October Results -- Robocall trends in the new SHAKEN era
NOVEMBER 3, 2021 - Robocalls in the U.S. were up 3.3% in October, according to the YouMail Robocall index. Are SHAKEN and robocall mitigation working? What does the future hold? Let’s have a look.
The Numbers
Is SHAKEN making a difference?
We’ve seen SHAKEN call signing starting to level off at around 25% of calls signed. Unfortunately, SHAKEN won’t be much help with only 25% of calls signed.
We’ve also seen a consistent pattern of robocalls being signed with partial (B) and gateway (C) attestation. These calls are more likely to be robocalls than unsigned calls!
What’s going on here?
Some service providers have filed their certification in the Robocall Mitigation Database (RMD) claiming a complete SHAKEN implementation.
These providers haven’t implemented anything. They aren’t on the list of SHAKEN approved service providers maintained by the STI Policy Administrator.
As of this writing, there are 2,761 filings in the RMD (U.S. only, no intermediates) that claim a SHAKEN implementation. There are 390 SHAKEN authorized providers listed on the STI-PA website.
Some of the difference is because the STI-PA list is consolidated, while many providers filed separate certifications in the RMD. But this doesn’t begin to account for all the difference. There are many SHAKEN certifications that cannot be matched with any SHAKEN authorized provider.
How can they do SHAKEN if they aren’t approved? They aren’t doing SHAKEN. They’re getting a downstream provider to sign their calls for them. The downstream provider uses its own SHAKEN credentials, not the SHAKEN credentials of the originating service provider (who doesn’t have SHAKEN credentials).
This is not how the SHAKEN framework was designed. But it is how illegal robocalls are surviving in the early days of SHAKEN.
Is robocall mitigation working?
Voice service providers that aren’t doing SHAKEN are required to do robocall mitigation. How’s that going? Judging by the October numbers, not so well.
Why not?
The FCC Enforcement Bureau recently sent cease-and-desist orders to three voice service providers for originating and transiting illegal robocalls. This story explains how robocall mitigation can fall short.
These three service providers represented each of the three types of SHAKEN implementation types that can be claimed in a robocall mitigation certification filing: no SHAKEN, partial SHAKEN, and complete SHAKEN. With either no SHAKEN or partial SHAKEN, a filer is required to provide a robocall mitigation plan.
The plans provided by these providers were very weak. Robocall mitigation didn’t work because, well, they really weren’t doing much of that.
Remedies
Here are a few things we believe should happen for SHAKEN and robocall mitigation to fulfill its promise:
- The downstream signing provider loophole must be closed. A voice service provider cannot claim a SHAKEN implementation if they are not approved to do SHAKEN.
- SHAKEN participation must be extended. 25% is too low.
- The FCC should begin to phase out the non-IP SHAKEN extension, now that we have SHAKEN for TDM standardized methods available.
- Robocall mitigation should be done with SHAKEN. It should be both, not either/or.
- Robocall mitigation doesn’t work as well when the calling number is spoofed. You need SHAKEN too.
- SHAKEN is intended for caller ID authentication, not robocall mitigation. You need robocall mitigation too.
- You need both, working together, to identify and stop illegal robocalls.