The FCC on August 1 voted to adopt enhanced Truth in Caller ID rules that will subject a broader range of “spoofed” calls to new heftier statutory civil penalty and potentially criminal sanctions for willful and knowing violations of these FCC requirements. Companies using spoofing technology should have until early 2020 to assess their operations to ensure compliance prior to these amended rules taking effect.
At its Open Meeting, the FCC adopted a Report and Order (R&O) to amend the current Truth in Caller ID rules. The text of the was released on August 5, 2019 and largely remains unchanged since the release of the . It appears that the rules adopted build upon the framework the FCC proposed in its Notice of Proposed Rulemaking from in February 2019 (click for our earlier summary of the Notice). Overall, the Second R&O mirrors most of the FCC’s original proposals. The differences we highlight below are relatively technical, reflecting the FCC’s attempt to grapple with and clarify the scope of rule changes in light of foreseeable business use cases that may cause problems that the RAY BAUM’S Act intended to prevent.
At its open meeting, the FCC stressed that these new rules were strongly supported by a May 2019 joint filing by forty-two state attorneys general, which applauded the FCC’s “proactive, multi-pronged approach to battle the noxious intrusion of illegal robocalls, as well as malicious caller ID spoofing in voice, alternative voice, and text message services.” This filing stated that “it is no coincidence that the number of robocalls is exploding at the same time there is a similar explosion in scams perpetrated via telephone.” This coalition of state attorneys general called for new FCC rules promoting blocking of illegally spoofed calls beyond what the FCC authorized in its 2017 Call Blocking Order (which the FCC expanded upon in June 2019, see our coverage here) and called for voice providers to intensify their traceback efforts on calls that originate or pass through their networks.
Extending Jurisdictional Reach to Calls Originating Outside of the United States
The new Truth in Caller ID rule will prohibit Caller ID spoofing to include
no person in the United States, nor any person outside the United States if the recipient is in the United States, shall, with the intent to defraud, cause harm, or wrongfully obtain anything of value, knowingly cause, directly, or indirectly, any caller identification service to transmit or display misleading or inaccurate caller identification information in connection with any voice service or text messaging service.
Commissioner Michael O’Rielly, along with other commenters, have reservations about the extraterritorial reach of these new rules. “I must admit that some of the new statutory provisions give me pause. . . . [T]he expanded extraterritorial jurisdiction may prove difficult to execute in uncooperative nations and come back to bite us in other contexts,” said Commissioner O’Rielly at the Open Meeting.
In anticipation of legal challenges that the FCC does not have extraterritorial jurisdiction over communications initiated outside of the United States, the FCC found that no treaty or statutory language contravenes the FCC’s authority to “work with [its] international counterparts on caller ID spoofing issues.” The D.C. Circuit Court, in the past, had examined the FCC’s jurisdiction over establishing international accounting rate benchmarks and held that the extraterritorial assertion of regulatory authority was not unlawful because it did not violate any treaty obligations. The amended Truth in Caller ID rules are meant to fall under this same jurisdictional framework.
Clarifying Four Corners of “Voice Service” and “Text Messaging Service”
The FCC determined that the term “text message” under its rules would include all “short message service” (SMS) or “multimedia message service” (MMS). Because neither of these terms were defined by legislation or by other FCC rules, the FCC adopted the same description in its 2018 Wireless Messaging Service Declaratory Ruling to define these two terms. Thus, in spite of objections from CTIA, “text message” will include “messages sent from a person or entity using Common Short Codes administered by the Common Short Code Administration. These refer to “5- to 6- digit codes typically used by enterprise for communicating with consumers at high volume” as an addressing mechanism using the SMS and MMS protocols.
CTIA and other commenters had argued that since there are specific administration processes already in place for enterprises to register for these short codes, the likelihood of a person spoofing a short code is slim. They also suggested that blocking short codes for spoofing activity would reach beyond the authority delegated to the FCC by the RAY BAUM’S Act. After the release of the draft Second R&O, CTIA met with FCC staff and reemphasized that there was no evidence of fraud that exists in the context of short code use. Moreover, equating short codes with text messages would be a departure from past FCC approach of “refrain[ing] from classifying short codes as a component of messaging service,” which the agency reaffirmed in December 2018.
The FCC was not convinced that “Caller ID associated with a Short Code message cannot be spoofed.” Nevertheless, the final version of the R&O added clarification that short codes will be interpreted as text message only for purposes of section 503 of the RAY BAUM’S Act and the Truth in Caller ID rules. The FCC “make[s] no finding with respect to any other Commission jurisdiction over Short Codes.”
The final R&O also added clarification on which other forms of messaging will be excluded from “text messages” subject to these amended rules. To the extent that Rich Communications Services (RCS) or other messages that are not SMS or MMS will be sent over IP-enabled messaging services to other users of the same messaging service, these amended rules do not apply. The FCC drew this distinction because Congress had been aware of these messaging protocols for some time and in the legislation continued to exempt “any message sent over an IP-enabled messaging service that is not SMS or MMS” from the scope of the RAY BAUM’S Act.
Consistent with the draft R&O, “voice services” subject to the enhanced anti-spoofing rules include “one-way VoIP services that allow customers of such services to send voice communications to any end user who uses North American Numbering Plan resources” regardless of whether the NANP resources would be directly provided to customers. The FCC drew from its experience in observing that “malicious caller ID spoofing often relies on ‘dialing platforms’ or ‘third party platforms’” that “can be used for sending either live or pre-recorded robocalls” and that these are not all “directly interconnected to the PSTN” (public switched telephone network). The FCC concluded that excluding this category of calls would necessarily “exclude significant amounts of unlawful spoofing,” contrary to the Congressional intent expressed in section 503 of the RAY BAUM’S Act.
“Real-time, two-way voice communications between and among closed user groups that do not use 10-digit telephone numbers or N11 service codes” were excluded from the definition of “voice service” for the same reason, consistent with the FCC’s approach of previous years.
Strengthening Enforcement Authority?
Once these new rules go into effect, the FCC will have two years to investigate any calls and text messages within the broader scope above and to initiate an enforcement proceeding against these callers through a notice of inquiry. A violation may lead to $10,000 civil penalty for each violation or $30,000 for each day of a continuing violation not exceeding a total of $1,000,000 for any single act or failure to act. A finding of willful or knowing violation of these rules will also lead to a similar amount of criminal fine or even up to a year of imprisonment.
Despite of the foundation laid by these new rules to expand the FCC’s enforcement authority over overseas callers, text messages, and more categories of voice services, Commissioner Jessica Rosenworcel would like to see more: “There is no public process for holding carriers who put this junk on the line accountable” and the FCC is not “bringing its enforcement authority to bear against carriers aiding and abetting robocallers.” Other commenters also observed that the new rules do not provide for specific processes with which the FCC will be able to collect forfeitures from foreign actors or effectively shut down their operations.
Following the FCC’s release of the final R&O on August 5, 2019, the amended Truth in Caller ID rules are slated to become effective on or about February 6, 2020, or thirty days after its publication in the Federal Register, whichever is later.