Characterizing User Comprehension in the STIR/SHAKEN Anti-Robocall Standard

The Federal Communication Commission (FCC) has taken action against the increasing number of spam calls by mandating service providers implement STIR/SHAKEN, a framework for authenticating Caller ID. Specifically, STIR/SHAKEN provides users with a series of alerts representing the various potential states of authentication of an incoming call. While these states have a clear definition in the standards, it is unclear whether end users can interpret these states and whether they will ultimately help users defend themselves against robocalls. In this paper, we perform the first survey of consumer preferences (n=806) for how carriers should react to specific authentication types. We then evaluate user interpretation of warning designs representing various STIR/SHAKEN authentication states. Finally, we explore how users interpret and plan to react to these different states through interviews (n=20). The results suggest that users have difficulty fully understanding the output from STIR/SHAKEN due to personal preference, understanding of authentication states, and the impact of design. This misunderstanding leads to unintended interpretations and behavior. In so doing, we show that significant design challenges must be overcome for STIR/SHAKEN to reach its full potential as a means of mitigating robocalls.