Implementation of the Truth in Caller ID Act

AGENCY:

Federal Communications Commission.

ACTION:

Final rule.

SUMMARY:

In this Report and Order (Order), the Commission adopts rules to implement the Truth in Caller ID Act of 2009 (Truth in Caller ID Act, or Act). The Truth in Caller ID Act, and the Commission's implementing rules, prohibit any person or entity from knowingly altering or manipulating caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.

DATES:

Effective August 19, 2011.

ADDRESSES:

Federal Communications Commission, 445 12th Street, SW., Washington, DC 20554.

FOR FURTHER INFORMATION CONTACT:

Lisa Hone, Wireline Competition Bureau, (202) 418-1580.

SUPPLEMENTARY INFORMATION:

This is a summary of the Commission's Report and Order (Order) in WC Docket No. 11-39, FCC 11-100, adopted June 20, 2011, and released June 22, 2011. In this Order, the Commission adopts rules to implement the Truth in Caller ID Act of 2009. Caller ID services typically identify the telephone numbers and sometimes the names associated with incoming calls, thus allowing consumers to decide whether or how to answer a phone call based on who appears to be calling. However, caller ID information can be altered or manipulated (“spoofed”). Increasingly, bad actors are spoofing caller ID information in order to facilitate a wide variety of malicious schemes. In response to the increasing use of caller ID spoofing to facilitate schemes that defraud consumers and threaten public safety, Congress passed the Truth in Caller ID Act. The Truth in Caller ID Act, and the Commission's implementing rules, prohibit any person or entity from knowingly spoofing caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.

Synopsis of Report and Order

I. Implementation of the Truth in Caller ID Act

1. Having considered the record in this proceeding, we adopt rules that prohibit any person or entity in the United States, acting with the intent to defraud, cause harm, or wrongfully obtain anything of value, from knowingly causing, directly or indirectly, any caller identification service to transmit or display misleading or inaccurate caller identification information. The revisions to the Commission's Calling Party Number (CPN) rules are modeled on the Act's prohibition against knowingly engaging in caller ID spoofing with fraudulent or harmful intent. The rules include exemptions based on conduct the Act identifies as exempt from its prohibitions. The revised rules also include new definitions, including several modeled after definitions in the Act. As proposed in the Caller ID Act NPRM, 76 FR 16367, the revised rules also specify that blocking or attempting to block one's own caller ID is not a violation of the new rules, while clarifying that telemarketers are not relieved of their obligation to transmit caller identification information.

A. Prohibited Practice

2. The principal implementing rule we adopt provides that “no person or entity in the United States shall, with intent to defraud, cause harm, or wrongfully obtain anything of value, knowingly cause, directly or indirectly, any caller identification service to transmit or display misleading or inaccurate caller identification information.” The wording of the prohibition in our rules generally tracks the wording of the prohibition in the Act, and is unchanged from the rule the Commission proposed in the Caller ID Act NPRM.

3. The Act specifies that the prohibited conduct is “in connection with any telecommunications or IP-enabled voice service.” Because we define the terms “caller identification service” and “caller identification information” to encompass the use of telecommunications services and “interconnected VoIP services,” we do not need to specify in the rule that the prohibition encompasses calls made using telecommunications services and IP-enabled voice services, as specified in the Act.

4. We also note that the Act is directed at “any person,” but does not define the term “person.” In order to make clear that the rules are not limited to natural persons and to be consistent with the Commission's current rules concerning the delivery of CPN, our amendments to the CPN rules use the phrase any “person or entity.” By contrast, the amendments to the Commission's forfeiture rules use the term “person” in order to be consistent with use of the term “person” in the forfeiture rules. In both cases, we intend for the entities covered to be those within the scope of the definition of “person” in the Communications Act. The only commenter that addressed the use of the phrase “person or entity” in the proposed rules supported the Commission's clarification that the rule applies to both natural persons and other entities.

5. In the Caller ID Act NPRM, the Commission asked about the placement of the term “knowingly” in the proposed rules. As with the proposed rules, the rules we adopt today provide that in order to violate the rules, the person or entity “knowingly” causing transmission or display of inaccurate or misleading caller identification must be the same person or entity that is acting with intent to defraud, cause harm, or wrongfully obtain anything of value. The Truth in Caller ID Act is aimed at prohibiting the use of caller ID spoofing for ill intent. Therefore, we believe that an entity subject to liability for violating the Act must knowingly spoof caller identification information and do so with intent to defraud, cause harm, or wrongfully obtain something of value.

6. Most commenters agreed with the Commission's proposal to clarify that the word “knowingly” modifies the action of the person or entity engaged in malicious caller ID spoofing because this is the most logical reading of placement of the word in the Truth in Caller ID Act. However, in its reply comments, the Privacy Rights Clearinghouse (PRC) recommends that the Commission change the placement of the word “knowingly” so that it modifies the actions of the caller identification service or modify the rule so that spoofing services are prohibited from knowingly transmitting misleading or inaccurate caller identification information for a party violating the Act. PRC argues that requiring that the same person or entity knowingly cause the transmission or display of misleading or inaccurate caller identification information and have the requisite intent to “defraud, cause harm, or wrongfully obtain anything of value” imposes an unnecessary hurdle to enforcement efforts.

7. We disagree with PRC's arguments. Based on our reading of the statute, it is not enough that a person or entity intend to defraud, cause harm, or wrongfully obtain anything of value to violate the Truth in Caller ID Act. Rather, the person or entity intending to defraud, cause harm or wrongfully obtain anything of value must facilitate the scheme through the manipulation or alteration of caller identification information. Moreover, adopting a rule in which “knowingly” modifies the action of the caller identification service would not impose liability on caller ID spoofing services for knowingly manipulating caller identification information absent intent to defraud, cause harm, or wrongfully obtain anything of value. Nor would it ease the burden on law enforcement of proving a violation of the Act. Instead, it would require law enforcers to show that the provider of the caller ID service—usually a terminating carrier or VoIP provider—knew that the incoming caller identification information was manipulated or altered. As the Commission noted in the Caller ID Act NPRM, “in many instances the caller identification service has no way of knowing whether or not the caller identification information it receives has been manipulated.” We do not believe Congress intended to impose liability on caller ID spoofers acting with malicious intent only upon proof that the provider of the call recipient's caller ID service knew that the caller identification information was manipulated or altered. That would be a perverse result, wholly inconsistent with the intent of the Act and its legislative history.

8. As for PRC's suggestion that we modify the rule to hold spoofing providers liable for transmitting inaccurate or misleading caller identification information on behalf of someone violating the Act, as discussed below, we choose to follow Congress' lead in not imposing additional obligations on spoofing providers. We find that the proposed rules and the rules we adopt today are consistent with Congressional intent to focus on whether a person or entity has knowingly manipulated the caller identification information in order to defraud, cause harm, or wrongfully obtain anything of value, and therefore we adopt the prohibition on caller ID spoofing as proposed in the Caller ID Act NPRM. The person or entity that knowingly causes caller ID services to transmit or display misleading or inaccurate information may, in some cases, be a carrier, spoofing provider or other service provider, and we do not exempt such conduct from the purview of our rules. Indeed, we believe that caller ID spoofing done to wrongfully avoid payment of intercarrier compensation charges—whether by the originating provider, an intermediate carrier, or other intermediate entity—would be a violation of our rules.

9. Like the proposed rules, the rules we adopt today address both transmission and display of misleading or inaccurate caller identification information to make clear that, even if a carrier or interconnected VoIP provider transmits accurate caller identification information, it would be a violation for a person or entity to knowingly cause, directly or indirectly, a device that displays caller identification information to display inaccurate or misleading information with the intent to defraud, cause harm, or wrongfully obtain anything of value. We also note that the rules we adopt today cover situations in which a person or entity is “directly or indirectly” causing a caller identification service to transmit or display misleading or inaccurate caller ID. We include the concept of “indirect” action in our rules to foreclose those acting with the requisite harmful intent from arguing that they are not liable merely because they have engaged a third party to cause the transmission or display of inaccurate or misleading caller identification information.

10. In the Caller ID Act NPRM, the Commission sought comment on whether the proposed prohibition on causing any caller identification service to transmit or display “misleading or inaccurate” caller identification information with the “intent to defraud, cause harm, or wrongfully obtain anything of value” provides clear guidance about what actions are prohibited. Commenters generally agreed that the terms in the proposed rule were sufficiently clear. We agree. Although we do not believe it is necessary to offer additional definitions to clarify the meaning of the prohibited actions, we do agree with the National Network to End Domestic Violence (NNEDV) that the term “harm” is a broad concept that encompasses financial, physical, and emotional harm, include stalking, harassment, and the violation of protection and restraining orders. Moreover, NNEDV offers substantial evidence that abusive spouses use third-party caller ID services to harass and stalk their victims. We consider knowing manipulation or alteration of caller identification information for the purpose of harassing or stalking someone to be an egregious violation of the Act and of our rules implementing the Act. We intend to enforce our rules vigorously, including against those who engage in such malicious practices, and we encourage spoofing providers to notify their customers in no uncertain terms that such actions are illegal.

B. Exemptions

11. The Act directs the Commission to exempt from its regulations (i) any authorized activity of a law enforcement agency; and (ii) court orders that specifically authorize the use of caller identification manipulation. Separately, the Act also makes clear that it “does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State or a political subdivision of a State, or of an intelligence agency of the United States.” DOJ requested that the Commission explicitly incorporate lawfully authorized investigative, protective, or intelligence activities into the exemptions to the Commission's implementing rule. In light of the statutory language specifying that such activities are not prohibited by the Act and DOJ's request that such activities be included in the exemptions to the Commission's implementing rule, the proposed rule incorporated the two exemptions specified in the Act, and expanded the exemption for law enforcement activities to cover protective and intelligence activities. No commenters objected to the proposed rule, and AT&T, the only commenter other than DOJ that addressed the exemptions in the proposed rule, supported their adoption. Thus, the record supports our decision to include those exemptions in the rule we adopt today.

12. We decline to adopt any other exemptions from the Act. Commenters have proposed a number of additional exemptions, all of which cover practices that, as described by the commenters themselves, would not violate the plain language of the Act. Some commenters assert that absent additional exemptions, the rules might be misinterpreted to prohibit normal and helpful business practices, such as those designed to facilitate communications with customers. As a result some commenters ask for broad exemptions to the Act. AT&T, for example, asks the Commission to make clear that caller ID manipulation “for legitimate business reasons” is exempt; inContact asks the Commission to “exempt all uses not specifically intended to defraud or deceive consumers”; and USTelecom and Verizon ask the Commission to exempt “any action required by law or permitted under § 64.1601(d).” Still other commenters propose exemptions for caller identification manipulation involving specific types of practices or actors. For example, a number of commenters representing telecommunications and VoIP providers express support for an exemption for carriers and providers that transmit caller ID information they receive from their customers or other providers, even if it turns out to be inaccurate. Commenters that provide call management services for telemarketers and debt collectors, and those that provide caller ID spoofing services to the public, suggest that they should be exempt from responsibility for bad actors, unless the service provider has the necessary intent to defraud, cause harm, or wrongfully obtain anything of value. Companies that provide call management services to telemarketers and debt collectors have also asked the Commission for an exemption allowing manipulation of caller ID information so that a call recipient's caller ID displays a local number, regardless of where the calling party is located. NNEDV suggests that the Commission exempt victim service providers, and a private investigator requests that the Commission include an exemption for lawful use by licensed private investigators. We do not find any of these exemptions to be necessary or appropriate.

13. We note that those commenters that requested that the Commission exempt manipulation of caller ID information in order to display a local phone number, asked in the alternative that the Commission clarify that manipulating caller ID to display a local number is not a violation of the Act. We agree that such a practice is not in and of itself a violation of the Act. We note, however, that if the display of a “spoofed” local number is done as part of a scheme to defraud, cause harm, or wrongfully obtain anything of value, then the person or entity perpetrating the scheme would be in violation of the Act.

14. The legislative history of the Act makes clear that manipulation or alteration of caller ID information done without the requisite harmful intent does not violate the Act. Nothing in our implementing rules changes that fact. Likewise, the transmission of incorrect caller ID information by carriers and providers acting without the requisite intent to defraud, cause harm or wrongfully obtain anything of value does not violate the Truth in Caller ID Act or our rules implementing the Truth in Caller ID Act. Moreover, we agree with DOJ that “none of the commenters who advocated for a status-based exemption to the Truth in Caller ID Act were able to articulate any scenario whereby legitimate conduct would fall within the prohibitions of the Act.” Like DOJ, we fear that allowing any such exemptions could “create dangerous loopholes under the Act that could be exploited by criminals.” Therefore, we decline to adopt any further exemptions from the Act at this time, primarily because the ones that have been presented to us are unnecessary.

C. Definitions

15. The Caller ID Act NPRM proposed adding definitions to the Commission's CPN rules for “Interconnected VoIP service”; “Caller identification information”; “Caller identification service”; and “information regarding the origination” of a call. We adopt the proposed definitions for all four of those terms, with slight modifications to the definitions of “Caller identification service” and “information regarding the origination.”

16. Interconnected VoIP service. The Truth in Caller ID Act covers caller ID spoofing done “in connection with any telecommunications service or IP-enabled voice service.” As mentioned above, the rules we adopt today use the term “interconnected VoIP service” instead of “IP-enabled voice service.” We define “interconnected VoIP service” to have the same meaning given that term in § 9.3 of the Commission's rules. We do this because the Act defines “IP-enabled voice service” by reference to § 9.3 of the Commission's regulations, as they may be amended. Section 9.3 of the Commission's rules defines “interconnected VoIP service,” not “IP-enabled voice service.” Therefore, to be consistent with the apparent intent of Congress in enacting the Truth in Caller ID act, we limit the scope of the rule's coverage to telecommunications services and interconnected VoIP services.

17. DOJ and some other commenters recommend that we adopt rules that cover VoIP services more expansively than the Commission's definition of “Interconnected VoIP” service in § 9.3 of its rules does. We find that the Act's incorporation of the Commission's rule defining interconnected VoIP service calls for applying the current definition found in § 9.3 (as it may be amended over time). Consequently, the rules we adopt today use the term “interconnected VoIP service” and specify that it has the same meaning given the term “interconnected VoIP service” in 47 CFR 9.3 as it currently exists or may hereafter be amended. However, we are cognizant of the importance of protecting consumers from malicious caller ID spoofing as broadly as possible. To that end, we raise this issue in the Report to Congress for further consideration.

18. Caller identification information. We define “caller identification information” to mean “information provided by a caller identification service regarding the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or interconnected VoIP service.” This is the definition the Commission proposed in the Caller ID Act NPRM and no commenters offered any reason not to use this definition.

19. Caller identification service. We define “caller identification service” to mean “any service or device designed to provide the user of the service or device with the telephone number of, or other information regarding the origination of, a call made using a telecommunications service or interconnected VoIP service.” Unlike the proposed rule, the definition of “caller identification service” that we adopt today does not explicitly reference automatic number identification (ANI) because, as discussed below, we have defined “information regarding the origination” to include “billing number information, including charge number, ANI, or pseudo-ANI.” By including such billing number information in the definition of “information regarding the origination” we effectively include within the definition of “caller identification service” any service or device designed to provide the user with any form of the calling party's billing number, including charge number, ANI, or pseudo-ANI.

20. Information regarding the origination (of a call). The definitions of “caller identification information” and “caller identification service” in the Act and in the rules we adopt today both use the phrase “the telephone number of, or other information regarding the origination of, a call.” We define “information regarding the origination” to mean any: (1) Telephone number; (2) portion of a telephone number, such as an area code; (3) name; (4) location information; (5) billing number information, including charge number, ANI, or pseudo-ANI; or (6) other information regarding the source or apparent source of a telephone call. The definition we adopt today mirrors the proposed definition, but adds “billing number information including charge number, ANI, or pseudo-ANI” to the types of information that constitute “information regarding the origination.” We add these types of information to the definition of “information regarding the origination” in response to commenters' concerns about the importance of transmission of accurate billing information, including charge number, ANI and pseudo-ANI, to caller identification services used by emergency services providers.

21. Our current rules relating to the delivery of CPN services define ANI as referring to the “delivery of the calling party's billing number by a local exchange carrier to any interconnecting carrier for billing or routing purposes, and to the subsequent delivery of such number to end users.” The Caller ID Act NPRM sought comment on whether the Commission should use a different definition of ANI for purposes of the Truth in Caller ID Act, and in particular, whether the Commission should include a definition of ANI that encompasses charge party numbers delivered by interconnected VoIP providers. Some commenters requested that the Commission revise the current definition of ANI to encompass billing numbers delivered by interconnected VoIP providers. The terms ANI, calling party number, and charge number in § 64.1600 of our rules are used in sections of the rule that we have not addressed in this rulemaking; therefore we decline to amend those definitions at this time. Other commenters more generally suggested that the Commission make sure to include billing numbers, charge number, ANI and pseudo-ANI information within the ambit of the rule.

22. Spoofing caller identification information transmitted to emergency services providers is a particularly dangerous practice, and one that Congress was particularly concerned about when adopting the Truth in Caller ID Act. ANI and pseudo-ANI are the foundations of the emergency services routing infrastructure in the United States and derive their data exclusively from information maintained in the records of the originating carrier. The delivery of accurate information for any person who dials 911 or seeks assistance via 10-digit emergency and non-emergency numbers is fundamental to ensuring that the correct identifying information is transmitted with those calls. While this information may not be subject to manipulation by callers in the ordinary course, if an individual or entity did spoof ANI, the individual could conceal his or her identity and location, and could tie up public response capacity by initiating spoofed calls designed to cause the dispatch of responders to locations where no emergency is at hand. Given the rapid evolution of technology, and the consequences of spoofing ANI and pseudo-ANI, we find that the delivery of caller identification information to E911 public safety answering points (PSAPs), which use ANI or pseudo-ANI to look up the caller's name and location information on emergency calls, should be considered a type of “information regarding the origination” of a call.

23. The Caller ID Act NPRM sought comment on whether there are other things that should be included in the definition, specifically, information transmitted in the SS7 Jurisdiction Information Parameter (JIP) code that provides information about the location of a caller who has ported his number or is calling over a mobile service. As the record demonstrates, use of the JIP code can benefit law enforcement and public safety, and can be used for improved routing for emergencies. Therefore, we clarify that “location information” includes information transmitted in the SS7 JIP code. However, in encompassing information transmitted in the JIP code within our definition, we do not require that any providers, including CMRS and VoIP providers, populate the JIP in signaling data.

D. Caller ID Blocking

24. The Truth in Caller ID Act specifies that it is not intended to be construed to prevent or restrict any person from blocking the transmission of caller identification information. The legislative history shows that Congress intended to protect and preserve subscribers' ability to block the transmission of their own caller identification information to called parties. Consequently, like the proposed rules, the rules we adopt today provide that a person or entity that blocks or seeks to block a caller identification service from transmitting or displaying that person or entity's own caller identification information shall not be liable for violating our rules implementing the Truth in Caller ID Act.

25. Although our rules generally allow callers to block caller ID, as discussed in the Caller ID Act NPRM, telemarketers are required to transmit caller identification information, and the phone number they transmit must be one that a person can call to request placement on a company-specific do-not-call list. This requirement allows consumers to more easily identify incoming telemarketing calls and to make informed decisions about whether to answer particular calls. It also facilitates consumers' ability to request placement on company-specific do-not-call lists. Additionally, the requirement assists law enforcement investigations into telemarketing complaints. Therefore, our rules make clear that persons or entities engaged in telemarketing remain obligated to transmit caller identification information.

E. Third-Party Spoofing Services

26. As discussed above, one of the reasons that it is easy for anyone to spoof their caller ID is that third-party caller ID spoofing services are widely available and inexpensive. There are typically four steps to the process of using a third-party caller ID spoofing service to spoof a call. First, the customer places a call to a company-controlled toll free or POTS line number. Second, after the first call is connected, the customer enters a personal identification number and then enters the number he or she wants to substitute as the caller ID that is transmitted to the called party. Third, the customer enters the phone number he or she wants to call; and fourth, the spoofing provider—or the carrier it uses—delivers the call to the terminating carrier serving the called number with the requested substitute number transmitted as the caller's CPN.

27. Recognizing the role spoofing providers play in facilitating caller ID spoofing, the Commission sought comment on whether the Commission may, and should, adopt rules imposing obligations on providers of caller ID spoofing services when they are not themselves acting with intent to defraud, cause harm, or wrongfully obtain anything of value. More specifically, the Commission also sought comment on whether it should impose record-keeping requirements on caller ID spoofing providers. In addition, the Commission sought comment on a proposal made by DOJ, and supported by the Minnesota Attorney General, to adopt rules requiring “public providers of caller ID spoofing services to make a good-faith effort to verify that a user has the authority to use the substituted number, such as by placing a one-time verification call to that number.”

28. Although Itellas and Teltech, the two third-party caller ID spoofing services that commented on the Caller ID Act NPRM, indicate that they do maintain records of the calls they facilitate and that they cooperate with law enforcement investigations, there is little support among the commenters for the adoption of rules requiring third-party spoofing providers to maintain records. The third-party spoofing providers strongly object to any rule requiring them to verify that their customers have a right to use the phone number they choose to spoof. Itellas and TelTech both argue that requiring users of caller ID services to verify that they have authority to use the spoofed number would be pointless and ineffective, because people or entities using caller ID spoofing to carry out a criminal enterprise can purchase the software to spoof caller ID rather than use a third-party provider. They also argue that verification cannot establish a caller's intent, and absent malintent there can be no violation of the Truth in Caller ID Act. As TelTech explains, “[u]sing a number you do not have permission to spoof is not illegal under the Act.” In its reply comments, NNEDV agrees that verification requirements would be inconsistent with the intent expressed in the legislative history of the Act, which recognized the importance of caller ID spoofing to protect victims of domestic violence. According to NNEDV, a verification requirement “would endanger victims and `domestic violence shelters that provide false caller ID number (sic) to prevent call recipients from discovering the location of victims.'” Although NNEDV objects to DOJ's proposal that the Commission impose verification requirements on caller ID spoofing services, it does propose that the Commission require spoofing services to give prominent notice that use of their services in violation of the Truth in Caller ID Act is unlawful.

29. We are very concerned about the harmful effects of caller ID spoofing done with malicious intent. We also recognize that requiring caller ID spoofing services to verify that users have the authority to use the substitute number would likely reduce the use of caller ID spoofing to further criminal schemes, and could simplify law enforcement efforts to determine who is behind a caller ID spoofing scheme. Likewise, the public would benefit from having third-party caller ID spoofing providers clearly and conspicuously notify their users about the practices prohibited by the Truth in Caller ID Act. However, we are not convinced that it is appropriate for the Commission to impose such obligations on third-party caller ID spoofing service providers at this time. In crafting the Truth in Caller ID Act, we believe that Congress intended to balance carefully the drawbacks of malicious caller ID spoofing against the benefits provided by legitimate caller ID spoofing. The Act prohibits spoofing providers, like all other persons and entities in the United States, from knowingly spoofing caller ID with malicious intent. However, the Act does not expressly impose additional obligations on providers of caller ID spoofing services. Following Congress' lead, we decline to impose additional obligations on third-party spoofing providers at this time.

30. We are cognizant of the fact that spoofing providers can, and sometimes do, detect and prevent some types of illegitimate manipulation of caller ID spoofing. Itellas, for example, noted in its comments that its system does not allow customers to call or display 911, in order to prevent use of its service for swatting. Itellas' system also prevents its customers from using a specific spoofed number when placing calls to toll free numbers in order to prevent users from using the phone number associated with a stolen credit card or with a specific bank account to activate the credit card, or to transfer money from the compromised bank account. In its comments, TelTech represents that it has closed accounts that it has identified as appearing to be used to commit crimes, including money transfer fraud, activation of stolen credit cards, or identity theft. However, spoofing services do not necessarily know the intent with which their customers place spoofed calls. Once the Commission's rules are in force, we will have the opportunity to determine whether the current rules are sufficient to deter malicious caller ID spoofing. If they are not, we can revisit the issue. In the meantime, we raise the issue of liability for third-party providers in the report the Act requires the Commission to submit to Congress.

31. We want to make clear that our decision not to impose additional obligations on third-party caller ID spoofers in no way immunizes them from the obligation to comply with the Act. Where a caller ID spoofing service causes, directly or indirectly, the transmission or display of false or misleading caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value, such service will be in violation of the Truth in Caller ID Act and our rules. Our conclusion follows from a natural reading of the statute, which applies to any “person” who causes caller ID services to transmit misleading or inaccurate caller ID information. Likewise, although we do not decide the matter here, liability questions would arise if the totality of the circumstances demonstrated that a third-party spoofing provider had promoted its services to others as a means to defraud, cause harm, or wrongfully obtain anything of value.

32. Caller ID Unmasking. As mentioned in the Caller ID Act NPRM, some entities—often the same ones that offer spoofing services—also offer the ability to unmask a blocked number, effectively stripping out the privacy indicator chosen by the calling party. We remain deeply concerned about these unmasking services, which circumvent the privacy protections afforded by the Commission's CPN rules. The record reflects concern regarding these services as well. However, the record is not sufficiently robust to support amendments to our rules at this time. The Commission will consider whether to take further rulemaking action to address these services in the future. In the meantime, we take this opportunity to remind carriers of their obligations to honor callers' privacy requests.

F. Amendments to the Commission's Enforcement Rules

33. The Act provides for additional forfeiture penalties for violations of subsection 227(e) of the Communications Act, and new procedures for imposing and recovering such penalties. In order to fully implement the Truth in Caller ID Act, the Commission proposed amendments to its forfeiture rule, 47 CFR 1.80. The proposed amendments specified the forfeiture penalties the Commission proposed to assess for violations of the Truth in Caller ID Act, and proposed procedures for imposing penalties and recovering such penalties. The Commission also proposed some minor revisions to our forfeiture rules to address issues not directly related to the Truth in Caller ID Act. For the reasons discussed below, we now adopt the proposed amendments to our forfeiture rules, with some minor modifications.

34. Amount of Penalties. The Act specifies that the penalty for a violation of the Act “shall not exceed $10,000 for each violation, or 3 times that amount for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,000,000 for any single act or failure to act.” These forfeitures are in addition to penalties provided for elsewhere in the Communications Act. Therefore, to implement these provisions of the Truth in Caller ID Act, we adopt the Commission's proposal to amend section 1.80(b) of our rules to include a provision specifying the maximum amount of additional fines that can be assessed for violations of the Truth in Caller ID Act. In the interest of consistency and clarity, we also amend the text and chart in Section III of what is now the “Note to Paragraph (b)(5)” to include information about the maximum additional forfeitures provided for by the Truth in Caller ID Act.

35. The Truth in Caller ID Act establishes the maximum amount of additional forfeiture penalties the Commission can assess for a violation of the Act, but it does not specify how the Commission should determine the forfeiture amount in any particular situation. In order to provide guidance about the factors the Commission will use in determining the amount of penalty it will assess for violations of the Truth in Caller ID Act, we adopt the Commission's proposal to employ the balancing factors the Commission typically considers when determining the amount of a forfeiture penalty. Those factors are set out in section 503(b)(2)(E) of the Communications Act and § 1.80(b)(4) of the Commission's rules. The balancing factors include “the nature, circumstances, extent, and gravity of the violation, and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.” These factors allow the Commission to properly consider the specific facts of each case when determining an appropriate forfeiture penalty.

36. Procedure for Determining Penalties. With respect to the procedure for determining or imposing a penalty, the Act provides that “[a]ny person that is determined by the Commission, in accordance with paragraphs (3) and (4) of section 503(b) [of the Communications Act], to have violated this subsection shall be liable to the United States for a forfeiture penalty.” It also states that “[n]o forfeiture penalty shall be determined under clause (i) against any person unless such person receives the notice required by section 503(b)(3) or section 503(b)(4) [of the Communications Act].” As the Commission indicated in the Caller ID Act NPRM, taken together, sections 503(b)(3) and 503(b)(4) allow the Commission to impose a forfeiture penalty against a person through either a hearing or a written notice of apparent liability (NAL), subject to certain procedures. The Truth in Caller ID Act makes no reference to section 503(b)(5) of the Communications Act, which states that the Commission may not assess a forfeiture under any provision of section 503(b) against any person, who: (i) “Does not hold a license, permit, certificate, or other authorization issued by the Commission”; (ii) “is not an applicant for a license, permit, certificate, or other authorization issued by the Commission”; or (iii) is not “engaging in activities for which a license, permit, certificate, or other authorization is required,” unless the Commission first issues a citation to such person in accordance with certain procedures. As the Commission explained in the Caller ID Act NPRM, that omission suggests that Congress intended to give the Commission the authority to proceed expeditiously to stop and, where appropriate, assess a forfeiture penalty against, any person or entity engaged in prohibited caller ID spoofing without first issuing a citation. Having received no comments disagreeing with the Commission's proposed approach, we find that it is appropriate and consistent with Congressional intent to adopt rules that allow the Commission to determine or impose a forfeiture penalty for a violation of section 227(e) against “any person,” regardless of whether that person holds a license, permit, certificate, or other authorization issued by the Commission; is an applicant for any of the identified instrumentalities; or is engaged in activities for which one of the instrumentalities is required.

37. We also adopt rules that amend § 1.80(a) of our rules to add a new subsection (4) providing that forfeiture penalties may be assessed against any person found to have “violated any provision of section 227(e) of the Communications Act or of the rules issued by the Commission under section 227(e) of that Act.” In contrast to section 503(b)(1)(B) of the Communications Act, which provides for a forfeiture penalty against anyone who has “willfully or repeatedly” failed to comply with any provisions of the Communications Act, or any regulations issued by the Commission under the Act, the Truth in Caller ID Act does not require “willful” or “repeated” violations to justify imposition of a penalty. Therefore, we adopt new § 1.80(a)(4), in accordance with Congressional direction that the Commission have authority to assess a forfeiture penalty for all violations of section 227(e) or of the rules issued by the Commission under that section of the Act.

38. Statute of Limitations. The Truth in Caller ID Act specifies that “[n]o forfeiture penalty shall be determined or imposed against any person under [section 227(e)(5)(i)] if the violation charged occurred more than 2 years prior to the date of issuance of the required notice or notice of apparent liability.” We note that this differs from the more general limitations provision of section 503(b)(6) of the Communications Act, which provides for a one-year statute of limitations in most cases. Given the explicit language of the Truth in Caller ID Act, however, we find that the longer two-year statute of limitations applies to enforcement of the Truth in Caller ID Act.

39. Miscellaneous. We also take this opportunity to revise the undesignated paragraph in § 1.80(a) to address issues not directly related to implementation of the Truth in Caller ID Act and to redesignate that undesignated text as “Note to paragraph 1.80(a).” First, with respect to the proposed revisions, in order to ensure that the language in the rule encompasses the language used in all of the statutory provisions, we amend the rule to specify that the forfeiture amounts set forth in § 1.80(b) are inapplicable “to conduct which is subject to a forfeiture penalty or fine” under the various statutory provisions listed. (Emphasis added.) Second, we amend the rule to change the references to sections 362(a) and 362(b) to sections 364(a) and 364(b) respectively, in order that the statutory provision references match those used in the Communications Act, rather than the sections of the U.S. Code. Third, we delete section 503(b) from the list of statutory provisions to which the forfeiture amounts in § 1.80(b) do not apply, because the inclusion was in error; § 1.80(b) implements the forfeiture amounts of section 503(b), and so the penalties set forth in § 1.80(b) apply to forfeiture under section 503(b).

Procedural Issues

A. Paperwork Reduction Act

40. This document does not contain new or modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. In addition, therefore, it does not contain any new or modified information collection burdens for small business concerns with fewer than 25 employees, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4).

B. Congressional Review Act

41. The Commission will send a copy of this Report and Order in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

C. Final Regulatory Flexibility Certification

42. The Regulatory Flexibility Act of 1980, as amended (RFA) requires that a regulatory flexibility analysis be prepared for rulemaking proceedings, unless the agency certifies that “the rule will not have a significant economic impact on a substantial number of small entities.” The RFA generally defines “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. A small business concern is one which: (1) Is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA).

43. In this Report and Order, the Commission adopts rules implementing the Truth in Caller ID Act. The Truth in Caller ID Act and the implementing rules we adopt today prohibit any person or entity in the United States from knowingly altering or manipulating caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value. The Caller ID Act NPRM sought comment on benefits and burdens that would be imposed on small entities by the proposed rules and sought comment on an initial regulatory flexibility analysis (IRFA). No commenters sought to argue that the proposed rules would have a significant impact on a substantial number of small entities. Indeed, no commenters raised any concerns about the impact of the proposed rules on small entities, as such.

44. The NPRM also sought comment on whether the Commission may, and should, adopt rules imposing obligations on providers of caller ID spoofing services when they are not themselves acting with intent to defraud, cause harm, or wrongfully obtain anything of value. It also sought comment more specifically on whether the Commission should impose record-keeping requirements on caller ID spoofing providers, as well as on a proposal made by DOJ and supported by the Minnesota Attorney General to adopt rules requiring “public providers of caller ID spoofing services to make a good-faith effort to verify that a user has the authority to use the substituted number, such as by placing a one-time verification call to that number. In this Order, we decline to impose any additional obligations on providers of caller ID spoofing services at this time. Therefore, to the extent that such requirements would have had an economic impact on some small entities, that impact will not occur. Indeed, the record contains nothing showing that the cost of compliance obligations would be economically significant or would affect a substantial number of small entities. Indeed, based on the record before us, we are persuaded that a substantial number of small businesses do not engage in caller ID spoofing with the intent to defraud, cause harm, or wrongfully obtain anything of value, and those that do are already prohibited from doing so by the Truth in Caller ID Act. Therefore, we certify that the requirements of this Report and Order will not have a significant economic impact on a substantial number of small entities. The Commission will send a copy of the Report and Order including a copy of this final certification, in a report to Congress pursuant to the Small Business Regulatory Enforcement Fairness Act of 1996. See 5 U.S.C. 801(a)(1)(A). In addition, the Report and Order and this certification will be sent to the Chief Counsel for Advocacy of the Small Business Administration, and will be published in the Federal Register. See 5 U.S.C. 605(b).

Ordering Clauses

45. Accordingly, it is ordered that, pursuant to section 2 of the Truth in Caller ID Act of 2009, Public Law 11-331, and sections 1, 4(i), 4(j), 227, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 151, 154(i), 154(j), 227 and 303(r), this Report and Order, with all attachments, is adopted.

46. It is further ordered that parts 1 and 64 of the Commission's rules are amended.

47. It is further ordered that pursuant to §§ 1.4(b)(1) and 1.103(a) of the Commission's rules, 47 CFR 1.4(b)(1), 1.103(a), this Report and order shall be effective 30 days after publication of a summary in the Federal Register.

48. It is further ordered that the Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, shall send a copy of this Report and Order, including the Final Regulatory Flexibility Certification, to the Chief Counsel for Advocacy of the Small Business Administration.

List of Subjects

47 CFR Part 1

• Penalties

47 CFR Part 64

• Communications common carriers
• Caller identification information
• Telecommunications
• Telegraph
• Telephone

Final Rules

For the reasons discussed in the preamble, the Federal Communications Commission amends 47 CFR parts 1 and 64 as follows:

PART 1—PRACTICE AND PROCEDURE

1. The authority citation for part 1 is revised to read as follows:

Authority: 15 U.S.C. 79 et seq.; 47 U.S.C. 151, 154(i), 154(j), 155, 157, 225, 227, 303(r), and 309.

2. Amend § 1.80 as follows:

a. Revise paragraph (a)(3)

b. Designate the undesignated paragraph following (a)(4) as “Note to Paragraph (a)” and revise it;

c. Redesignate paragraphs (a)(4), (b)(3), (b)(4), (b)(5), and (c)(3), as paragraphs (a)(5), (b)(4), (b)(5), (b)(6), and (c)(4), respectively;

d. Redesignate “Note to Paragraph (b)(4)” as “Note to paragraph (b)(5)” and revise it;

e. Add new paragraphs (a)(4), (b)(3), and (c)(3);

f. Revise redesignated paragraph (b)(4); and

g. Revise paragraph (d).

PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

3. The authority citation for part 64 is revised to read as follows:

Authority: 47 U.S.C. 154, 254(k), 227; secs. 403(b)(2)(B), (c), Pub. L. 104-104, 100 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 222, 225, 226, 207, 228, and 254(k) unless otherwise noted.

4. Section 64.1600 is amended by redesignating paragraphs (c), (d), (e), and (f) as paragraphs (e), (f), (i), and (j) respectively and by adding new paragraphs (c), (d), (g), and (h) to read as follows:

5. Section 64.1604 is redesignated as section 64.1605, and a new section 64.1604 is added to read as follows: