Full Report
Chair Brendan Carr said the agency is exploring how to expand STIR/SHAKEN protocols to older legacy phone networks. The post FCC looking to expand anti-robocalling initiative appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: FCC Efforts to Combat Robocalls and AI Deepfakes via Call Authentication
## Overview
This summary covers the ongoing efforts by the Federal Communications Commission (FCC), led by Chair Brendan Carr, to enhance call authentication protocols, specifically STIR/SHAKEN, to combat illegal robocalls and evolving threats like AI-generated deepfakes transmitted over telephone and broadcast networks. It highlights current mandates, industry challenges, and potential future enforcement actions.
## Key Details
- Issuing Authority: Federal Communications Commission (FCC), with coordination involving the Federal Trade Commission (FTC).
- Effective Date: STIR/SHAKEN originated from a 2020 regulation. New reporting rules stemming from 2020 mandates were tightened in January (specific year not provided, but context suggests recent).
- Jurisdiction: United States telecommunications networks (voice over IP (VoIP) and potentially legacy networks).
- Status: In Effect, with ongoing expansion and enhancement efforts.
## Requirements
### Mandatory Requirements
1. **Implement STIR/SHAKEN Protocols:** Telecommunications carriers must implement STIR/SHAKEN protocols to formally vouch for the caller's identity during the call handoff process, attesting to the FCC that due diligence was performed.
2. **Adhere to Tightened Reporting Requirements:** Carriers must comply with enhanced industry reporting rules related to STIR/SHAKEN compliance, especially following incidents involving high-confidence authentication for suspected illegal calls.
### Recommended Practices
1. **Extend Authentication to Legacy Networks:** Address gaps in the current STIR/SHAKEN implementation which only fully functions over modern Voice Over Internet Protocol (VoIP) networks.
2. **Focus Oversight on Major Carriers:** While not explicitly mandated by the article, industry experts suggest the FCC should significantly focus oversight and immediate compliance pressure on the three major carriers (AT&T, T-Mobile, Verizon) due to their critical role in the U.S. call ecosystem.
3. **Develop Advanced Blocking Measures:** Implement systems (like the demonstrated "007" concept) that identify and filter calls originating from networks known or suspected to service robocallers immediately, rather than waiting for system-wide protocol updates.
## Affected Organizations
- Industries: Telecommunications Carriers (especially VoIP providers and major carriers), and potentially entities using telephone/broadcast networks to disseminate content (raising issues for AI/deepfake transmission).
- Organization Size: All telecommunications carriers must comply with STIR/SHAKEN, but the FTC focuses enforcement actions on VoIP providers acting as "points of entry" for illegal robocalls.
- Geographic Scope: United States networks.
## Compliance Timeline
- 2020: Initial STIR/SHAKEN regulation placed obligations on carriers.
- January [Recent Year]: FCC adopted new rules to tighten reporting requirements around STIR/SHAKEN compliance.
- Immediate/Ongoing: Carriers are being urged by experts to implement enhanced identification/blocking measures "next month" rather than waiting for longer-term technological solutions.
- Future: FCC Chair Carr is considering seeking enhanced authorities to legally pursue bad actors over deepfakes, implying future compliance deadlines related to AI/deepfake mitigation.
## Implementation Guidance
### Assessment Phase
- **Evaluate VoIP Coverage:** Assess which portions of current network traffic rely on VoIP and are covered by STIR/SHAKEN.
- **Review Authentication Confidence Levels:** Review internal processes following the Lingo Telecom incident to ensure due diligence matches the highest confidence assertions made during call authentication.
### Implementation Phase
- **Expand STIR/SHAKEN Use:** Work on solutions to ensure authentication protocols are utilized or adapted for calls traversing older, *non-VoIP* networks.
- **Improve Traceback and Coordination:** Coordinate with regulatory bodies (FTC, law enforcement) to utilize traceback information to identify and cease service to illegal call originators.
- **Strengthen Internal Protocols:** If not already in place, establish rigorous processes to investigate and suspend service to interconnected VoIP providers flagged by watchdog groups for originating illegal robocalls.
### Validation Phase
- **Monitor Reporting Metrics:** Ensure accurate and timely submission of reports mandated by the tightened FCC rules.
- **Performance Testing:** Measure the effectiveness of current call blocking and authentication measures against known robocall patterns, incorporating feedback from industry surveillance platforms.
## Technical Requirements
1. **STIR/SHAKEN Implementation:** Requirement for carriers to implement the protocol set for formal caller vouching and identity attestation across network handoffs.
2. **Call Authentication Protocols:** Continued work on developing a "better technological system" to address robocalls across the board, potentially including AI-detection elements for deepfakes.
## Penalties & Enforcement
- Fines: **$1 Million Fine** levied against Lingo Telecom for faulty authentication related to AI-generated robocalls. Fines are a recognized enforcement tool, and Chair Carr may seek enhanced authority to pursue legal action against other bad actors.
- Other Consequences: FTC is actively sending warning letters (31 letters sent to VoIP providers) to entities believed responsible for illegal robocalls, informing them they are in danger of triggering formal investigations or enforcement actions.
- Enforcement: Enforcement is currently handled via direct regulatory action (fines) and warnings issued by the FCC and FTC. There is an identified gap, however, in the FCC's historic ability to "take bad actors to court" directly, which Chair Carr may lobby Congress to address, especially concerning AI/deepfakes.
## Related Standards
- **STIR/SHAKEN:** The core technical standard being leveraged and expanded by the FCC regulation.
- **Industry Traceback Group (ITG):** Private organizations cooperating with federal agencies to collect surveillance data on robocalls, informing regulatory oversight.
## Resources
- Official Documentation: FCC Call Authentication Information (defanged link: fcc dot gov/call-authentication)
- Guidance Documents: FTC efforts outlined in testimony regarding coordinating with law enforcement to contact "point of entry" VoIP providers.
- Tools: RRaptor and "007" (examples of monitoring/filtering tools utilized by industry experts but not formally mandated).
## Practical Recommendations
1. **Proactively Address Non-VoIP Traffic:** Immediately prioritize developing strategies to authenticate or mitigate calls traversing legacy networks, as current STIR/SHAKEN coverage appears incomplete.
2. **Engage with Traceback Efforts:** Major carriers must cooperate fully with the FTC and ITG data to swiftly sever ties with problematic downstream providers.
3. **Review AI/Deepfake Risk:** Organizations utilizing automated calling or broadcasting systems should review compliance strategies in anticipation of potential new regulatory mandates aimed at mitigating AI-generated voice fraud over telecommunications lines.
4. **Demand Clarity on Authority:** Stakeholders should monitor legislative action regarding the FCC's request for enhanced authority to litigate against enforcement non-compliant parties.