Why State Caller ID & STIR/SHAKEN Mandates Are More Harmful Than Helpful

State caller ID mandates fracture federal STIR/SHAKEN rules and create more enforcement risk, not less.

This article reflects our opinion on proposed caller ID and STIR/SHAKEN legislation currently being considered in Virginia, Florida, and Missouri, as outlined in the CommLaw Group analysis published earlier this year.

Source: CommLaw Group, “States Push New Caller ID and STIR/SHAKEN Mandates”

The concerns raised below are not theoretical. They are grounded in how modern voice networks actually operate and how enforcement plays out in practice, not how it is imagined on paper.

A National Trust System Cannot Survive State Fragmentation

The renewed push by several states to impose their own caller ID and STIR/SHAKEN mandates reflects a familiar regulatory reflex: when fraud persists, policymakers reach for additional rules, even if those rules target the wrong layer of the system. While these efforts are framed as consumer protection, they fundamentally misunderstand how modern voice networks operate and why STIR/SHAKEN was designed as a federal framework in the first place.

Caller authentication is not a consumer-facing feature. It is a cryptographic trust system embedded deep within call signaling. The federal STIR/SHAKEN framework exists precisely because voice traffic is inherently interstate, often international, and rarely confined to a single jurisdiction. Authentication decisions are made before a call’s final routing path is known and well before any clean determination of state boundaries can be made. Treating authentication as something that can be meaningfully regulated on a state-by-state basis ignores that reality.

The Intrastate vs. Interstate Distinction Breaks Down in Practice

State authority is often justified by invoking “intrastate” calls, but that distinction collapses under technical scrutiny. In modern VoIP networks, numbers are nomadic, users roam, and calls are dynamically routed through cloud infrastructure based on availability, latency, and cost. Overflow and failover routing regularly move calls across state lines, sometimes multiple times, before they terminate.

At the moment a STIR/SHAKEN identity token is created, the network frequently does not know where the call will ultimately terminate. Authentication happens early in the signaling process, not after jurisdiction is resolved. Laws that impose obligations based on intrastate classification therefore demand compliance with conditions that cannot be reliably identified or proven at the time decisions are made. That is not a policy nuance. It is a structural flaw.

Authentication Assumes a Clean Handshake That Rarely Exists

STIR/SHAKEN presumes a clean trust boundary between an originating service provider and a terminating service provider. In real-world deployments, that boundary is often blurred by multiple intermediaries. Calls commonly pass through aggregators, hosted SBC platforms, CPaaS providers, analytics vendors, enterprise middleware, and call screening engines.

Identity headers can be rewritten, stripped, downgraded, or re-signed along the way. Sometimes those changes are intentional. Sometimes they are accidental. Sometimes they are the result of inconsistent implementations across vendors. What matters is that once multiple parties touch the signaling, attribution becomes difficult. When a state mandate penalizes a failed authentication outcome without establishing chain of custody, liability becomes arbitrary. If the originating provider signed correctly but a downstream third party altered the token, it is no longer clear who, if anyone, violated the law.
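The chain-of-custody gap described above can be made concrete with per-hop captures of the SIP Identity header. The following is an added example, not code from the article or from any provider; the hop names, certificate URLs, telephone numbers and `origid` values are constructed. It decodes the PASSporT in each capture and labels what each hop did to the token, without verifying signatures.

```python
import base64
import json

RANK = {"A": 3, "B": 2, "C": 1}  # SHAKEN attestation levels, strongest first

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_identity(attest, origid, x5u, sig):
    """Build a constructed Identity header value (signature is a dummy string)."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": ["12025550143"]}, "iat": 1767225600,
              "orig": {"tn": "12025550101"}, "origid": origid}
    return f"{_b64url(head)}.{_b64url(claims)}.{sig};info=<{x5u}>;alg=ES256;ppt=shaken"

def parse_identity(value):
    """Return (PASSporT header, claims) decoded from an Identity header value."""
    token = value.split(";", 1)[0].strip()
    head, claims, _sig = token.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return tuple(json.loads(base64.urlsafe_b64decode(pad(p))) for p in (head, claims))

def classify(prev, cur):
    """Describe what one hop did to the token it received."""
    if cur is None:
        return "absent" if prev is None else "stripped"
    if prev is None:
        return "signed-here"
    if prev == cur:
        return "unchanged"
    (ph, pc), (ch, cc) = parse_identity(prev), parse_identity(cur)
    if RANK[cc["attest"]] < RANK[pc["attest"]]:
        return "downgraded"
    if ph["x5u"] != ch["x5u"] or pc["origid"] != cc["origid"]:
        return "re-signed"
    return "rewritten"

def custody_report(hops):
    """hops: ordered (hop name, Identity value seen leaving that hop or None)."""
    report, prev = [], None
    for name, value in hops:
        report.append((name, classify(prev, value)))
        prev = value
    return report

SIGNED = make_identity("A", "origid-constructed-1", "https://certs.example/osp.pem", "sig1")
RESIGNED = make_identity("B", "origid-constructed-2", "https://certs.example/cpaas.pem", "sig2")
HOPS = [("origin-sp", SIGNED), ("aggregator", SIGNED), ("cpaas", RESIGNED), ("hosted-sbc", None)]

if __name__ == "__main__":
    for hop, verdict in custody_report(HOPS):
        print(f"{hop:12} {verdict}")
```

A report like this only attributes a change to a hop if every party on the path retains its own egress capture, which is the cross-entity log cooperation the article argues states cannot compel.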

Enforcement Without Attribution Becomes Pressure, Not Justice

Traceback is often cited as evidence that enforcement can work, but traceback and authentication enforcement are fundamentally different. Traceback is cooperative, federally coordinated, and focused on identifying sources of abuse. Authentication enforcement requires cryptographic forensics, synchronized logs, precise timing, and cooperation across multiple private entities, many of which may have no presence in the enforcing state.

States lack the tools, authority, and visibility required to conduct that level of investigation consistently. What fills the gap is outcome-based enforcement driven by complaints and political pressure. Predictably, that pressure falls on the parties easiest to reach, not the parties most responsible.

Offshore Actors Avoid Accountability, Domestic Providers Absorb Risk

The most damaging calls are overwhelmingly generated by offshore actors who sit outside U.S. jurisdiction. They spoof U.S. numbers, churn providers rapidly, and disappear when scrutiny increases. States cannot fine them, prosecute them, or compel compliance. As a result, enforcement pressure flows downhill to domestic providers with assets, offices, and compliance teams.

Terminating carriers and visible VoIP platforms become enforcement proxies, even when they had no control over origination and no ability to prevent upstream manipulation. This misaligned liability produces predictable behavior. Providers respond defensively by blocking more traffic, treating ambiguity as guilt, and downgrading legitimate enterprise calls. Consumers miss real calls. Businesses lose contact with customers. Trust in voice communications erodes further.

Authentication Alone Cannot Solve a KYC Problem

What is notably absent from most state proposals is a serious focus on onboarding standards. Fraud does not originate in SIP headers. It originates at account creation. Bad actors succeed because they can establish service with minimal scrutiny, obscure beneficial ownership, move traffic quickly, and vanish without consequence.

Strong, enforceable know-your-customer requirements consistently do more to reduce abuse than downstream authentication mandates. Real KYC means verified legal entities, validated identities, accountability tied to payment instruments, behavioral monitoring, and the willingness to terminate customers when abuse appears. It is operationally difficult and commercially uncomfortable, but it works.

Authentication without KYC is theater. A call can be cryptographically authenticated and still be criminal if the upstream identity was never legitimate. State mandates that emphasize authentication outcomes while ignoring onboarding standards regulate symptoms rather than causes.

The Cost of Getting This Wrong

Voice networks depend on coherence. Trust systems depend on shared assumptions. A national authentication framework cannot survive fifty different interpretations of how it should work, how failures should be penalized, and who should be liable. Fragmentation does not increase trust. It undermines it.

If policymakers in Virginia, Florida, Missouri, or elsewhere are serious about reducing spoofing and restoring confidence in voice communications, the path forward is not additional state-level mandates layered on top of federal rules. It is stronger federal enforcement, coordinated traceback, and meaningful KYC. Everything else adds complexity while leaving the real problem untouched.
