Rules & Regulations Implementing the Truth in Caller ID Act of 2009

I. INTRODUCTION
1. In this Order, we adopt rules to implement the Truth in Caller ID Act of 2009 (Truth in Caller ID Act, or Act). Caller ID services typically identify the telephone numbers and sometimes the names associated with incoming calls, thus allowing consumers to decide whether or how to answer a phone call based on who appears to be calling. However, caller ID information can be altered or manipulated (“spoofed”). Increasingly, bad actors are spoofing caller ID information in order to facilitate a wide variety of malicious schemes, from identity theft to “swatting” (the practice of placing false emergency calls to law enforcement in order to elicit a response from a Special Weapons and Tactics (SWAT) team).
2. In response to the increasing use of caller ID spoofing to facilitate schemes that defraud consumers and threaten public safety, Congress passed the Truth in Caller ID Act. The Truth in Caller ID Act, and our implementing rules, prohibit any person or entity from knowingly spoofing caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value. The Commission can—and will—seek substantial penalties from those who violate the Act and the rules we adopt today.
II. BACKGROUND
3. Caller ID services became possible in the early 1980s when local exchange carriers (LECs) began adopting Signaling System Seven (SS7) signaling techniques, which carriers use to route and manage telephone calls. SS7 techniques place signaling information on a separate transmission channel from the telephone call (i.e., “out-of-band” instead of “in-band” signaling). Separating the signaling information from the voice traffic, along with other features of SS7, enables providers to transmit caller ID information across multiple carriers.
4. In the mid-1990s, the Commission adopted rules governing interstate caller ID and other calling party number (CPN) services offered by telecommunications providers (CPN rules). The CPN rules generally require common carriers that use SS7 signaling techniques to route and manage telephone calls to transport the CPN on interstate calls to interconnecting carriers. Terminating carriers can, but are not required to, display calling party numbers to their subscribers.
5. SS7 signaling techniques do not transmit the name of the calling party along with the number, but many caller ID services are able to display both the phone number of the calling party and the name associated with the calling party. The providers of caller ID services identify the name of the subscriber associated with the calling party by sending a query to a centralized calling name (‘‘CNAM’’) database or directory that associates telephone numbers with names. There are multiple CNAM databases used by providers of caller ID services.
6. Under the Commission’s rules, a calling party can request that his or her calling number and name not be revealed by dialing *67 (or 1167 for rotary phones) before dialing the phone number. Carriers using SS7, or offering or subscribing to any service based on SS7 call set-up functionality, are required to recognize and honor calling parties’ privacy requests. As a result, on a call-by-call basis, most callers have the ability to block a call recipient from seeing the calling party’s telephone number or name. This basic framework reflects the Commission’s balancing of the benefits of caller ID with the privacy issues raised by this and other CPN services.
7. When the Commission first adopted its rules relating to CPN, the use of caller ID services was a new phenomenon. Over time, however, caller ID and other CPN services have become commonplace. Consumers have come to rely on caller ID services to display the phone number and sometimes name associated with an incoming call, and consumers use that information to decide whether or how to answer a phone call. With the proliferation of caller ID services, caller ID spoofing has also become more commonplace. In the past, caller ID spoofing required special equipment or a relatively high degree of technical sophistication. Now anyone can inexpensively spoof their caller ID by using the services of a third-party spoofing provider.
8. The ease with which callers can spoof their caller ID information is a function of the widespread availability of VoIP technology and the growth of third-party caller ID spoofing services. Callers using some interconnected VoIP services can easily alter their caller ID by making a call appear to come from any phone number. Callers who subscribe to legacy telephone services (and interconnected VoIP services) also can easily spoof their caller ID by purchasing caller ID spoofing services from third parties. Caller ID spoofing services are openly advertised on the Internet, and callers can purchase prepaid cards in retail stores and use them for caller ID spoofing services. There are also companies that offer “caller identification management services” to business customers that enable those business customers to transmit modified CPNs. Because the terminating provider often has no direct relationship with the person placing a call, that provider often has no way to determine the accuracy of the caller ID information it receives and provides to its subscribers.
9. As Congress recognized, and as the record demonstrates, not all instances of caller identification manipulation are harmful, and some may be beneficial. Commenters offered a variety of legitimate reasons for altering caller ID information. For example, as discussed in the Caller ID Act NPRM, because many phones are set to refuse calls where the caller ID information is not provided, domestic violence shelters often need to transmit caller ID to complete a call but may have important reasons for not revealing the actual number of the shelter. Likewise, doctors responding to after-hours messages from their patients or other medical providers may want to use their cell phones to return the calls, but choose to transmit their office number rather than their cell phone number as the calling number. The Commission’s own rules require telemarketers to transmit caller identification information, but allow for the substitution of the name and customer service number of the seller on whose behalf the telemarketer is calling, as long as the telephone number provided is one a consumer can use to make a do-not-call request during regular business hours. Carriers may also manipulate caller ID to test equipment to emulate the customer experience or to investigate fraudulent use of the network.
10. While caller ID manipulation may sometimes be in the public interest, it is a practice ripe for abuse. Numerous well-publicized examples of caller ID spoofing led to Congressional concern about the misuse of caller ID systems. The comments received by the Commission underscore the alarming use of caller ID spoofing for malicious purposes. In its comments, the United States Department of Justice (DOJ) describes various scenarios in which bad actors use caller ID spoofing to carry out their schemes. For example, DOJ describes the “particularly insidious form of fraud known as ‘swatting.’” As DOJ explained, “[s]watting refers to the practice of placing false emergency calls to law enforcement for the purpose of eliciting a response from the Special Weapons and Tactics (‘SWAT’) team, usually as a means of revenge.” DOJ also describes the use of caller ID spoofing in connection with stalking and harassment; to carry out identity theft schemes; and to gain unauthorized access to cell phone voicemail. Third-party spoofing providers do not dispute that caller ID is used for nefarious purposes. Indeed, Teltech Systems and Itellas, two providers of caller ID spoofing services that filed comments in response to the Caller ID Act NPRM, both acknowledge that they respond to numerous law enforcement requests for information. The record indicates that the incidence of malicious spoofing is increasing.
11. In order to address the growing problem of caller ID spoofing done for fraudulent or harmful purposes, Congress enacted the Truth in Caller ID Act. The Act makes it “unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.” The Act directs the Commission to issue implementing regulations within six months, provides for additional civil penalties for violations of the Act, and establishes a two-year statute of limitations. On March 9, 2011, the Commission issued the Caller ID Act NPRM seeking comment on proposed rules to implement the Truth in Caller ID Act.
III. IMPLEMENTATION OF THE TRUTH IN CALLER ID ACT
12. Having considered the record in this proceeding, we adopt rules to carry out the Commission’s statutory obligation to implement the Truth in Caller ID Act. The rules we adopt include only modest changes to the rules the Commission proposed in the Caller ID Act NPRM.
13. In amending the Commission’s CPN rules, we adopt rules that prohibit any person or entity in the United States, acting with the intent to defraud, cause harm, or wrongfully obtain anything of value, from knowingly causing, directly or indirectly, any caller identification service to transmit or display misleading or inaccurate caller identification information. The revisions to our CPN rules are modeled on the Act’s prohibition against knowingly engaging in caller ID spoofing with fraudulent or harmful intent. The rules include exemptions based on conduct the Act identifies as exempt from its prohibitions. The revised rules also include new definitions, including several modeled after definitions in the Act. As proposed in the Caller ID Act NPRM, the revised rules also specify that blocking or attempting to block one’s own caller ID is not a violation of the new rules, while clarifying that telemarketers are not relieved of their obligation to transmit caller identification information.
A. Prohibited Practice
14. The principal implementing rule we adopt provides that “no person or entity in the United States shall, with intent to defraud, cause harm, or wrongfully obtain anything of value, knowingly cause, directly or indirectly, any caller identification service to transmit or display misleading or inaccurate caller identification information.” The wording of the prohibition in our rules generally tracks the wording of the prohibition in the Act, and is unchanged from the rule the Commission proposed in the Caller ID Act NPRM.
15. The Act specifies that the prohibited conduct is “in connection with any telecommunications or IP-enabled voice service.” Because we define the terms “caller identification service” and “caller identification information” to encompass the use of telecommunications services and “interconnected VoIP services,” we do not need to specify in the rule that the prohibition encompasses calls made using telecommunications services and IP-enabled voice services, as specified in the Act.
16. We also note that the Act is directed at “any person,” but does not define the term “person.” In order to make clear that the rules are not limited to natural persons and to be consistent with the Commission’s current rules concerning the delivery of CPN, our amendments to the CPN rules use the phrase any “person or entity.” The only commenter that addressed the use of the phrase “person or entity” in the proposed rules supported the Commission’s clarification that the rule applies to both natural persons and other entities.
17. In the Caller ID Act NPRM, the Commission asked about the placement of the term “knowingly” in the proposed rules. As with the proposed rules, the rules we adopt today provide that in order to violate the rules, the person or entity “knowingly” causing transmission or display of inaccurate or misleading caller identification must be the same person or entity that is acting with intent to defraud, cause harm, or wrongfully obtain anything of value. The Truth in Caller ID Act is aimed at prohibiting the use of caller ID spoofing for ill intent. Therefore, we believe that an entity subject to liability for violating the Act must knowingly spoof caller identification information and do so with intent to defraud, cause harm, or wrongfully obtain something of value.
18. Most commenters agreed with the Commission’s proposal to clarify that the word “knowingly” modifies the action of the person or entity engaged in malicious caller ID spoofing because this is the most logical reading of placement of the word in the Truth in Caller ID Act. However, in its reply comments, the Privacy Rights Clearinghouse (PRC) recommends that the Commission change the placement of the word “knowingly” so that it modifies the actions of the caller identification service or modify the rule so that spoofing services are prohibited from knowingly transmitting misleading or inaccurate caller identification information for a party violating the Act. PRC argues that requiring that the same person or entity knowingly cause the transmission or display of misleading or inaccurate caller identification information and have the requisite intent to “defraud, cause harm, or wrongfully obtain anything of value” imposes an unnecessary hurdle to enforcement efforts.
19. We disagree with PRC’s arguments. Based on our reading of the statute, it is not enough that a person or entity intend to defraud, cause harm, or wrongfully obtain anything of value to violate the Truth in Caller ID Act. Rather, the person or entity intending to defraud, cause harm or wrongfully obtain anything of value must facilitate the scheme through the manipulation or alteration of caller identification information. Moreover, adopting a rule in which “knowingly” modifies the action of the caller identification service would not impose liability on caller ID spoofing services for knowingly manipulating caller identification information absent intent to defraud, cause harm, or wrongfully obtain anything of value. Nor would it ease the burden on law enforcement of proving a violation of the Act. Instead, it would require law enforcers to show that the provider of the caller ID service—usually a terminating carrier or VoIP provider—knew that the incoming caller identification information was manipulated or altered. As the Commission noted in the Caller ID Act NPRM, “in many instances the caller identification service has no way of knowing whether or not the caller identification information it has receives has been manipulated.” We do not believe Congress intended to impose liability on caller ID spoofers acting with malicious intent only upon proof that the provider of the call recipient’s caller ID service knew that the caller identification information was manipulated or altered. That would be a perverse result, wholly inconsistent with the intent of the Act and its legislative history.
20. As for PRC’s suggestion that we modify the rule to hold spoofing providers liable for transmitting inaccurate or misleading caller identification information on behalf of someone violating the Act, as discussed below, we choose to follow Congress’ lead in not imposing additional obligations on spoofing providers. We find that the proposed rules and the rules we adopt today are consistent with Congressional intent to focus on whether a person or entity has knowingly manipulated the caller identification information in order to defraud, cause harm, or wrongfully obtain anything of value, and therefore we adopt the prohibition on caller ID spoofing as proposed in the Caller ID Act NPRM. The person or entity that knowingly causes caller ID services to transmit or display misleading or inaccurate information may, in some cases, be a carrier, spoofing provider or other service provider, and we do not exempt such conduct from the purview of our rules.
21. Like the proposed rules, the rules we adopt today address both transmission and display of misleading or inaccurate caller identification information to make clear that, even if a carrier or interconnected VoIP provider transmits accurate caller identification information, it would be a violation for a person or entity to knowingly cause, directly or indirectly, a device that displays caller identification information to display inaccurate or misleading information with the intent to defraud, cause harm, or wrongfully obtain anything of value. We also note that the rules we adopt today cover situations in which a person or entity is “directly or indirectly” causing a caller identification service to transmit or display misleading or inaccurate caller ID. We include the concept of “indirect” action in our rules to foreclose those acting with the requisite harmful intent from arguing that they are not liable merely because they have engaged a third party to cause the transmission or display of inaccurate or misleading caller identification information.
22. In the Caller ID Act NPRM, the Commission sought comment on whether the proposed prohibition on causing any caller identification service to transmit or display “misleading or inaccurate” caller identification information with the “intent to defraud, cause harm, or wrongfully obtain anything of value” provides clear guidance about what actions are prohibited. Commenters generally agreed that the terms in the proposed rule were sufficiently clear. We agree. Although we do not believe it is necessary to offer additional definitions to clarify the meaning of the prohibited actions, we do agree with the National Network to End Domestic Violence (NNEDV) that the term “harm” is a broad concept that encompasses financial, physical, and emotional harm, include stalking, harassment, and the violation of protection and restraining orders. Moreover, NNEDV offers substantial evidence that abusive spouses use third-party caller ID services to harass and stalk their victims. We consider knowing manipulation or alteration of caller identification information for the purpose of harassing or stalking someone to be an egregious violation of the Act and of our rules implementing the Act. We intend to enforce our rules vigorously, including against those who engage in such malicious practices, and we encourage spoofing providers to notify their customers in no uncertain terms that such actions are illegal.
B. Exemptions
23. The Act directs the Commission to exempt from its regulations (i) any authorized activity of a law enforcement agency; and (ii) court orders that specifically authorize the use of caller identification manipulation. Separately, the Act also makes clear that it “does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State or a political subdivision of a State, or of an intelligence agency of the United States.” DOJ requested that the Commission explicitly incorporate lawfully authorized investigative, protective, or intelligence activities into the exemptions to the Commission’s implementing rule. In light of the statutory language specifying that such activities are not prohibited by the Act and DOJ’s request that such activities be included in the exemptions to the Commission’s implementing rule, the proposed rule incorporated the two exemptions specified in the Act, and expanded the exemption for law enforcement activities to cover protective and intelligence activities. No commenters objected to the proposed rule, and AT&T, the only commenter other than DOJ that addressed the exemptions in the proposed rule, supported their adoption. Thus, the record supports our decision to include those exemptions in the rule we adopt today.
24. We decline to adopt any other exemptions from the Act. Commenters have proposed a number of additional exemptions, all of which cover practices that, as described by the commenters themselves, would not violate the plain language of the Act. Some commenters assert that absent additional exemptions, the rules might be misinterpreted to prohibit normal and helpful business practices, such as those designed to facilitate communications with customers. As a result some commenters ask for broad exemptions to the Act. AT&T, for example, asks the Commission to make clear that caller ID manipulation “for legitimate business reasons” is exempt; inContact asks the Commission to “exempt all uses not specifically intended to defraud or deceive consumers”; and USTelecom and Verizon ask the Commission to exempt “any action required by law or permitted under 64.1601(d).” Still other commenters propose exemptions for caller identification manipulation involving specific types of practices or actors. For example, a number of commenters representing telecommunications and VoIP providers express support for an exemption for carriers and providers that transmit caller ID information they receive from their customers or other providers, even if it turns out to be inaccurate. Commmenters that provide call management services for telemarketers and debt collectors, and those that provide caller ID spoofing services to the public, suggest that they should be exempt from responsibility for bad actors, unless the service provider has the necessary intent to defraud, cause harm, or wrongfully obtain anything of value. Companies that provide call management services to telemarketers and debt collectors have also asked the Commission for an exemption allowing manipulation of caller ID information so that a call recipient’s caller ID displays a local number, regardless of where the calling party is located. NNEDV suggests that the Commission exempt victim service providers, and a private investigator requests that the Commission include an exemption for lawful use by licensed private investigators. We do not find any of these exemptions to be necessary or appropriate.
25. The legislative history of the Act makes clear that manipulation or alteration of caller ID information done without the requisite harmful intent does not violate the Act. Nothing in our implementing rules changes that fact. Likewise, the transmission of incorrect caller ID information by carriers and providers acting without the requisite intent to defraud, cause harm or wrongfully obtain anything of value does not violate the Truth in Caller ID Act or our rules implementing the Truth in Caller ID Act. Moreover, we agree with DOJ that “none of the commenters who advocated for a status-based exemption to the Truth in Caller ID Act were able to articulate any scenario whereby legitimate conduct would fall within the prohibitions of the Act.” Like DOJ, we fear that allowing any such exemptions could “create dangerous loopholes under the Act that could be exploited by criminals.” Therefore, we decline to adopt any further exemptions from the Act at this time, primarily because the ones that have been presented to us are unnecessary.

Advertisements