There is a requirement in place on anonymity for both the requestor and the target in the LCS Stage 1, TS 22.071
, and there are or will be regulatory requirements to support anonymity in location services in some countries. It is seen as a basic service requirement that the user should be able to request anonymity at will.
There are various methods available for providing anonymity-support for LCS. One model has been described by the GSM Association in the LS in TD S2-021104 to 3GPP. In short, GSMA's model introduces the following logical architecture.
In this PUSH model the pseudonym of the target UE is always generated for certain LCS clients on behalf of the terminal's subscriber without a specific request.
The PUSH model describes the case when the target UE requests its own location using e.g. SMS or WAP. SMS and WAP functions currently have problems in supporting anonymity, because the SMS/WAP gateways forward the originating MSISDN to the receiver. This weakness may be resolved in practise e.g. such that the SMS or WAP Gateway requests pseudonyms from a common device (PMD), as shown in Figure E.1
. In this process the gateway requests a pseudonym from PMD in signalling step 2 and in signalling step 3 the gateway uses the pseudonym in the service request that it sends to the LCS client. The gateway includes the requesting terminal's verinym, i.e. the MSISDN, in the service response it sends to the terminal in step 9. In this way the LCS client only knows the pseudonym of the terminal and not the verinym. This solution is not LCS specific, since the SMS/WAP gateway inserts pseudonyms in all SMS/WAP messages, which the gateway forwards to the receivers (LCS clients) defined by the operator in advance.
The Liberty Alliance Project has standardized methods that can be used to ensure the anonymity of the target UE in location services using pseudonyms as shown by the example in Figure E.2
below. The specifications of the Liberty Alliance project are publicly available at http://www.projectliberty.org/.
In this PULL model the LCS client requests the pseudonym from the Gateway before accepting the service request from the terminal. The proxy/gateway is a so-called Liberty Enabled Client/Proxy, which also may support standard WAP proxy/gateway functions as described in the appropriate WAP Forum specifications.
The terminal (UE) sends a standard Wireless Transport Protocol (WTP) -request to the Proxy/Gateway.
The proxy/gateway converts the service request into an HTTP-request with a dynamic IP address. This HTTP-request does not contain the MSISDN of the terminal, so it is totally anonymous to the LCS-client.
The LCS-client needs to get an assertion, i.e. a pseudonym, before it can accept to provide location services to the terminal, so it sends a HTTP-response to the Proxy/Gateway, which includes a request for a pseudonym.
The proxy/gateway maps the LCS client's HTTP-response to the HTTP-request it sent in step 2 and thus the proxy/gateway also knows to which terminal the LCS client's HTTP-response is related. The proxy/gateway intercepts and interprets the HTTP-response and finds the pseudonym request. It forwards the pseudonym request to PMD and attaches the terminal's MSISDN to allow the PMD to provide a pseudonym related to this MSISDN. In case PMD needs to contact the target UE user for some reason, e.g. to ask for consent to deliver the pseudonym to this specific LCS-client, this interaction is fully supported in the Liberty Enabled Client/Proxy specification.
The proxy/gateway sends an HTTP-request containing the pseudonym to the LCS-client.
The LCS-client sends a location service request to GMLC using the pseudonym of the target terminal.
The PMD may include the MSISDN in the pseudonym by encrypting it in such a way that GMLC is able to determine the MSISDN itself and in such a case step 7 is not needed. In case GMLC cannot find out the verinym of the terminal itself, it requests from PMD the MSISDN that corresponds to the pseudonym it received from the LCS-client.
GMLC provides location information to the LCS-client using the pseudonym of the target terminal.
The LCS-client sends an HTTP-response to the proxy/gateway containing the requested location specific service content.
The proxy/gateway maps the response to the outstanding request sent in step 1 and delivers the result to the correct terminal using MSISDN.
Note that the mechanism described above is a generalized solution to the problem of transporting something from party 1 (PMD) to party 3 (GMLC) so that intermediate party 2 (LCS-client) cannot find out the real content transferred between party 1 and party 3 (verinym in this case). Also note that since the proxy/gateway does not push any pseudonym in step 2, it is not required to understand the destination application and what information it may need. Step 3 allows any application to request a pseudonym or any information it may need, thus making this a generalized solution, which may be used for many types of applications, not only LCS.
It is to be noted that the Liberty release 1.1 specification has been carefully studied by the EU article 29 committee and found to be in accordance with the current EU privacy requirements. It is stressed, however, that it is the responsibility of someone implementing or deploying a system in accordance with the Liberty Alliance specifications to comply with EU directives and requirements on privacy.
For roaming cases clause 9.1.1
in this specification describes the cases where the pseudonym contains the address(es) of the target UE's Home-GMLC so that the Requesting-GMLC can forward the location request to H-GMLC, which may determine the corresponding verinym itself or request the verinym from its associated PMD.