Call Authentication Trust Anchor

Issuing agencies

Abstract

In this document, the Wireline Competition Bureau (Bureau) of the Federal Communications Commission (Commission) addresses two recurring statutory obligations under the TRACED Act relating to the Commission's caller ID authentication rules. First, the Bureau seeks comment for its annual reevaluation of the STIR/SHAKEN implementation extensions granted by the Commission for implementation of the STIR/ SHAKEN call authentication framework. Second, the Bureau seeks comment for its first triennial assessment of the efficacy of STIR/SHAKEN call authentication framework as a tool in our work combating illegal robocalls.

Full Text

<html>
<head>
<title>Federal Register, Volume 87 Issue 169 (Thursday, September 1, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 169 (Thursday, September 1, 2022)]
[Proposed Rules]
[Pages 53705-53708]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-18380]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 17-97; DA 22-831; FR ID 100507]


Call Authentication Trust Anchor

AGENCY: Federal Communications Commission.

ACTION: Proposed rule and request for comments.

-----------------------------------------------------------------------

SUMMARY: In this document, the Wireline Competition Bureau (Bureau) of 
the Federal Communications Commission (Commission) addresses two 
recurring statutory obligations under the TRACED Act relating to the 
Commission's caller ID authentication rules. First, the Bureau seeks 
comment for its annual reevaluation of the STIR/SHAKEN implementation 
extensions granted by the Commission for implementation of the STIR/
SHAKEN call authentication framework. Second, the Bureau seeks comment 
for its first triennial assessment of the efficacy of STIR/SHAKEN call 
authentication framework as a tool in our work combating illegal 
robocalls.

DATES: Comments are due on or before October 3, 2022; reply comments 
are due on or before October 21, 2022.

ADDRESSES: Pursuant to sections 1.415 and 1.419 of the Commission's 
rules, 47 CFR 1.415, 1.419, interested parties may file comments and 
reply comments on or before the dates indicated in this document. 
Comments and reply comments may be filed using the Commission's 
Electronic Comment Filing System (ECFS). See Electronic Filing of 
Documents in Rulemaking Proceedings, 63 FR 24121 (1998). Interested 
parties may file comments or reply comments, identified by WC Docket 
No. 17-97 by any of the following methods:

[[Page 53706]]

    <bullet> Electronic Filers: Comments may be filed electronically 
using the internet by accessing ECFS: <a href="https://www.fcc.gov/ecfs/">https://www.fcc.gov/ecfs/</a>.
    <bullet> Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
    <bullet> Filings can be sent by commercial overnight courier, or by 
first-class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
    <bullet> Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701.
    <bullet> U.S. Postal Service first-class, Express, and Priority 
mail must be addressed to 45 L Street NE, Washington, DC 20554.
    <bullet> Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, 35 FCC Rcd 2788 (March 19, 2020), 
<a href="https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy">https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy</a>.
    Ex Parte Rules. This proceeding shall be treated as a ``permit-but-
disclose'' proceeding in accordance with the Commission's ex parte 
rules. Persons making ex parte presentations must file a copy of any 
written presentation or a memorandum summarizing any oral presentation 
within two business days after the presentation (unless a different 
deadline applicable to the Sunshine period applies). Persons making 
oral ex parte presentations are reminded that memoranda summarizing the 
presentation must: (1) list all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made; and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenters written comments, memoranda, or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page and/or paragraph numbers where such data 
or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with section 1.1206(b) of the Commission's rules. 
In proceedings governed by section 1.49(f) of the rules or for which 
the Commission has made available a method of electronic filing, 
written ex parte presentations and memoranda summarizing oral ex parte 
presentations, and all attachments thereto, must be filed through the 
electronic comment filing system available for that proceeding, and 
must be filed in their native format (e.g., .doc, .xml., .ppt, 
searchable .pdf). Participants in this proceeding should familiarize 
themselves with the Commission's ex parte rules.

FOR FURTHER INFORMATION CONTACT: For further information, please 
contact Jonathan Lechter, Competition Policy Division, Wireline 
Competition Bureau, at (202) 418-2343 or by email at 
<a href="/cdn-cgi/l/email-protection#f9b39697988d919897d7b59c9a918d9c8bb99f9a9ad79e968f"><span class="__cf_email__" data-cfemail="1d5772737c69757c733351787e7569786f5d7b7e7e337a726b">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: This is a summary of the Bureau's Public 
Notice seeking comment on two recurring statutory obligations under the 
TRACED Act in WC Docket No. 17-97, DA 22-831, released on August 5, 
2022. The full text of this document is available for public inspection 
at the following internet address: <a href="https://docs.fcc.gov/public/attachments/DA-22-831A1.pdf">https://docs.fcc.gov/public/attachments/DA-22-831A1.pdf</a>. To request materials in accessible formats 
for people with disabilities (e.g., braille, large print, electronic 
files, audio format, etc.), send an email to <a href="/cdn-cgi/l/email-protection#274144441217136741444409404851"><span class="__cf_email__" data-cfemail="9ff9fcfcaaafabdff9fcfcb1f8f0e9">[email&#160;protected]</span></a> or call the 
Consumer & Governmental Affairs Bureau at (202) 418-0530 (voice), or 
(202) 418-0432 (TTY).

Synopsis

I. Comments Sought on STIR/SHAKEN Implementation Extensions for Annual 
Review, Pursuant to Section 4(b)(5) of the TRACED Act

    When Congress directed the Commission to mandate implementation of 
STIR/SHAKEN in the TRACED Act, it also required the Commission to 
assess burdens and barriers to implementation, and it gave the 
Commission discretion to extend compliance with the implementation 
mandate upon a public finding of undue hardship. The Commission 
performed this assessment and granted three categorical extensions of 
the STIR/SHAKEN mandate on the basis of undue hardship: (1) small voice 
service providers; (2) voice service providers unable to obtain the 
``token'' necessary to participate in STIR/SHAKEN; and (3) services 
scheduled for section 214 discontinuance. See Second Caller ID 
Authentication Report and Order, 85 FR 73360 (Nov. 17, 2020). (As 
directed by a separate provision of the TRACED Act, TRACED Act Sec.  
4(b)(5)(B), the Commission also granted an extension for those portions 
of the network that rely on technology that cannot initiate, maintain, 
and terminate SIP calls. Because this extension was not granted on the 
basis of undue hardship, we do not seek comment on it in this Public 
Notice.)
    The TRACED Act further requires the Commission to assess burdens 
and barriers to implementation ``as appropriate'' after that initial 
assessment, and directs the Commission to, ``not less frequently than 
annually after the first [extension] is granted,'' reevaluate and 
potentially revise any extensions granted on the basis of undue 
hardship. It requires the Commission to issue a public notice 
explaining ``why such [extension] remains necessary'' and ``when the 
Commission expects to achieve the goal of full participation'' in 
caller ID authentication. To comply with these obligations, the 
Commission directed the Bureau in the Second Caller ID Authentication 
Report and Order to annually reevaluate the Commission's granted 
extensions for undue hardship and revise or extend those extensions as 
necessary. (The Commission determined that the Bureau is in the best 
position to undertake this fact-intensive, case-by-case evaluation.) In 
its directions to the Bureau, the Commission permitted the Bureau to 
further extend an extension to which voice service providers are 
already subject, but prohibited the Bureau from terminating an 
extension prior to the extension's originally set end date. The 
Commission did not permit the Bureau to grant extensions to any voice 
service providers or services not already subject to one. Should we 
further extend a granted extension, we are permitted to decrease, but 
not expand, the scope of entities entitled to that extension based on 
our assessment of burdens and barriers.
    In September 2021, we released a Public Notice seeking comment on 
the Commission's three granted extensions and any associated burdens 
and barriers to the implementation of STIR/SHAKEN. 86 FR 56705 (Oct. 
12, 2021). In December 2021, we issued our first annual reevaluation 
and declined to modify any of the existing extensions. The extension 
for services scheduled for section 214 discontinuance ended on June 30, 
2022. We now seek comment to enable our second annual reevaluation of 
the two remaining STIR/SHAKEN implementation extensions--

[[Page 53707]]

for small voice service providers and for providers unable to obtain 
the required token--granted based on undue hardship.
    Small Voice Service Provider Extension. We seek comment on the 
Commission's extension for facilities-based small voice service 
providers. In September 2020, the Commission granted a two-year 
extension for all small voice service providers, defined as ``a 
provider that has 100,000 or fewer voice service subscriber lines.'' 
Second Caller ID Authentication Report and Order. Under this extension, 
small voice service providers were given until June 30, 2023 to 
implement STIR/SHAKEN. The Commission found that this extension was 
appropriate because small voice service providers may face substantial 
costs--in addition to resource constraints--to implement STIR/SHAKEN 
and confront unique equipment availability issues. In December 2021, 
the Commission shortened the extension for a subset of small voice 
service providers likely to be the source of illegal robocalls. 87 FR 
3684 (Jan. 25, 2022) It shortened the extension to one year--until June 
30, 2022--for non-facilities-based small voice service providers based 
on overwhelming record support and available evidence showing that this 
subset of providers were originating a large and disproportionate 
amount of robocalls. It also required small voice service providers 
suspected of originating illegal robocalls to implement STIR/SHAKEN on 
an accelerated timeline. The Commission maintained the two-year 
extension for facilities-based small voice service providers because it 
found they were less likely to be the source of illegal robocalls. When 
we considered this remaining extension in the 2021 annual reevaluation, 
we declined to lengthen it beyond June 30, 2023, noting that the 
Commission's guiding principle in establishing the extension was ``to 
achieve ubiquitous STIR/SHAKEN implementation to combat the scourge of 
illegal caller ID spoofing as quickly as possible.''
    We seek comment on the burdens and barriers to facilities-based 
small voice service provider implementation and whether we should 
revise their STIR/SHAKEN extension. Have the burdens or barriers 
affecting small providers originally discussed in the Second Caller ID 
Authentication Report and Order, changed since last year's evaluation 
and, if so, how? Should any Commission actions in the previous year 
inform or impact our reevaluation of the small voice service provider 
extension? Have any new burdens or barriers emerged that the Commission 
did not consider or could not have been aware of when it initially gave 
small voice service providers a two-year extension? If so, do these 
burdens or barriers warrant an extension beyond the current June 30, 
2023 date, and if so, how long of an extension is necessary and 
appropriate? How would any additional extension be consistent with the 
Commission's goal of ubiquitous STIR/SHAKEN implementation?
    In response to our Public Notice seeking comment for the 2021 
annual extension reevaluation, the Satellite Industry Association (SIA) 
requested an ``indefinite'' extension for satellite voice service 
providers'' in light of the ``challenging circumstances facing small 
satellite VSPs, combined with their unique economic, operational, and 
technical characteristics.'' The Bureau determined that the record was 
insufficient to evaluate SIA's request at that time, but stated it 
would seek further comment on the request as part of the instant 2022 
reevaluation. In the interim, as part of its May 2022 Further Notice of 
Proposed Rulemaking, 87 FR 42670 (July 18, 2022), the Commission sought 
comment on the larger questions of the applicability of the TRACED Act 
to small satellite providers and whether it should grant such providers 
an extension for implementing STIR/SHAKEN.
    Should the Bureau further extend the small provider implementation 
extension just for small satellite voice service providers as part of 
this inquiry or should we leave this issue to the full Commission to 
consider more generally? Do small satellite voice service providers 
face unique challenges in implementing STIR/SHAKEN? What are these 
challenges? How do they impact this subset of providers' ability to 
implement STIR/SHAKEN? What is a realistic time frame for any extension 
we grant? What impact would an extension for small satellite voice 
service providers have on other providers or the public? What impact 
would such an extension have on the Commission's longstanding goal of 
ubiquitous deployment of STIR/SHAKEN?
    Extension for Voice Service Providers That Cannot Obtain a SPC 
Token. We seek comment on the Commission's extension for voice service 
providers that cannot obtain the Service Provider Code (SPC) token 
necessary to participate in STIR/SHAKEN. In the Second Caller ID 
Authentication Report and Order, the Commission granted voice service 
providers that are incapable of obtaining a SPC token due to Governance 
Authority policy an extension until they are capable of obtaining said 
token. (Recognizing that ``a voice service provider may not be able to 
immediately come into compliance with its caller ID authentication 
obligations after it becomes eligible to receive'' a SPC token, the 
Commission stated that it ``will not consider a voice service provider 
that diligently pursues a certificate once it is able to receive one in 
violation of [its] rules.''). In May 2021, the Governance Authority 
revised the STI-GA Token Access Policy to enable token access by some 
voice service providers previously unable to receive a token. In the 
2021 annual reevaluation, we found that this policy revision had 
resolved the main practical concern underlying this extension and that 
token access no longer stood as a significant barrier to full 
participation in STIR/SHAKEN. We nonetheless declined to revise this 
extension on the basis that it remains necessary for the reason the 
Commission previously identified: ``[A]n entity that meets the 
definition of a provider of `voice service' cannot comply with the 
STIR/SHAKEN rules if it is unable to receive a token.''
    We seek comment on this extension and whether it remains necessary. 
Is it still true that a provider cannot comply with the STIR/SHAKEN 
rules if it is unable to receive a token? Has anything changed that has 
made a token unnecessary to participate in STIR/SHAKEN, making this 
extension no longer needed? Even if it remains theoretically necessary, 
are all practical impediments presented by token access resolved, such 
that we should consider recommending terminating this extension? If we 
did recommend terminating this extension, when is an appropriate end 
date? If the extension remains necessary, is token access an impediment 
to ubiquitous STIR/SHAKEN? Are there steps the Commission or the 
Governance Authority could take regarding token access to better 
promote full participation in STIR/SHAKEN?

II. Comments Sought on STIR/SHAKEN Efficacy, Pursuant to Section 
4(b)(4) of the TRACED Act

    When Congress mandated that the Commission require voice service 
providers to implement STIR/SHAKEN in the TRACED Act, it also directed 
the Commission to ``assess the efficacy of the technologies used for 
[the] call authentication frameworks'' no later than three years after 
the December 30, 2019 enactment date of the Act. The Commission was 
also directed to ``revise or replace the call authentication 
frameworks'' if the Commission

[[Page 53708]]

determines it is in the public interest to do so based on the 
assessment and to submit a report to Congress ``on the findings of the 
assessment . . . and on any actions to revise or replace the call 
authentication frameworks.''
    Pursuant to this Congressional mandate, we seek comment to inform 
our analysis of the efficacy of the STIR/SHAKEN caller ID 
authentication framework that the Commission required voice service 
providers to implement on their IP networks. (We do not, in this Public 
Notification, seek comment on caller ID authentication in non-IP 
networks. In the September 2020 Second Caller ID Authentication Report 
and Order, the Commission determined that no standardized framework for 
non-IP networks existed and consequently required providers to work to 
develop a solution rather than implement a framework. The Commission 
recently sought comment on whether we should require providers to 
implement a non-IP caller ID authentication solution. Because the 
Commission has not yet mandated providers implement any particular non-
IP caller ID authentication technology, there is no implemented 
technology to assess in this required reevaluation.) We start by 
seeking comment on the standard by which we should assess the efficacy 
of STIR/SHAKEN. We propose to assess the efficacy of STIR/SHAKEN based 
on how well it effectuates the authentication of caller ID information. 
We believe this is the best standard because it evaluates the 
effectiveness of the STIR/SHAKEN framework at executing the function of 
the technology mandated under section 4: performing caller ID 
authentication. We seek comment on this proposal. Is there another way 
to interpret this statutory language and assess the STIR/SHAKEN 
framework? For example, should we measure the impact of STIR/SHAKEN on 
preventing illegally spoofed robocalls, or preventing all illegal 
robocalls, to determine its efficacy? How would such an approach be 
consistent with the text of the statute? Would it be an appropriate 
measure of STIR/SHAKEN's effectiveness as a caller ID authentication 
framework? Or would such an approach only measure the impact and 
limitations of caller ID authentication generally, regardless of ``the 
technologies used''? Could different caller ID authentication 
frameworks more or less effectively combat illegally spoofed or all 
illegal robocalls?
    We next seek comment on the efficacy of the STIR/SHAKEN framework 
under this standard. Has STIR/SHAKEN proven to effectively authenticate 
caller ID information? Are there ways it could be more effective at 
that task and, if so, how? Do any specific factors limit its efficacy, 
and what solutions might resolve those issues? Will any identified 
concerns be addressed by further deployment across the voice network? 
In the Bureau's December 2020 Report to Congress, we stated that, 
without widespread implementation, it was ``premature to assess the 
efficacy of STIR/SHAKEN in practice'' at that time. (The TRACED Act 
required the Commission to submit that report ``not later than 12 
months after'' enactment.) Since that date, many voice service 
providers have been required to implement, and have implemented, STIR/
SHAKEN. Is it still premature to evaluate the efficacy of STIR/SHAKEN 
in practice? If so, we seek comment on whether commenters continue to 
believe that the framework is effective as designed. And if commenters 
believe we should evaluate STIR/SHAKEN under a different or additional 
standard, we seek comment on the efficacy of STIR/SHAKEN under any 
alternative standards proposed. Under any standard, we seek comment on 
whether the efficacy of STIR/SHAKEN would improve when the framework is 
paired with other tools or if there are additional steps that the 
Bureau, Commission, or stakeholders such as voice service providers or 
the Governance Authority could take to improve the efficacy of STIR/
SHAKEN. (Recognizing the benefits of pairing caller ID authentication 
with call analytics, the Commission adopted a safe harbor enabling 
voice service providers to block unwanted calls by default based on 
reasonable analytics that incorporate caller ID authentication 
information, so long as consumers are given the opportunity to opt 
out.)
    Should the Commission consider whether it is in the public interest 
to revise or replace the STIR/SHAKEN framework? Would revising or 
replacing the framework at this time be premature, as providers 
continue to take steps to implement the technology consistent with the 
Commission's efforts to bolster its caller ID authentication rule 
scheme? How would the costs of such revision or replacement compare to 
the benefits? We ask that any comments indicating that the STIR/SHAKEN 
framework is ineffective at authenticating caller ID information 
identify alternatives that would more effectively authenticate caller 
ID information.

Federal Communications Commission.
Pamela Arluk,
Chief, Competition Policy Division.
[FR Doc. 2022-18380 Filed 8-31-22; 8:45 am]
BILLING CODE 6712-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>