APA Comments
Coalition Reply Comments in Improving the Effectiveness of the Robocall Mitigation Database
WC Dkt. 24-213; MD Dkt. 10-234 (Nov. 2024)
Before the
FEDERAL COMMUNICATIONS COMMISSION
Washington, D.C. 20554
In the Matter of Improving the Effectiveness of the Robocall Mitigation Database; Amendment of Part 1 of the Commission’s Rules, Concerning Practice and Procedure, Amendment of CORES Registration System
WC Docket No. 24-213; MD Docket No. 10-234
Reply Comments of CTIA, USTelecom – THE BROADBAND ASSOCIATION, Electronic Privacy Information Center, NATIONAL CONSUMERS LEAGUE, AND PUBLIC KNOWLEDGE
I. Introduction and Summary
CTIA, USTelecom – The Broadband Association (“USTelecom”), the Electronic Privacy Information Center (“EPIC”), the National Consumers League (“NCL”), and Public Knowledge (“PK”) (together the “Joint Commenters”)[1] respectfully submit these reply comments in response to the Federal Communications Commission’s (“FCC” or “Commission”) Notice of Proposed Rulemaking (“NPRM”) seeking comment on proposals to “ensure and improve the overall quality of submissions” to the Robocall Mitigation Database (“RMD” or “Database”).[2] The Joint Commenters share Congress’s and the Commission’s goals of protecting consumers from illegal and unwanted robocalls and strengthening trust in the voice network, as discussed in the initial comments filed by the Joint Commenters independently. Moreover, the Joint Commenters applaud the Commission’s dedication to promoting “the highest level of diligence when providers submit required information” to the RMD.[3]
There is consensus in the record, including among the Joint Commenters, that the Commission can best promote the quality and accuracy of information submitted to the RMD by using its existing authority to closely analyze the substance of RMD filings and to remove facially deficient filings submitted by providers. Doing so has broader benefits for the wider STIR/SHAKEN ecosystem while also strengthening protections against foreign-originated robocalls, as providers removed from the RMD are subject to token revocation and blocking by downstream providers. In addition, the Commission should continue issuing mandatory blocking orders against bad actors that have been removed from the RMD. To further bolster its efforts to clean up the RMD, the Commission should expand the agency’s Private Entity and Robocall Spoofing Portal (“Private Entity Reporting Portal”) or develop a new intake mechanism—like a referral portal or dedicated FCC email address—to allow private industry to assist the Commission in flagging potentially deficient RMD filers.
To complement its efforts to remove deficient filers from the RMD, the Commission should take other steps to ensure the filings in the RMD are complete and accurate. As one step, the Commission should ensure its confidentiality standards are being applied to confidentiality claims in RMD submissions and should consider offering guidance on those standards to help mitigate filing of confidentiality claims with insufficient support. Finally, as several commenters suggest, the Commission should adopt additional procedures to help ensure the completeness and accuracy of filings, including notice and cure procedures.
The Joint Commenters encourage the Commission to focus on implementing the above proposals instead of adopting additional front-end requirements for filers, and other commenters agree. Addressing deficient filings already in the RMD, and expeditiously removing those filers, is the best way the Commission can ensure the effectiveness of the RMD while also creating benefits for the broader robocall mitigation ecosystem.
II. The Commission should prioritize purging deficient submissions from the RMD.
The Joint Commenters reiterate their appreciation for the Commission’s efforts to enhance the quality and utility of the RMD and support the NPRM’s proposals that are appropriately focused on deterring bad actors from submitting facially deficient filings.[4] To further these important initiatives, the Joint Commenters encourage the Commission to focus on closely scrutinizing false, misleading, or otherwise deficient filings submitted in the RMD, and quickly removing such filers from the RMD. As CTIA explained in its opening comments, the Commission can leverage its existing two-step removal process to remove facially deficient filers; the Commission should remove from the RMD deficient filings that are not corrected within 30 days of the completion of the agency’s two-step removal process.[5] Indeed, the initial comments highlighted numerous examples of deficient RMD submissions, and additional commenters similarly emphasized the presence of “egregiously noncompliant” RMD submissions.[6] USTelecom similarly noted the presence of robocall mitigation plans (“RMPs”) consisting of nothing more than irrelevant “promotional materials,” while another submission contained nothing more than the company’s address.[7]
As emphasized by other commenters in this proceeding, the Joint Commenters agree that the presence of such facially deficient certifications erodes the “chain of trust” the RMD was designed to address,[8] and obstructs the Commission’s transparency and accountability measures.[9] Moreover, the Joint Commenters agree that the providers with filings that are “facially deficient more than eighteen months after the Commission updated its requirements” should be removed from the RMD so long as they “have received ample notice about and have had ample time to comply with the Commission’s requirements for the RMD.”[10]
Removing deficient filers from the RMD also has other downstream benefits. For example, a more accurate RMD provides a stronger foundation for the STIR/SHAKEN ecosystem. The RMD is meant to serve as a resource for regulators and entities in the voice ecosystem.[11] If providers are in the RMD, the Secure Telephone Identity Governance Authority (“STI-GA”) has established procedures that allow providers to rely on their RMD filings and status as a way of showing, among other factors, that they may be qualified to hold a STIR/SHAKEN token. If a provider is removed from the RMD, the STI-GA’s policy is to revoke that provider’s service provider code (“SPC”) token.[12] So, by removing facially deficient RMD filings, the Commission can help ensure that such providers are not able to sign calls. Stronger, more aggressive oversight of the RMD also can help mitigate the risk of illegal foreign-originated robocalls. By removing facially deficient providers that are based abroad, the Commission can help protect consumers from illegal foreign-originated robocalls. Although the Commission’s enforcement jurisdiction over foreign voice service providers is less direct,[13] expedited removal from the RMD is well within its regulatory purview,[14] and when a provider is removed from the RMD, that provider is subject to permissive blocking by downstream providers.
As a result, the Joint Commenters urge the Commission to “focus its efforts on using its existing rules to remove facially deficient filers from the RMD in a timely manner, which will effectively target bad actors without introducing unnecessary complexity.”[15]
III. Commenters support continued blocking of providers that have been removed from the RMD.
Consistent with the views of several other commenters, the Joint Commenters urge the Commission to continue its practice of imposing mandatory blocking orders against providers that have been removed from the RMD.[16] Indeed, as USTelecom correctly notes, a mandatory Commission order to block traffic from a provider not listed in the RMD is a “highly effective tool” to halt illegal robocalls.[17] And as CTIA explained in its opening comments, although permissive blocking is a helpful tool to clean up voice traffic that is potentially harmful, it does not obligate providers to cease carrying traffic like a mandatory blocking order resulting from RMD removal.[18] Accordingly, the Joint Commenters encourage the Commission to continue to leverage the RMD to help inform its mandatory blocking orders.
IV. There is record support for creating mechanisms to report deficient RMD filers.
The Joint Commenters agree with proposals for the Commission to create additional ways for stakeholders to report potentially deficient filings to the Commission. The Commission could do so in several ways, such as by either: (a) expanding its Private Entity Reporting Portal; (b) developing a separate RMD referral portal that would allow providers and the public to assist the FCC in identifying potential bad actors abusing the RMD;[19] or (c) creating a dedicated FCC email address to field such reports. As USTelecom notes, “there is no reason for the Commission to carry this burden alone,”[20] and, “[t]here may be occasions when providers can more easily spot something suspicious.”[21]
Whichever approach the Commission chooses would “streamline the process for formal reporting of suspicious filings” and encourage “reporting on a more consistent basis.”[22] And as CTIA stated in its initial comments, this would allow industry and public interest stakeholders to bolster strained Commission resources while ensuring due process protections remain in place by allowing the Enforcement Bureau to determine whether a particular RMD submission constitutes a violation of the agency’s rules.[23] To help benefit other stakeholders as well, the Commission can log these reports according to various criteria, such as reports of RMD certifications containing insufficient contact details, the unresponsive nature of a provider’s robocall mitigation contact, or other recurring themes.
In addition, the Joint Commenters support updating the RMD’s search functions to enable the public to more efficiently search the database. As CTIA suggested, the Commission should update the RMD’s architecture to enable third parties to search the Database by: (1) specific fields (e.g., state, other address fields, etc.); and (2) affiliates and subsidiaries of individuals and companies listed therein.[24] The Commission should make the RMD searchable not just by keyword, but also by state and other address fields, by Operating Company Number,[25] and by company principals and officers, for example, and enable downloads of search results for review. As several commenters suggested, these types of commonsense changes will allow other stakeholders to flag potential bad actors for Commission review to help complement staff’s existing efforts.
V. Commenters support applying appropriate scrutiny over RMD confidentiality claims and the creation of multiple new entities per filer.
Commenters also agree that the Commission should take steps to scrutinize confidentiality claims more closely in RMD filings, consistent with the agency’s rules[26] and guidance.[27] As USTelecom correctly notes, the Commission’s Protective Order guiding confidential filings in the RMD[28] does not afford an “entire [RMD] submission” confidential treatment.[29] Indeed, “[t]he spirit of the Protective Order encourages filers mark only the information that meets the criteria of confidential or highly confidential.”[30] Moreover, “[b]ad actors may abuse confidentiality protections, marking significant portions of their robocall mitigation plans as confidential to avoid public scrutiny. USTelecom encourages the Commission to be strict in limiting the information filers mark as confidential.”[31] To help deter insufficient confidentiality claims, the Commission should consider publishing guidance on how it evaluates confidentiality claims and best practices for submitting claims in the RMD context specifically.
Relatedly, the Commission should take steps to deter bad actors from creating new entities to refile after being kicked out of the Database. Accordingly, the Joint Commenters agree with USTelecom’s proposal that the Commission should elevate RMD filings for further review “when an individual that is associated with a certain number of apparently unaffiliated entities submits a new filing. . . .”[32]
VI. The record supports the Commission adopting additional procedures to help prevent deficient filings.
To help ensure the completeness of filings, the Commission should implement a process to notify filers of facial deficiencies in filings and provide a reasonable time for filers to address them. Specifically, the Commission should allow a period of three to five business days for filers to confirm receipt of the notification and affirm they are working to fix those errors flagged by the Commission. Clerical errors and administrative oversights are bound to happen, and the Commission should provide filers a reasonable process for addressing these types of issues. Doing so would reduce burdens for Commission staff by addressing inadvertent filing errors on the front-end, rather than having to identify and clean up the database later. It would also better target the Commission’s database clean-up efforts toward substantive filing issues.
After focusing on removing deficient filers, setting up the intake mechanism for referrals, and taking the steps noted here to ensure complete filings, the Commission could consider additional steps. For example, as USTelecom suggested, if the Commission requires multi-factor authentication, then it must be done in a way that does not unnecessarily burden compliant providers. These later actions could be targeted at incentivizing accuracy and completeness of filings, and discouraging new deficient RMD certifications from being submitted.
VII. Conclusion
As discussed above, the Joint Commenters strongly support the Commission’s objective to improve the quality and accuracy of RMD filings. To accomplish this, many commenters agree that the Commission should use its existing authority to remove facially deficient filings from the RMD and continue to issue mandatory blocking orders against such providers. The Commission should also allow the public to assist the agency by facilitating reporting on potential bad actors abusing the RMD by creating an intake mechanism to do so. The Joint Commenters also encourage the Commission to closely scrutinize confidentiality claims made in RMD filings, and to refrain from imposing additional authentication measures or filing fees on Database access. By taking these actions, the Commission can help enhance the accuracy of the RMD and maximize its utility as a critical tool in the fight against illegal and unwanted robocalls.
[1] These reply comments are intended to highlight areas of agreement between the Joint Commenters. As such, these reply comments are supplemental to, and do not displace, each of the Joint Commenters’ initial comments.
[2] Improving the Effectiveness of the Robocall Mitigation Database; Amendment of Part 1 of the Commission’s Rules, Concerning Practice and Procedure, Amendment of CORES Registration System, WC Docket No. 24-213, MD Docket No. 10-234, Notice of Proposed Rulemaking, FCC 24-85, ¶ 1 (2024) (“NPRM”).
[3] Id. ¶ 3.
[4] Comments of CTIA, WC Docket No. 24-213, MD Docket No. 10-234, at 4 (filed Oct. 15, 2024) (“CTIA Comments”); Comments of the Electronic Privacy Information Center, Public Knowledge, and the National Consumers League, WC Docket No. 24-213, MD Docket No. 10-234, at 1-2 (filed Oct. 15, 2024) (“EPIC, NCL, PK Comments”).
[5] CTIA Comments at 4-5; EPIC, NCL, PK Comments, at 11-13.
[6] See EPIC, NCL, PK Comments at 6 (“Upon accessing the database on October 15, 2024, there were 9,333 total entries, of which 609 claimed their STIR/SHAKEN implementation status was “N/A”; 601 did not offer a contact phone number; and 423 entries without a phone number also did not have any other entries or reported aliases in other databases.”) (footnotes omitted).
[7] Comments of USTelecom – The Broadband Association, WC Docket No. 24-213, MD Docket No. 10-234, at 2 (filed Oct. 16, 2024) (“USTelecom Comments”).
[8] Id. at 2.
[9] EPIC, NCL, PK Comments at 6.
[10] Id.
[11] For example, the Industry Traceback Group relies on the RMD “as an authoritative source of information for providers, given that they must certify to the information they submit, including to obtain their contact information when first identified in tracebacks.” Comments of the Industry Traceback Group, WC Docket No. 24-213, MD Docket No. 10-234, at 1 (filed Oct. 11, 2024) (“ITG Comments”).
[12] See Policy Decision 003: SPC Token Revocation Policy, Secure Telephone Identity Governance Authority, Version 2.2, at 2 (Apr. 16, 2024), https://cdn.atis.org/stiga.atis.org/2024/05/03194349/240416-Policy-003-SPC-token-Revocation-Policy-v2-2-FINAL.pdf.
[13] The Commission has previously “emphasized” that its rules “do not constitute the exercise of jurisdiction over foreign voice service providers.” Viettel Business Solutions Company et al., EB-TCD-23-00034918, Removal Order, DA 24-152, ¶ 3 (EB Feb. 22, 2024); see also Call Authentication Trust Anchor, WC Docket No. 17-97 Second Report and Order, FCC 20-136, ¶ 99, n.370 (2020). The FCC further emphasized that its rules do “not require foreign voice service providers” to file a certification in the RMD, although intermediate providers and terminating voice service providers are prohibited from accepting traffic from foreign voice service providers who do not appear in the RMD. Id. n.347 (emphasis in original); see also, 47 C.F.R. § 64.6305(g)(2).
[14] CTIA Comments at 10.
[15] Id.
[16] See, e.g., Joint Comments of INCOMPAS and the Cloud Communications Alliance, WC Docket No. 24-213, MD Docket No. 10-234, at 7 (filed Oct. 15, 2024) (“CCA and INCOMPAS Comments”).
[17] USTelecom Comments at 3.
[18] CTIA Comments at 9-10.
[19] Id. at 15.
[20] USTelecom Comments at 4.
[21] Id.
[22] Id. at 4-5.
[23] CTIA Comments at 15-16.
[24] Id. at 10-11.
[25] USTelecom Comments at 7.
[26] 47 C.F.R. § 0.459(b).
[27] See generally, Enforcement Bureau Reminds Public That Requests for Confidentiality Must Cover Only Material Warranting Confidential Treatment Under the Commission’s Rules, Public Notice, DA 20-579 (rel. June 18, 2020).
[28] Wireline Competition Bureau Adopts Protective Order for Robocall Mitigation Program Descriptions, Public Notice and Protective Order, 36 FCC Rcd 14562, 14566, ¶ 2 (WCB 2021) (“Protective Order”).
[29] USTelecom Comments at 5.
[30] Id.
[31] Id.
[32] Id.