FCC Proposes New Rules to Protect Consumers From Illegal Robocalls, To Include a Safe Harbor for Blocked Calls that Fail Caller ID Authentication: Potomac Law

The Federal Communications Commission ("FCC" or "Commission") has released a Declaratory Ruling and Third Further Notice of Proposed Rulemaking on June 7, 2019 in an attempt to further protect consumers from illegal, including spoofed, robocalls. (Docket Nos. CG 17-59 and WC 17-97) The FCC clarifies that voice service providers may utilize "reasonable analytics" to identify and block robocalls on a default basis. At the same time, the FCC is proposing to adopt a rule mandating the implementation (for those voice providers who have not already voluntarily done so) of the industry's SHAKEN/STIR Caller ID authentication and protections for critical calls, including calls to Public Safety Answer Points ("PSAPs"). The rulemaking was published in the Federal Register on June 24, 2019, with comments due on July 24, 2019, and reply comments due on August 23, 2019.

Declaratory Ruling

The Declaratory Ruling provides voice service providers with a number of different options to block illegal robocalls on behalf of consumers. Importantly, the Commission now permits voice service providers to begin providing call-blocking services by default if the provider is using "reasonable analytics," using a variety of metrics, to identify unwanted calls, so long as they also give consumers the right to opt-out of the call blocking programs. Significantly, the FCC observes that the previous reliance on having customers opt-into such blocking programs, "appears to have slowed the development of call-blocking programs in the United States." [1] The Commission views the solution to poor adoption of call-blocking programs is to simplify the process for consumers "by providing anti-robocall tools on an opt-out basis." [2] The Commission will further require those voice providers that offer an opt-out call-blocking program to provide sufficient information so customers can make an informed choice as to whether or not to opt-out of the call-blocking program. Such information should include the types of calls that may be blocked; the risk of blocking wanted calls; and how a consumer can opt-out of a call-blocking program; all provided in clear, easily understandable language. [3]

Conversely, if a voice provider utilizes a call-blocking program based upon white-listing, i.e. using the consumer's own contact lists to block calls not appearing on the consumer's contact lists, that will require an affirmative opt-in from the consumer.

Voice providers utilizing call-blocking tools on an opt-out basis are also required to establish a point-of-contact for legitimate callers to report the erroneous blocking of their calls, such as customer notifications or other legitimate business calls to existing customers. The Commission will also allow those callers to petition the FCC to seek review of the voice provider's call-blocking program if its legitimate calls are being unreasonably blocked. The Commission also encourages these voice providers to notify callers when their calls have been blocked.

Third Further Notice of Proposed Rulemaking

In its associated FNPRM, the Commission seeks comment on a number of other issues relating to the further implementation of rules and programs to curb robocalling.

Many of these proposals for comment center on the SHAKEN/STIR Caller ID authentication program, which FCC Chairman Pai has called on all the major voice service providers (wireline, wireless and Voice over Internet Protocol) to "voluntarily" implement by the end of 2019. The SHAKEN/STIR Caller ID authentication process requires attestation from the voice service provider that 1) it is responsible for the origination of the call onto the network; 2) that the voice service provider has a direct, authenticated relationship with the customer and can identify that customer; and 3) the voice service provider has established a verified association with the number used for the call. [4] The Commission seeks comment on whether it should require all major voice service providers to adopt the SHAKEN/STIR Caller ID authentication framework if any of them fail to meet the end of 2019 deadline for voluntary implementation of it. The Commission also asks how to define what is a "major" voice service provider. [5] Assuming major voice providers implement the framework by year-end 2019, what steps and timing should be required for other voice service providers to implement the SHAKEN/STIR framework? What should the FCC's role be in governing SHAKEN/STIR and what should be the standards for measuring implementation, such as signing of calls on an intercarrier basis? How should the FCC document compliance? Should it require certifications? How should costs be recovered by voice service providers to implement SHAKEN/STIR?

The Commission also seeks comment on a proposed safe harbor for voice service providers that implement call-blocking programs for calls that have not been properly authenticated under the SHAKEN/STIR framework (due to a malicious actor spoofing another number to circumvent authentication). Specifically, the Commission proposes to provide safe harbor for voice service providers that choose to block calls that fail authentication under the SHAKEN/STIR framework. But, the Commission also asks if a legitimate call may fail authentication under SHAKEN/STIR and be blocked, such as in the instance when a certificate inadvertently expires? Should the proposed safe harbor apply to unassigned calls from a particular category of service provider, such as when a service provider participates in SHAKEN/STIR but fails to sign certain calls? Are there any protections that should be established to ensure that wanted calls are not blocked? Are there costs and benefits to implementing a safe harbor of blocking calls based SHAKEN/STIR authentication?

The FCC also seeks comment on a proposed requirement that any service provider that offers call-blocking services to maintain a "Critical Calls List" of numbers that it will not block, and what numbers should be placed on such lists. How should emergency outbound numbers be defined? Should there be a master "Critical Calls List" or should each voice service provider maintain its own list? Should there be other entities, both governmental and private, other that emergency responder contact numbers, that included on the "Critical Calls List", such as schools, hospitals, local governments, fraud and weather alerts, and the like? Should the Commission limit "Critical Calls List" protections to only those calls for which Caller ID can be authenticated? And, how can a "Critical Calls List" be sufficiently protected from spoofing?

Finally, the Commission proposes rules to implement elements of the RAY BAUM Act that expand prohibitions against spoofing Caller IDs to callers originating calls from outside of the United States and proposes to extend new prohibitions against spoofing caller information using alternative text and voice services (see our previous alert for more information on this here). As part of this rulemaking, the Commission seeks comment on how Caller ID authentication, specifically SHAKEN/STIR, will impact illegal robocalls originating outside of the United States.

Comments on these proposals are due Wednesday, July 24, 2019, with reply comments due Friday, August 23, 2019.

If you have questions about this rulemaking or other related robocalling initiatives, please contact Douglas G. Bonner or Katherine Barker Marshall.

______________________________________________________________

[1] In the Matter of In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls Call Authentication Trust Anchor, Declaratory Ruling and Third Further Notice of Proposed Rulemaking, CG Docket No. 17-59 WC Docket No. 17-97, ¶29 (Rel. June 7, 2019)

[2] Id.

[3] Id. at ¶ 33.

[4] Id. at FN 45.

[5] Id. at ¶ 71