Compliance and Enforcement and Telecom Decision CRTC 2018-32
References: Compliance and Enforcement and Telecom Notice of Consultation 2017-4, as amended, and Compliance and Enforcement and Telecom Regulatory Policy 2016-442
Ottawa, 25 January 2018
Public record: 1011-NOC2017-0004 and 8665-C12-201507576
Measures to reduce caller identification spoofing and to determine the origins of nuisance calls
In Compliance and Enforcement and Telecom Regulatory Policy 2016-442, the Commission indicated that it would initiate a proceeding to review the progress that is being made on caller identification (ID) authentication.
Based on this review, the Commission determines that authentication and verification of caller ID information for Internet Protocol (IP) voice calls should be implemented by Canadian telecommunications service providers (TSPs) by no later than 31 March 2019 to empower Canadians to better protect themselves against nuisance calls. TSPs are required to report on their progress. The Commission requests that the CRTC Interconnection Steering Committee (CISC) submit a consolidated industry progress report to the Commission every six months, beginning six months from the date of this decision.
The Commission also determines that the telecommunications industry should establish a Canadian administrator for the issuance of certificates that would be required for authentication and verification of IP-based voice calls.
The Commission further determines that Canadian TSPs are to develop a call traceback process, and requests that CISC file a report regarding such a process with the Commission for its review and approval within nine months of the date of this decision. Once the Commission has reviewed the report, it will decide what further measures may be required, including whether to mandate TSPs’ participation in a call traceback process.
The Commission is prepared to take further action if it becomes clear that the telecommunications industry is not taking sufficient measures to protect Canadians against nuisance calls.
- In Compliance and Enforcement and Telecom Regulatory Policy 2016-442, the Commission, among other things, found that Canadian consumers did not have access to sufficient technical solutions to protect themselves from nuisance calls.Footnote 1 Accordingly, the Commission took steps to introduce measures to block all calls in Canada that contain blatantly illegitimate caller identification (caller ID) information. The Commission also clarified the terms under which telecommunications service providers (TSPs) could and should provide opt-in call filtering services that would intercept and redirect suspected nuisance calls on behalf of subscribers to those services. Those measures complement the rules for the National Do Not Call List, as well as the rules regarding telemarketing and the use of automatic dialing-announcing devices (ADADs) to make calls, collectively referred to as the Unsolicited Telecommunications Rules (UTRs), and are part of a layered approach, similar to that used in cybersecurity, with a range of choices of mitigating techniques, that provides the flexibility to respond to an evolving ever-changing threat.
- The Commission notes that regulatorsFootnote 2 and carriers in other jurisdictions have made significant efforts to reduce nuisance calls by using various measures and techniques, and that additional measures may be required to further reduce nuisance calls and to provide consumers with tools they can use to protect themselves. In this regard, the Commission noted in Compliance and Enforcement and Telecom Regulatory Policy 2016-442 that there had been significant developments regarding caller ID authentication since the close of the record of the proceeding that led to that decision, and indicated that it intended to launch a follow-up proceeding to further consider measures intended to mitigate caller ID spoofing.Footnote 3
- In January 2017, the Commission initiated this follow-up proceeding with the issuance of Compliance and Enforcement and Telecom Notice of Consultation 2017-4. In that notice, the Commission sought comments on measures intended to trace and identify the source of a nuisance call, as well as information and comments on
- the implementation, use, and effectiveness of technical solutions to authenticate caller ID information for wireline, wireless, and voice over Internet Protocol (VoIP) networks in Canada;
- the implementation, use, and effectiveness of mechanisms to trace and identify the source of a call;
- any barriers to implementation that would need to be addressed to facilitate these solutions and mechanisms; and
- what regulatory measures, if any, that would need to be established to ensure that Canadians have confidence in the displayed caller ID information.
- The Commission received interventions from the following: the Alliance for Telecommunications Industry Solutions (ATIS); Anthony Rutkowski; Bragg Communications Incorporated, carrying on business as Eastlink; the Canadian Cable Systems Alliance; the Canadian Internet Registry Authority (CIRA); the Canadian Network Operators Consortium Inc.; Cogeco Communications Inc.; Comwave Networks Inc; Distributel Communications Limited; Freedom Mobile Inc.; the Incumbent Carriers Group (consisting of Bell Canada, Bell Mobility Inc., Télébec, Limited Partnership, and Northwestel Inc.) [ICG]; the Independent Telecommunications Providers Association (ITPA); Neustar Inc. (Neustar); Primus Management ULC; Quebecor Media Inc., on behalf of Videotron Ltd. (Videotron);Footnote 4 Rogers Communications Canada Inc. (RCCI); Shaw Telecom G.P. (Shaw); TBayTel; TekSavvy Solutions Inc.; and the Canadian VoicePeering Project (VoicePeering).
- Based on the record of this proceeding, the Commission has identified the following issues to be addressed in this decision:
- Are there technical solutions, and what are the appropriate regulatory measures, if any, to re-establish trust in caller ID information?
- Are there mechanisms, and what are the appropriate regulatory measures, if any, for determining the origins of nuisance calls?
Are there technical solutions, and what are the appropriate regulatory measures, if any, to re-establish trust in caller ID information?
- As caller ID spoofing provides anonymity, thereby facilitating illegal or fraudulent activities, Canadians are growing increasingly weary of receiving nuisance calls. Caller ID spoofing has become a significant problem with the introduction of VoIP services as callers do not generally have the ability to alter the caller ID in legacy circuit-switched networks.Footnote 5 Canadians are therefore no longer able to reliably trust that the caller ID is authentic and they are therefore not always certain of who is calling them. This impinges on the privacy of Canadians and exposes them to potential harm.
- The question before the Commission and the telecommunications industry is how to re-establish consumer trust in the authenticity and veracity of caller ID.
- The Internet Engineering Task Force (IETF)Footnote 6 has developed a technical standard, referred to as STIRFootnote 7 that would provide a means for call-originating TSPs to certify the identity of callers, thus enabling the caller’s identity to be validated. In conjunction with STIR, ATIS has developed a framework, referred to as SHAKEN, for the implementation of STIR in IP-based service providers’ networks.
- Pursuant to STIR/SHAKEN, TSPs certify the extent to which a given caller’s identity can be trusted. This information is transmitted using “tokens” and is used by the called party, or their TSP, to verify the authenticity of the caller ID (i.e. determine the extent to which the caller ID can be trusted). This process is dependent upon one or more central authorities that administer(s) and issue(s) certificates to TSPs.
Positions of parties
- RCCI noted that over 90% of voice telephone traffic in Canada provides fully authenticated and attested caller ID, and contended that the introduction of STIR/SHAKEN for this type of voice traffic would be redundant. RCCI further suggested, as a possible near-term alternative to STIR/SHAKEN, that the Commission could require TSPs to attest or certify the caller ID of each telephone call originator. RCCI noted, however, that it would be difficult to impose such a requirement on users of private branch exchanges (PBXs), and also noted that this alternative does not address the authenticity of caller ID information for calls originating from abroad and terminating in Canada.
- The ICG agreed with RCCI and other parties that spoofed calls do not generally originate from Canadians TSPs. However, the ICG disagreed with RCCI’s interim solution and supported the implementation of STIR/SHAKEN given that, in the absence of STIR/SHAKEN, called parties (or their TSP) would be without information on the validity of the caller ID, and would therefore be unable to distinguish between legitimate calls (e.g. calls from trusted Canadian TSPs) and illegitimate calls (e.g., calls from foreign sources with spoofed caller ID to look like they originated from trusted Canadian TSPs).
- TSPs and other parties generally recognized that STIR/SHAKEN could be deployed, in the future, to restore Canadians’ trust in caller ID.
- VoicePeering offered to establish a Canadian test bed for STIR/SHAKEN; CIRA supported this suggestion. Shaw noted that it intends to participate in the U.S. STIR/SHAKEN trial being conducted by Neustar and ATIS.
- Parties generally agreed that a Canadian entity would be required to administer and issue certificates to TSPs if STIR/SHAKEN standards were to be implemented in Canada. CIRA indicated that it could fulfill this function. Other parties suggested that this function could be fulfilled by the Canadian Numbering Administration Consortium (CNAC) or the Canadian Local Number Portability Consortium (CLNPC), as an extension of their existing mandate. It was further suggested that a technical approach similar to that used for HTTPS/DNSFootnote 9 in the Internet domain could be used.
- However, TSPs generally expressed the view that it is premature to deploy the STIR/SHAKEN technology, or to provide detailed comments on its operation and effectiveness, given that STIR/SHAKEN and the subordinate standards have yet to be finalized and incorporated into other industry organizations’ standards, such as those developed by GSMA,Footnote 10 3GPP, Footnote 11 and CableLabs.
- TSPs also indicated that there is no existing equipment to support the deployment of STIR/SHAKEN, and that compatible network equipment for IP-based networks would generally be available by 2020. TSPs further noted that STIR/SHAKEN could not be deployed on legacy circuit-switched networks due to the lack of vendor support for the underlying equipment.
- TSPs argued that a broad implementation of STIR/SHAKEN, both in Canada and worldwide, would be required for this technology to be effective. It was also noted that TSPs may not consistently implement the tiered approach for assigning a level of trust in caller ID, as contemplated by SHAKEN, and that an inconsistent approach would ultimately erode the utility of deploying this technology.
- Parties also noted that handset manufacturers would need to implement STIR/SHAKEN so that devices are capable of displaying information regarding the authenticity and veracity of caller ID information in order for consumers to gain the benefits of STIR/SHAKEN. Parties noted, however, that this information will only be able to be displayed on IP and wireless (IMS/VoLTEFootnote 12enabled) phones. The view was also expressed that a consumer education or outreach program may be required to ensure that Canadians can effectively determine the extent to which they could trust caller ID information.
- Parties noted that STIR/SHAKEN do not yet support calling name display (CNAM) authentication, and that if this capability is to be incorporated into these standards, there will need to be a unique Canadian CNAM specification, as this information is provided differently in Canada than in the United States. In the United States, CNAM is provided by a look-up to separate databases, while in Canada this information is provided by the originating network. Parties indicated that this in itself is a serious problem, as it might not be addressed by equipment vendors.
- The ITPA, supported by TBayTel, stated that it is too early to consider the implementation of STIR/SHAKEN in Canada, since small service providers, such as the small incumbent local exchange carriers (ILECs) and others, would be unable to fully participate in any CRTC Interconnection Steering Committee (CISC)Footnote 13 process at this point due to resource limitation.
- Parties generally indicated that it would be premature to impose regulatory measures to expedite the implementation of STIR/SHAKEN.
Commission’s analysis and determinations
- The Commission reiterates that a layered approach is required to reduce nuisance calls received by Canadians. In addition to the measures it has already taken to protect the privacy of Canadians, the Commission considers it imperative to restore Canadians’ trust in caller ID information.
- It is not feasible to prevent caller ID spoofing that primarily originates from VoIP services given that these services are not provided within a closed, managed environment. Accordingly, the Commission considers that consumers must be provided with a means of determining the authenticity and veracity of a caller’s identity to determine the extent to which they trust that information.
- The Commission considers that STIR/SHAKEN is likely the only current viable solution that can provide consumers with a measure of additional trust in caller ID. The Commission further considers that STIR/SHAKEN will increase the effectiveness of opt-in call filtering solutions and network-level blocking of nuisance calls with blatantly illegitimate caller ID.
- While spoofed calls primarily originate from VoIP services, customers on all types of networks are bothered by nuisance calls. The Commission recognizes that it is not possible to deploy STIR/SHAKEN on legacy circuit-switched networks given that the associated equipment is no longer vendor-supported. However, the Commission considers this to be a diminishing concern as
- ILEC networks are migrating to IP-based network technologies;
- circuit-switched mobile networks are converting to VoLTE, which is dependent on an IP-based core;
- almost all cable and competitive local exchange carrier networks are already IP-based or will soon be; and
- many TSPs already exchange traffic over IP interconnections.
- Notwithstanding the foregoing, the Commission expects TSPs to develop and implement solutions, to the largest extent possible, that will extend the benefits of STIR/SHAKEN to legacy circuit-switched and other non-IP networks, as well as the associated handsets.
- It is expected that STIR/SHAKEN and the subordinate standards will be completed in 2018. The Commission expects Canadian TSPs to be actively involved in the development of these standards and the testing of the equipment that is developed based upon these standards to ensure that unique Canadian requirements are incorporated. While the initial release of these standards may not include provisions to ensure the authenticity and veracity of CNAM, the Commission considers that this would not prevent TSPs from deploying STIR/SHAKEN to restore trust in calling numbers.
- The Commission notes that North American telecommunications networks are highly integrated and employ many of the same technologies and methodologies. It is therefore noteworthy that the Federal Communications Commission (FCC) in the United States is actively exploring the use of STIR/SHAKEN as part of measures to reduce nuisance calls in that country.
- The Commission considers that Canadian TSPs should be able to develop and implement solutions based on STIR/SHAKEN by no later than 31 March 2019.
- The Commission agrees with the parties that participated in the proceeding that a Canadian administrator should be established to issue and administer certificates in support of STIR/SHAKEN. The Commission further notes that the telecommunications industry has successfully established consortia and other governing bodies to accomplish similar goals, and that the industry is therefore well placed to establish a Canadian certificate administrator.
- Accordingly, the Commission expects, by 31 March 2019, that
- TSPs will implement measures to authenticate and verify caller ID for all IP-based voice calls; and
- the telecommunications industry will establish a Canadian certificate administrator.
- In order to monitor the industry’s progress, TSPs are required to submit to CISC a report every six months, beginning six months after the date of this decision, on their efforts and progress in implementing authentication/verification measures for caller ID. The Commission requests that CISC consolidate the TSP reports into a single report to be submitted to the Commission. The TSP and CISC reports are to include the following information:
- the status of TSPs’ readiness in terms of network changes, if any;
- the status and results of equipment testing and participation in those tests; and
- statistics identifying
- the percentage of authentication/verification enabled trunks used for IP voice traffic to the total number of voice trunks;
- the percentage by month of the number of authenticated/verified voice calls to total number of voice calls; and
- tracking by the level of authentication (i.e. trusted, partial trust, no trust) for calls delivered to customers.
- In addition, the CISC report should also include
- the status of authentication/verification standards, such as STIR/SHAKEN and their subordinate standards, and any other related standards; and
- identification of Canadian specific requirements in the standards and the efforts that are being taken to incorporate these requirements into the appropriate standards.
- The Commission notes that if it is not satisfied with the industry’s progress in implementing authentication/verification measures for voice calls, it may consider imposing regulatory measures to ensure that consumers have the tools they need to protect themselves from nuisance calls.
Are there mechanisms, and what are the appropriate regulatory measures, if any, for determining the origins of nuisance calls?
- As a result of caller ID spoofing, the telephone number displayed on a consumer’s Call Display cannot always reliably be used to determine the originating point of nuisance calls. When caller ID is spoofed, the only way to determine a call’s origin is to trace the path that a call travelled from the end-point to the originating point. This path can involve a number of different networks.
Positions of parties
- Parties to the proceeding generally did not support the implementation of a call traceback process. In particular, the ICG suggested that, at this time, efforts would be better spent on call filtering services and authentication processes.
- In the event that a call traceback process is implemented, the ICG advised against a retail level (i.e. consumer-initiated) traceback process as it would create false expectations for consumers that nuisance calls would cease. The ICG also noted that new tariff provisions would be needed for a call traceback service. In addition, the ICG indicated that the Commission would need to create a condition under sections 24 and 24.1 of the Telecommunications Act (the Act) compelling all TSPs to co-operate in call traceback activities.
- RCCI noted that the Commission would need to develop enforcement procedures in order to act on the results of call tracebacks.
- RCCI, Shaw, and Videotron suggested that this matter should be referred to CISC to develop a detailed methodology for tracing calls in a multi-network environment.
Commission’s analysis and determinations
- The Commission notes that it has the authority to request information from TSPs as part of investigations into alleged non-compliance with the UTRs. The Commission notes, however, that the efficiency and effectiveness of its efforts to trace the origins of nuisance calls is hindered by the lack of a standardized process. In particular, the current approach
- is often lengthy in the absence of agreed-upon service standards and given that it involves manual processes that may rely on multiple individuals within a given TSP;
- may raise concerns regarding the information to be shared, including personal information; and
- may not be successful, even for calls that originate in Canada, if Canadian TSPs do not retain records of call routing details for a sufficient period of time.
- The Commission further notes that TSPs already co-operate, in certain instances, to trace the origins of nuisance or malicious calls on their networks. However, this collaborative approach is dependent upon the sharing of information between TSPs on a voluntary basis. If TSPs refuse to co-operate when requested by another TSP, the traceback terminates at that point.
- The call traceback process contemplated in Compliance and Enforcement and Telecom Notice of Consultation 2017-4 would be available for use by TSPs and the Commission to determine the source of nuisance calls. The Commission did not contemplate that this process and call traceback results would be available to retail customers directly given, among other things, the burden that this would place on TSPs. In this regard, the Commission also reiterates, in the case of harassing or threatening calls, that consumers have access to a pay-per-use Call Trace feature by dialing a code on their phone, which records information regarding the last call they received for review by the appropriate law enforcement agencies.Footnote 14
- The Commission notes that a national standardized call traceback process has been established in the United Kingdom and a similar initiative is being contemplated in the United States.Footnote 15 The Commission is of the view that for a call traceback process to function properly, it requires the co-operation and participation of all TSPs.
- The Commission considers that a standardized industry-wide call traceback process is needed in order to determine the origin of nuisance calls. This will enable corrective actions to be taken at or close to the source of these calls, thereby reducing the volume of nuisance calls and further protecting the privacy of Canadians.Footnote 16
- In light of all of the above, the Commission requests that CISC develop an industry-wide call traceback process and file a report regarding such a process with the Commission within nine months from the date of this decision for Commission review and approval. The report should include the following:
- a list of the specific and detailed information required by all parties to complete a call traceback, and that must be shared to trace the origin of a call;
- a description of the roles and responsibilities of all parties involved in call traceback;
- a description of the steps that have been taken, will be taken, or could be taken to automate the call traceback process to the largest extent possible; and
- service standards regarding the timeliness for sharing information between parties, and guidelines for the retention of call detail records.
- Once the Commission has received and reviewed the report, it will decide what further measures may be necessary, including whether to mandate TSPs’ participation in a call traceback process.
- The Policy DirectionFootnote 17 states that the Commission, in exercising its powers and performing its duties under the Act, shall implement the policy objectives set out in section 7 of the Act in accordance with paragraphs 1(a), (b), and (c) of the Policy Direction.
- The policy objectives set out in paragraphs 7(a), (b), (f), (g), (h), and (i)Footnote 18 of the Act are advanced by the determinations in this decision.
- Consistent with subparagraph 1(a)(ii) of the Policy Direction, the Commission’s determinations in this decision
- are efficient and proportionate to their purpose, given that they are targeted to
- reducing false caller ID information provided to Canadians so that they are able to take the appropriate actions in responding to incoming calls; and
- reducing nuisance calls to Canadians by being able to determine the source of these types of calls so that the appropriate action can be taken to prevent these calls from being made in the future; and
- interfere with the operation of competitive market forces to the minimum extent necessary to meet policy objectives by providing flexibility to the industry to develop and deploy protective measures that best meet the needs and circumstances of both the industry and its subscribers.
- are efficient and proportionate to their purpose, given that they are targeted to
- Consistent with subparagraph 1(b)(iii) of the Policy Direction, the Commission’s determinations in this decision are symmetrical and competitively neutral given that they apply broadly to the entire industry.
- Measures to reduce caller identification spoofing and to determine the origins of nuisance calls, Compliance and Enforcement and Telecom Notice of Consultation CRTC 2017-4, 9 January 2017; as amended by Compliance and Enforcement and Telecom Notice of Consultation CRTC 2017-4-1, 2 February 2017
- Empowering Canadians to protect themselves from unwanted unsolicited and illegitimate telecommunications, Compliance and Enforcement and Telecom Regulatory Policy CRTC 2016-442, 7 November 2016
- Date modified: