HN Debrief

A Call to Action: Stop the FCC's KYC Regime

  • Privacy
  • Regulation
  • Security
  • Infrastructure
  • Telecom

The post is a call to file comments against an FCC rulemaking that would strengthen know-your-customer requirements for phone providers. The concern is simple: if carriers must tie every line, including prepaid and VoIP service, to a verified real-world identity, they become even bigger repositories of sensitive personal data and a more direct surveillance point for governments and data brokers. The comments mostly treated the proposal as a bad fit for the problem it claims to solve. Spam calls are not mainly a story about anonymous ordinary users slipping through a loophole. They are a story about spoofed caller ID, cheap VoIP numbers, weak enforcement, and old parts of the phone network that still let unauthenticated calls through. That is why several people said the obvious lever is not universal KYC but stricter handling of call attestation, especially blocking or heavily downgrading calls that arrive unverified or through legacy paths.

If you care about privacy, the practical fight is not abstract anti-KYC rhetoric but specific telecom rules about attestation, anonymous calling, and default handling of unverified calls. For operators and founders, assume regulators will keep pushing identity binding into communications systems, so design products around minimizing stored identity data and around user-controlled trust levels instead of mandatory real-name collection.

Discussion mood

Strongly negative. Most commenters saw the FCC proposal as surveillance creep and pointless data collection that will burden legitimate users, enrich telcos and data brokers, and still miss the real sources of spam because spoofing, VoIP resale, and legacy telecom exemptions remain the core problem.

Key insights

  1. The proposal changes STIR/SHAKEN’s purpose

    It reframes STIR/SHAKEN from a network-level claim that a carrier is authorized to use a number into a legal requirement to bind that claim to a KYC-verified person or entity. That is a major shift in liability and operating burden for telecom and VoIP providers. It also explains why people expect lawsuits and market concentration if the rule goes through, because small providers can handle call signing far more easily than they can handle full identity verification and the compliance risk that comes with it.

    If you run telecom-adjacent infrastructure, track this as a compliance expansion, not just an anti-spam tweak. The cost is not the protocol header. The cost is becoming the party legally responsible for identity truth.

    Attribution: 9cb14c1ec0, singpolyma3
  2. Legacy interconnects are the spoofing escape hatch

    Unauthenticated calls still get through because parts of the global phone network cannot carry STIR/SHAKEN information end to end. Calls routed through older TDM systems lose the verification headers, then reappear as merely “unverified” on the other side. That means spoofers do not need to beat modern attestation. They just need to find a route that strips it. The practical effect is that the dirtiest traffic hides inside compatibility paths that carriers keep alive for commercial and international reasons.

    Default treatment of unverified calls matters more than collecting more ID at signup. If your business depends on phone reachability, ask carriers how they classify and deliver low-attestation traffic before you assume “verified calling” is actually protecting your users.

    Attribution: inigyou, mschuster91, simoncion, gausswho
  3. Anonymous calling and spoofing are different problems

    Several comments sharpened a distinction the policy muddies. A caller should be able to withhold their number without impersonating someone else. Medical offices, abuse-sensitive situations, and tip lines are real use cases for anonymity. Spoofing is different because it forges someone else’s identity. Treating those as the same problem pushes regulators toward universal identity collection when the cleaner solution is to allow “no caller ID” while rejecting false caller ID.

    When you design call or messaging policy, separate “anonymous,” “verified,” and “forged” into different states. Users can make sane choices if the system labels those states clearly. They cannot if everything gets collapsed into “known person or blocked.”

    Attribution: dec0dedab0de, singpolyma3, Zak, advisedwang, inigyou
  4. Other countries show KYC is no silver bullet

    People brought real-world counterexamples to the idea that SIM registration fixes spam. Italy was cited as having mandatory identity checks for mobile service while still dealing with scam calls. Others noted Europe is not uniform at all. Some countries and providers still offer low-friction SIMs or eSIMs, while VoIP number issuance and pricing often differ much more than mobile rules do. That shifts the lesson from “copy Europe” to “look at where abusive traffic actually enters the market.”

    Be skeptical of regulatory arguments that point to foreign KYC regimes as proof of effectiveness. Ask which segment changed (mobile, VoIP, cross-border transit, or enforcement) and whether spam actually fell rather than just moving channels.

    Attribution: stackskipton, reddalo, cge
  5. Payment rails already provide traceability

    A practical alternative surfaced in the accountability debate. If the goal is traceability for abuse investigations, prepaid or postpaid service paid through a bank card already creates a path back to a legal identity without forcing every carrier to warehouse more subscriber PII. That does not solve every case, but it undercuts the idea that telcos themselves must collect the most sensitive identity data to enable law enforcement access.

    Before adding first-party KYC, check whether downstream payment or platform partners already satisfy your accountability needs. Copying identity data into more systems usually increases breach exposure faster than it increases investigative power.

    Attribution: dghlsakjg, mindslight, jameshart, dataflow, singpolyma3
  6. The civic process itself deters privacy-minded opposition

    People who might object to more identity collection ran into an obvious contradiction. Filing an FCC comment can require putting your name and address into a public record, and even the online forms were reported as hostile. That does not just create inconvenience. It filters out exactly the users most sensitive to doxxing, stalking, or data aggregation, which weakens the visible opposition to privacy-invasive rules.

    If you are mobilizing users against a rule, provide step-by-step filing instructions and privacy tradeoffs upfront. Friction in administrative processes is not neutral. It changes who participates and whose concerns make it onto the record.

    Attribution: rib3ye, sailfast, themafia, throwaway1492
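
The state separation from insight 3, combined with the stripped-header case from insight 2, as an added example (not code from the discussion or from any carrier). It assumes the SIP header names and PASSporT layout used by STIR/SHAKEN; the state labels, `classify`, `make_identity`, the phone numbers and `cert.example` are constructed for illustration, and signature verification is assumed to run upstream and arrive as `sig_ok`.

```python
import base64, json, re

ANON = "anonymous@anonymous.invalid"  # conventional SIP URI for a withheld number

def make_identity(attest, orig_tn):
    """Constructed sample Identity header; the signature segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://cert.example/sp.pem"}
    body = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": 1700000000,
            "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(head)}.{enc(body)}.c2ln;info=<https://cert.example/sp.pem>;alg=ES256;ppt=shaken"

def _claims(identity_hdr):
    """Decode the PASSporT payload (middle JWT segment) of an Identity header."""
    payload = identity_hdr.split(";", 1)[0].strip().split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _tn(value):
    m = re.search(r"(?:sip|tel):\+?(\d+)", value or "")
    return m.group(1) if m else None

def classify(headers, sig_ok=False):
    """Return (state, reason). sig_ok is the verdict of a separate signature and
    certificate-chain check (assumed to run upstream; not implemented here)."""
    withheld = ANON in headers.get("From", "").lower()
    identity = headers.get("Identity")
    if identity is None:
        # Nothing signed: the caller withheld the number, or a legacy hop dropped the header.
        if withheld:
            return ("anonymous", "number withheld, no claim made")
        return ("unverified", "no Identity header (unsigned or stripped in transit)")
    try:
        claims = _claims(identity)
        attest, orig_tn = claims["attest"], claims["orig"]["tn"]
    except (IndexError, KeyError, TypeError, ValueError):
        return ("forged", "malformed PASSporT")
    if not sig_ok:
        return ("forged", "signature or certificate check failed")
    asserted = _tn(headers.get("P-Asserted-Identity")) or _tn(headers.get("From"))
    if asserted is None:
        return ("unverified", "no telephone number to compare with the signed claim")
    if asserted != orig_tn:
        return ("forged", "signed orig.tn does not match the number presented")
    if withheld:
        return ("anonymous", "number withheld from callee, carrier-signed")
    if attest == "A":
        return ("verified", "full attestation")
    return ("unverified", f"attestation {attest}: carrier does not vouch for the number")
```

A call whose signed header was dropped on a legacy hop lands in `unverified`, not `forged`, so the delivery policy for that state is where the default-treatment decision is made.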

Against the grain

  1. Accountability may justify blocking unverified callers

    A minority view held that the default should favor recipients, not anonymous callers. If a line can reach you, it should be traceable to a real person or at least presented as unverifiable so your provider can block it before the phone rings. That argument does not love carrier KYC for its own sake. It values a communication network where abuse can reliably be tied back to someone and where users can refuse traffic that lacks that property.

    If your product relies on unsolicited outbound contact, expect a future where trust metadata becomes mandatory for deliverability. Anonymous reachability is losing the benefit of the doubt.

    Attribution: jameshart
  2. Some spam is just rented legitimate numbers

    One telecom-focused pushback said many scam calls people describe as “spoofed” may simply come from real local or exchange-matched numbers bought in bulk from VoIP providers. That matters because it means perfect caller-ID authentication would still leave a large spam problem. The abuse model is not always impersonation. Sometimes it is disposable but valid inventory.

    Do not overestimate identity attestation as a complete anti-spam control. You also need provider-side rate limits, reputation systems, and fast shutdown of abusive number inventory.

    Attribution: ChrisMarshallNY, singpolyma3
  3. Subscribers are the easiest point to regulate

    One line of reasoning accepted the technical complaints about carriers but still argued the FCC may be targeting subscribers because emergency-access rules and common-carrier obligations make it hard to simply kill off every problematic path. Even if that diagnosis was disputed, it captures the regulatory instinct here: when the network is messy and politically protected, policymakers push checks to the customer edge because it is administratively simpler.

    When regulation hits the endpoint instead of the infrastructure, assume simplicity for the regulator is driving the design. That usually means the compliance burden will land on onboarding, retention, and support teams first.

    Attribution: frollogaston, collabs

In plain English

  • attestation: In STIR/SHAKEN, the level of confidence a carrier claims about whether the caller is authorized to use the displayed number.
  • FCC: Federal Communications Commission, the United States agency that regulates interstate communications like phone, radio, television, and parts of the internet.
  • IP: Internet Protocol, the basic system used to route data across internet networks.
  • KYC: Know Your Customer, rules or processes that require a company to verify the real identity of its users or customers.
  • PII: Personally identifiable information, data that can identify a specific person such as name, address, phone number, or government ID details.
  • STIR/SHAKEN: A set of telecom standards for signing and verifying caller ID information so carriers can tell whether a calling number is likely legitimate.
  • TDM: Time-Division Multiplexing, an older way of carrying phone calls over traditional telecom networks that often lacks modern identity-verification features.
  • VoIP: Voice over Internet Protocol, phone service carried over internet networks instead of traditional telephone lines.
