKEN, which is currently the mindset driving STIR/SHAKEN. If there are some bad actors in the system, they undermine faith in the entire system. It's a different point of view regarding whether the goal is to incrementally increase the number of people showing their calls as trustworthy versus a big bang approach that requires everybody's calls to be validated simultaneously.
Jim McEachern: I hear you. What I'll say is that's never been my strategy. Of course, people aren't checking with me about the strategy, so I can't take full credit or blame for that. But I agree.
Pierce Gorman: We can also all agree on what I've been calling it: it's an experiment. In theory, if we have really good traceback information available and we can improve the performance of that traceback information, the signature in the call, it could be more effective. The example that I'll share from David Frankel, who used this example with me in a conversation, is that if you were to park your car at the end of San Francisco International Airport and start broadcasting on the tower frequency, it wouldn't be very long before gentlemen with badges would show up and escort you away because you're doing something that you shouldn't be doing.
The FCC has radio frequency finding equipment that they use to identify where there's going to be a problem because of a conflict. Imagine the automation of traceback could be done at that level, with the information available in the registration of the service provider doing the signing, who had to register with the Policy Administrator and in the FCC's Robocall Mitigation Database. If that information is vetted and reliable and they initiate a robocall campaign, analytics can pick it up probably within minutes. The identification could also be automated, perhaps within minutes.
So you could imagine a situation where illegal robocalling, or I should say service providers that are admitting illegal robocall campaigns could have a knock on their door the same day as the start of the campaign. Now, that would be running at optimal performance. Will we ever get there? It's tough to say. Many things have to happen between now and when we could reach that point.
But it's what you said, Eric, everybody has to do it for it to work, and you have to do the knocking on the door. You have to prosecute. If you don't do that, then the strategy is absolutely going to fail. At least, that's my opinion.
Now, back to the other thing I enjoy more: rich call data. I don't like the idea of prosecuting; I like the idea of a caller asking permission. The SIP method is called an INVITE, so it's like you're inviting somebody to a session. If you could provide information about yourself that's reliable and trustworthy and that has been vetted, then maybe your call will more likely be answered. That's what rich call data is supposed to do.
Whether you're doing rich call data or STIR/SHAKEN, a certificate is associated with a public key to verify that signature. As Jim pointed out, that's available in the United States and Canada, and it'll be in France next year. But what do you do for the rest of the world? So, Jim, what do you do for the rest of the world?
Jim McEachern: Basically, there are two strategies. There's the carrot and the stick. Eric, you're focused on the stick, and that's great, and I hope we enable that. But I'm focused on the carrot. They're not incompatible. So hopefully, we can do it. What do we do about it globally? The North American Numbering Council (NANC) Call Authentication Trust Anchor (CATA) Working Group looked at this in some detail in the report this summer. There are a couple of ways to go beyond Canada and the US.
The first way is one country at a time, and that's fine, but that will take forever or certainly long enough. Eric, I think you're right; people will have lost interest before you get all the way there. The other approach is you find an entity that can be the definitive Global Authority for the world. The problem is, and again, this was in the report, when you look at the usual suspects for that type of Global Authority, they all have a constituency that fully supports them.
Still, they all have limitations and people who absolutely refuse to go there. You quickly conclude that searching for the one everyone's going to support is a fool's errand and will let you down. Instead, you need to recognize that there will be multiple authorities that are not tied to a single country. You could call them global, but that implies it is global. We're starting to call them Non-jurisdictional GA/PAs (Governance Authority & Policy Administrators), so they're not tied to any given country. There can be more than one of those, but they need to be reputable, recognized, and trusted by the US, Canadian, and French GAs (Governance Authorities), but they can go forward. That's the approach that we're taking.
Again, we've talked about this in past conferences. Still, ATIS and iconectiv connected, and we are working on launching one of those that will allow service providers in countries that aren't currently covered to get certificates. If they are trustworthy and have been vetted, they offer the services to enterprises that have gone through Know Your Customer (KYC) efforts and have also been vetted so they can have signed calls. It will not solve it everywhere and will not fit into the stick side of it so much, but it will enable the carrot, hopefully creating a pull for that. So that's what we're trying to get on with, and hopefully, it moves the yardsticks or meter sticks.
Eric Priezkalns: I don't know where to start. Somehow, because everything you say is perfectly reasonable, it is ultimately about how many people, how many countries, and how many businesses buy into any plan. That is why I keep saying elaborate the plan and be clear about what the plan is. The plan is also sometimes confused with the technology. I agree with you that STIR/SHAKEN is a tool, but it is a tool, not a plan. A tool is not a strategy. A tool has a place within a plan and a place within the strategy because you intend to use the tool in specific ways.
I think it's interesting that right now, when we're on the cusp of having an American become the new Secretary General of the ITU (International Telecommunication Union), so in a way, you're saying, Jim, that you've given up on the United Nations for dealing with this problem. I don't mean to be flippant, but why wouldn't the United Nations be precisely the right kind of body, you might think, to deal with this kind of problem? I mean, if you want somewhere that everyone is represented and they send engineers from all over the world to the ITU, Jim, you would think that perhaps that might have a chance or at least to deal with this problem.
Jim McEachern: I can't speak authoritatively on that, but there are two catches I can see. One is that the ITU develops standards as opposed to creating the governance structure. They're not entirely different, but they're not the same. The other is that this is very much in the IP domain. While there's total recognition that the ITU is the authority in the traditional telecom domain, when you go into IP, it is my understanding that there are significant objections. I understand that it overlaps, but that's only part of it. I think that's the catch, as I understand it in the discussions I've seen.
Eric Priezkalns: Fair enough on that. I would also say that the difficulty in transposing governance from traditional telephony to IP-based networks is the rub. Either way, that could be applied to several practical problems, too, including whether we deal with spoofing or not or how well we deal with authentication. The other thing I would say is that, with the carrot in mind incentivizing people, yes, there's a logic for rolling out STIR/SHAKEN more generally, but then there are other ways that can be used to achieve some of the goals that STIR/SHAKEN could be used for.
If it isn't a comprehensive global policing type of strategy being adopted, you could seek to pursue specific carrots using different tools and methods. I'll draw your attention to the fact that Deutsche Telekom recently increased its ownership of T-Mobile, your old company, Pierce, to just over 48% of the shares. You don't tend to get up to over 48% if you're not planning to get over 50%. Right now, Deutsche Telekom is trialing a technology that is an out-of-band approach, distinct from the approach that ATIS has standardized, that would solve many of the same problems.
I can see there a very simple boundary that exists somewhere in Germany, especially if those Germans are now entertaining control of T-Mobile, where people will say there is a new front line between one technology that's used to achieve this goal and the different technologies used to achieve this goal, and choices need to be made.
Of course, when it's a carrot-type approach, it could well be that we end up in a very multipolar infrastructure for our technology when digital signatures aren't used consistently across different countries. There will be some intermediaries, like Deutsche Telekom, who will play the part of the go-between in determining which calls are acceptable or not.
Jim McEachern: Certainly, we have concluded that we have to accept the possibility that there will be multiple solutions but that, of course, you need end-to-end interoperability. There would need to be interworking or translation between those. That's something that we fully recognized.
The one thing I will say that I strongly believe in is that anything that is put forward in a meaningful way has to be standards-based. If the approach is standards-based so that multiple people can implement it and multiple implementations can interoperate, then that's a totally legitimate discussion.
When we get into the domain of product offerings, that's where I personally have heartburn. The other thing I will say is that I've looked at several other solutions that have been proposed and mechanisms that have been proposed. They were standards-based, and the only area where I really get annoyed or upset is when people talk about these as being simple.
The reason I object is, for example, because of what we've had with STIR/SHAKEN. When you don't know much about a thing, it may look really simple, but as you understand it better and better, you realize that it's difficult to do well. Pierce, you're old enough to remember when SIP was considered this wonderfully simple thing. As long as people don't call them much simpler solutions, then we can see.
I think we've given up on the idea of a definitive mandated global approach; that just doesn't fit our world. It would be nice in some ways, making our job easier, but that's just not how things work.
Eric Priezkalns: I don't have a dog in the fight about simplicity. I want to point out that cost will be a big factor in how techniques get adopted worldwide. Especially as you want countries that are not as well equipped as the USA to engage with this. Because you want the countries that are the origin of fraudulent calls to be engaged, the cost will be very important in terms of which technologies are successful for people without cost.
Pierce Gorman: Though your indictment from the very first podcast is still correct: if you're going to do STIR/SHAKEN between carriers, where they're signing, and you're verifying, and you identify that there's somebody sending you illegitimate calls, what are you going to do about it?
Even if you get a global GA/PA/CA and issue certificates, what if Deutsche Telekom doesn't like AB Handshake and then decides to do STIR/SHAKEN, what are you going to do if you identify that there are bad calls coming? I'd like to make a quick comment, Jim, that it would be great if you could elaborate more about what Eric challenged you with on what the ATIS and iconectiv proposal will do.
One of the questions in my mind, for instance, is that access to certificates is restricted within the United States, so you have to be a service provider or responsible organization, or you have to be a telephone number management company. That is actually going to be a challenge when people want to do rich call data with delegate certificates, and there's also a challenge with doing RCD and SHAKEN.
But anyway, there needs to be some elaboration about what gets in there and how that's reliable and trustworthy.
Jim McEachern: That comes down to a KYC initiative applied to the service provider. It involves knowing they are who they say they are, including multiple implementations under the same umbrella, and establishing your reputation and technical credibility.
I will say that it is very similar to the approach Canada is taking to allow service providers who don't have direct access to numbering resources. So it's the same thing where you vet them using those principles. I can go into pages of detail offline if anyone wants, but that's the essence of it.
Pierce Gorman: We have a question from the audience that I'm supposed to ask Jim McEachern. How does US unwillingness to sunset TDM impact the prospects for global adoption of SHAKEN?
Jim McEachern: Two quick things before we run out of time. One is that ATIS has a non-IP Call Authentication Task Force that works on mechanisms that would work for non-IP TDM networks. It's not complete, but it is working on that problem. The second thing, of course, is that even if you solve it completely in the US, you still have a lot of TDM globally. I believe that for this to be useful, either as a carrot or a stick, you need to go global; therefore, it's just one piece of a much larger puzzle.
Pierce Gorman: We'd like to thank all of you for joining us today for another episode of Tuesday Talks. This was a great session to have our first three-way conversation on this podcast, and perhaps it won't be the last you'll see of all three of us. All right, thank you.
Pierce Gorman has helped shape the standards, architecture, and deployment of technologies critical to the continuous advancement of the telecommunications industry. He most recently worked at T-Mobile, responsible for voice architecture development for VoIP robocalling protection and STIR/SHAKEN call authentication design and standards development. During his 30-year tenure at Sprint, he drove cooperative development and implementation of next-generation voice and VoIP signaling, routing, and services architecture.
Pierce is a member of four ATIS working groups, all three of the FCC's NANC Call Authentication Trust Anchor (CATA) working groups, the STI Governance Authority Technical Committee, and the CTIA Technical Committee in support of the Registered Caller branded calling initiative. He has also actively participated in the US Telecom Association (USTA) Industry Traceback Group, SIP Interconnection Working Group hosted by NTCA, and the Internet Engineering Task Force (IETF) Secure Telephone Identity Revisited (STIR) working group.
Eric Priezkalns is the Chief Executive of the Risk & Assurance Group, an international association of telecoms professionals concerned with risk management and business assurance. Many people also know him as the Editor of Commsrisk.com, a website that has presented news and opinion about risks faced by communications providers since 2006. Previously, he was a senior manager and business consultant specializing in risk management and business assurance for telcos.