Getty Images | Anna Moneymaker
A phone company agreed to pay a $1 million fine for transmitting spoofed robocalls in which a deepfake of President Joe Biden’s voice urged New Hampshire residents not to vote. Lingo Telecom, which is based in Texas, agreed to a settlement with the Federal Communications Commission, the agency announced today.
Lingo Telecom “will pay a $1 million civil penalty and implement a historic compliance plan—the first of its kind secured by the FCC—that will require strict adherence to the FCC’s STIR/SHAKEN Caller ID authentication rules,” the FCC said. The settlement includes “requirements that the company abide by ‘Know Your Customer’ (KYC) and ‘Know Your Upstream Provider’ (KYUP) principles” that focus on vetting call traffic to ensure it is trustworthy, and “requirements that the company more thoroughly verify the accuracy of the information provided by its customers and upstream providers.”
The calls made before New Hampshire’s presidential primary in January were orchestrated by Steve Kramer, a Democratic consultant who was working for a candidate running against Biden. Kramer was indicted on charges of voter suppression and impersonation of a candidate, and the FCC proposed a $6 million fine for Kramer. The calls inaccurately displayed a phone number associated with a prominent New Hampshire political operative.
The FCC originally proposed a $2 million fine for Lingo Telecom before settling for the $1 million penalty in a consent decree issued today. The consent decree resolves the FCC investigation into Lingo Telecom’s apparent violations of rules related to the STIR/SHAKEN Caller ID authentication system.
Telco didn’t verify calls
Lingo Telecom completed 3,978 calls to potential New Hampshire voters on January 21, 2024, on behalf of a customer called Life Corporation. Lingo Telecom signed those calls with A-Level attestations, which indicate that the phone company “is responsible for the origination of the call onto the IP-based service provider voice network, has a direct authenticated relationship with the customer and can identify the customer, and has established a verified association with the telephone number used for the call.”
Lingo Telecom did not actually verify the calls, the consent decree said:
Lingo Telecom explained that its policy was to assign A-level attestations to a customer’s traffic when the Company directly assigned Direct Inward Dialing (DID) numbers to a customer like Life Corporation. If one of these customers, like Life Corporation, also purchased Company Session Initiation Protocol (SIP) trunks that permits the customer to use numbers assigned by other carriers, Lingo Telecom allowed them to “receive an A-level attestation for traffic associated with… non-Lingo provisioned telephone numbers if the customer certified that it ‘will identify its customer and has a verified association with the telephone number used for the call.'”
Lingo Telecom told the FCC that it relied on the certification provided by Life Corporation, which had been a customer of Lingo Telecom for 16 years. “Lingo Telecom took no additional steps beyond those recited above to independently ascertain whether the customers of Life Corporation could legitimately use the telephone number that appeared as the calling party for the New Hampshire presidential primary calls,” the FCC said.
The consent decree states that, going forward, “Lingo Telecom may only apply an A-level attestation to a call if Lingo Telecom itself has provided the Caller Identity to the calling party associated with the Call.” The consent decree’s “Know Your Customer” provisions require Lingo Telecom to obtain more detailed information from customers, while the “Know Your Upstream Provider” provisions require it to obtain more detailed information from other telcos that it transmits calls for.
Lingo Telecom is also barred from accepting “payment in the form of cryptocurrency, gift cards, or cash to transmit or originate calls.” The consent decree is scheduled to be in effect for three years but can be extended by 12 months for each instance of noncompliance.
Source link
