AINEWS
KYC Won't Stop Robocallers. It Will Just Build a Phone-User Database.
The FCC's proposed identity checks target the onboarding form, not the call routing path, and inherit the same economics that already defeated KYC in banking.
The FCC's proposed identity checks target the onboarding form, not the call routing path, and inherit the same economics that already defeated KYC in banking.
The Federal Communications Commission is asking for comment on a rule that would require every phone customer to hand over a government-issued ID, a home address, and an alternate phone number just to keep their service active. The stated target is illegal robocalls. The mechanism is a telecom identity database. Those are not the same problem.
The FCC's Further Notice of Proposed Rulemaking, adopted April 30, 2026 and published in the Federal Register on May 26 under CG Docket Nos. 17-59 and 02-278, would extend Know-Your-Customer rules originally built for banks to every voice service provider in the country. Under the proposals in the FNPRM, carriers would have to collect and verify names, addresses, government identification, and secondary contact numbers for new and renewing subscribers, retain those records after the relationship ends, and assess penalties on a per-call basis when the data turns out to be wrong. The rule also contemplates consulting law-enforcement watchlists and asks whether KYC could support investigations beyond illegal calls, into organized crime, trafficking, espionage, and influence operations.
None of that touches the actual robocall pipeline. Illegal robocalls work because attackers spoof caller ID at the signaling layer and route calls through carrier networks they do not own. STIR/SHAKEN, the carrier-to-carrier call authentication framework the FCC has spent years rolling out, verifies the call, not the caller. Demanding a passport at signup changes the onboarding form, not the routing path. A criminal who buys a stolen identity for a few dollars and uses it to open a postpaid line now has a fully KYC-compliant account whose calls will still spoof across the public switched telephone network unimpeded.
The economics are the same ones that defeated KYC in finance. Breached personal data is a commodity, sold in bulk and refreshed faster than any reporting cycle can catch up. A telecom identity file that aggregates the same data the financial sector already failed to protect will be stale the day it is built. Determined attackers will buy fresh identities. Lawful users will sit in a database whose contents travel with every breach.
The civil-liberties case is sharper than the economics. Phone service is not optional for most Americans. Employers, doctors, schools, banks, and government agencies all route through it. Treating a phone number as a privilege gated by government identification treats an essential utility as a banking relationship, and puts the cost on people with the least ability to absorb it. As ACLU senior policy analyst Jay Stanley told 404 Media, "with this rulemaking, the government is contemplating taking away people's ability to get a burner phone, which will hurt low-income people, domestic violence victims, and anyone else who cares about their privacy."
Cypherpunk and Bitcoin advocate Jameson Lopp has laid out the same argument in a post that doubles as a call for public comments, and his framing is worth taking seriously even if his privacy-maximalist priors are not universal. A phone number is a precondition for participation in modern life, and the SIM-swap and identity-theft surface created by collecting more personal data at signup falls on the people who already have the most to lose.
The policy tools that target the actual problem already exist. STIR/SHAKEN attestation is live across the major carriers; what is missing is enforcement. The FCC could make carriers financially liable for unauthenticated calls they originate or transit, require traceback for any call that fails attestation, and fine the carriers that carry spoofed traffic rather than the customers whose forms were sloppy. Those interventions raise the attacker's cost at the layer where the attack happens. KYC raises it at a layer the attacker can route around for the price of a fresh identity.
The comment window is open now. Initial comments are due to the FCC's ECFS system by June 25, 2026 under CG Docket 17-59, with reply comments due July 27. The rule's shape is not fixed. The agency is asking whether KYC should apply differently to prepaid and postpaid, whether third-party retail purchases of prepaid SIMs should be covered, and how long records should be retained. Those are real choices, and the docket is the place to make them. What the FCC does not yet have a plan for is how any of this stops a robocall that uses someone else's name to sign up.