Content for TR 33.867 Word version: 17.1.0
1 Scope
2 References
3 Definitions of terms, symbols and abbreviations
4 General principles for user consent
...
...
1 Scope p. 7
The scope of present document is to identify and evaluate the requirements and solutions to support user consent for 3GPP services while complying with user privacy considerations.
The details are as follows:
- Review TR 33.849 with regards to the concept of user consent for 3GPP users, and identify what types of data collection and conditions under which the support of the user consent is required; then update them if needed.
- Identify target usage scenarios and trust domains.
- Analyse potential security threats and requirements for conditions under which user sensitive data are collected without user consent, and when user consent indication is not protected.
- Identify potential solutions to address the above security requirements.
2 References p. 7
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]
TS 23.558: "Architecture for enabling Edge Applications (EA) ".
[3]
TR 33.849: "Study on subscriber privacy impact in 3GPP".
[4]
TS 23.288: "Architecture enhancements for 5G System (5GS) to support network data analytics services".
[5]
TS 23.501: "System architecture for the 5G System (5GS)".
[6]
General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02016R0679-20160504&from=EN .
3 Definitions of terms, symbols and abbreviations p. 7
3.1 Terms p. 7
For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Data controller:
As defined in TR 33.849.
Data processor:
As defined in TR 33.849.
Data subject:
As defined in TR 33.849.
Personal data:
As defined in TR 33.849.
3.2 Symbols p. 8
Void.
3.3 Abbreviations p. 8
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
EAS
Edge Application Server
EES
Edge Enabler Server
GPSI
Generic Public Subscription Identifier
MEC
Mobile Edge Computing
MNO
Mobile Network Operator
NF
Network Function
NWDAF
Network Data Analytics Function
PII
Personal Identification Information
4 General principles for user consent p. 8
4.1 Concept of user consent p. 8
Many new applications and use cases in the 5G System require the storage and processing of user data along with the request for providing communication services. In such cases, user consent is required. In the present document user consent means a specific and clear opt-in of the user to indicate permission to the processing and collection of the user's personal data for a specific purpose.
4.2 Background information to existing work p. 8
Privacy is one aspect for which user consent is needed. Privacy aspect has already been studied in detail in TR 33.849, which provides privacy principles that need to be followed in 3GPP when designing new systems, security architectures and protocols. Parts of TR 33.849 are related to user consent and can be taken into account in the present document.
In clause 6.5 of TR 33.849, user consent is introduced as one of the threat mitigation approaches to mitigate the privacy risk, and gives a brief introduction on how explicit user consent can be collected.
In clause 5.3.4 of TR 33.849, conditions which user consent is required for personal information disclosure is defined as: "Personal data disclosure with the purpose to accomplish a certain application/service needs to be under user's consent, unless the disclosure is performed in the legitimate interest of the data subject, e.g. providing a service."
In Annex B of TR 33.849, some regulations related to privacy are introduced.
However, with evolution of 3GPP network, more and more 3GPP services are introduced. Some services can require personal identification information (PII), thus, the identification of target usage case for user consent is necessary.
For different use case, the PII is identified by different identities, e.g., some of them is identified by subscriber ID, i.e., SUPI, and some of them is identified by user IDs. Thus, it is necessary that the source of user consent is identified case by case.
However, as mentioned before, privacy is only one of the drivers for user consent. User consent can also be given or prohibited for non PII.
In summary, different use cases need different solutions for authorization based on user consent. Security issues of how user consent is exchanged among NFs in the network and how they are handled and respected by various features specified by 3GPP will be considered in the present document.
