In its first Triennial Report on the Efficacy of the Technologies Used in the STIR/SHAKEN Caller ID Authentication Framework (“Report”), the Federal Communications Commission’s (“Commission”) Wireline Competition Bureau (“Bureau”) found that the technologies used in the STIR/SHAKEN framework are effective at authenticating phone calls when applied correctly. Under the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED Act”), the Commission was required to submit a report assessing the efficacy of the STIR/SHAKEN technology to Congress within three years after the TRACED Act’s December 30, 2019, effective date and every three years after that. The TRACED Act also requires the Commission to consider whether it would be in the public interest to revise or replace the STIR/SHAKEN framework based on the Report’s evaluation of its efficacy.
The Report evaluated the efficacy of STIR/SHAKEN using the standard of “how well [the STIR/SHAKEN framework] effectuates the authentication of caller ID information.” The Bureau arrived at its conclusions by reviewing the record developed in response to the Bureau’s August Public Notice, on which we reported previously. The Report noted that the record “strongly support[ed]” the Bureau’s assessment that the STIR/SHAKEN framework has, despite its relatively recent implementation, “proven tremendously successful at authenticating caller ID information for providers that have implemented [it] on their networks.” The Report points to “significant support among stakeholders” to assert that STIR/SHAKEN’s effectiveness will continue to improve over time as more providers fully implement the technology. Accordingly, the Bureau also concluded that it would be premature to consider revising or replacing the STIR/SHAKEN framework.
In a Declaratory Ruling and Order on Reconsideration (“Ruling”), the Commission clarified that callers making non-commercial robocalls to residential numbers may obtain either express consent or express written consent. In addition, the Commission affirmed its 2020 Telephone Consumer Protection Act (“TCPA”) Exemptions Order, which limited non-commercial robocalls to a maximum of three in any 30-day period. Both of these rules had been challenged by petitions for reconsideration.
As background, in December 2020, the Commission adopted new rules that limited non-commercial robocalls made without consent to three calls in a 30-day period (we reported on these rules in January 2021). Previously there was no limit to these calls. In adopting these new rules, it appeared that the Commission made a drafting error that would have required callers making informational robocalls to obtain prior express written consent to exceed the three-call limit. However, under the TCPA and Commission’s rules, informational calls generally require only prior express consent. Consequently, several industry groups sought clarification and reconsideration of the Commission’s consent requirements and three-call limit.
Responding to those requests, the Commission ruled that it “did not intend to require that  callers obtain consent only in writing. . . . [W]e amend [the rule] to make clear that consent for informational (i.e., non-telemarketing) calls to residential telephone numbers can be obtained orally or in writing, consistent with longstanding Commission rules and precedent.” As a result of the Ruling, callers that make informational calls to residential numbers may still make three calls without consent but then must obtain prior express consent to make additional calls.
Concerning the three-call limit, the Commission held that “the adoption of a numerical limit satisfies the requirements of the TRACED Act [and] brings the residential exemptions ‘in line with’ exempted calls to wireless numbers, which contain a numerical limitation on the number of calls that can be made.” Further, the Commission rejected Petitioners’ First Amendment challenges to the call limits holding that “we conclude that our call limitations are narrowly tailored to advance a distinct governmental interest — that is, restoring trust in the residential landline network and advancing the health and safety of life — and thus satisfy strict First Amendment scrutiny.”
The effectiveness of the Commission’s rules had been delayed indefinitely; however, following the Ruling’s publication in the Federal Register, callers will now have to comply with the Commission’s three-call limit by July 20, 2023.
In response to a nationwide robocalling campaign targeting homeowners, the Enforcement Bureau took action against the perpetrators of the scheme — Twilio Inc. (“Twilio”) through which PhoneBurner Inc. (“PhoneBurner”), a Twilio client, facilitated apparently illegal robocalls from MV Realty PBC, LLC (“MV Realty”) a real estate brokerage firm.
The Enforcement Bureau released a Public Notice — also referred to as a K4 Notice — ordering all U.S.-based voice service providers to effectively mitigate, which can include blocking, the apparently unlawful traffic from PhoneBurner and MV Realty. The Public Notice directed all U.S.-based voice service providers to promptly investigate the suspected traffic (detailed in an exhibit attached to the Public Notice). However, under a limited waiver adopted by the Enforcement Bureau, providers that determine PhoneBurner and MVRealty are not customers do not need to report their investigation results (the Commission’s rules normally require all providers to report the results of their investigations). Providers that are required to file reports (i.e., providers for whom PhoneBurner and MVRealty are customers) must do so by February 7, 2023. Failure to mitigate the unlawful traffic from PhoneBurner and MVRealty may subject a provider to enforcement action.
Relatedly, the Enforcement Bureau issued a cease-and-desist letter to Twilio, ordering it to investigate and take steps to address the unlawful traffic from PhoneBurner and MVRealty. The Enforcement Bureau found that Twillio was originating illegal traffic on behalf of PhoneBurner. The letter to Twilio explains that when confronted with the investigation’s findings, Twilio told the Enforcement Bureau and Industry Traceback Consortium that PhoneBurner had obtained the called parties’ consent. However, neither Twilio nor PhoneBurner ever supplied evidence of that consent.
As with previous cease-and-desist letters, Twilio must report the mitigation steps it has taken to the Enforcement Bureau and Traceback Consortium within 48 hours and report the steps it will take to prevent future illegal traffic on its networks within 14 days (February 7, 2023). The letter also warns Twilio that all U.S.-based voice service providers will be permitted to block all traffic from Twilio should it fail to comply with the letter’s requirements.
Noting that Twilio is, thus far, the most prominent and largest provider to receive an Enforcement Bureau cease-and-desist letter, Enforcement Bureau Chief Loyaan A. Egal stated that “‘Know Your Customer’ principles should be at the forefront of all communications service providers’ business practices. It is concerning to see such a large provider allowing this kind of traffic on its networks. I hope and expect Twilio to immediately cease and desist.”