BREAKING NEWS:
No, I’m not talking about a James Bond adaptation for the theater, but then again, I’m also not really talking about the theater in general. In fact, this story goes beyond Broadway, Manhattan, or even the Big Apple itself.
New York State Senator John C. Liu (D – 16th Senate District) is sponsoring S8470, titled “An act to amend the general business law, in relation to enacting the Robocall Identification and Notification for Guarding consumers act.” Dubbed the “RING Act,” this bill is seemingly straightforward; all carriers in the state of New York will be required to ensure caller IDs display the STIR/SHAKEN attestation level assigned to the call, and they must do so in common sense language that was approved by the Public Service Commission‘s Commissioner.
What is STIR/SHAKEN?
If you're already familiar with the system, feel free to skip ahead. But for those newer to telecom, or for anyone trying to explain this to their legal or compliance teams, here's the quick overview: STIR/SHAKEN (SS) is a framework that verifies caller identity by assigning a "trust score" of sorts to calls as they pass through the network. These scores—called attestation levels—are labeled A, B, or C, with A being the highest.
The goal? Stop spoofed and scam calls. Think of it as a digital passport system for phone calls.
It was introduced as part of the TRACED Act, a law passed by Congress to help trace bad calls back to their origin. That law also led to SS, which was supposed to separate good-faith callers from bad actors.
The idea was: if you’re a verified caller with nothing to hide, your calls would get an A and be delivered cleanly. A C attestation might signal a lower trust level and more likelihood of being blocked or labeled as SPAM.
You can read about it in more detail on the FCC’s website, or you can read a more summarized version posted by Sinch, one of the world’s largest VoIP carriers.
How the Call Path Works (and Why It Matters)
Now that we’ve covered what STIR/SHAKEN is meant to do, let’s look at where it starts to break down, specifically when calls travel through complex networks involving multiple carriers.
When you make a phone call, it’s not a straight line from the caller to the called party. If you, like me, had to make your own toys as a kid, you may have created a telephone using two solo cups with a string between them. If you’ve never done that – it’s a fun trick to try with your kids to demonstrate how sound waves travel through solid objects (keep that string tight).
But in real-world telecom, the call path is less like a taut string and more like a highway system in the Chicagoland area.
Imagine trying to drive from the suburbs to downtown Chicago. You may start on I80, but then you branch to I94, then I90, then I55, then Lakeshore Drive, and so on until you finally arrive at one of the most beautiful skylines in this great country. While a straight line can logically be drawn between your starting point and your destination, the reality is that you didn’t take a straight line, you had to switch highways (they call them “expressways” up there) at several intersections, transferring your drive from one roadway to another.
A phone call works the same way. Let’s say you are making a call from your cell phone. It’s going to leave your device, hit the closest tower, travel to a central office, and from there it can be routed down any number of paths until it gets to the person you are calling. All along the way, any number of “intermediary” carriers can help pass the call along.
Here’s where things start to unravel.
With the rise of VoIP (Voice over IP), calls can originate from almost anywhere in the world and at incredibly low cost. But these same VoIP systems can hand off calls to traditional (TDM) networks along the way. And every time the call switches paths, there’s a risk that STIR/SHAKEN data gets stripped, lost, or downgraded.
For example, let’s say a call starts with a full “A” attestation. It hits a TDM network, which can’t carry the SS data. Once the call re-enters a VoIP path, the system has no memory of the original source. So, what happens? That call gets stamped with a “C” by default.
The kicker: the caller has no control or visibility into this process. They may have done everything right but their call now looks suspicious purely because of the route it took.
In an effort to stop that, the TRACED Act was passed by Congress with mixed results. At the heart of the TRACED Act was the ability for enforcement agencies to trace a call back to its origin. In my opinion, this is a good thing; bad actors can now be easily tracked down to their point of origin, and appropriate enforcement actions can be taken to shut them down. Remember those horrible auto warranty calls? The traceback requests were used to track those bad actors down and put an end to that madness.
Another key aspect of the TRACED Act was the implementation of STIR/SHAKEN (explained above). While it was originally told to the industry that this move would be the deathblow to bad callers, paving the way for those of us who were acting in good faith, it really ended up being largely useless (in my humble opinion). We were all led to believe that A-level calls would be successfully delivered with no issue, whereas calls with no attestation would be blocked, or, at the very least, they would be more susceptible to SPAM labeling. B would be a tossup. It sounded great, but it didn’t work out that way.
Why STIR/SHAKEN Isn’t Working?
Great intentions don’t always equal great outcomes. Shortly after the introduction of SS, legitimate callers saw a rise in SPAM labeling of their calls, while bad calls seemed to get through just fine. Why? There can be several factors, but we will dive into just a few here.
1. Call ManipulationWhile it may sound shady, call manipulation is actually a normal part of routing traffic through various networks. As we covered earlier, a call might start with a strong attestation but lose that data when it hops across a TDM network.
But even within VoIP systems, manipulation can happen in ways that affect attestation.
Carriers may reformat the caller ID to comply with their own routing standards like applying the E.164 format, which requires a +1 before U.S. phone numbers. While that sounds harmless, reformatting a number mid-call can break the STIR/SHAKEN signature or invalidate it altogether. Once that happens, the call may get downgraded, flagged, or simply mistrusted by the next carrier in the chain.
And again, the originating caller has no control or visibility into any of this. They’re often in the dark about how their legitimate calls are being manipulated or labeled along the way.
Bad Guys Will Be…Bad. It may shock you to read this (he said with full sarcasm), but bad guys don’t just run call centers – they can be carriers, too. “Bad” could seem to infer true malfeasance, but when I use that term, I also loop in those who view themselves as “entrepreneurs” trying to aggressively build a business while operating “in the gray.” They may have lax standards when it comes to their KYC (Know Your Customer) process, and they may justify allowing any traffic because they believe that all calls are protected by the First Amendment.
I’ll save my thoughts on that for another article, but in either case, whether out of intent or ignorance, carriers may sign all calls on their network with an “A” to maximize customer (caller, not called party) satisfaction with little regard to the nature of the call itself. To that end, there is little to stop a bad actor from getting an “A”. The FCC has done a great job in shutting down some bad actors, but many of them have prepared for this and have about a dozen backups/shelf companies waiting in the wings.
3. Better Caller Verification Was Never the IntentAmong my favorite in the flaws of SS is the comment about how attestation was never intended to help weed out bad calls from the good. I can’t tell you how many times I heard this promise in DC pre-SS, but, like so many political promises, post implementation we are told that this was never the intent. You’d think by now we’d learn to believe the opposite of lawmakers at least 50% of the time. In any regard, the current story is that the attestation level is only designed to help determine how confident the carriers were in the caller being authorized to use the caller ID in play. I don’t even know what to say to that one…
4. Adoption is Inconsistent
You can ask 30 experts and hear AT LEAST 30 different reasons why they believe that SS is broken, but at the end of the day, the bigger issue is the adoption level. I spoke with one senior policy maker for a large, reputable carrier, and I asked her exactly how her team utilizes the attestation level to determine treatment/deliverability of a call. While I expected an answer perhaps too complex for even my understanding, I received something much simpler, much more concise than I could have anticipated. Two words, actually – “We don’t.” I asked her to elaborate, but she said there wasn’t really more to the story. Her team had observed that they only received an attestation on about 70% of the calls that reached her network, and, at the time, they had low confidence in the accuracy of the attestations they DID receive. She went on to voice her own concerns about providing attestations – even for numbers they assign to their clients. If a reseller entered their network, they needed to provide their own signing, otherwise, this carrier would give everything a C.
Implications on Blocking and Labeling
As the leader in monitoring caller ID mislabeling and providing redress for compliant callers, we have only observed limited relation between the attestation level and the display on a caller ID. From what we have observed, numbers with less than an “A” level attestation are only more likely to be labeled as SPAM when they have low call volume and have only recently been assigned to or used by the caller. Beyond that VERY limited use case, we haven’t seen much value, and again, we have observed MANY truly SPAM/scam calls with A level attestation.
Blocking and labeling seems to be more driven by sentiment and crowdsource feedback than anything else. For example, how quickly a called party swipes to ignore a call or how long a call lasts are often taken into consideration as determining sentiment. The thought being that having mostly short or unanswered calls indicates you are a spammer. This would explain why pharmacies are regularly mislabeled; their calls are, by design, short duration and most recipients know, when they see their pharmacy on their caller ID the day after they called in the refill, that it is a notification that the prescription is ready and therefore there is no need to answer. So, while not at all SPAM, the carriers think so. Likewise, if you try to call your three colleagues to figure out where to meet at the airport, but they all send you to voicemail because you happen to call right when they are going through airport security, you are likely to get flagged as SPAM. Oh, you didn’t know that can happen to YOUR personal cell phone number? It happens all the time….
Will the RING Act Help?
That depends. The impact on the consumer will be interesting for sure. Before we begin to speculate, we would need to see how the PSC (Public Service Commission) converts attestation levels to messaging.
Saying “Gateway Attestation” (C Level) is not going to mean anything to anyone, so do they try to say “low confidence”? That might fit, I guess, but does telling someone “Full Attestation” (A Level) or “Full Confidence” open the door for encouraging the called party to answer a potentially harmful call?
Should a caller answer a “SPAM Likely” call with an A Attestation? How about a non-SPAM labeled call with a C?
How many data points are we going to give people to determine if they should answer that call? Remember, you only have about 30 seconds to make that decision…
Is it even possible?
Keep in mind that cell phones have very limited capacity around the text they can receive today to display caller ID, and adding any additional data points, graphics, etc. will likely require a substantial update to the phone’s operating system. I’m sure you have seen branded calling, but did you know that the functionality of that relies on the software on the cell phone itself?
There is a new generation of branded caller ID coming, and one of the major constraints it will have is only being supported on newer devices with the latest software. Perhaps an even greater limitation is the carrier supporting that phone, as they have to not only enable it in the phone’s operating system, but also on their network! With Branding, the carriers make money on delivering the display, and if they are slow to advance that effort, where is their incentive to do something that will bring them nothing other than more complaints about inaccurate caller ID displays?
While we are on the topic of technical limitations, how will this apply to landlines? I’m sure you remember those. Believe it or not, the common industry estimates say anywhere from 20-30% of homes still have a landline, and many businesses still have them on every desk. Since the language doesn’t have any specific limitations to just “residential lines” – a term that has been heavily argued under the TCPA – this could easily apply to ALL phones. Will there be an incentive for manufacturers of these dying devices to create an update to display an attestation level? The bill proposes this only apply where technically feasible. So, if the cellular carriers and various phone manufacturers simply choose to not add this capability, is this bill rendered largely useless?
So, Why Do It?
That’s the real question.
In my final thoughts, I have to ask the simple question as to why this is necessary. The vast majority of Americans receive calls on their cellular phones, and the cellular providers all offer some form of free SPAM analytics software. Is this an acknowledgement that this process is broken? If so, why aren’t we putting more emphasis on fixing that mess than adding just one more regulation that isn’t going to get us anywhere? Granted, keeping in mind that New York has been under a state of emergency since 2020, which prohibits most, if not all, telemarketing, maybe this is a wash?
While the future is uncertain, it will be interesting to see if other states jump on this bandwagon.
Right now, we see about 66% of phone numbers assigned to our customers labeled as SPAM, typically in error. If you think I’m exaggerating, reach out to a member of our team. We’d be happy to do a scan of your phone numbers – at no cost – to see how far off that mark we are.
