For the vast majority of Americans, robocalls and spam phone calls are a fact of daily life. I get far more robocalls and spam calls than actual calls at this point. I never pick up the phone unless I recognize the number, which has led to me ignoring calls from people I actually want to talk but aren’t in my contacts. First Orion estimates 50 percent of all mobile phone traffic is robocalls or spam, and YouMail puts the total number of robocalls to Americans just in January at 5.2 billion. That’s 167.3 million robocalls a day, or 1,936 robocalls every second, and on pace for at least 62 billion spam calls in 2019. But 2019 is also the year where, if all goes according to plan, robocallers and spammers are going to find much harder to make your phone ring.
In January, T-Mobile became the first carrier to roll out an early version of the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards to its customers, working only on its network. STIR/SHAKEN is simple in theory, and complex in execution, but boils down to this: Every outbound gets a certificate verifying that the call is coming from the number is legitimate, no caller ID spoofing allowed (with exceptions made for something like a hospital that may want to have one central callback number). The phone call is passed along to the inbound phone, while the inbound phone’s carrier checks the certificate’s public key against a heavily encrypted private key. If the two match and everything is kosher, the calls is sent through. If not, or the phone call doesn’t have a certificate, then it either gets flagged as suspicious or doesn’t reach your phone at all.
This means there’s now a very small number of people getting a peek at what the future will look like for all us. If you use Samsung Galaxy Note 9 on T-Mobile and get a legitimate, non-spoofed phone call from someone else on T-Mobile, the calls gets “Call Verified” tag attached on your phone screen. For the first time, instead of your carrier warning you that a phone call might be spam or a scam, T-Mobile can assure some of its customers that a phone call is safe to pick up.
If you think this sounds like it won’t do much to stop robocallers and spam callers, you’re right. “It may well be a beginning, but the beginning of the end of robocalls, that’s still quite a ways off,” says Brent Struthers, the director of the Secure Telephone Identity Governance Authority at the Alliance for Telecommunications Industry Solutions (ATIS), an industry group that has been working with carriers on STIR/SHAKEN for over four years. What’s really needed is for every carrier to implement STIR/SHAKEN, so that if a T-Mobile customer calls a Verizon customer, or someone on AT&T calls a Sprint customer, both sides of the call can be authenticated.
Carriers have plenty of incentive to get STIR/SHAKEN up and running. While the FCC under Ajit Pai has has shown little appetite to regulate the telecom industry, the one big exception is robocalls. In a statement released February 13, Pai used both the carrot and the stick urging carriers to get moving. “American consumers are sick and tired of unwanted robocalls,” said Pai. “I applaud those companies that have committed to deploy the SHAKEN/STIR framework in 2019. This goal should be achievable for every major wireless provider, interconnected VoIP operator, and telephone company — and I expect those lagging behind to make every effort to catch up. If it appears major carriers won’t meet the deadline to get this done this year, the FCC will have to consider regulatory intervention.”
When contacted by New York, Verizon, Sprint, AT&T, and T-Mobile all confirmed their commitment to implementing STIR/SHAKEN in 2019. But while T-Mobile has already started rolling out STIR/SHAKEN, it’s very hard to get a sense of when the roll out across all carriers will actually happen beyond it occurring sometime in 2019.
To be fair, there’s still some significant work to be done. Job number one: establishing a third-party governance body that would issue certificates to legitimate carriers. This body would be paid for by carriers, but also independent of them — and the details of who pays what is still an active topic of conversation, which may also be delaying matters. “We hope to have somebody named as a policy administrator in May,” says Struthers, “and that’s as far as we’ve gotten so far. I don’t know if July is realistic, but we’re on track to have a policy administrator up and running this year.”
There’s also the matter of who gets a certificate at all. “If a carrier comes and would like a digital certificate, they have to get approved by the policy administrator,” says Struthers. “We haven’t set those rules out as to who qualifies this point, so that’s yet another thing we’re working on. You can see while we’re implementing this we’re also developing and refining the rules.”
There’s even active discussion of how exactly to display legitimate calls. “Will there be a standard way to show customers, like a lock, a checkmark, or something else to show customers that a number’s been verified?” says Struthers. More ideally, carriers would simply start blocking calls more aggressively. “The customer wouldn’t even have any idea that the calls are not getting through, because they’re not ringing their phone at all,” says Struthers.
Both Struthers and McEachern warn that even in a world where STIR/SHAKEN is fully implemented, there will still be issues. People will fraudulently obtain certificates, or gain access to real numbers and attempt to use those. More complex schemes, where a robocaller farm masks itself as a legitmate enterprise to gain a certificate, will almost certainly be attempted. But it will be much, much easier to start squashing spammers before they really get started.
But STIR/SHAKEN gives carriers and regulators real tools — and real data — to use against robocallers, unlike the current caller ID system, which provides almost no information at all. “Until now, whether it be a whitelist, a blacklist, or the various apps that monitor and block calls, they’re all making decisions based on caller ID that can be spoofed, so they’re all building it on sand,” says Jim McEachern, principal technologist at ATIS. “And what we’re doing is creating a concrete foundation that you can now start building something reliable on.”
“I often liken this to email spam, where 15 years ago we thought that email was going to be unusable because of the growth in spam,” says McEachern. Then things like Bayesian spam filtering and other techniques evolved, to the point where most people rarely see spam. As spam became harder to get in front of people’s eyes, it became less profitable, and is now on the decline around the world.
“My hope is in the next two to five years, people will start going, ‘Oh yeah, remember how bad phone spam used to be? I only got one spam call today,’” says McEachern. That hope may seem distant right now — I got six spam calls while writing this article — but STIR/SHAKEN is the best real shot to fix things.
Long before robocall farms became the plague they are today, Americans still dealt with telemarketers, autodialers, and various phone scammers using the old copper-wire telephone system. And even once STIR/SHAKEN is implemented, robocallers and spam callers won’t simply give up — many have spent years and years perfecting techniques to earn as much as possible. But as it becomes harder to get anyone’s phone to ring, less money will be made. Robocallers and spammers will move to more lucrative schemes, and one day not too long from now, you’ll be able to pick up your phone once again.
