Update (April 1, 2020): The Federal Communications Commission voted unanimously to finalize the anti-robocall order on March 31, 2020, complying with instructions the commission received from Congress. The order "requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, a deadline that is consistent with Congress’s direction in the recently-enacted TRACED Act," the FCC said. As we wrote earlier, the FCC plans a one-year deadline extension for small phone providers. The FCC also voted to seek public comment on how "to promote caller ID authentication on voice networks that do not rely on IP technology," meaning older landline networks.

Original story from March 6, 2020 follows: Phone companies would be required to deploy technology that prevents spoofing of Caller ID under a plan announced today by Federal Communications Commission Chairman Ajit Pai.

Pai framed it as his own decision, with his announcement saying the chairman "proposed a major step forward... to protect consumers against spoofed robocalls." But in reality the FCC was ordered by Congress and President Trump to implement this new rule. The requirement on the FCC was part of the TRACED Act that was signed into law in December 2019. Pai previously hoped that all carriers would deploy the technology voluntarily.

"I'm excited about the proposal I'm advancing today: requiring phone companies to adopt a caller ID authentication framework called STIR/SHAKEN," Pai said in his announcement. "Widespread implementation will give American consumers a lot more peace of mind when they pick up the phone." The FCC will vote on the measure at its March 31 meeting.

The STIR and SHAKEN protocols use digital certificates, based on public-key cryptography, to verify the accuracy of Caller ID. STIR/SHAKEN would work best if all phone companies adopt it because it can only verify Caller ID when both the sending carrier and receiving carrier have deployed the technology. Robocallers who spoof real numbers to hide their identities would get flagged by STIR/SHAKEN. Depending on how each carrier implements it, flagged calls could be passed on to consumers with a warning or be blocked entirely.

Carriers have already been adopting STIR/SHAKEN, but Pai said not all companies have done so. "Last year, I demanded that major phone companies voluntarily deploy STIR/SHAKEN, and a number of them did," Pai said. "But it's clear that FCC action is needed to spur across-the-board deployment of this important technology."

STIR/SHAKEN can be used by mobile phone providers and home VoIP services, but landline providers have said they can't deploy it on the older TDM services that run on traditional copper phone lines. That won't change with the FCC action, as the underlying US law and Pai's proposal only "require originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks."

The requirement would apply to big carriers by June 30, 2021 and to small and rural providers one year later. In addition to mobile providers, companies that offer IP-based phone service over cable or fiber lines would have to comply.

Robocalls from outside US a major problem

While STIR/SHAKEN might help reduce robocalls or slow their growth, it's not enough on its own to solve the large and complicated robocall problem. For one thing, a lot of robocalls originate from overseas. The FCC recently sent letters to seven US-based voice providers "that accept foreign call traffic and terminate it to US consumers," saying these companies' services are "being used as a gateway into the United States for many apparently illegal robocalls that originate overseas." In a related action, the Department of Justice sued two small companies that allegedly connected hundreds of millions of fraudulent robocalls from Indian call centers to US residents.

The new US law that ordered the FCC to require SHAKEN/STIR gave the FCC discretion on how to regulate calls from overseas. Congress told the FCC to "consider" how the commission can "establish obligations on international gateway providers that are the first point of entry for these calls into the United States, including potential requirements that such providers verify with the foreign originator the nature or purpose of calls before initiating service." But it's up to the FCC on whether to take further action on that point.

We asked Pai's office if his plan will have any impact on spoofed calls that originate from overseas and will update this article if we get an answer. The full text of Pai's plan hasn't been released yet.