47 USC 227b – Call authentication
(a) Definitions
In this section:
(1) STIR/SHAKEN authentication framework
The term “STIR/SHAKEN authentication framework” means the secure telephone identity revisited and signature-based handling of asserted information using tokens standards proposed by the information and communications technology industry.
(2) Voice service
The term “voice service”—
(A) means any service that is interconnected with the public switched telephone network and that furnishes voice communications to an end user using resources from the North American Numbering Plan or any successor to the North American Numbering Plan adopted by the Commission under section 251(e)(1) of this title; and
(B) includes—
(i) transmissions from a telephone facsimile machine, computer, or other device to a telephone facsimile machine; and
(ii) without limitation, any service that enables real-time, two-way voice communications, including any service that requires internet protocol-compatible customer premises equipment (commonly known as “CPE”) and permits out-bound calling, whether or not the service is one-way or two-way voice over internet protocol.
(b) Authentication frameworks
(1) In general
Subject to paragraphs (2) and (3), and in accordance with paragraph (6), not later than 18 months after December 30, 2019, the Commission shall—
(A) require a provider of voice service to implement the STIR/SHAKEN authentication framework in the internet protocol networks of the provider of voice service; and
(B) require a provider of voice service to take reasonable measures to implement an effective call authentication framework in the non-internet protocol networks of the provider of voice service.
(2) Implementation
The Commission shall not take the action described in paragraph (1) with respect to a provider of voice service if the Commission determines, not later than 12 months after December 30, 2019, that such provider of voice service—
(A) in internet protocol networks—
(i) has adopted the STIR/SHAKEN authentication framework for calls on the internet protocol networks of the provider of voice service;
(ii) has agreed voluntarily to participate with other providers of voice service in the STIR/SHAKEN authentication framework;
(iii) has begun to implement the STIR/SHAKEN authentication framework; and
(iv) will be capable of fully implementing the STIR/SHAKEN authentication framework not later than 18 months after December 30, 2019; and
(B) in non-internet protocol networks—
(i) has taken reasonable measures to implement an effective call authentication framework; and
(ii) will be capable of fully implementing an effective call authentication framework not later than 18 months after December 30, 2019.
(3) Implementation report
Not later than 12 months after December 30, 2019, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on the determination required under paragraph (2), which shall include—
(A) an analysis of the extent to which providers of voice service have implemented the call authentication frameworks described in subparagraphs (A) and (B) of paragraph (1), including whether the availability of necessary equipment and equipment upgrades has impacted such implementation; and
(B) an assessment of the efficacy of the call authentication frameworks described in subparagraphs (A) and (B) of paragraph (1) in addressing all aspects of call authentication.
(4) Review and revision or replacement
Not later than 3 years after December 30, 2019, and every 3 years thereafter, the Commission, after public notice and an opportunity for comment, shall—
(A) assess the efficacy of the technologies used for call authentication frameworks implemented under this section;
(B) based on the assessment under subparagraph (A), revise or replace the call authentication frameworks under this section if the Commission determines it is in the public interest to do so; and
(C) submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report on the findings of the assessment under subparagraph (A) and on any actions to revise or replace the call authentication frameworks under subparagraph (B).
(5) Extension of implementation deadline
(A) Burdens and barriers to implementation
Not later than 12 months after December 30, 2019, and as appropriate thereafter, the Commission—
(i) shall assess any burdens or barriers to the implementation required by paragraph (1), including—
(I) for providers of voice service to the extent the networks of such providers use time-division multiplexing;
(II) for small providers of voice service and those in rural areas; and
(III) the inability to purchase or upgrade equipment to support the call authentication frameworks under this section, or lack of availability of such equipment; and
(ii) in connection with an assessment under clause (i), may, upon a public finding of undue hardship, delay required compliance with the 18-month time period described in paragraph (1), for a reasonable period of time, for a provider or class of providers of voice service, or type of voice calls, as necessary for that provider or class of providers or type of calls to participate in the implementation in order to address the identified burdens and barriers.
(B) Delay of compliance required for certain non-internet protocol networks
Subject to subparagraphs (C) through (F), for any provider or class of providers of voice service, or type of voice calls, only to the extent that such a provider or class of providers of voice service, or type of voice calls, materially relies on a non-internet protocol network for the provision of such service or calls, the Commission shall grant a delay of required compliance under subparagraph (A)(ii) until a call authentication protocol has been developed for calls delivered over non-internet protocol networks and is reasonably available.
(C) Robocall mitigation program
(i) Program required
During the time of a delay of compliance granted under subparagraph (A)(ii), the Commission shall require, pursuant to the authority of the Commission, that any provider subject to such delay shall implement an appropriate robocall mitigation program to prevent unlawful robocalls from originating on the network of the provider.
(ii) Additional requirements
If the consortium registered under section 13(d) identifies a provider of voice service that is subject to a delay of compliance granted under subparagraph (A)(ii) as repeatedly originating large-scale unlawful robocall campaigns, the Commission shall require such provider to take action to ensure that such provider does not continue to originate such calls.
(iii) Minimization of burden
The Commission shall make reasonable efforts to minimize the burden of any robocall mitigation required pursuant to clause (ii), which may include prescribing certain specific robocall mitigation practices for providers of voice service that have repeatedly originated large-scale unlawful robocall campaigns.
(D) Full participation
The Commission shall take reasonable measures to address any issues in an assessment under subparagraph (A)(i) and enable as promptly as reasonable full participation of all classes of providers of voice service and types of voice calls to receive the highest level of trust. Such measures shall include, without limitation, as appropriate, limiting or terminating a delay of compliance granted to a provider under subparagraph (B) if the Commission determines in such assessment that the provider is not making reasonable efforts to develop the call authentication protocol described in such subparagraph.
(E) Alternative methodologies
The Commission shall identify, in consultation with small providers of voice service and those in rural areas, alternative effective methodologies to protect customers from unauthenticated calls during any delay of compliance granted under subparagraph (A)(ii).
(F) Revision of delay of compliance
Not less frequently than annually after the first delay of compliance is granted under subparagraph (A)(ii), the Commission—
(i) shall consider revising or extending any delay of compliance granted under subparagraph (A)(ii);
(ii) may revise such delay of compliance; and
(iii) shall issue a public notice with regard to whether such delay of compliance remains necessary, including—
(I) why such delay of compliance remains necessary; and
(II) when the Commission expects to achieve the goal of full participation as described in subparagraph (D).
(6) No additional cost to consumers or small business customers
The Commission shall prohibit providers of voice service from adding any additional line item charges to consumer or small business customer subscribers for the effective call authentication technology required under paragraph (1).
(7) Accurate identification
Not later than 12 months after December 30, 2019, the Commission shall issue best practices that providers of voice service may use as part of the implementation of effective call authentication frameworks under paragraph (1) to take steps to ensure the calling party is accurately identified.
(c) Safe harbor and other regulations
(1) In general
Consistent with the regulations prescribed under subsection (j) of section 227 of this title, as added by section 10, the Commission shall, not later than 1 year after December 30, 2019, promulgate rules—
(A) establishing when a provider of voice service may block a voice call based, in whole or in part, on information provided by the call authentication frameworks under subsection (b), with no additional line item charge;
(B) establishing a safe harbor for a provider of voice service from liability for unintended or inadvertent blocking of calls or for the unintended or inadvertent misidentification of the level of trust for individual calls based, in whole or in part, on information provided by the call authentication frameworks under subsection (b);
(C) establishing a process to permit a calling party adversely affected by the information provided by the call authentication frameworks under subsection (b) to verify the authenticity of the calling party’s calls; and
(D) ensuring that calls originating from a provider of voice service in an area where the provider is subject to a delay of compliance with the time period described in subsection (b)(1) are not unreasonably blocked because the calls are not able to be authenticated.
(2) Considerations
In establishing the safe harbor under paragraph (1), consistent with the regulations prescribed under subsection (j) of section 227 of this title, as added by section 10, the Commission shall consider limiting the liability of a provider of voice service based on the extent to which the provider of voice service—
(A) blocks or identifies calls based, in whole or in part, on the information provided by the call authentication frameworks under subsection (b);
(B) implemented procedures based, in whole or in part, on the information provided by the call authentication frameworks under subsection (b); and
(C) used reasonable care, including making all reasonable efforts to avoid blocking emergency public safety calls.
(d) Rule of construction
Terms Used In 47 USC 227b
- customer premises equipment: means equipment employed on the premises of a person (other than a carrier) to originate, route, or terminate telecommunications. See 47 USC 153
- individual: shall include every infant member of the species homo sapiens who is born alive at any stage of development. See 1 USC 8
Nothing in this section shall preclude the Commission from initiating a rulemaking pursuant to its existing statutory authority.