The Ultimate Guide to STIR/SHAKEN: What You Need to Know to Avoid Spam Labels

Robocalls have become a prevalent issue recently, with individuals receiving a significant number of unwanted calls every day. In the US alone, consumers receive an average of 4 billion robocalls per month. 

The combination of robocalls and caller ID spoofing makes it challenging for individuals to identify and avoid unwanted or fraudulent calls. This allows criminals to carry out illegal activities such as scams.

To combat this problem, The Federal Communications Commission (FCC) has been promoting measures for STIR SHAKEN compliance to stop robocalls and caller ID spoofing since 2014. In response, the telecommunications industry has developed the STIR/SHAKEN framework and technical standards to address this issue.

What does STIR/SHAKEN mean?

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are two standards that work together for STIR SHAKEN compliance to combat the problem of robocalls and caller ID spoofing.

Secure Telephony Identity Revisited (STIR)

STIR is an authentication protocol that creates a digital certificate to verify the caller’s identity. This certificate, as a token, is then attached to the call. The certificate serves as a way to confirm that the phone number displayed on the caller ID is linked to the entity making the call. It establishes a secure caller identity. 

Signature-based Handling of Asserted information using toKENs (SHAKEN)

SHAKEN is the implementation of STIR used to validate the token and certificate on the recipient’s end. 

It includes technical standards for 

✅ Creating the digital certificate

✅ Attaching the token to the call, and 

✅ Checking the token’s validity. 

Together, STIR and SHAKEN ensure the authenticity of the caller ID information. This reduces fraudulent robocalls and provides a higher level of security for consumers.

What are the benefits of the STIR/SHAKEN framework?

Implementing STIR/SHAKEN compliance can provide several advantages for you, such as:

• Increased trust: Implementing STIR/SHAKEN technology builds trust with your contacts by giving them a higher level of assurance that the calls they receive are not fraudulent.
• An increased answer rate: A ‘Verified’ sign associated with your caller ID increases the chances of contacts answering your calls.
• Reputation protection: Authenticating your calls with STIR/SHAKEN makes them less likely to be blocked or marked as spam by the recipient’s phone. This protects your reputation as an organization.
• Compliance with regulations: STIR/SHAKEN can help you meet regulatory requirements related to robocalls and caller ID spoofing. This enables you to avoid potential fines or penalties.
• Cost saving: Implementing STIR/SHAKEN technology can help you save money spent on making calls getting marked as ‘spam’. 

Let us assist you with registering for STIR/SHAKEN. Enable it now. 

How does STIR/SHAKEN compliance work?

STIR/SHAKEN verifies the authenticity of a caller’s phone number using digital certificates and encryption.

When a call is made, the originating telephone service provider (TSP) applies a digital signature to the caller’s phone number, which is sent along with the call to the receiving TSP. The receiving TSP uses a public key to validate the signature and confirm the authenticity of the caller’s phone number. The call is authenticated if the signature is valid and the caller ID is displayed to the recipient. If the signature is invalid or missing, the call is flagged as potentially fraudulent, and the caller ID is not displayed.

STIR/SHAKEN compliance also works in tandem with the database of phone numbers that should not be used for telemarketing or other unwanted call types.

A typical STIR/SHAKEN workflow involves several steps when a call is made and received. However, the entire process takes only seconds, and there are no significant delays in connecting the call.

Here is a general overview of the process:

1. The caller places a call.
2. Caller’s carrier generates a digital certificate: The caller’s carrier generates a digital certificate that verifies the caller’s identity. This certificate includes information such as the caller’s phone number, name, and a digital signature.
3. Caller’s carrier attaches the certificate to the call: The caller’s carrier attaches the digital certificate to the call in the form of a token. The token is sent along with the call as it travels through the phone network.
4. Recipient’s carrier retrieves the token: When the call reaches the recipient’s carrier, it retrieves the token from the call.
5. Recipient’s carrier validates the certificate: The recipient’s carrier checks the token against its own database of legitimate certificates to ensure that it is valid. 
6. Call is forwarded or blocked: If the certificate is valid, it means that the caller ID information is authentic, and the recipient’s carrier can forward the call to the recipient’s phone. If the certificate is not valid, the recipient’s carrier can block the call or mark it as spam.
7. Caller ID displayed on recipient’s phone: If the call is forwarded, the recipient’s phone will display the caller’s name and phone number on the screen, as well as the validation status of the certificate.

STIR/SHAKEN attestation levels

In the STIR/SHAKEN framework, there are several levels of attestation that indicate the degree of authenticity of the caller ID information. These attestation levels are based on the level of validation that is performed on the digital certificate. 

Here are the different attestation levels used in the STIR/SHAKEN framework:

1. [A] Full attestation: The carrier identifies the caller and verifies that the caller is authorized to use the phone number as the caller ID for outgoing robocalls.
2. [B] Partial attestation: The carrier confirms the identity of the caller, but it is uncertain if they are authorized to use the phone number as the caller ID for outgoing robocalls.
3. [C] Gateway attestation: When the carrier is unable to confirm the attestation as level A or B, it’s set as level C. This is typically used for calls made to international numbers.

The attestation levels do not necessarily indicate the trustworthiness of a call. Additional analysis will continue to determine if a call is unwanted, a scam, or illegal, regardless of its attestation level. 

What will happen if you don’t do anything about STIR/SHAKEN compliance?

Without the ability to authenticate your caller ID, you may see lower answer rates and increased complaints from your contacts. Additionally, it may also have an impact on your organization’s reputation, as your contacts may see you as untrustworthy.

How to implement STIR/SHAKEN

Organizations can seek assistance from their calling software provider to guide them through the process and ensure that it is done correctly.

STIR/SHAKEN compliance legislation

STIR/SHAKEN is a set of technical standards that have been adopted by the Federal Communications Commission (FCC) in the United States and by the Canadian Radio-television and Telecommunications Commission (CRTC) in Canada.

If you use robocalls, you may be subject to a number of legal requirements and governmental regulations related to the use of STIR/SHAKEN. 

Here are some examples:

1. FCC’s TRACED Act: In the United States, the Federal Communications Commission (FCC) has issued a mandate that all telecom/voice service providers must implement the STIR/SHAKEN framework, as part of the TRACED Act. 
2. TCPA (Telephone Consumer Protection Act): In the United States, the TCPA is a federal law that regulates telemarketing calls, including robocalls. Organizations that use robocalls must comply with the TCPA’s requirements. This includes obtaining prior express written consent from consumers before making robocalls, and providing a way for consumers to opt-out of receiving robocalls.
3. CRTC’s regulations: The Canadian Radio-television and Telecommunications Commission (CRTC) has recommended service providers to implement STIR/SHAKEN, but it is not mandating the implementation. 
4. Other regulations: In addition to the regulations of the FCC and CRTC, there may be other regulations or laws in different countries that organizations must comply with when using robocalls.

SHAKEN/STIR and CallHub

The process includes providing a few details about your organization for STIR/SHAKEN compliance to the carrier. Once submitted, the carrier will verify it and assign an attestation level to your account. See how to enable STIR/SHAKEN on CallHub and what details you need to share. 

Featured image: Photo by Kampus Production

FAQs on stir/shaken compliance guide

Sindhu Prabhu

A marketer with 5+ years of experience. Loves sharing insights on making campaigns work better, connecting with your audience effectively, and using smart communication strategies that deliver results.