
FCC will require phone carriers to authenticate calls by June 2021 [pdf] - hbcondo714
https://docs.fcc.gov/public/attachments/DOC-363399A1.pdf
======
cletus
Good. But really, why did this take this long?

It should be relatively easy to identify the bad actors here and I don't mean
the spammers, I mean the telcos that make this possible, deliberately so, by
essentially "laundering" spam calls.

My response to picking up a number is to answer the call and say nothing.
Auto-dial systems will route the call to a person when they get a "live"
response. I don't know the criteria but I'm pretty sure it's them detecting
noise on the call (which could be voicemail).

A human calling will wonder what is happening and fill the silence by saying
something. A machine will not.

I hang up within 6 seconds of this in the hopes that it affects some metric
somewhere of this being a low-quality or spam call. I don't know if it does. I
think I read somewhere once that it did. I could be wrong.

If a real human is on the other end and does say nothing in this window,
they'll generally just call right back. You get the exact same number again
then this time I'll answer it.

It is nice to filter contacts vs non-contacts but there are too many things on
non-contacts. Businesses you deal with, primarily.

In the email world where obviously spam is a huge problem zombie relays that
allow this (which I believe is the primary source?) can get blacklisted. Why
don't telcos who do this also get blacklisted? Or at least identified? This
isn't AT&T or Verizon. It's the little telcos that connect to them.

But is this all too little too late? I think we've discovered over the last 20
years that we're all pretty much over open networks. It's all opt-in now with
the likes of Whatsapp, FB Messenger and so forth.

Oh and while we're at it, can we get rid of this stupid exemption to
robocalling restrictions for political campaigning? It's defended as
"political free speech". To me, this is nonsensical. Free speech doesn't mean
that I should be forced to listen to it.

EDIT: Found an example [1] of the bad actors I'm talking about.

[1]: [https://www.theverge.com/2020/1/31/21117477/justice-department-telecom-scams-robocalls](https://www.theverge.com/2020/1/31/21117477/justice-department-telecom-scams-robocalls)

~~~
nimish
It took this long because the FCC is run by people who simply do not believe
in using government to enforce oversight.

~~~
readme
We shouldn't interfere in the free market. Those robocalls are just good old
American ingenuity.

~~~
rapnie
Indeed. I'm from the Netherlands and never, ever in my life received a
robocall, and also do not know anyone else who received one.

~~~
wiz21c
I live in Belgium. I receive such a call on average twice a (week) day.
Sometimes it's just blank call (nobody answers) sometimes they're offering
gifts if I go to shop X, they ask if I want to compare my phone/energy bill.

The funniest one is when my fixed line provider (let's call it P) calls me on
my mobile phone (which is another provider) and asks me if I'm one of _their_
(P) customer :-) (the explanation is that the mobile/fixed businesses are
separated to avoid monopoly and, since they can't share customer data ('cos of
data protection rules), they have to ask them again :-))

~~~
hyperman1
Seconded for the P. They call me every 3 months. Every single one promises
they'll note in their CRM how I won't be contacted again. None can answer why
they didn't read the note from all their previous calls.

------
mulmen
Does this mean I can start answering my phone again? Are there other vectors
for spam calling which are not addressed by this solution?

~~~
0xff00ffee
After 15 years of cell phone spam, anything that shows up as a number on my
personal phone, and not a contact, is reflexively ignored. I don't think I'll
ever shake this habit: if it is important, they will leave a message.

~~~
SketchySeaBeast
I'm struggling with the decision of whether to automatically block anyone not
in my contact list and leave a message in my voicemail explaining why. Don't
want to be unfriendly, but it's only getting more ridiculous.

~~~
grahamburger
Recent versions of Android have an option to automatically screen callers who
are not in your contact list. The caller gets a robot asking them why they're
calling, and you can view the transcript of their response in real time and
decide whether or not to answer.

~~~
ChuckMcM
As I recall this was a Google Voice feature as well.

My mobile carrier puts "scam likely" on calls that its algorithms have
determined are likely spam, I wish there was an android option to just not
ring the phone if that was the caller ID name.

~~~
bonestamp2
My carrier was doing that but I haven't seen it on any spam calls lately.

------
ugh123
I didn't see anything in there about penalties for carriers not enforcing
this. Also willing to bet they beg for extensions claiming they're not ready -
or too costly to implement.

~~~
ableal
Good point. I suspect carriers tolerate scammers because they're good for the
bottom line.

~~~
jazzyjackson
The same way USPS is funded by junk mail, a large volume of Telecoms' voice
calls is likely robo-caller spam. Still I would have thought either Verizon or
AT&T could come up with a competitive advantage of, you know, "the number that
comes up on caller ID is authenticated to actually be the person paying for
that phone number"

The spoofed caller ID to match your local area code has landed on people in my
contact list, and it was extremely jarring to think "why is my best friend's
mom calling me out of the blue" and get offered a discount cruise by a robot.

~~~
Simon_says
Telecoms have no problem figuring out who to bill.

------
webkike
If you’re wondering if STIR/SHAKEN was a James Bond reference, the answer is
yes, and SHAKEN stands for “Signature-based Handling of Asserted information
using toKENs”

~~~
nsxwolf
Backronym writing is a real gift.

------
tgsovlerkhgsel
How will delegation be handled?

Right now, I guess I'm "spoofing" my caller ID by using a VoIP service
unrelated to my actual phone provider to make outbound calls. My phone
provider has every incentive to sabotage this, since this alternative provider
allows me to pay probably something like 1% of the rates I'd be paying to my
regular provider.

The VoIP provider verifies that I own the number before letting me use it as
caller ID, but towards the network it still relies on the ability to send
arbitrary caller IDs. Will this remain possible/will providers controlling
someone's phone number be required to somehow enable this?

How will this work for call centers that want to send a central well-
publicized inbound number from multiple locations?

Edit: So I read up on the protocol. The SIP provider will provide a claim,
signed with their key, confirming that they checked my number.

This leaves the possibility of providers having bypassable checks (I think
mine e.g. let you set an arbitrary caller ID if you edited a HTML dropdown
client-side) and "how to identify which provider is trustworthy", but that
seems a lot easier to solve than the original problem.

------
mehrdadn
Can someone explain what this will translate into in terms of the end-user
experience? For one thing, authentication will be next to useless (at least to
me) if my phone is still going to ring. So does that mean it's not going to
ring for a spoofed number? Also, if it results in tons of voicemail then
that's still going to be quite annoying. (How) is the actual end-user
experience going to be addressed?

~~~
cglong
From my understanding, it basically means all telecoms will be required to do
what T-Mobile already does in the U.S. If I get a call and the reported Caller
ID doesn't match the transmitted one, it reads on my phone as "Scam Likely".

Pixels also have their own solution to this: If that condition occurs, the
Google Assistant will answer the call and auto-decline if it is actually a
robocall.

~~~
mehrdadn
So that means phones will still ring (unless you have a Pixel or something)?
That will still drive people crazy!

~~~
yellow_lead
Some carriers may have the ability to limit calls to customers based on
attestation level. Customer could configure they only want to receive i.e. "A"
attested calls. This means the carrier from where the call originated knows
that the customer who made the call owns the number they dialed from.

~~~
mehrdadn
Right, but I guess I'm asking, are plans for this in the works? Because
currently I'm not aware of anything like this, nor of any plans to implement
anything like this. None of the announcements suggest it might be happening
either, so that's why I'm lost as to what the end-user experience would be.

~~~
yellow_lead
I can only speak for one carrier, and the answer as of this moment is no.
Pretty much everyone is struggling to meet the FCC's aggressive timelines and
do interoperability testing with each other. After that is done, maybe. I'm
sure the FCC has upcoming requirements based on this, but to my knowledge
those aren't out yet. If the FCC doesn't make additional requirements, then it
will depend on the carrier's decision. I'm under the assumption that they will
introduce those additional requirements though.

~~~
mehrdadn
I see. Thanks!

------
hirundo
90% of my phone calls are from the same outfit informing me that this is my
last chance to renew the extended warranty on my car. Based on my call history
that recording is officially my best friend. And a very forgiving one given
that it has been my last chance hundreds of times over the past several years.
I hope this regulation won't interfere with our relationship.

~~~
reaperducer
100% of the spam calls on my work phone in the last six months have been
trying to sell me Marriott time shares.

I don't know if it's actually Marriott or not. I suspect it's just one of
those "affiliate marketing" scumbags, but it still makes the brand look bad.

~~~
fortran77
It's not Marriott. I feel a little bad for the big hotel chains whose names
are used by telemarketing scammers because their reputations get tarnished.

------
annoyingnoob
There is something else that recently reduced the spam calls I get,
enforcement:
[https://arstechnica.com/tech-policy/2020/02/fcc-accuses-carriers-of-being-gateways-for-foreign-robocallers/](https://arstechnica.com/tech-policy/2020/02/fcc-accuses-carriers-of-being-gateways-for-foreign-robocallers/)

Knowing a number is legitimate is great, going after scammers and those that
support them is better.

------
Negitivefrags
Why is this problem unique to the USA?

I'm not saying I never get spam calls, but I certainly have to scroll back
quite a bit in my phone call history to see the last one.

Also, on the rare occasion I do get a spam call it's always from some random
international country like South Sudan or Oman that I would never expect a
phone call from.

What makes this problem uniquely hard to solve for the USA as opposed to
anywhere else?

~~~
reaperducer
_Why is this problem unique to the USA?_

Every time this topic comes up on HN, someone asks that same question.

Then there's a bunch of responses that are lots of suppositions.

Then several people from small European countries chime in saying they've
never had a spam call.

Then a bunch of Europeans from large countries show up saying they get spam
calls, too, and it's not just an American thing.

"Why is this problem unique to the USA?" is pretty much a meme at this point.

Also...

You start with "Why is this problem unique to the USA?" Then follow
immediately with, "I'm not saying I never get spam calls" which means it's not
unique to the USA. So your first sentence is invalid.

~~~
omginternets
Oh, I can actually weigh in here. In the past ten years, I've spent
significant amounts of time in the US, France and the UK.

In the UK, I get the occasional spam call ("I'm calling with regards to the
recent accident that wasn't your fault..."). At its peak, I got about one such
call per week. It's been months since I've had a spam call.

In France, I got zero. In the 7 years I lived there, I got exactly zero.

Every time I go to the US, I get 2-5 per _day_ ("last chance to renew the
extended warranty on your car").

As is often the case, things are bigger in the US.

~~~
perl4ever
Different people in the US have different experiences. Why is some random
anecdote (assuming it's not made up) good enough to define xxx million people?
I _don't_ get 2-5 calls per day. My experience is more like what you describe
with the UK. But that could be affected by my being on the do not call list on
one hand, and on the other, occasionally answering a telemarketer by accident
when I'm waiting for another call.

~~~
omginternets
>Why is some random anecdote (assuming it's not made up) good enough to define
xxx million people?

It's not. Who told you it was?

Experience reports are still useful and interesting.

------
bryanmgreen
Right now I use Apple's "Send Unknown Numbers To Voicemail" feature and dear
lord it has saved my life.

Will be nice to go a step further.

------
imajoo
You can see various carriers' responses here:
[https://www.fcc.gov/call-authentication](https://www.fcc.gov/call-authentication)

Some have provided timelines (such as AT&T), others skirt around it basically
saying that they offer call SPAM protection already but that they will go
along.

------
ilamont
Kind of curious why it took so long. Spoofed calls for fraud, swatting, etc.
have been around for at least ten years.

~~~
gnopgnip
There are three big issues. Robocalls and spam were not as severe an issue
until relatively recently. Political robocalls in the US are an important part
of how some politicians get elected and raise funds. And these solutions cost
a non-trivial amount of money, without increasing revenue directly.

~~~
bmm6o
This is about requiring authentication, not blocking robocalls in general.
Right?

~~~
gnopgnip
Authentication means blocking any calls with spoofed or no info

~~~
bmm6o
Right, but does robocall imply spoofed or no info? Can't they just include
authentication?

------
nsxwolf
Is this going to impact PBX systems that use ANI Information Elements to route
calls and provide caller information to customer service applications, etc?
Spoofing is kind of at the heart of those things.

~~~
skrtskrt
ANIs will still get "spoofed" as there are many legitimate use cases, but you
have to "have permission" to use the number you're spoofing, meaning either
you own the number or your underlying service provider owns it on your behalf.

The legitimate use case is basically: I am placing this outbound call over
VOIP or a different phone line, but I want this ANI to show up on the callee's
phone, so when they call back they go to the correct line (dentist's desk,
software sales line, whatever)

~~~
phs2501
The issue is when I have an automated answering system (asterisk, for a
museum). It rattles off some prerecorded info, possibly with prompting. To
talk to a human, I need to forward the caller (i.e. call and set up a voice
bridge since the caller is already connected to me) to one of our volunteers,
which will be to their cell phone (we are a railway museum and we don't have a
staffed office on weekdays). I want to forward the call with the original
caller's phone as the caller ID so that if they miss the call our volunteer
can call back easily rather than trying some awful game of tag via calling
back the PBX.

~~~
skrtskrt
This should still be available, though it will likely take some work from the
underlying software provider to be compliant.

The goal of the regulation is to cut down spam/scam calling, not legitimate
uses, and the telecom providers know these uses and lobby heavily to make sure
they'll still be allowed to work.

The telecom providers don't like scam calls either, or more specifically they
don't like short calls. All the work and compute power in telecom is used to
set up the call, then the cost of keeping it going is minimal so the longer
the call goes on, the more economical it is for the provider

~~~
rob-olmos
How will it still be available and what underlying software work in Asterisk
is being referred to?

Based on the given situation, the museum won't own the caller's cell phone
number that they're trying to legitimately spoof for their staff's cell phone.

~~~
skrtskrt
You've reached the limit of my knowledge here regarding implementation details
:)

Asterisk is an open-source PBX system.

I _think_ the original call will come in with the correct STIR/SHAKEN-
validated SIP headers and the PBX can forward them as is, see some discussion
here:
[https://community.freepbx.org/t/stop-robocalls-act/60921/5](https://community.freepbx.org/t/stop-robocalls-act/60921/5)

I previously worked at a telecom software company, and I know everyone with
their shit together has been preparing for this for a long time, which is why
I'm not concerned that these common cases should continue working. These
softwares are often built on top of or on a branch of Freeswitch/Asterisk.

~~~
phs2501
Good to know; I admit I haven't looked at the technical side of this. Mostly I
was just providing my "legit" use case for wanting to spoof numbers since I
think a lot of times most people don't realize they exist.

------
Cymen
Any ideas on how this will be implemented? I use voip.ms and I can put in my
cell phone number as my caller ID so I don't need to pay for a DID (basically,
rent a phone number) and calls come back to my cell.

I've thought about some potential SaaS products that would leverage a similar
approach. But I would authenticate the number back to the customer before
allowing it to be used to avoid spam/malicious use.

Based on this:

[https://www.zdnet.com/article/at-t-comcast-successfully-test-shakenstir-protocol-for-fighting-robocalls/](https://www.zdnet.com/article/at-t-comcast-successfully-test-shakenstir-protocol-for-fighting-robocalls/)

I'm guessing this is down a layer at the provider level. So in my case,
voip.ms would verify the number I'm using as my caller ID is actually a number
that comes back to me. Right now, I just tested by swapping my wife's cell
number in, they do not validate this. Now I understand how people are spoofing
numbers so easily.

Obvious approach is to voice call or text the number and require the
confirmation code to be entered on the website. Just curious though if there
are other requirements or if this is up to the provider.

------
davidajackson
I don't think SHAKEN/STIR will stop robocalls, because the economics won't
change. It's too easy for foreign robocalls to cycle numbers once one gets
blocked. It will help with impersonation, but I don't believe it will
significantly decrease robocall volume.

I think the telecommunications world will need to adopt whitelisting instead
of blacklisting. I run a whitelist-based robocall blocking service called
CallStop and a lot of customers have straight up given up using their
landline, or their personal number with unknown numbers.

People who claim that whitelisting is a bad solution because it could block an
emergency call don't realize that many people don't answer unknown calls
anymore--and I don't think SHAKEN/STIR will change that.

~~~
ehsankia
Can you extend a bit on that, maybe I'm not understanding the problem right.
Isn't having calls being authenticated the first step before you have
whitelist/blacklist? Once every call can be definitively attached to a given
source, then you can ban any foreign provider that lets these proliferate
completely, no?

~~~
davidajackson
SHAKEN/STIR + Whitelisting is the best solution. SHAKEN/STIR by itself isn't
going to change things too much I think. But it is a step in the right
direction.

Whitelisting without SHAKEN/STIR is still extremely functional.

There are billions of unique American numbers possible, and with 250-500
average contacts per random dial, contact spoofing is not statistically
significant.

~~~
fortran77
Not when you can contact spoof banks, major drug store chains, AppleCare, etc.

~~~
davidajackson
Good point, if they're calling from a specific number. I see a lot of
complaints about companies like FedEx though, where the calls come from random
numbers.

------
megavolcano
I swear to god the number of times I've hung up on people threatening visits
from the FBI because I'm behind on my taxes (spoiler: I'm not) has been
driving me literally insane. Maybe I can actually turn my ringer on my phone
off of silent mode one day.

------
mikorym
Do robocallers spoof the number that gets displayed? I haven't personally seen
that.

------
tomcooks
If you get phonespam whisper at increasingly lower volumes, then out of the
blue shout I HAVE ALREADY TOLD TO YOUR MANAGER TO BLACKLIST MY NUMBER WHAT IS
YOUR SURNAME AND CUSTOMER SUPPORT ID

They usually hang up at 'blacklist'.

------
peter_d_sherman
I think this is a great idea on the one hand...

...But it will equal-and-oppositely create a market, perhaps a black market,
for anonymous voice calls on the other... Perhaps these would be delivered by
an open source Voice-over-IP program which uses an anonymizing P2P network as
its backbone...

Also... will it make any difference for phone calls that originate outside of
our country?

Now, those small observations aside, I think that hard authentication of the
source of phone calls, is a great idea to help combat scammers and
robocalls... I'd use this service myself, and I know other people that would
be immensely benefitted from it...

------
g_p
Sounds like a good first step to solve the problem of how the legacy telecoms
systems were designed in a world of trusted peers federating. End result of
course being spoofed caller ID spam.

Unless I'm missing something though, these measures don't do anything to
address the gaping security hole in mobile networks around roaming
interconnects. That seems to still be a pretty good way to do SMS and call
interception, which are increasingly valuable as phones become the de-facto
2FA channel for access to banking, cryptocurrency services and more.

------
anonymousiam
I've got a FreePBX/Asterisk VoIP PBX and I've thought about running
TeleCrapper2000
([https://hackaday.com/2005/09/08/telecrapper-2000/](https://hackaday.com/2005/09/08/telecrapper-2000/)),
but a better solution is to just put Google Voice in front of it and turn on
"Screen Calls". It does a very effective (although not 100%) job of
eliminating most robo/sales calls.

~~~
ulkesh
The audio delay on Google Voice is too horrible for an impatient person like
myself. I’d love this feature baked into phones. Odd that it’s not yet.

------
cryptonector
About time. How will SS7 get fixed though?

------
wbsun
Finally, although there is still more than a year to wait. Hope there won't
be any extension to this deadline.

Before that, I'll keep allowing calls from my contacts only, and bear the
miserable inconvenience that sometimes my packages may take a month to arrive
because of denials of calls from the delivery guy.

~~~
devindotcom
There is in fact an extension for small providers who say they need more time.

------
tiffanyh
How do services like Twilio stay compliant with this regulation?

~~~
davidajackson
I'm guessing they talk with the carriers regularly about being compliant. I
asked them about it recently and they said in a response ticket they were
following along with progressions in authentication. There may be someone who
works for Twilio on this thread that has more info though.

------
YokoZar
I answered my phone today, since maybe people are calling due to everything
that's happening

Turns out they're still doing that robocall scam where they say you won a free
cruise

------
0xff00ffee
Google Voice impact?

~~~
kirykl
Maybe a registry of parties trusted to spoof

~~~
markovbot
What parties are trusted to spoof? Having a telecom industry group play
favorites with who is and isn't allowed to spoof anyone's phone number sounds
like it would be bad.

------
dayaz36
Hold up...does this mean all voip calls need to be authenticated too? Why is
no one talking about the privacy implications of this?

------
zubi
For those who don't live in the US, this entertaining video by John Oliver
might give some context:

[https://www.youtube.com/watch?v=FO0iG_P0P6M](https://www.youtube.com/watch?v=FO0iG_P0P6M)

~~~
7ewis
Ironically, the video is only available in the US.

Had to hop onto my VPN to view.

Edit: Ok, at least not viewable in the UK!

~~~
selectnull
I'm not in the US and I'm able to watch it. Maybe it's not available in your
country, but it is available in at least one other country than US.

------
imprettycool
Because of robo calls I forward all my calls to a disabled voicemail box. My
phone hasn't rung in over 2 years

------
jccooper
Good. That'll solve a lot of problems. Spoofers are about the only thing that
gets through my spam filters now.

------
hkiely
Is this now just a problem on mobile phones in the USA now that we have the no
call list legislation?

~~~
reaperducer
_Is this now just a problem on mobile phones in the USA now that we have the
no call list legislation?_

The Do Not Call list has been around for almost 30 years.

[https://en.wikipedia.org/wiki/Do_not_call_list](https://en.wikipedia.org/wiki/Do_not_call_list)

------
adelHBN
Wait, wasn't this already done? Seriously! We are doing this now. Why has it
taken so long!

------
hammock
What are the privacy implications of this requirement?

~~~
DaniloDias
None. You are already in a weak non-repudiation environment with cell phones.
This solution will reduce some spoofing, but I doubt it will eliminate it.

It will be interesting to see who will be running the CA for these
connections.

------
leowoo91
Wait, caller-id was not authenticated all the time?

~~~
JdeBP
It's a widespread incorrect belief.

* [http://jdebp.uk./FGA/truths-about-telephones.html#CallerID](http://jdebp.uk./FGA/truths-about-telephones.html#CallerID)

------
ronack
Will this also prevent spoofed text messages?

~~~
RKearney
I have never received a spoofed SMS message so I already thought this was
impossible.

~~~
ronack
It's definitely a thing and prevents some SMS use cases due to this security
hole. This new FCC doc only references tracing the original sender.

"The FCC has also called on the industry to “trace back” illegal spoofed calls
and text messages to their original sources."

------
Commodore_64
Nice

------
aalebel33
and all it took was a pandemic

~~~
markovbot
is there any reason to believe this is anything other than the next step in a
long, slow-moving process? SHAKEN/STIR has been being rolled out for a few
years now, IIRC most major players said they were going to have it deployed by
the end of 2019 (see response column of table towards the bottom of
[https://www.fcc.gov/call-authentication](https://www.fcc.gov/call-authentication)),
now they're just setting a deadline of June 2021 to start
authenticating calls.

------
throwaway55554
Not soon enough.

------
negus
It is bad news for the US citizens indeed. Unauthenticated phone number is the
last island of privacy in our modern world. Think about it: from some point
all citizens will carry a geolocation tracking device that is directly linked
with their ID. The internet access will also be bound to your ID and so on.
There are better ways to fight spam that do not pose a threat to privacy --
think about email or Facebook. There were tons of spammers, but there are
commercial spam filters that do well now.

I live in a country where cellphone carriers are legally forced to
authenticate users. And this data is used against political opposition and
journalists.

~~~
jeremyjh
No. Per TFA: STIR/SHAKEN enables phone companies to verify that the caller ID
information transmitted with a call matches the caller’s phone number.

~~~
negus
Well, I misunderstood the point. Thanks for the clarification

