With ongoing implementation of the STIR/SHAKEN authentication framework, your business’s calls to consumers are at greater risk of being blocked. Here’s what you need to know and the steps you can take to prepare and protect your organization.
What is STIR/SHAKEN?
STIR/SHAKEN (Secure Telephone Identity Revisited/Signature-Based Handling of Asserted Information Using toKENs) is an industry-developed set of rules and procedures designed to enhance call integrity through authenticating caller ID information associated with telephone calls by assigning each call an encrypted “digital fingerprint.”
Why is STIR/SHAKEN being adopted?
STIR/SHAKEN is aimed at combating malicious robocalling and illegal spoofing, which remain at the top of consumer complaints filed with the Federal Communications Commission (FCC). However, the challenge is to create an authentication process that addresses these abusive calls without threatening the ability of businesses to contact consumers for legitimate purposes such as prescription reminders, travel notifications, and school closings – communications that consumers need and want.
How does STIR/SHAKEN work?
In the STIR/SHAKEN framework, originating service providers are responsible for authenticating calls they originate onto the telephone network. This is done by digitally assigning an encrypted attestation rating asserting the degree of confidence that the caller is entitled to use the indicated phone number. The terminating service provider can then use this information and a decryption key to validate the calling party’s number and screen spoofed calls to its customers. There are three levels of attestation that can be assigned by the originating service provider:
Full Attestation (A) – the service provider has authenticated its relationship with the customer making the call and that the customer is authorized to use the calling number.
Partial Attestation (B) – the service provider has authenticated its relationship with the customer making the call, but cannot verify that the customer is authorized to use the calling number.
Gateway Attestation (C) – the service provider has authenticated that it has placed the call on its network, but has no relationship with the originator of the call (for example, a call received from an international gateway or using legacy equipment).
Service providers must be able to substantiate their attestation rating, which is all the more important during a traceback situation.
Is STIR/SHAKEN the same as call blocking?
No. With STIR/SHAKEN, attestation ratings are used by the carrier’s analytics partner as an input into its blocking algorithm. These algorithms take into account hundreds of variables including complaints, calling patterns, call duration, etc.
“A” rated calls are likely to be treated favorably, while “B” and “C” rated calls will be viewed with suspicion. Analytics firms have been reticent on how much weight they are giving to attestation ratings but have indicated that it will increase over time.
What are some limitations of STIR/SHAKEN?
While STIR/SHAKEN provides improved screening of malicious robocalling and facilitates traceback of calls, there are also a number of limitations:
- The authentication process does not indicate whether a call is legal/illegal or wanted/unwanted.
- Because STIR/SHAKEN only works on IP-based telephone networks, service providers will not be able to properly authenticate calls originating from legacy non-IP systems or equipment.
- “B” ratings are likely if using caller ID’s values obtained from Carrier A when placing calls using Carrier B (may arise in contact centers using clients’ caller IDs, least cost routing, or fail-over systems). This “enterprise problem” is currently being studied by the Alliance for Telecommunications Industry Solutions (ATIS) and technical solutions are in development.
What is the timeline for implementation of STIR/SHAKEN?
Deployment of STIR/SHAKEN began in 2019. Although only major carriers are utilizing the framework at this time, its usage is expanding. For example, AT&T wireless calls to some AT&T subscribers now appear with a “checkmark” in the call log.
The TRACED Act requires that STIR/SHAKEN be fully deployed by June 30, 2021, although the FCC can grant extensions in certain circumstances.
Are other countries participating in STIR/SHAKEN?
Currently, the STIR/SHAKEN framework does not address international gateway calls; however, conversations with other regulatory bodies are ongoing.
Can businesses create their own STIR/SHAKEN and authentication framework?
Currently, STIR/SHAKEN is a carrier framework only.
What do businesses need to do to prepare for STIR/SHAKEN?
There are a number of steps businesses can take to prepare their organizations for STIR/SHAKEN:
- Businesses should contact their carrier(s) to inquire how their STIR/SHAKEN implementation is progressing and how they can ensure their calls receive an “A” rating.
- If a business finds that it is having trouble with calls being blocked, it should work with a service to rotate calling numbers used, or preferably, validate its calling with the carriers and their analytics partners.
- Businesses should conduct test calls and report inaccurate labels or blocking to the carrier or app provider.
Michele is the Managing Partner at M&S and former Chief of the Ohio Attorney General’s Consumer Protection Section. Bringing more than two decades of experience in the consumer protection arena, she advises highly regulated businesses on a wide range of telemarketing, privacy, and other consumer protection matters.