26. The Caller ID Act NPRM proposed adding definitions to the Commission’s CPN rules for “Interconnected VoIP service”; “Caller identification information”; “Caller identification service”; and “information regarding the origination” of a call. We adopt the proposed definitions for all four of those terms, with slight modifications to the definitions of “Caller identification service” and “information regarding the origination.”
27. Interconnected VoIP service. The Truth in Caller ID Act covers caller ID spoofing done “in connection with any telecommunications service or IP-enabled voice service.” As mentioned above, the rules we adopt today use the term “interconnected VoIP service” instead of “IP-enabled voice service.” We define “interconnected VoIP service” to have the same meaning given that term in section 9.3 of the Commission’s rules. We do this because the Act specifies that the term IP-enabled voice service has the “meaning given that term by section 9.3 of the Commission’s regulations (47 C.F.R. 9.3) as those regulations may be amended by the Commission from time to time.” Section 9.3 of the Commission’s rules defines “interconnected VoIP service,” not “IP-enabled voice service.” Therefore, to be consistent with the apparent intent of Congress in enacting the Truth in Caller ID act, we limit the scope of the rule’s coverage to telecommunications services and interconnected VoIP services.
28. DOJ and some other commenters recommend that we adopt rules that cover VoIP services more expansively than the Commission’s definition of “interconnected VoIP” service in section 9.3 of its rules does. We find that the Act’s incorporation of the Commission’s rule defining interconnected VoIP service calls for applying the current definition found in section 9.3 (as it may be amended over time). Consequently, the rules we adopt today use the term “interconnected VoIP service” and specify that it has the same meaning given the term “interconnected VoIP service” in 47 C.F.R. § 9.3 as it currently exists or may hereafter be amended. However, we are cognizant of the importance of protecting consumers from malicious caller ID spoofing as broadly as possible. To that end, we raise this issue in the Report to Congress for further consideration.
29. Caller identification information. We define “caller identification information” to mean “information provided by a caller identification service regarding the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or interconnected VoIP service.” This is the definition the Commission proposed in the Caller ID Act NPRM and no commenters offered any reason not to use this definition.
30. Caller identification service. We define “caller identification service” to mean “any service or device designed to provide the user of the service or device with the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or interconnected VoIP service.” Unlike the proposed rule, the definition of “caller identification service” that we adopt today does not explicitly reference automatic number identification (ANI) because, as discussed below, we have defined “information regarding the origination” to include “billing number information, including charge number, ANI, or pseudo-ANI.” By including such billing number information in the definition of “information regarding the origination” we effectively include within the definition of “caller identification service” any service or device designed to provide the user with any form of the calling party’s billing number, including charge number, ANI, or pseudo-ANI.
31. Information regarding the origination (of a call). The definitions of “caller identification information” and “caller identification service” in the Act and in the rules we adopt today both use the phrase “the telephone number of, or other information regarding the origination of, a call.” We define “information regarding the origination” to mean any: (1) telephone number; (2) portion of a telephone number, such as an area code; (3) name; (4) location information; (5) billing number information, including charge number, ANI, or pseudo-ANI; or (6) other information regarding the source or apparent source of a telephone call. The definition we adopt today mirrors the proposed definition, but adds “billing number information including charge number, ANI, or pseudo-ANI” to the types of information that constitute “information regarding the origination.” We add these types of information to the definition of “information regarding the origination” in response to commenters’ concerns about the importance of transmission of accurate billing information, including charge number, ANI and pseudo-ANI, to caller identification services used by emergency services providers.
32. Our current rules relating to the delivery of CPN services define ANI as referring to the “delivery of the calling party’s billing number by a local exchange carrier to any interconnecting carrier for billing or routing purposes, and to the subsequent delivery of such number to end users.” The Caller ID Act NPRM sought comment on whether the Commission should use a different definition of ANI for purposes of the Truth in Caller ID Act, and in particular, whether the Commission should include a definition of ANI that encompasses charge party numbers delivered by interconnected VoIP providers. Some commenters requested that the Commission revise the current definition of ANI to encompass billing numbers delivered by interconnected VoIP providers. The terms ANI, calling party number, and charge number in section 64.1600 of our rules are used in sections of the rule that we have not addressed in this rulemaking; therefore we decline to amend those definitions at this time. Other commenters more generally suggested that the Commission make sure to include billing numbers, charge number, ANI and pseudo-ANI information within the ambit of the rule.
33. Spoofing caller identification information transmitted to emergency services providers is a particularly dangerous practice, and one that Congress was particularly concerned about when adopting the Truth in Caller ID Act. ANI and pseudo-ANI are the foundations of the emergency services routing infrastructure in the United States and derive their data exclusively from information maintained in the records of the originating carrier. The delivery of accurate information for any person who dials 911 or seeks assistance via 10-digit emergency and non-emergency numbers is fundamental to ensuring that the correct identifying information is transmitted with those calls. While this information may not be subject to manipulation by callers in the ordinary course, if an individual or entity did spoof ANI, the individual could conceal his or her identity and location, and could tie up public response capacity by initiating spoofed calls designed to cause the dispatch of responders to locations where no emergency is at hand. Given the rapid evolution of technology, and the consequences of spoofing ANI and pseudo-ANI, we find that the delivery of caller identification information to E911 public safety answering points (PSAPs), which use ANI or pseudo-ANI to look up the caller’s name and location information on emergency calls, should be considered a type of “information regarding the origination” of a call.
34. The Caller ID Act NPRM sought comment on whether there are other things that should be included in the definition, specifically, information transmitted in the SS7 Jurisdiction Information Parameter (JIP) code that provides information about the location of a caller who has ported his number or is calling over a mobile service. As the record demonstrates, use of the JIP code can benefit law enforcement and public safety, and can be used for improved routing for emergencies. Therefore, we clarify that “location information” includes information transmitted in the SS7 JIP code. However, in encompassing information transmitted in the JIP code within our definition, we do not require that any providers, including CMRS and VoIP providers, populate the JIP in signaling data.
D. Caller ID Blocking
35. The Truth in Caller ID Act specifies that it is not intended to be construed to prevent or restrict any person from blocking the transmission of caller identification information. The legislative history shows that Congress intended to protect and preserve subscribers’ ability to block the transmission of their own caller identification information to called parties. Consequently, like the proposed rules, the rules we adopt today provide that a person or entity that blocks or seeks to block a caller identification service from transmitting or displaying that person or entity’s own caller identification information shall not be liable for violating our rules implementing the Truth in Caller ID Act.
36. Although our rules generally allow callers to block caller ID, as discussed in the Caller ID Act NPRM, telemarketers are required to transmit caller identification information, and the phone number they transmit must be one that a person can call to request placement on a company-specific do-not-call list. This requirement allows consumers to more easily identify incoming telemarketing calls and to make informed decisions about whether to answer particular calls. It also facilitates consumers’ ability to request placement on company-specific do-not-call lists. Additionally, the requirement assists law enforcement investigations into telemarketing complaints. Therefore, our rules specify that they “do not relieve any person or entity that engages in telemarketing, as defined in section 64.1200(f)(10), of the obligation to transmit caller identification information under section 64.1601(e).”
E. Third-Party Spoofing Services
37. As discussed above, one of the reasons that it is easy for anyone to spoof their caller ID is that third-party caller ID spoofing services are widely available and inexpensive. There are typically four steps to the process of using a third-party caller ID spoofing service to spoof a call, as illustrated in Figure 1. First, the customer places a call to a company-controlled toll free or POTS line number. Second, after the first call is connected, the customer enters a personal identification number and then enters the number he or she wants to substitute as the caller ID that is transmitted to the called party. Third, the customer enters the phone number he or she wants to call; and fourth, the spoofing provider—or the carrier it uses—delivers the call to the terminating carrier serving the called number with the requested substitute number transmitted as the caller’s CPN.
38. Recognizing the role spoofing providers play in facilitating caller ID spoofing, the Commission sought comment on whether the Commission may, and should, adopt rules imposing obligations on providers of caller ID spoofing services when they are not themselves acting with intent to defraud, cause harm, or wrongfully obtain anything of value. More specifically, the Commission also sought comment on whether it should impose record-keeping requirements on caller ID spoofing providers. In addition, the Commission sought comment on a proposal made by DOJ, and supported by the Minnesota Attorney General, to adopt rules requiring “public providers of caller ID spoofing services to make a good-faith effort to verify that a user has the authority to use the substituted number, such as by placing a one-time verification call to that number.”
39. Although Itellas and Teltech, the two third-party caller ID spoofing services that commented on the Caller ID Act NPRM, indicate that they do maintain records of the calls they facilitate and that they cooperate with law enforcement investigations, there is little support among the commenters for the adoption of rules requiring third-party spoofing providers to maintain records. The third-party spoofing providers strongly object to any rule requiring them to verify that their customers have a right to use the phone number they choose to spoof. Itellas and TelTech both argue that requiring users of caller ID services to verify that they have authority to use the spoofed number would be pointless and ineffective, because people or entities using caller ID spoofing to carry out a criminal enterprise can purchase the software to spoof caller ID rather than use a third-party provider. They also argue that verification cannot establish a caller’s intent, and absent malintent there can be no violation of the Truth in Caller ID Act. As TelTech explains, “[u]sing a number you do not have permission to spoof is not illegal under the Act.” In its reply comments, NNEDV agrees that verification requirements would be inconsistent with the intent expressed in the legislative history of the Act, which recognized the importance of caller ID spoofing to protect victims of domestic violence. According to NNEDV, a verification requirement “would endanger victims and ‘domestic violence shelters that provide false caller ID number (sic) to prevent call recipients from discovering the location of victims.’” Although NNEDV objects to DOJ’s proposal that the Commission impose verification requirements on caller ID spoofing services, it does propose that the Commission require spoofing services to give prominent notice that use of their services in violation of the Truth in Caller ID Act is unlawful.
40. We are very concerned about the harmful effects of caller ID spoofing done with malicious intent. We also recognize that requiring caller ID spoofing services to verify that users have the authority to use the substitute number would likely reduce the use of caller ID spoofing to further criminal schemes, and could simplify law enforcement efforts to determine who is behind a caller ID spoofing scheme. Likewise, the public would benefit from having third-party caller ID spoofing providers clearly and conspicuously notify their users about the practices prohibited by the Truth in Caller ID Act. However, we are not convinced that it is appropriate for the Commission to impose such obligations on third-party caller ID spoofing service providers at this time. In crafting the Truth in Caller ID Act, we believe that Congress intended to balance carefully the drawbacks of malicious caller ID spoofing against the benefits provided by legitimate caller ID spoofing. The Act prohibits spoofing providers, like all other persons and entities in the United States, from knowingly spoofing caller ID with malicious intent. However, the Act does not expressly impose additional obligations on providers of caller ID spoofing services. Following Congress’ lead, we decline to impose additional obligations on third-party spoofing providers at this time.
41. We are cognizant of the fact that spoofing providers can, and sometimes do, detect and prevent some types of illegitimate manipulation of caller ID spoofing. Itellas, for example, noted in its comments that its system does not allow customers to call or display 911, in order to prevent use of its service for swatting. Itellas’ system also prevents its customers from using a specific spoofed number when placing calls to toll free numbers in order to prevent users from using the phone number associated with a stolen credit card or with a specific bank account to activate the credit card, or to transfer money from the compromised bank account. In its comments, TelTech represents that it has closed accounts that it has identified as appearing to be used to commit crimes, including money transfer fraud, activation of stolen credit cards, or identity theft. However, spoofing services do not necessarily know the intent with which their customers place spoofed calls. Once the Commission’s rules are in force, we will have the opportunity to determine whether the current rules are sufficient to deter malicious caller ID spoofing. If they are not, we can revisit the issue. In the meantime, we raise the issue of liability for third-party providers in the report the Act requires the Commission to submit to Congress.
42. We want to make clear that our decision not to impose additional obligations on third-party caller ID spoofers in no way immunizes them from the obligation to comply with the Act. Where a caller ID spoofing service causes, directly or indirectly, the transmission or display of false or misleading caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value, such service will be in violation of the Truth in Caller ID Act and our rules. Our conclusion follows from a natural reading of the statute, which applies to any “person” who causes caller ID services to transmit misleading or inaccurate caller ID information. Likewise, although we do not decide the matter here, liability questions would arise if the totality of the circumstances demonstrated that a third-party spoofing provider had promoted its services to others as a means to defraud, cause harm, or wrongfully obtain anything of value.
43. Caller ID Unmasking. As mentioned in the Caller ID Act NPRM, some entities—often the same ones that offer spoofing services—also offer the ability to unmask a blocked number, effectively stripping out the privacy indicator chosen by the calling party. We remain deeply concerned about these unmasking services, which circumvent the privacy protections afforded by the Commission’s CPN rules. The record reflects concern regarding these services as well. However, the record is not sufficiently robust to support amendments to our rules at this time. The Commission will consider whether to take further rulemaking action to address these services in the future. In the meantime, we take this opportunity to remind carriers of their obligations to honor callers’ privacy requests.
F. Amendments to the Commission’s Enforcement Rules
44. The Act provides for additional forfeiture penalties for violations of subsection 227(e) of the Communications Act, and new procedures for imposing and recovering such penalties. In order to fully implement the Truth in Caller ID Act, the Commission proposed amendments to its forfeiture rule, 47 C.F.R. § 1.80. The proposed amendments specified the forfeiture penalties the Commission proposed to assess for violations of the Truth in Caller ID Act, and proposed procedures for imposing penalties and recovering such penalties. The Commission also proposed some minor revisions to our forfeiture rules to address issues not directly related to the Truth in Caller ID Act. For the reasons discussed below, we now adopt the proposed amendments to our forfeiture rules, with some minor modifications.
45. Amount of Penalties. The Act specifies that the penalty for a violation of the Act “shall not exceed $10,000 for each violation, or 3 times that amount for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,000,000 for any single act or failure to act.” These forfeitures are in addition to penalties provided for elsewhere in the Communications Act. Therefore, to implement these provisions of the Truth in Caller ID Act, we adopt the Commission’s proposal to amend section 1.80(b) of our rules to include a provision specifying the maximum amount of additional fines that can be assessed for violations of the Truth in Caller ID Act. In the interest of consistency and clarity, we also amend the text and chart in Section III of what is now the “Note to Paragraph (b)(5)” to include information about the maximum additional forfeitures provided for by the Truth in Caller ID Act.
46. The Truth in Caller ID Act establishes the maximum amount of additional forfeiture penalties the Commission can assess for a violation of the Act, but it does not specify how the Commission should determine the forfeiture amount in any particular situation. In order to provide guidance about the factors the Commission will use in determining the amount of penalty it will assess for violations of the Truth in Caller ID Act, we adopt the Commission’s proposal to employ the balancing factors the Commission typically considers when determining the amount of a forfeiture penalty. Those factors are set out in section 503(b)(2)(E) of the Communications Act and section 1.80(b)(4) of the Commission’s rules. The balancing factors include “the nature, circumstances, extent, and gravity of the violation, and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.” These factors allow the Commission to properly consider the specific facts of each case when determining an appropriate forfeiture penalty.
47. Procedure for Determining Penalties. With respect to the procedure for determining or imposing a penalty, the Act provides that “[a]ny person that is determined by the Commission, in accordance with paragraphs (3) and (4) of section 503(b) [of the Communications Act], to have violated this subsection shall be liable to the United States for a forfeiture penalty.” It also states that “[n]o forfeiture penalty shall be determined under clause (i) against any person unless such person receives the notice required by section 503(b)(3) or section 503(b)(4) [of the Communications Act].” As the Commission indicated in the Caller ID Act NPRM, taken together, sections 503(b)(3) and 503(b)(4) allow the Commission to impose a forfeiture penalty against a person through either a hearing or a written notice of apparent liability (NAL), subject to certain procedures. The Truth in Caller ID Act makes no reference to section 503(b)(5) of the Communications Act, which states that the Commission may not assess a forfeiture under any provision of section 503(b) against any person, who: (i) “does not hold a license, permit, certificate, or other authorization issued by the Commission”; (ii) “is not an applicant for a license, permit, certificate, or other authorization issued by the Commission”; or (iii) is not “engaging in activities for which a license, permit, certificate, or other authorization is required,” unless the Commission first issues a citation to such person in accordance with certain procedures. As the Commission explained in the Caller ID Act NPRM, that omission suggests that Congress intended to give the Commission the authority to proceed expeditiously to stop and, where appropriate, assess a forfeiture penalty against, any person or entity engaged in prohibited caller ID spoofing without first issuing a citation. Having received no comments disagreeing with the Commission’s proposed approach, we find that it is appropriate and consistent with Congressional intent to adopt rules that allow the Commission to determine or impose a forfeiture penalty for a violation of section 227(e) against “any person,” regardless of whether that person holds a license, permit, certificate, or other authorization issued by the Commission; is an applicant for any of the identified instrumentalities; or is engaged in activities for which one of the instrumentalities is required.
48. We also adopt rules that amend section 1.80(a) of our rules to add a new subsection (4) providing that forfeiture penalties may be assessed against any person found to have “violated any provision of section 227(e) of the Communications Act or of the rules issued by the Commission under section 227(e) of that Act.” In contrast to section 503(b)(1)(B) of the Communications Act, which provides for a forfeiture penalty against anyone who has “willfully or repeatedly” failed to comply with any provisions of the Communications Act, or any regulations issued by the Commission under the Act, the Truth in Caller ID Act does not require “willful” or “repeated” violations to justify imposition of a penalty. Therefore, we adopt new section 1.80(a)(4), in accordance with Congressional direction that the Commission have authority to assess a forfeiture penalty for all violations of section 227(e) or of the rules issued by the Commission under that section of the Act.
49. Statute of Limitations. The Truth in Caller ID Act specifies that “[n]o forfeiture penalty shall be determined or imposed against any person under [section 227(e)(5)(i)] if the violation charged occurred more than 2 years prior to the date of issuance of the required notice or notice of apparent liability.” We note that this differs from the more general limitations provision of section 503(b)(6) of the Communications Act, which provides for a one-year statute of limitations in most cases. Given the explicit language of the Truth in Caller ID Act, however, we find that the longer two-year statute of limitations applies to enforcement of the Truth in Caller ID Act.
50. Miscellaneous. We also take this opportunity to revise the undesignated paragraph in section 1.80(a) to address issues not directly related to implementation of the Truth in Caller ID Act and to redesignate that undesignated text as “Note to paragraph 1.80(a).” First, with respect to the proposed revisions, in order to ensure that the language in the rule encompasses the language used in all of the statutory provisions, we amend the rule to specify that the forfeiture amounts set forth in section 1.80(b) are inapplicable “to conduct which is subject to a forfeiture penalty or fine” under the various statutory provisions listed. (Emphasis added). Second, we amend the rule to change the references to sections 362(a) and 362(b) to sections 364(a) and 364(b) respectively, in order that the statutory provision references match those used in the Communications Act, rather than the sections of the U.S. Code. Third, we delete section 503(b) from the list of statutory provisions to which the forfeiture amounts in section 1.80(b) do not apply, because the inclusion was in error; section 1.80(b) implements the forfeiture amounts of section 503(b), and so the penalties set forth in section 1.80(b) apply to forfeiture under section 503(b).
IV. PROCEDURAL ISSUES
A. Paperwork Reduction Act
51. This document does not contain new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, it does not contain any new or modified information collection burdens for small business concerns with fewer than 25 employees, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4).
B. Congressional Review Act
52. The Commission will send a copy of this Report and Order in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. § 801(a)(1)(A).
C. Final Regulatory Flexibility Certification
53. The Regulatory Flexibility Act of 1980, as amended (RFA) requires that a regulatory flexibility analysis be prepared for rulemaking proceedings, unless the agency certifies that “the rule will not have a significant economic impact on a substantial number of small entities.” The RFA generally defines “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. A small business concern is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA).
54. In this Report and Order, the Commission adopts rules implementing the Truth in Caller ID Act. The Truth in Caller ID Act and the implementing rules we adopt today prohibit any person or entity in the United States from knowingly altering or manipulating caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value. The Caller ID Act NPRM sought comment on benefits and burdens that would be imposed on small entities by the proposed rules and sought comment on an initial regulatory flexibility analysis (IRFA). No commenters sought to argue that the proposed rules would have a significant impact on a substantial number of small entities. Indeed, no commenters raised any concerns about the impact of the proposed rules on small entities, as such.
55. The NPRM also sought comment on whether the Commission may, and should, adopt rules imposing obligations on providers of caller ID spoofing services when they are not themselves acting with intent to defraud, cause harm, or wrongfully obtain anything of value. It also sought comment more specifically on whether the Commission should impose record-keeping requirements on caller ID spoofing providers, as well as on a proposal made by DOJ and supported by the Minnesota Attorney General to adopt rules requiring “public providers of caller ID spoofing services to make a good-faith effort to verify that a user has the authority to use the substituted number, such as by placing a one-time verification call to that number. In this Order, we decline to impose any additional obligations on providers of caller ID spoofing services at this time. Therefore, to the extent that such requirements would have had an economic impact on some small entities, that impact will not occur. Indeed, the record contains nothing showing that the cost of compliance obligations would be economically significant or would affect a substantial number of small entities. Indeed, based on the record before us, we are persuaded that a substantial number of small businesses do not engage in caller ID spoofing with the intent to defraud, cause harm, or wrongfully obtain anything of value, and those that do are already prohibited from doing so by the Truth in Caller ID Act. Therefore, we certify that the requirements of this Report and Order will not have a significant economic impact on a substantial number of small entities. The Commission will send a copy of the Report and Order including a copy of this final certification, in a report to Congress pursuant to the Small Business Regulatory Enforcement Fairness Act of 1996, see 5 U.S.C. § 801(a)(1)(A). In addition, the Report and Order and this certification will be sent to the Chief Counsel for Advocacy of the Small Business Administration, and will be published in the Federal Register. See 5 U.S.C. § 605(b).
D. Accessible Formats
56. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to firstname.lastname@example.org or call the Consumer and Governmental Affairs Bureau at (202) 418-0531 (voice), (202) 418-7365 (TTY).
V. ORDERING CLAUSES
57. Accordingly, IT IS ORDERED that, pursuant to section 2 of the Truth in Caller ID Act of 2009, Pub. L. No. 11-331, and Sections 1, 4(i), 4(j), 227, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154(i), 154(j), 227 and 303 (r), this Report and Order, with all attachments, IS ADOPTED.
58. IT IS FURTHER ORDERED that Parts 1 and 64 of the Commission’s rules are amended as set forth in Appendix A.
59. IT IS FURTHER ORDERED that pursuant to sections 1.4(b)(1) and 1.103(a) of the Commission’s rules, 47 C.F.R. §§ 1.4(b)(1), 1.103(a), this Report and Order SHALL BE EFFECTIVE 30 days after publication of a summary in the Federal Register.
60. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Report and Order, including the Final Regulatory Flexibility Certification, to the Chief Counsel for Advocacy of the Small Business Administration.
FEDERAL COMMUNICATIONS COMMISSION