🤖 AI Summary
STIR/SHAKEN (S/S) fails to curb telephony abuse due to its inability to cover legacy non-VoIP networks; existing extensions broadcast sensitive metadata in plaintext, lacking request authorization, freshness control, and abuse mitigation—posing severe risks to user privacy and carrier commercial confidentiality. This paper proposes Sidecar, the first distributed system supporting tunable decentralization that securely extends S/S to global heterogeneous telephony networks via a novel secure out-of-band signaling mechanism. Key contributions include: end-to-end encrypted, automatically expiring metadata; real-time abuse detection; and usage-based billing. Sidecar guarantees eventual irrecoverability of data under the minimal assumption of a single honest node. Designed within the Universal Composability framework, its protocol integrates encrypted storage and fine-grained access control, achieving negligible call latency overhead while substantially reducing resource consumption and enhancing both availability and privacy assurance.
📝 Abstract
The STIR/SHAKEN (S/S) attestation framework mandated by the United States, Canada, and France to combat pervasive telephone abuse has not achieved its goals, partly because legacy non-VoIP infrastructure could not participate. The industry solution for extending S/S broadcasts sensitive metadata of every non-VoIP call in plaintext to every third party required to facilitate the system. It has no mechanism to determine whether a provider's request for call data is appropriate, nor can it ensure that every copy of that call data is unavailable after its specified expiration. It threatens subscriber privacy and provider confidentiality.
In this paper, we present Sidecar, a distributed, privacy-preserving system with tunable decentralization that securely extends S/S across all telephone network technologies. We introduce the notion of secure out-of-band signaling for telephony and formalize its system and security requirements. We then design novel, scalable protocols that realize these requirements and prove their security within the Universal Composability framework. Finally, we demonstrate Sidecar's efficiency with our open-sourced reference implementation. Compared to the current solution, Sidecar 1) protects the confidentiality of subscriber identity and provider trade secrets, 2) guarantees record expiration as long as a single node handling a record is honest, 3) reduces resource requirements while providing virtually identical call-setup times and equivalent or better uptimes, and 4) enables secure pay-per-use billing and integrates mechanisms to mitigate and detect misbehavior. Moreover, Sidecar can be extended to provide the same security guarantees for arbitrary call metadata. Not only is Sidecar a superior approach, it is also a transformative tool to retrofit fragmented global telephony and enable future improvements, such as stronger call authentication and Branded Calling.