How Trusted Cross-Border Communications Can Work with STIR/SHAKEN
by Mary Gonzalez
By now, we’re all acquainted with the STIR/SHAKEN caller ID authentication framework and its aim to decrease the number of illegal robocalls and illegal call spoofing by establishing the validated source of a number and the identity behind it. When the STIR/SHAKEN standards were being defined, they were written as if from a single country perspective and so far, deployment has primarily focused on the United States. The fact that the U.S. has deployed STIR/SHAKEN does not mean that it is a U.S.-specific technology.
The standards were deliberately written not to be specific to any one country, because they were intended to be deployed abroad, country by country. Since defining standards for a single country was already difficult, the standards were scoped so that each country's regulatory requirements, and its ownership of the numbers being validated, could be accommodated. Per country, the governance model can be adjusted to fit local needs, while at the protocol level the signing and verification still work across borders.
The United States has led the way in defining and writing the standards and setting up a method to regulate its implementation through the Robocall Mitigation Database, with relevant deadlines to encourage the due diligence of service providers to implement the standards. The FCC has already begun seeking comments on the future of the enforceability and longevity of this database as an adequate solution to ensuring adoption. Enough time has now passed in the United States regarding domestic traffic for the FCC to begin focusing on gateway providers as the point of entry for foreign calls and cross-border communications.
How trusted cross-border communications could work
In comparison to the United States, Canada is following closely behind with its implementation of the STIR/SHAKEN standard, not in terms of the technologies being used, but in terms of the governance, the structure of the standards, its enforcement, and the deadlines that surround it.
Jim McEachern, an international STIR/SHAKEN expert based in Canada, has worked with ATIS, the SIP Forum, and the IP-NNI Task Force within ATIS to help Canada define its own cross-border specifications. For the two countries to establish a trusted system that allows cross-border voice traffic, that trust has to be rooted in a Certificate Authorities List (CA List).
According to McEachern, “The trust anchor in SHAKEN is when the Governance Authority and Policy Administrator are able to maintain a list of the approved Certificate Authorities who issue the certificates in SHAKEN. That list is effectively the root of trust.”
— Jim McEachern
When a cross-border call is verified, the receiving side confirms that the call was signed with a certificate that can be traced back to a CA on its trusted CA List. If the signing certificate cannot be traced to a CA on that list, verification fails. While this may seem like a straightforward way to ensure trusted communications between countries, the problem is that each country maintains its own CA List. If a call is signed in Canada with a certificate from a Canadian Certificate Authority (CA), the United States, on receiving the call, cross-checks it against the U.S. CA List. If the Canadian CA is not on that list, the call automatically fails verification.
This does not mean the call will be blocked on entering the United States, but it will be treated as an unsigned call. At that point, apps or analytics outside of STIR/SHAKEN may or may not block it as suspicious. To protect trusted communications, Canada and the U.S. will need to merge their trusted CA Lists under a form of bilateral agreement so that a call can cross the border and still pass verification. This has not happened yet, but McEachern hopes it will within the next year.
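The following added example (not from the article, and not any vendor's verification service) models the cross-border check just described: a receiving verifier pulls the certificate chain referenced by the PASSporT's `x5u` header and accepts the call only if that chain ends in a CA on its own trusted CA List. The certificates, the x5u repository, the CA names and the phone numbers are all constructed for the illustration, and the ES256 signature check over the token is assumed to have already passed.

```python
import base64
import json

# verstat values a verifier attaches to the call (ATIS-1000074).
VERSTAT_PASS = "TN-Validation-Passed"
VERSTAT_FAIL = "TN-Validation-Failed"
VERSTAT_NONE = "No-TN-Validation"

# Constructed x5u repository: URL -> certificate chain, leaf first, root last.
# Certificates are modelled only by subject/issuer names (simplification).
X5U_REPO = {
    "https://cr.example.ca/sp.pem": [                 # hypothetical Canadian SP
        {"subject": "SP CA-Telecom", "issuer": "STI-CA Canada Root"},
        {"subject": "STI-CA Canada Root", "issuer": "STI-CA Canada Root"},
    ],
}
US_CA_LIST = {"STI-CA US Root"}                        # constructed U.S. list
MERGED_CA_LIST = US_CA_LIST | {"STI-CA Canada Root"}   # after a bilateral merge

def b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def chain_anchored(chain, trusted_cas):
    """Walk leaf -> root: each issuer must be the next subject, and the
    self-signed root must appear on the receiving country's CA List."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    root = chain[-1]
    return root["subject"] == root["issuer"] and root["subject"] in trusted_cas

def verify_passport(token, trusted_cas):
    """Return the verstat the receiving country's verifier would assign."""
    if not token:
        return VERSTAT_NONE                        # unsigned call: nothing to check
    header = b64url_decode(token.split(".")[0])
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        return VERSTAT_FAIL
    chain = X5U_REPO.get(header.get("x5u"))
    if not chain or not chain_anchored(chain, trusted_cas):
        return VERSTAT_FAIL                        # CA not on this country's list
    return VERSTAT_PASS

def canadian_signed_call():
    """Constructed SHAKEN PASSporT for a call signed in Canada (signature stubbed)."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cr.example.ca/sp.pem"}
    claims = {"attest": "A", "dest": {"tn": ["12025550100"]}, "iat": 1700000000,
              "orig": {"tn": "16135550100"}, "origid": "constructed-id"}
    return ".".join([b64url(hdr), b64url(claims), "signature-placeholder"])
```

With only the U.S. list the Canadian-signed call fails verification; once the Canadian root is on the merged list the same token passes, which is the effect of the bilateral CA List merge described above.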
Issues of scale
Establishing a single bilateral agreement to merge trusted CA Lists with one country is already difficult and time-consuming. Add roughly 200 other countries, and the number of pairwise agreements that would have to be negotiated among them makes scaling this direct approach enormously slower and more complex.
A centralized database model has been proposed for many sources to register within, allowing these agreements to be done in a more scalable fashion. However, that comes with its own set of issues. Who do you trust? What are the criteria for joining? How will information be monitored and amended? Who hosts the database and who has access to it?
Even once these questions are answered, keeping bad actors out of the system requires a rigorous vetting and Know Your Customer (KYC) policy to be defined and implemented as well. Such a policy does not guarantee that bad traffic is eliminated or prevented entirely, but it acts as a monitoring, verification, and enforcement mechanism that can sustain a higher level of trust.
Regulatory differences and challenges
In the United States, the TRACED Act put out by the FCC defines the need for a caller ID authentication framework in order to address consumer complaints and combat the origination of illegal robocalls. While the TRACED Act does refer to the STIR/SHAKEN standards as a solution, there is a potential danger in tying laws and regulations to the standards themselves, because standards in general need to be able to change and be amended quickly when required. It also complicates the idea of a single standard that can address and satisfy the laws and requirements of many different countries.
“There are very few countries, other than the U.S., that have passed legislation that demands dealing with robocalling. Not many have specifically referenced STIR/SHAKEN in legislation the way the U.S. has come close to doing. But even if you don't have it in the legislation, if every country tackles the problem in their own way, then it might work for all calls within their country but we all know that that's only a small subset of the problem because it won't work between countries and globally.”
— Jim McEachern
Making international STIR/SHAKEN successful
There is not going to be a single deployment of STIR/SHAKEN that can be applied globally all at once, nor a global policeman who can mandate that everyone implement the standards in the same manner. Instead, there will be multiple mechanisms and solutions, all of which will have to rely on a standard that takes interoperability into account in order to work end-to-end. To give it the best chance of eliminating or preventing illegally spoofed calls, there must be a robust monitoring and enforcement mechanism, such as a Know Your Customer solution, so that implementation can expand without compromising integrity.