In the past, privacy has been taken into account in the design of 3GPP systems. Examples include the use of temporary identities such as the TMSI and confidentiality protection of user plane traffic. Privacy work has been carried out as part of the work on defining security for 3GPP systems, and the privacy requirements have been handled as a subset of the security requirements.
Even though 3GPP has worked with privacy since the start, the responsibility became more direct at the end of 2011, when SA3 updated its terms of reference to explicitly include privacy. There has also been an increased awareness of privacy-related questions in 3GPP, which has led to more questions regarding privacy when new functions are defined. These are reasons why privacy needs to be treated not only as a part of security but as a topic in its own right, to raise the assurance that it is taken care of properly.
A core part of increasing the assurance around privacy is to establish a baseline for privacy which ensures that an articulated set of privacy principles is kept when designing 3GPP systems.
The present document presents privacy principles that should be followed in 3GPP when designing new systems, security architectures and protocols. Not only will such principles provide guidance on what needs to be considered and, to some extent, how; their mere existence will also serve as a constant reminder to consider privacy in day-to-day work. In addition, some principles/technologies can serve as a reference for vendors' product design. They can also aid operators when working with subscriber data whose collection and use may not be in scope of the 3GPP specifications.
The present document studies the subscriber privacy impact in 3GPP. In particular, the goals of the present document are:
Identify and understand privacy related key issues impacting 3GPP networks.
Identify and potentially harmonize privacy requirements, e.g. MDT/SON.
Identify existing/ongoing work relevant to 3GPP privacy issues in external standard bodies, for potential reuse in 3GPP, e.g. RFC 6973.
Identify privacy risk mitigation approaches and establish privacy handling guidelines/principle and/or best practices for 3GPP for future specifications.
It is not an objective of the study to examine all existing 3GPP specifications in retrospect with respect to privacy.
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Attacker:
entity with malicious intent that compromises the privacy of a user by obtaining personal data, e.g. user data and traffic data.
Authorized:
entity involved in the communication that acts on behalf of one of the other entities, where that other entity has agreed to this, e.g. by signing a contract or through settings.
Communication:
Communication takes place between at least two entities and uses at least one protocol. It may consist of a series of messages.
Communication Initiator:
node (e.g. ME) that initiates the start of a communication to one or several recipients.
Communication phase:
group of messages which are part of a communication.
Data controller:
Natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data processor:
Natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Data Controller.
Data subject:
An identified or identifiable person to whom specific Personal Data relates. It is someone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific factors (physical, physiological, mental, economic, cultural, social).
Eavesdropper:
A passive attacker observing with a malicious intent.
Home operator:
The PLMN operator, with whom the user has the subscription.
Identity:
Any subset of a user's attributes that can uniquely distinguish the user from others. Users may have multiple identities for use in different services.
Identifiable:
A property in which a user's identity is capable of being known to an observer or attacker.
Intermediary:
entity through which the communication, or parts of it, passes on its way from the communication initiator to the recipient.
Location:
geographical information where the terminal resides. This might be a GPS coordinate or some other local data (e.g. CellID or country).
Observer:
entity that observes a communication; this can be for a legitimate purpose or illegitimate purpose. An observer may only be an observer for some layers of a communication.
Operating, administration and maintenance personnel:
person who administers/maintains privacy information during its whole lifetime, or who is responsible for its administration and/or maintenance; may also be responsible for privacy issues such as the storage of privacy information in a network element.
Personal data:
any information relating to an identified or identifiable natural person ('data subject').
Identifiable person:
one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Recipient:
The secondary end-point of a communication.
Requested Service:
service that the user has agreed to potentially use.
Service provider:
3GPP operator - home or visited - (e.g. location services) or a third party provider acting on behalf of the operator and offering a service to the user;
A third party service provider who uses the operator's network to provide a service (e.g. an MTC service provider) and has a co-operation with the visited or home operator.
A third party service provider who just uses the network connectivity to provide service, but has no business relationship with the operator.
User:
Data subject with a 3GPP subscription.
Visited operator:
An operator of a PLMN, which is not the home operator.
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
CDR
Charging Data Record
CHR
Call History Records
GPS
Global Positioning System
MDT
Minimization of Drive Tests
MR
Measurement Report
MTC
Machine Type Communication
PII
Personally Identifiable Information
SIMTC
System Improvements for Machine Type Communication