After adopting orders reflecting the majority of implementation deadlines set by the TRACED Act and the Supreme Court’s highly anticipated TCPA decision interpreting the statutory definition of automatic telephone dialing system in the first half of 2021, all eyes are on what the FCC has planned. Midsummer seems like a good time for a year-to-date review to track where the FCC has been and where it is headed next in its TCPA oversight and enforcement roles.
STIR/SHAKEN Call Authentication Framework
Last week, the FCC adopted its January 2021 proposal and issued a Report and Order establishing what the FCC describes as “a fair and consistent process” that a voice service provider can use to challenge a decision by the STIR/SHAKEN framework Governance Authority to strip that provider of the “digital token” that authenticates calls on that provider’s Internet-Protocol (IP) networks.
The STIR/SHAKEN framework grants “digital tokens” to voice service providers that follow a path to eligibility. A digital token is an indication that the provider meets three FCC-established eligibility criteria and has executed a signed agreement stating that it will follow a number of specifications. The eligibility criteria are: the provider has a current FCC Form 499A filing, the provider has been assigned an Operating Company Number, and the provider has certified participation in the STIR/SHAKEN framework or compliance with the FCC’s Robocall Mitigation Program requirements. But if the Governance Authority or the Policy Administrator finds that a provider has breached its signed agreement, has compromised its “digital token,” or otherwise is no longer compliant with SHAKEN/STIR program requirements (such as the Service Provider Code Token Access Policy, last updated May 2021), then the provider’s “digital token” can be revoked.
Revoking the “digital token” will also invalidate a voice service provider’s STIR/SHAKEN digital certificate, which is a big deal for the provider and its customers. The STIR/SHAKEN framework is premised upon end-to-end verification of a call’s identity header using the digital certificate assigned to each provider as the call transmits from one provider network to another. As many regular readers of our blog may recall, the FCC in June 2019 and July 2020 adopted a “call-blocking by default” framework that, among other things, shields voice service providers from liability when they block calls from transmitting through their networks “based on reasonable analytics that incorporate caller ID authentication information.” The majority of IP-based voice service providers (except those approved for an exemption in December 2020 or approved for delayed compliance in September 2020) have also implemented the STIR/SHAKEN call-authentication framework by June 30, 2021 (after the FCC rejected requests to extend that deadline in March 2021), as required by the TRACED Act and the FCC’s implementing order. For these reasons, revoking a voice service provider’s authentication “digital token” means that calls initiating or transmitting through that provider might break the “end-to-end chain of trust” and are likely to be blocked by other providers on a network level.
Because of the importance of these “digital tokens,” the FCC decided that its Wireline Competition Bureau (WCB) would retain an oversight role to adjudicate appeals from “any voice service provider aggrieved by” the Governance Authority’s token-revocation decisions. This WCB process will follow the Governance Authority’s own appeal process in order to “enable the dispute to fully develop before potentially reaching the Commission.” An aggrieved provider must make a filing to request WCB review within 60 days after exhausting the Governance Authority appeal, and the WCB must make a decision within 180 days after the request for review is filed “except in extraordinary circumstances” or “when actions outside the [WCB]’s control delay [its] review.” The WCB will review the request in the first instance (a de novo review), and WCB decisions can then be appealed to the full FCC for its review. Some readers might recognize that this process is very similar to the appeals process in the universal service programs.
Most significantly, as soon as the Governance Authority makes a decision to revoke a token, the voice service provider can no longer maintain possession or actively use its “digital token.” But until its window for seeking appeal has lapsed or its appeal to the WCB has resulted in a final decision, the provider is not considered in violation of the FCC’s STIR/SHAKEN rules.
This week also concluded the comment cycle for more proposed rules in the STIR/SHAKEN framework proceeding. While the June 30, 2021, implementation date for most large IP-based voice service providers has passed, many small providers have been granted a delayed deadline of June 30, 2023, for compliance with the STIR/SHAKEN call-authentication framework by the FCC, as authorized by the TRACED Act. The FCC has observed, however, that robocallers appear to have adapted their strategy to begin primarily using smaller voice service providers to originate their illegal calls in an attempt to circumvent the effectiveness of the STIR/SHAKEN call-authentication framework. Faced with this challenge, the FCC proposed a list of measures in a Third Further Notice of Proposed Rulemaking (FNPRM) on May 21, 2021.
For example, the FCC proposed to “shorten the deadline from two years to one [until June 30, 2022] for the subset of small voice providers that are at a heightened risk of originating an especially large amount of robocall traffic.” In addition to soliciting real-time data from voice service providers to support the FCC’s robocall volume analysis, the FCC invited commenters to suggest ways to define and identify these high-risk small voice providers. The FCC also appears to be interested in balancing “the benefit that will result from shortening the extension” against “the burdens and barriers of implementing STIR/SHAKEN for” these high-risk small voice providers. The comment cycle on these proposals ended on August 9, 2021.
Robocall Mitigation Program
September 28, 2021, will mark the effective date of a new form of “call blocking”: the FCC rules will begin prohibiting intermediate and terminating voice service providers from accepting traffic from voice service providers that failed to file certifications addressing their STIR/SHAKEN authentication framework compliance efforts and robocall mitigation methods before June 30, 2021, in the Robocall Mitigation Database that the FCC opened on April 20, 2021. This prohibition currently would also apply to “a foreign voice service provider that uses North American Numbering Plan resources … to send voice traffic to residential or business subscribers in the United States” that fails to file in the Robocall Mitigation Database. We note that this particular portion of the new call-blocking requirements is the subject of two pending petitions for reconsideration filed by CTIA and the Voice on the Net Coalition, the comment cycle for which closed on February 8, 2021.
September 28, 2021, will also be the day before the one-year anniversary of the FCC’s initial implementation of the Robocall Mitigation Program under the TRACED Act. This development was significant because the FCC substantially expanded the scope of the Robocall Mitigation Program beyond the TRACED Act mandate. While the TRACED Act only required voice service providers that are permitted to delay compliance with the STIR/SHAKEN framework to “implement an appropriate robocall mitigation program,” the FCC ultimately decided that “all voice service providers—not only those granted an extension—[must] file certifications with the Commission regarding their efforts to stem the origination of illegal robocalls on their networks.” A compliant certification must state whether the provider’s traffic is “fully, partially, or not yet signed with STIR/SHAKEN,” disclose the types of “extension or extensions received” from the FCC, enumerate “specific reasonable steps taken under a program to avoid originating illegal robocalls, and [demonstrate] a commitment to respond to traceback requests and to cooperate with investigating and stopping illegal robocalls.”
Numbering Resources
On August 5, 2021, the FCC also voted unanimously on more proposals meant to implement the TRACED Act’s mandate that the FCC “examine whether and how to modify [its] policies to reduce access to numbers by” providers of interconnected voice-over-IP (VoIP) services. The FNPRM would require that VoIP providers complete additional certifications as part of the direct access to the numbers application process. These certifications include that the provider “will use numbering resources lawfully, will not encourage nor assist and facilitate illegal robocalls, illegal spoofing, or fraud, and will take reasonable steps to cease origination, termination, and/or transmission of illegal robocalls once discovered”; and that the provider “has filed in the Robocall Mitigation Database” and has fully or partly implemented STIR/SHAKEN caller ID authentication or a robocall mitigation program, as applicable.
If the FCC adopts these rules, VoIP providers would also have to “disclose foreign ownership information,” and “update the [FCC] … within 30 days of any change to the ownership information.” The FCC would also delegate authority to the Wireline Competition Bureau “to reject an application for direct access authorization if an applicant has … been found to have originated or transmitted illegal robocalls.”
While these rules that the FCC seeks to amend currently only apply to interconnected VoIP providers that apply for and receive FCC authorization for direct access to numbers, the FCC is also considering whether to expand these requirements to “one-way VoIP providers or other entities that use numbers.” So far, the FCC does not appear to plan to impose these requirements on voice service providers that currently rely on secondary access to numbers through a traditional telecom carrier.
Comments and reply comments to these proposals are due 30 days and 60 days (respectively) after the FNPRM is published in the Federal Register. As of the time of this posting, this Federal Register publication has not occurred.
Reassigned Numbers Database
Good news for some businesses that have been asking about the risk of unwittingly calling an unintended recipient: The beta test for the FCC’s Reassigned Numbers Database began on July 1, 2021, and will run through September 30, 2021. Even better news: callers and caller agents can use the database without charge during this time and still qualify for the safe harbor that the FCC adopted in 2018.
It indeed has taken some time since the FCC unveiled its blueprint for the Reassigned Numbers Database to help callers that are eager to determine whether a telephone number has been reassigned from the consumer they intend to reach to a new person or entity. According to the FCC, this beta period is meant for “callers and caller agents to understand their usage needs prior to signing up for a paid subscription,” as well as to test and provide feedback for the system.
The accuracy and functionality of the Reassigned Numbers Database are largely dependent on the preparation and continued data input of service providers. Following their internal record-keeping and number-aging-tracking efforts that began last summer, service providers began reporting permanent disconnections of their subscribers on a monthly basis on April 15, 2021, based on meticulous technical specifications for compiling data files announced by the Database Administrator on January 15, 2021.
TCPA Amended Exemptions
One of the biggest FCC events in the TCPA realm in 2020 was the amendment of nine TCPA exemptions that the FCC adopted on December 30, 2020. Yet, eight months later, the majority of these amendments remain pending, as the Federal Register announced on February 25, 2021, that they are “delayed indefinitely.” Meanwhile, two petitions for reconsideration of the adopted amendments based on the same confusion that our TCPA team discussed in February 2021 remain pending.
State of “Call Blocking”
Besides USTelecom’s May 6, 2021, petition for reconsideration of the Fourth Report and Order that the FCC adopted on December 30, 2020, the “Call Blocking by Default” proceeding did not see much action in the first half of 2021.
Like this post, the FCC on June 29, 2021, published its Second Call Blocking Report to summarize its recent efforts on the implementation of call blocking and caller ID authentication frameworks since the release of the First Call Blocking Report in February 2019. The Second Call Blocking Report compiles updates on a number of call-blocking issues, such as the availability and effectiveness of call-blocking tools offered to consumers and updates on how the FCC’s actions in the last two years have affected illegal calls, 911 services, and public safety.
In the Second Call Blocking Report, the FCC took pride in its “multi-pronged approach that includes aggressive enforcement, consumer education, and creating an effective regulatory environment that enables and encourages phone companies and others to proactively stop unwanted robocalls from ever reaching customers” and pledged to “build on this foundation and continue to use every tool at its disposal to combat and prevent illegal robocalls.” This sentiment was again highlighted by Acting FCC Chair Jessica Rosenworcel at the August 2021 Open Meeting: “If you want to stop robocalls, you need to look far and wide. You need to identify every policy and every practice that makes it possible for these nuisance calls to get through. That’s what we do here.”