August 18, 2021

STIR/SHAKEN 101: Your Quick & Easy Guide to FCC Compliance

Everything you need to know as a voice provider in the new world of caller ID authentication.

With the FCC’s June 30, 2021 STIR/SHAKEN deadline in the rear-view, you may be wondering what actions, if any, your company must take to satisfy these requirements. We break it all down below.


What is STIR/SHAKEN?

First, the basics: STIR/SHAKEN, short for Secure Telephone Identity Revisited/Signature-based Handling of Asserted information using toKENs, is a technology framework designed to reduce caller ID spoofing. This set of standards and protocols does not in itself block unwanted calls; rather, it allows carriers to pass various attestation levels which help assess the reliability of caller ID information.


In essence, STIR/SHAKEN is a useful tool in identifying potential spam, but it must be used in conjunction with robust analytics services to maximize its effectiveness.

I’m a Carrier: Do I Need to Comply With STIR/SHAKEN?

Carriers effectively have three choices:

  1. Fully implement STIR/SHAKEN
  2. Institute a Robocall Mitigation Program
  3. Both

Here’s what the FCC has to say on the matter.


“As of April 20, 2021, the FCC requires that all providers certify in the Robocall Mitigation Database that they have fully implemented STIR/SHAKEN or have instituted a robocall mitigation program to ensure that they are not originating illegal robocalls. All providers are required to submit to this public database the contact information for the personnel at their company responsible for robocall-mitigation related issues. And those providers certifying to their implementation of a robocall mitigation program are required to include descriptions of the reasonable steps they are taking to avoid originating illegal robocall traffic. Filings in the Robocall Mitigation Database are due June 30, 2021. Finally, because the STIR/SHAKEN framework is only operational on IP networks, Commission rules also require providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks.”


RoboKiller Enterprise is your source for proven robocall mitigation strategies and STIR/SHAKEN compliance. Contact us at enterprise.robokiller.com to learn more.

Does STIR/SHAKEN Apply to My Company?

First, you’ll need to determine whether or not your organization is considered a voice service provider. A voice service is defined as:


“...any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user . . . and without limitation, any service that enables real-time, two-way voice communications, including any service that requires internet protocol-compatible customer premises equipment (commonly known as “CPE”) and permits out-bound calling, whether or not the service is one-way or two-way voice over internet protocol.”


This includes wireline, wireless, and Voice over Internet Protocol (VoIP) providers, including both two-way and one-way interconnected VoIP providers.


Are There Exceptions to Filing?

There are exceptions to the filing requirement. However, it’s important to note that these exceptions do not grant an exemption to compliance but only an extension. In short, you may not have needed to file by June 30, 2021 if: 

  1. You are a small, typically rural voice service provider with fewer than 100,000 voice subscriber lines.
  2. You are a voice service provider that materially relies on non-IP networks.
  3. You are a voice service provider based outside the United States. STIR/SHAKEN does not apply globally, however, foreign service providers who process international calls must adopt STIR/SHAKEN technology nonetheless. The international deadline to establish a robocall mitigation plan is September 28, 2021.

Keep in mind that, if you are required to file but do not, the impact can be quite severe; other service providers will be forced to block calls originating from your network.


Additionally, even if you seek an exemption to full STIR/SHAKEN implementation, you are still required to implement a robocall mitigation program. 


What is a Robocall Mitigation Program?

Broadly speaking, a robocall mitigation program is precisely what it sounds like: a plan to help reduce robocalls and their harmful effects. However, in the case of the FCC directive, robocall mitigation has a very specific legal and regulatory meaning: a program to “prevent unlawful robocalls from originating on the network of the provider.”


A robocall mitigation program can take many forms. Based on our experience with the industry-leading consumer app, RoboKiller, we see the following as most effective and worth consideration.



Blocklists

Blocklists are the oldest and simplest mechanism for identifying bad callers. The idea is straightforward: keep a list of phone numbers that have been identified as originating fraudulent calls, compare outgoing or incoming calls to that list, and block the call if there is a match. 


Unfortunately, blocklists aren’t a perfect system. Phone numbers often change hands, so a number that’s bad today may be fine a month from now. Additionally, most scammers aren’t exactly playing by the rules, so when one number is blocked they’ll simply move on to a new one. This is easy to do given the large number and variety of Direct Inward Dialing (DID) providers out there and the low costs associated with them.


Audio Fingerprinting

Rather than analyze a particular phone number, audio fingerprinting examines audio within a call. As a result, this robocall mitigation tactic is especially useful in identifying robocalls that follow a script.



Once a bad call is fingerprinted, artificial intelligence (AI) and machine learning (ML) can be used to quickly compare other suspicious calls against a database of fingerprints. Audio fingerprinting can be used to block calls regardless of the actual phone number, thus offering the recipient an additional layer of protection. The bigger the database of fingerprints, and the more signals informing it on a daily basis, the easier it is to catch bad actors.


Ultimately, audio fingerprinting takes STIR/SHAKEN a step farther in that it seeks to understand the intent of the caller, not just the call’s origin. 


Call Data Analysis

Call Data Record (CDR) analysis is the process of looking at call records at scale and teasing out particular patterns that are suggestive of problematic calling. For example:

Like audio fingerprinting, AI and ML are particularly useful here, given the high number of calls and the associated metadata typically analyzed. Also similar to audio fingerprinting, call data analysis is fairly complex and expensive to attempt alone due to the sheer amount of data, model creation, and computing power required.


Call Reputation

Call Reputation can be thought of as something of a roll-up of several other methods listed here. It attempts to simplify things somewhat by ascribing a “reputation” to a given phone number: good, bad, or neutral. How a reputation score is calculated can vary depending on the vendor, but it’s safe to say that the more “signals” (data points) used, the better. 


Numbers can change reputation fairly quickly. Therefore, it’s important that reputation scores are updated dynamically, ideally in real-time. As is the case with other mitigation programs, this requires a significant amount of data processing and analysis work that is far more economical to outsource than build in-house.


Call Screening

Similar to voicemail, call screening can take many forms (e.g., an audio CAPTCHA). No matter its form, call screening works by requiring the originating caller to perform some sort of specific and (ideally) human action, so as to prove that they are not a robot.


This offers the added benefit of slowing the caller down, which is problematic for scammers and fraudsters who rely on speed and efficiency. Again, like some of the other technologies listed above, there is a constant cat and mouse game between scammers learning how to trick these screeners and the good guys trying to make things harder for them.


Bottom Line: RoboKiller Enterprise is the Answer

If you’re seeking to become STIR/SHAKEN compliant (and fast), RoboKiller Enterprise can assist with all your regulatory needs. If, however, a full STIR/SHAKEN solution isn’t right for you, we can help you develop an effective robocall mitigation program. (Or, we can assist with both.)

RoboKiller Enterprise’s Call Confidence API is a fully-functional call reputation product that can be a core component​​—or even the entirety—of your robocall mitigation program. Our API is powered by many of the technologies listed above: 

As the leading robocall and call protection provider, to date we have developed a database of over 550 million phone numbers, informed by nearly 2 million phone calls and 550 million customer feedback reports—totals that grow significantly by the day. We take these call signals and feed them into our AI-powered RoboKiller Command Center, where they are turned into actionable insights in the war against robocalls; insights that you can use without spending precious time and thousands of dollars building new technologies and staffing a team.


If you’d like to learn more about using RoboKiller Enterprise as part of your robocall mitigation program, head to the RoboKiller Enterprise website and sign up for your FREE 7-day trial.