The number of robocalls continues to increase and has become a drain on time and money. Initially, businesses used automated calls to keep the customer informed upon request; for example, a pharmacy would send notifications on your prescription. However, increasingly, automated calls are being used by illegitimate businesses to scam customers.

Furthermore, the COVID-influenced situation has led to the rise of more scammers. Between 2019 and 2020, there has been a 30% increase in the amount of money lost due to such phone scams. Nevertheless, robocalls cannot be fully eliminated because it is still considered an effective way to reach customers at scale. To make sure that such robocalls are legitimate, STIR/SHAKEN protocols have become a mandate for businesses.

STIR/SHAKEN, at its core, is a technology and regulatory framework to help reduce fake robocalls and illegal caller ID spoofing. The STIR/SHAKEN protocols provide superior consumer protection and, if properly leveraged, equip the enterprise with the ability to show their calls as relevant and legitimate. While STIR/SHAKEN is for service providers, enterprises need to understand how it works as it will ultimately determine how their calls will show.

Difference between STIR and SHAKEN

The working group of the Internet Engineering Task Force has defined STIR (Secure Telephony Identity Revisited) as a set of standards and protocols to create a digital signature for each call. The digital signature includes not only the information about the caller but also allows for verification by the service provider at the receiving end. The SHAKEN (Secure Handling of Asserted Information using toKens) protocols, on the other hand, determine how the service providers within their network must deploy STIR.

The role of FCC in maintaining STIR/SHAKEN protocols

The Federal Communications Commission (FCC) is in charge of enforcing how service providers implement STIR/SHAKEN protocols to restore people’s trust in phone calls. FCC also mandated that all service providers have implemented both protocols no later than June of 2021. Another rule laid down by the FCC is that the providers not using the IP networks required by STIR/SHAKEN need to either move to IP or develop a solution that can authenticate caller ID on their non-IP networks.

The TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act was signed in December of 2019. Its purpose was to tackle all the illegal robocalls that were invading the privacy of the American public and implement a streamlined mechanism to report any suspected robocall and spoofing violation.

The TRACED Act specified that the FCC should ensure that STIR/SHAKEN protocols are implemented no later than 18 months after the date the Act was signed. Hence, the deadline of June 2021.

How does STIR/SHAKEN work?

STIR/SHAKEN protocols only work on IP networks. These protocols use an encrypted authentication process to verify the ID of the original call provider via an encrypted digital signature with one of 3 types of attestations, using labels A, B, and C.

Types of STIR attestations:

  • A – Full attestation when the provider is able to confirm the identity of the caller and that it is a legitimate call.
  • B – Partial attestation when the provider can only confirm the identity of the caller but did not provide the number.
  • C – Gateway attestation where the provider can only confirm that they are the point of entry, with the call coming from another network or from a provider that does not use STIR/SHAKEN protocols.

What is the SHAKEN framework?

The SHAKEN framework leverages the implementation of STIR standards within the IP networks. SHAKEN provides a set of guidelines for the PSTN (public switched telephone network) on how to handle calls coming without STIR information. It eventually defines how service providers share attestation certificates.

Are there exemptions from STIR/SHAKEN implementation?

Yes, if they come under the following categories. Additionally, exemptions may be granted on a case-by-case basis if providers petition for either an exemption or an extension of the deadline.

  • Small providers with less than 100,000 subscribers were given two more years to implement STIR/SHAKEN.
  • Providers unable to obtain the SPC tokens required for call authentication are exempt indefinitely.
  • If providers have or are about to file a Section 214 Discontinuance Application on or before June 30, 2021, they are given a compliance extension of one year (up to June 30, 2022).
  • An indefinite exemption is granted to non-IP parts of the provider’s network.

To conclude, STIR/SHAKEN is here to stay. Its implementation deadline only means that robocall mitigation is to be taken seriously by service providers and businesses. Trusting that the incoming call is authenticated will go a long way to build people’s confidence in the existing telephone systems.