STIR/SHAKEN – a possible technology answer to spoof and spam calls?

Spoof robocalls — in other words, when someone answers a call and gets an automated recorded message — are a nuisance and potentially criminally originating scams. For all types of service providers, these calls can also be a costly problem. However, there is now an industry-standard technology-based solution designed to deal with spoof robocalls: STIR/SHAKEN. 

This is potentially good news for telecom providers and the increasing number of channel firms offering IP-based telephony. Already adopted in Canada and the USA, and in France since 2023, conversations are also beginning to take place in other countries. In the UK, the ICO has previously referred to STIR/SHAKEN in relation to addressing nuisance calls.  

There have been previous attempts to limit robocalls, such as the UK’s Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS), which made it possible for people to opt out of receiving market calls. While that had value, those listings did not prevent inbound calls from the international grey market. 

Another initiative has been to pass responsibility for call line identification (CLI) back to the service provider, who can choose to only work with reputable providers and shut down unauthorised calling numbers, but identifying and blocking all these calls is difficult.  

Plus, if a service provider forwards an international call on one of own trunks, if that call is an overseas mobile number or not correctly formatted, then that service provider has the inbound cost, and that can be high, especially if the robocaller is making large volumes of spoof calls. If it is not formatted correctly or is a mobile number from another country, then the service provider catches the inbound cost, which can be high.  

STIR/SHAKEN is based on technology 

An abbreviation of ‘Secure Telephone Identity Revisited and Signature-based Handling of Asserted Information Using toKENs, the STIR/SHAKEN framework takes a different approach completely, using caller ID technology based on industry-wide technical standards and protocols that authenticate and verify IP telephony calls over IP networks. In practice, this means that a call going through interconnected telecom networks is ‘signed’ if it is legitimate, thus dealing with robocalls at source. 

How STIR/SHAKEN is implemented in different countries varies because countries have their own approaches to number management and assignment. For instance, FCC rules already require that most American IP telephony providers implement STIR/SHAKEN in the IP parts of their networks and be able to prove that this has happened. Canada’s CRTC Decision 2021-123 mandates that the country’s telecom service providers, including resellers — must implement STIR/SHAKEN in the IP parts of their networks.  

In Europe, France introduced STIR/SHAKEN in the summer of 2023 as part of its Mécanisme d’authentification des numéros (MAN), devised with considerable input from French telecom operators. MAN’s introduction was preceded by the country’s telecom regulator, ARCEP, commissioning France’s portability management authority, APND, to instigate a mechanism for authenticating calling numbers and messages.  

France’s approach 

As a further measure, France has specified that a French-originating trunk is essential if a provider wants CLI call termination in the country. Any calls with uncertain IDs must also be logged and reported to a national database. While MAN only covers voice at the moment, SMS messages will also be added at some point. 

 While STIR/SHAKEN’s implementation will vary according to each country, France’s approach clearly illustrates how it can work and the subsequent benefits. First, the calling party must notify the receiver that the number is theirs or whether it has come from another source. France applies three certification levels:  The calling party has to identify to the receiver that this number is theirs or is not theirs and has originated from another source. There are three levels of certification:  

A – the number is verified to belong to the user 

B – the number belongs to the tenant, but it is not clear if the CLI belongs to the user 

C – there is no information about the source’s number (for instance, an unidentified international number). 

Decision power 

In A and B certification instances, the terminating party can use the French database to check whether the signature from the service provider is valid. For Certification C cases, the terminating party has to decide how to handle the call (even allow it to go through, depending on the country), but making it evident that the forwarding service provider does not warrant validity.  

Of course, implementing STIR/SHAKEN could represent a lot of work. IP telecom technology vendors, such as unified communications (UC) platform providers, have responded by introducing features that automate STIR/SHAKEN, such as certification being sent with an inbound or forwarded call.  

However, STIR/SHAKEN is still a relatively new topic within the European region. Will it ultimately kill spoof robocalls? That remains to be seen, but any method that can mitigate nuisance or scam calls has to be worth consideration.