STIR/SHAKEN International Story Still Being Written
A key topic at the 2021 SIP Forum STIR/SHAKEN Virtual Summit this past July was whether, and how, nations around the world are making progress in the battle against call spoofing, robocalls, and fraud. This heightened international interest is likely due to the exponential rise in robocalls worldwide. And, with the June 30 deadline for U.S. carriers to implement STIR/SHAKEN now in the rear-view mirror, the world is watching closely to understand how international calls into the U.S. are treated, whether STIR/SHAKEN significantly reduces the number of robocalls, and whether the model can be adapted for use in other countries.
At the summit, which attracted attendees from over thirty countries, it became clear that the problem of international robocalls can’t be viewed in isolation. In addition to the need for regulatory bodies in other countries to take action against nuisance calls, billions of legitimate international calls coming into the U.S. are at risk of receiving ‘unfavorable treatment’ and being mislabeled as SPAM, or possibly blocked because we may not be able to identify the originating network. This is particularly true of international roaming calls, calls from offshore contact centers, and from branch offices of U.S. companies. That’s a significant number of calls.
This issue is top of mind for U.S. carriers, many of whom have asked their international partners to register in the FCC’s Robocall Mitigation Database so that they are recognized. Foreign providers have had varied responses to the request. Many were unaware, many agreed, but others did not. Unless we close the loophole with international calls, the issue of call spoofing and fraud will persist.
In the International STIR/SHAKEN session at the summit, Neustar VP and Fellow Jon Peterson joined Director, Network Infrastructure and Resilience at Ofcom, Huw Sanders; and Senior Expert, Naming, Numbering, and Addressing at Orange Lab Networks, Philippe Fouquart, to discuss whether it’s the right time to talk about international call authentication, and possible pathways to leverage STIR/SHAKEN and U.S. learnings worldwide.
Can STIR/SHAKEN be applied internationally?
STIR (Secure Telephone Identity Revisited), a standard created by the IETF, is considered a universal standard that can be successfully deployed in any country to help authenticate calls using SIP-based services. STIR has also been tested extensively in the ATIS Robocalling Testbed, by domestic and international carriers, for numerous years. SHAKEN, on the other hand, was designed specifically for the U.S., and deals with governance issues in how the STIR efforts should be managed.
While STIR is focused on the ‘what’, SHAKEN is focused on the ‘how’. The specifics of SHAKEN can’t be replicated everywhere because the way phone calls are assigned and managed varies country by country. It seems that each nation will need to figure out its own version of SHAKEN based on its unique infrastructure, processes, laws and governance structures.
To provide helpful guidance to other countries, according to Jon Peterson, we have to ask ourselves how similarly Telephone Number (TN) administration is conducted in other countries. It’s crucial that we understand how calling identity differs.
For example, in the UK, the “presentation number” differs from the “network number”. So, for STIR/SHAKEN to work, an attestation level needs to be assigned, but we need to know to which number it’s being applied.
Jon noted, “We all know how TN is handled here in the U.S. Not all countries have the same tools at their disposal or history of identifiers. We predicated much of SHAKEN on possession of Operating Company Numbers (OCNs). But, we need to think hard about comparable identifiers in different environments, and how are calls attested. Are they gonna look enough like our Governance Authority/Policy Administrator structure that we can figure out how those different zones of authority, with very different rules, can learn to trust each other?”
During the session, a poll was taken to take the pulse of attendees. When asked how important international (non plus-one) originated calls were to their business, as shown below, close to 90 percent said it was important.
- 87% Extremely, very, or somewhat important
- 13% Not important
When asked how they plan to handle international non plus-one calls terminating in the U.S., they replied:
- 42% Sign calls with a "C" attestation until agreed standard is reached
- 13% Use trunks to segment traffic and vet numbers and entities
- 25% International originator will acquire certificate and sign
- 5% Have another plan
- 14% Not relevant
It’s clear from the responses that international traffic is vitally important to most U.S. carriers, but they haven’t reached a consensus yet on how to best manage things in terms of STIR/SHAKEN. Assigning calls with a “C” attestation, which was the top choice as highlighted above, practically ensures they will be labeled as suspect, or perhaps even blocked.
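To make the attestation discussion concrete, the following added example (not from the original article or from Neustar) decodes a SHAKEN PASSporT and reports the attestation level together with the originating number it applies to, which is the `orig.tn` claim. The tokens, the certificate URL, the `origid` value and the 60-second freshness window are constructed for illustration, and the ES256 signature is not verified here; a real verification service must fetch the certificate named in `x5u` and check the signature before trusting any claim.

```python
import base64, json

def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(part: str):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def make_sample(attest: str, orig_tn: str, iat: int) -> str:
    """Constructed token for the demo; the signature part is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sp.pem"}  # placeholder URL
    claims = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}  # constructed
    return f"{_b64url(header)}.{_b64url(claims)}.c2lnLXBsYWNlaG9sZGVy"

def inspect_passport(token: str, now: int, max_age: int = 60) -> dict:
    """Decode header and claims; does NOT verify the ES256 signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = _unb64url(parts[0]), _unb64url(parts[1])
    problems = []
    if (header.get("alg"), header.get("ppt"), header.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("bad-header")
    if not str(header.get("x5u", "")).startswith("https://"):
        problems.append("bad-x5u")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):
        problems.append("bad-attest")
    orig_tn = str(claims.get("orig", {}).get("tn", ""))
    if not orig_tn.isdigit():
        problems.append("bad-orig-tn")
    if abs(now - int(claims.get("iat", 0))) > max_age:  # assumed freshness window
        problems.append("stale-iat")
    # PASSporT numbers carry no "+"; 11 digits starting with 1 is a +1 number.
    plus_one = len(orig_tn) == 11 and orig_tn.startswith("1")
    return {"attest": attest, "orig_tn": orig_tn, "plus_one_origin": plus_one,
            "origid": claims.get("origid"), "problems": problems}

if __name__ == "__main__":
    now = 1_626_000_000  # fixed clock for a reproducible run
    for attest, tn in (("A", "12025550123"), ("C", "442079460000")):
        print(inspect_passport(make_sample(attest, tn, now - 5), now))
```

The second sample is the case the poll describes: a non plus-one originating number that reaches the terminating side carrying only a "C" attestation.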
Tracebacks provide interim measure.
One approach to the issue of international roaming traffic is tracebacks. U.S. Telecom|The Broadband Association created the International Traceback Group (ITG) to help. According to the ITG, “Suspected illegal robocalls are traced systematically back through various networks until the ITG identifies the originator of the suspicious calls, where the calls entered the U.S. if internationally originated, and often the identity of the calling party.”
Service providers only know who they received a call from and where they routed it, but the ITG traces the call back from the recipient to the originator of the call – usually routing through four or more, or sometimes as many as nine or ten service providers (or “hops”) across the globe. While the ITG doesn’t arrest or penalize these fraudsters, they do collaborate closely with federal and state law enforcement agencies who do.
Global collaboration needed for success.
Twenty-five percent of summit respondents said they’re counting on international carriers contributing to at least some portion of the verification process. Providing these carriers with their own certificates so they can sign calls themselves would allow them to be on the same playing field with the U.S. carriers, but it also requires a great deal of trust.
Jon continued, “When you wonder about using STIR/SHAKEN internationally, a lot of it comes down to ensuring calls aren’t blocked coming into the U.S. But, we can easily imagine a way that calls can get into North America with an intact PASSporT. That’s much better than calls coming in with a "B" or "C" attestation. Clearly this would be a better solution.”
Robocall reduction within their home borders would remain an issue to be resolved. And even if STIR/SHAKEN is wildly successful in the U.S., replicating this in other countries is not as simple as one might think.
The issue is not off in the distance. Neustar’s preliminary data shows that between May 1 and July 20, we saw a 20x increase in the number of STIR/SHAKEN PASSporTs crossing our verification services, especially as we got closer to the June 30 deadline. “This is going to be a process,” Jon concluded, “but it’s very material right now, there are calls for these non plus numbers that are being signed today, and getting attestations today. How we interact with that, it’s not something to kick the can on.”
One thing is certain. Implementation of STIR/SHAKEN in the U.S. was an example of unprecedented collaboration across the industry, and the same will be required for success internationally.
Neustar is a pioneer in call authentication as the co-author of STIR standards and early contributor to the SHAKEN framework, and we play an ongoing leadership role in defining industry standards with ATIS, IETF, and CRTC. We provide the industry’s reference implementation of STIR/SHAKEN as the exclusive operator of the ATIS Robocalling Testbed, where real world STIR/SHAKEN implementations are being tested for interoperability, and Neustar leads the industry in commercial call authentication deployments.