STIR/SHAKEN is call authentication framework designed to combat malicious call spoofing and to restore trust in Caller ID, but its actual impact on Americans now facing a robocall epidemic that eclipsed 62 billion calls in 2019 will be limited. A flurry of legislative and regulatory efforts, including the Pallone-Thune TRACED Act, puts heavy emphasis on compelling carriers to implement this technology. However, while as a call authentication tool in the fight against spam calls STIR/SHAKEN does offer some potential value, it is far from a panacea.
What STIR/SHAKEN actually offers is a signal passed between service providers, which contains ownership and authorization information for a calling phone number. In some situations this will provide a definitive notion as to whether a phone number has been spoofed (altered to look as if it is a different number), but in many cases the information it provides will offer little or no value, and possibly even create confusion.
In this article, we will look to debunk myths about what this technology can and cannot do, so that consumers can better understand what they can expect as the STIR/SHAKEN call authentication framework is implemented by service providers over the next several years. We will separate fact from fiction by answering these questions:
- Will STIR/SHAKEN block all unwanted calls?
- Are authenticated calls always safe, and unauthenticated calls always dangerous?
- Is STIR/SHAKEN a universal, global technology?
- Are all calls with spoofed caller ID malicious?
We will begin by answering a fundamental question consumers should understand about this technology.
Will STIR/SHAKEN block all unwanted calls?
No! The first thing consumers should know is that this technology does not actually block ANY spam calls. The STIR/SHAKEN call authentication framework is a set of standards, agreed upon by various telecommunications industry stakeholders, that allows carriers to pass authenticated caller ID information with each call. Essentially, this means that service providers will be able to cryptographically sign calls, which is a complex way of saying that when a call is made to your phone, your service provider will receive a digital signal that indicates to what degree they know who is calling and who owns that number.
The STIR/SHAKEN signal indicates one of three “attestation” levels:
- “A” attestation means that your service provider knows who the entity calling you is and can confirm that the caller is authorized to use that phone number.
- “B” attestation indicates that your service provider has authenticated who owns the calling number, but cannot verify who is using that number to make the call.
- “C” level attestation, specifies your service provider knows who sent the call to their network, but has no idea who originated the call.
The question then becomes what to do with that signal. STIR/SHAKEN simply provides the attestation level, it does not block a call. It will be left to your service provider to decide how to handle that call, and that is going to get complicated.
Are authenticated calls always safe, and unauthenticated calls always dangerous?
When a STIR/SHAKEN signal is passed to your service provider there is no notion of caller intent. A spam caller may have “A” level attestation for their phone numbers, while at the same time, a call with “C” level attestation, could be completely legitimate. In-fact, the latter could actually be a call from your grandmother, which we will explain in detail a bit later. Suffice it to say, service providers cannot rely on STIR/SHAKEN alone to make call blocking decisions.
The challenge is that our phone network is made up of thousands of carriers, and how calls move across the network is complicated. If you are an AT&T subscriber and receive a call from another AT&T subscriber it is possible the call will never leave the AT&T network. Such a call could reliably be authenticated through STIR/SHAKEN as not spoofed, and you might even be comfortable with AT&T allowing or blocking that call on your behalf. However, there is also a very good chance that a call will “hop” across multiple providers on the phone network.
Most calls pass between service providers, and this often means a multi-step journey from caller to recipient. A call might originate with a rural landline carrier who passes the call to a VoIP provider. That VoIP provider then connects the call to a tower owned by a mobile carrier, who then passes the call to your phone. The problem is that STIR/SHAKEN is not integrated into every carrier, and not every carrier is even capable of integrating the technology. Calls passing through these carriers will result in “C” level attestations, and these calls are not necessarily good or bad, they are simply unknown.
Is STIR/SHAKEN a universal, global technology?
STIR/SHAKEN call authentication is powerful technology, but it is only in its infancy in terms of being deployed through the US phone network, and it is not a globally adopted framework. The FCC is looking to mandate its implementation, as does the Pallone-Thune TRACED Act, but the technology is only compatible with IP-based service providers (Internet Protocol).
Large service provider like Verizon and T-Mobile are built on this protocol, which means that STIR/SHAKEN will offer some quick wins in identifying many “neighbor-spoofed” calls. To a limited degree this is already happening, and consumers should see increasing benefits over the next few years as the technology is further deployed.
However, many small carriers, especially those in rural areas, are not IP-based, and are therefore unable to integrate the framework. This is where STIR/SHAKEN potentially impacts calls from your grandmother. Suppose she lives in a rural county and uses a local service provider that is not IP-based. Your service provider will always see her number as a “C” level attestation, yet, you would always want her call to ring through.
STIR/SHAKEN is not a global standard, and that is significantly limiting as we live in a globally-connected society. While we all know that many spam calls originate outside of the US, many legitimate calls originate from outside of the US as well. For example, your bank, insurance company, or healthcare provider might outsource its customer support centers to offshore locations. These calls cannot be authenticated through STIR/SHAKEN, but you likely would not want your service provider to block them based solely on that signal.
Are all calls with spoofed caller ID malicious?
There is not a one-size-fits-all solution to stopping unwanted calls, especially because the public telephone network is so nuanced. We have talked a lot about calls with “A” or “C” level attestations, and obviously, there is enough complexity in that alone to limit the value of STIR/SHAKEN in determining the legitimacy of a call, but that is only the beginning.
STIR/SHAKEN call authentication technology takes on the call spoofing problem which allows a caller to change their caller ID display. However, even spoofing is not by itself good or bad. It is definitely bad, when a scammer or spammer changes their caller ID to trick you, but many calls you receive are legitimately spoofed to your benefit.
Many companies, for example, use what are called PBX phone systems to manage calls. These systems allow a company to share lines amongst multiple extensions, use IVR (integrated Voice Response) prompts to allow you to enter information on your dialer, and more. These systems rely on spoofing so that you can see a unified caller ID display regardless of which extension at the company is calling you. This is often useful, and not at all illegitimate.
STIR/SHAKEN will authenticate PBX systems with a “B” level attestation. Your service provider will know who owns the number, but not who originated the call. PBX systems are used around the world by both legitimate companies, and unfortunately, sometimes also by spam callers. STIR/SHAKEN can only discern levels of ownership and legitimacy, not the intent behind these calls.
What Will STIR/SHAKEN Mean for You?
Over time STIR/SHAKEN will further reduce the onslaught of unwanted calls facing consumers. This article is not meant to suggest that this is a bad technology. It is a good technology with significant limitations based on the complexities of our global, open phone network. The STIR/SHAKEN call authentication framework is not a panacea for the spam call epidemic, but it is a tool that the telecom industry will use to help restore trust in caller ID.
When used in conjunction with other analytics services, such as the audio analysis technologies that power RoboKiller(™), STIR/SHAKEN will offer a useful signal that will bolster the ability of service providers to make more effective call blocking decisions. The important thing is for consumers to set their expectations accordingly and understand that STIR/SHAKEN will not solve the spam call problem by itself.