In re: Numbering Policies for Modern Communications, 2NPRM

FEDERAL COMMUNICATIONS COMMISSION

Washington, DC 20554

In the Matter of

Numbering Policies for Modern Communications; Telephone Number Requirements for IP-Enabled Service Providers; Implementation of TRACED Act Section 6(a) – Knowledge of Customers by Entities with Access to Numbering Resources

WC Docket Nos. 13-97; 07-243; 20-67

Relating to the

Second Report and Order and Second Further Notice of Proposed Rulemaking

Issued September 22, 2023

Comments of

Electronic Privacy Information Center

Consumer Action

November 29, 2023

I. Introduction and Summary.

            The Electronic Privacy Information Center (EPIC)[1] and Consumer Action[2] file these comments in response to the Second Report and Order and Second Further Notice of Proposed Rulemaking (FNPRM) regarding “Numbering Policies for Modern Communications” issued on September 22, 2023.[3] We appreciate the Federal Communication Commission (Commission or FCC)’s recognition of the problem of unlawful and unwanted robocalls.

            We emphasize how short-term number rentals (rented DIDs)[4] coupled with automated number rotation for outbound calls (rotating ANIs)[5]—collectively referred to here as telephone numbers (TNs)—undermine any gains achieved by STIR/SHAKEN. We urge the Commission to curb use of rotating TNs for outbound calls, hold number resellers liable for any misuse of the numbering resources to which they provide access, and revoke authorization to access numbering resources where appropriate. The Commission’s protective measures should apply not only to prospective applicants requesting access to numbering resources but also to VoIP providers with pre-existing authorization for direct access to numbers and to telecommunication providers. We also oppose the Commission delaying action pending additional reports from the North American Numbering Council (NANC) and urge the Commission to revive its still fully-funded audit program after more than 15 years of inactivity, per NANC’s recommendation. We further note that the current dynamic of impunity in short-term use of numbering resources also results in an increased threat of exhaustion of numbering resources.

II. STIR/SHAKEN is undermined by rented, rotating TNs used for outbound calls.

            The purpose of STIR/SHAKEN is to establish reliable caller ID information by authenticating that the number being used is validly used by the caller. However, when “dynamic caller ID”[6] or “rotating ANI”[7] methods are used—whereby a caller cycles through multiple numbers to prevent the called party from identifying them and to circumvent downstream provider analytics that block or label problematic numbers—validity of number use is largely irrelevant to identifying the calling source and whether the caller will likely harm the called party. This problem is amplified when coupled with the caller’s short-term use of those numbers.

            As we have argued before,[8] the identity and actual telephone number of the caller is functionally obscured when a caller uses a disposable number that is local to the called party. When disposable numbers are used and randomly rotated, from the called party’s perspective no meaningful connection exists between the number used to call them and the person who is calling them, even if the number displayed is not actually spoofed and has received attestation to that effect. Notably, US Telecom has agreed that the Commission should do more to stop misuse of rented DIDs.[9]

III. The Commission should prohibit use of rotating TNs on outbound calls and hold resellers liable for downstream misuse of numbering resources.

The Commission asks how it might enforce its rules for direct access and numbering.[10] The Commission also asks how it would or should hold direct access authorization holders accountable for illegal or inappropriate use of its assigned numbers by indirect access recipients.[11] We urge the Commission to prohibit use of rotating TNs in outbound calls, hold the direct access authorized VoIP providers liable for downstream misuse of their numbering resources, and revoke authorization where appropriate.

The Commission should prohibit use of rotating TNs in outbound calls. This is a known methodology in illegal robocall campaigns,[12] and it is not clear that there is any legitimate purpose for this practice. In fact, the practice is already explicitly illegal in the case of scams under 47 U.S.C. § 227(e), which prohibits knowingly transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value. We urge the Commission to extend a similar prohibition to all calls, not merely scam calls, to protect consumers from bad actors obscuring their identity through use of rotating TNs, which undermines the fundamental goals of STIR/SHAKEN.[13] Because the fraudsters who use rotating TNs are unlikely to comply with Commission regulations, the Commission should not only prohibit direct access authorized VoIP providers from offering a service that permits rotating TNs but also require VoIP providers to use analytics to detect when a caller is rapidly rotating TNs and block those calls before they reach consumers.

In addition (or as an alternative) to requiring direct access authorized VoIP providers to have a Know Your Customer (KYC) policy, the Commission should use authorities including those under 47 U.S.C. § 251(e)(1)[14] and section 6(a) of the TRACED Act[15] to hold direct access authorized VoIP providers accountable for the downstream misuse of numbering resources. Because a KYC policy may or may not actually be in place, accurate, or enforced,[16] the Commission should hold the direct access authorized VoIP providers liable for scams or other illegal calls perpetrated by the customers to whom they provide access to numbering resources or by any callers to whom those customers provided direct or indirect access to the numbering resources. For example, if Reseller A sells access to its numbering resources to Customer B, who in turn resells access to Entity C, who gives access to Caller D, who then makes illegal calls using those numbers, Reseller A would be responsible for Caller D’s illegal activity. The providers with direct access to numbers can indemnify themselves through contracts with the entities to which they directly resell, holding their customers accountable for the entities to which those customers resell and any further downstream provider reselling the number to the party responsible for the misuse. Holding those with direct access to numbering resources responsible for misuse will better ensure that resellers exercise care as to whom they grant access to U.S. phone numbers.

The Commission additionally proposes to revoke authorizations due to non-compliance, ineligibility, false statements, or when in the public interest.[17] From a consumer protection perspective, we agree that revocation is proper, especially where fines for non-compliance and/or liability for misconduct fail to correct the issue (e.g., where financial consequences amount to a “cost of doing business”).[18] The Commission should be explicit that its authority applies to all users of numbering resources, direct or indirect.

We encourage the Commission to implement measures that are likely to change actual behavior in the marketplace and not just put additional demand on the agency’s own capacity to enforce ineffective compliance activities.

We also agree with the Commission that there are consumer protection and anti-competitiveness concerns raised by asymmetrically imposing this regulation on new applicants but not providers with pre-existing authorizations, so the Commission should require it of entities with pre-existing authorizations as well.[19] For similar reasons, we additionally urge the Commission to impose these requirements on all voice service providers with direct access to telephone numbers and not merely on VoIP providers. However, to the extent the Commission believes that the scope of this current rulemaking is not broad enough to include non-VoIP voice service providers, it should not delay the implementation of its current proposals. We encourage the Commission to undertake further rulemaking to address this issue if it feels it cannot incorporate this pro-competitive and pro-consumer measure within the scope of this proceeding.

IV. The Commission should follow the NANC’s recommendation to use the FCC’s established, budgeted-for audit process to address number brokering and mischaracterization rather than delay action pending another NANC report.

The Commission should audit the use of numbering resources immediately. We are opposed to the Commission delaying action pending a report from the NANC[20] (although we do not oppose the Commission seeking such reports).[21] Earlier this year, the NANC noted that “[t]he FCC established a comprehensive audit program and codified its audit process. Estimated audit expenses are included in the NANPA budget, but no monies have been drawn against the audit budget line item in recent years.”[22] Indeed, the most recent time these funds were actually used appears to have been 2006,[23] despite a process codified in 2000 to use audits to ensure providers needed the numbers they requested[24] and $200,000 allocated annually to ensure that this auditing process occurs every year.[25] The Commission should utilize this program in Fiscal Year 2024, auditing entities most likely to be overstating their need for numbering resources or most likely to be misusing the numbering resources to which they have been granted access, including but not limited to those that offer services for the short-term rental of numbers.

V. Exploitation of access to numbering resources leads to premature exhaustion of area codes.

Predictably, renting numbering resources in bulk to be used disposably creates an artificial scarcity in the number pool. To use an overly simplified analogy: if a child were to drink water from a cup and grab a new cup for their next sip of water, then repeat with a new, different cup for each sip of water, it would seem like the household needed more cups than it actually did. In a similar manner, the pool of numbering resources will be exhausted faster when callers make use of numbers disposably rather than reusing existing numbers. State utility regulators have also called attention to this issue,[26] as have both the Commission[27] and the NANC.[28] We do not ask or suggest any additional action from the Commission specific to this issue at this time but merely emphasize it here as additional negative consequences that will continue to result from anything short of an immediate curtailing of this misuse of numbering resources.

VI. Conclusion

            We appreciate the Commission’s continued attention to the various methods bad actors use to reach called parties who do not wish to be called at the expense of trust in the American phone system. We urge the Commission to act immediately to curtail the role played by disposable use of numbering resources, by utilizing its audit program, and by holding providers with direct access to numbers accountable for downstream misuse of those numbers that they assign.

Respectfully submitted November 29, 2023.

---

[1] The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. EPIC was established in 1994 to protect privacy, freedom of expression, and democratic values in the information age.

[2] Consumer Action has been a champion of underrepresented consumers nationwide since 1971. A nonprofit 501(c)(3) organization, Consumer Action focuses on consumer education that empowers low and moderate-income and limited English-speaking consumers to financially prosper. It also advocates for consumers in the media and before lawmakers to advance consumer rights and promote industry-wide change.

[3] In re Numbering Policies for Modern Communications, Telephone Number Requirements for IP-Enabled Service Providers, Implementation of TRACED Act Section 6(a) – Knowledge of Customers by Entities with Access to Numbering Resources, Second Report and Order and Second Further Notice of Proposed Rulemaking, WC Dkt. Nos. 13-97, 07-243, 20-67 (Rel. Sept. 22, 2023), https://docs.fcc.gov/public/attachments/FCC-23-75A1.pdf [hereinafter FNPRM]. The Proposed Rule was published in the Federal Register at 88 Fed. Reg. 74,098 (Oct. 30, 2023) and is available at https://www.federalregister.gov/documents/2023/10/30/2023-23903/numbering-policies-for-modern-communications.

[4] “DID” refers to direct inward dial service, which in this discussion is interchangeable with telephone numbers (TNs). Despite their name, as described below it is when they are used for outbound calling that they are most likely to be problematic.

[5] “ANI” refers to automated number identification, which in this discussion is interchangeable with telephone numbers (TNs).

[6] See Comments of NCLC and EPIC, In re Call Authentication Trust Anchor, WC Dkt. No 17-97, at 4 (June 5, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/10605050535175 [hereinafter NCLC CATA Comment].

[7] See, e.g., outboundANI, https://www.outboundani.com/services (“outboundANI’s machine learning algorithms automatically change out problematic phone numbers to give them time to rest.”) (last visited Nov. 28, 2023); DeNovoLab, YouTube, https://www.youtube.com/watch?v=7cmrZDfcpLA (Nov. 8, 2022) (“This tutorial demonstrates how to use DNL Class 4 Fusion switch to assign random ANI to outbound calls.”).

[8] See NCLC CATA Comment at 1.

[9] See Reply Comments of US Telecom – The Broadband Association, In re Call Authentication Trust Anchor, WC Dkt. No 17-97, at 3 n 13 (July 5, 2023), https://www.fcc.gov/ecfs/search/search-filings/filing/1070508154864 (“Separately, USTelecom agrees with National Consumer Law Center and the Electronic Privacy Information Center that the FCC should address how bad actors are obtaining access to real numbers, including through number rental.”).

[10] See FNPRM at ¶ 90.

[11] See id. at ¶ 91.

[12] See, e.g., Comments of EPIC and NCLC, In re Numbering Policies for Modern Communications, WC Dkt. No. 13-97 at 4 (Oct. 14, 2021), https://www.fcc.gov/ecfs/search/search-filings/filing/10153018018985 (citing David Frankel, Illegal Robocalls For Fun & Profit, https://legalcallsonly.org/wp-content/uploads/Hiya-HowTo-2019.pdf (Sept. 25, 2019)).

[13] See, e.g., FNPRM at ¶ 70.

[14] The Commission has “authority to set policy with respect to all facets of numbering administration in the United States.” Numbering Policies for Modern Communications et al., WC Dkt. Nos. 13-97 et al., Report and Order, 30

FCC Rcd 6839, 6878, ¶ 78 (2015) (citing to Implementation of Local Competition Provisions of the Telecommunications Act of 1996, Interconnection Between Local Exchange Carriers and Commercial Mobile Radio Service Providers, CC Dkt. 96-98, 95-185, and 92-237, et al., Second Report and Order and Memorandum Opinion and Order, 11 FCC Rd 19392, 19512, para. 271 (1996)); see also id. (“Moreover, the obligation to ensure that numbers are available on an equitable basis is reasonably understood to include not only how numbers are available but to whom, and on what terms and conditions.”).

[15] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105 § 6(a)(1) (2019) (TRACED Act) (directing the Commission to undertake a proceeding to modify its policies regarding access to numbering resources in order to reduce access by bad actors, including by imposing requirements on voice service providers given access to number resources to take sufficient steps to know their customers).

[16] For example, in the context of the Robocall Mitigation Database (RMD), the Commission initiated the process for removing twenty providers for deficient filings. See, e.g., FCC Seeks to Remove Companies from Robocall Mitigation Database (Oct. 16, 2023), https://www.fcc.gov/document/fcc-seeks-remove-companies-robocall-mitigation-database. See also Protecting Americans from Robocalls, 118th Cong. (2023), S. Comm. on Comm, Science, and Trans., Subcomm. on Commc’ns, Media, & Broadband at timestamp 1:48:36 (Oct. 24, 2023), https://www.commerce.senate.gov/2023/10/protecting-americans-from-robocalls (“…so many are thumbing their nose at a requirement with the mitigation plan. Submitting blank documents, documents that are intended to be rude or menus or whatever nonsense is also being submitted shows that it’s not working, that there’s a loophole somewhere that’s been created, that there’s no attention to the prosecution side if you will or the requirements for the mitigation plan…”).

[17] See, e.g., FNPRM at ¶¶ 63, 65, 66, 82.

[18] See id. at ¶ 64. The Commission can address due process concerns by using a model akin to what it has implemented for the RMD, see 47 CFR § 64.1200(n)(5), although EPIC maintains that this process gives bad actors too many and prolonged opportunities to continue abusing resources and scamming called parties.

[19] See, e.g., FNPRM at ¶¶ 81, 82.

[20] Chris Frascella is currently a member of NANC’s Numbering Administration Oversight Working Group (NAOWG) but was a non-voting member of NANC and not a member of any NANC Working Group when the report cited infra note 22 was developed and published.

[21] See, e.g., FNPRM at ¶¶ 46, 53, 68.

[22] North American Numbering Council, Report and Recommendation on the Feasibility of Individual Telephone Number (ITN) Pooling Trials and Alternative Means for Conserving Numbering Resources, 31 (Jan. 31, 2023), https://www.fcc.gov/files/finalnaowgnancitnapprovedreport02282023 [hereinafter Final NAOWG NANC ITN Approved Report].

[23] See Welch & Co., LLP, Billing and Collection Agent Report For period ending May 31, 2006, to NANC, at 1 (June 5, 2006), https://x20b6c.p3cdn1.secureserver.net/wp-content/uploads/2014/08/NANC-May-2006.pdf (noting $171,063 spent on carrier audits). This is the most recent report in which carrier audit funds were actually used; future reports indicate a variance equal to the total amount budgeted, see, e.g., NANP Fund balance statement cited infra note 25.

[24] See Second Report and Order, Order on Reconsideration in CC Docket No. 96-98 and CC Docket No. 99-200, and Second Further Notice of Proposed Rulemaking in CC Docket No. 99-200 at ¶ 82 (Dec. 7, 2000), https://docs.fcc.gov/public/attachments/FCC-00-429A1.pdf (“In addressing need verification measures in the First Report and Order, we adopted a more verifiable, needs-based approach to allocating initial and growth numbering resources predicated on proof that carriers need numbering resources when, where, and in the quantity requested. We find that an audit program is an important adjunct to these measures.”).

[25] See, e.g., NANP Fund, Statement of Changes in Fund Balance Oct. 2022 to Sept. 2023, at 3 line 9 (Oct. 2023), https://x20b6c.p3cdn1.secureserver.net/wp-content/uploads/2023/10/September-2023.pdf (noting $200,000 variance between actual results and budget as of Sept. 30, 2023).

[26] See, e.g., FNPRM ¶ 46 n 152 (citing to Mich. PSC Comments at 3; Neb. PUC Comments at 2-3; Pa. PUC Comments at 3-4; W. Va. PSC Reply at 2-3); see also NANPA 2022 Annual Report, at 35 Table 4-8, https://nationalnanpa.com/reports/2022_NANPA_Annual_Report.pdf (noting that 90% of CO codes [also known as prefixes, exchanges, or NXX codes] were opened for pool replenishment purposes).

[27] See, e.g., FNPRM ¶¶ 10, 46, 51, 68.

[28] See, e.g., Final NAOWG NANC ITN Approved Report at 22 (“Additionally, there is anecdotal evidence of brokering of geographic telephone numbers and potentially mischaracterization of inventories on semi-annual NRUF reporting. Some of these numbering practices may have the potential to inefficiently consume telephone number resources. For example, brokering may falsely represent numbers as in use when in fact they are allocated for sale by an entity that is taking advantage of a perceived loophole in the numbering rules.”).