Content for TR 33.867, Word version: 17.1.0



1  Scope

The scope of the present document is to identify and evaluate the requirements and solutions to support user consent for 3GPP services while complying with user privacy considerations.
The details are as follows:
  • Review TR 33.849 with regard to the concept of user consent for 3GPP users, and identify what types of data collection and conditions under which the support of the user consent is required; then update them if needed.
  • Identify target usage scenarios and trust domains.
  • Analyse potential security threats and requirements for conditions under which user sensitive data are collected without user consent, and when user consent indication is not protected.
  • Identify potential solutions to address the above security requirements.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TR 21.905: "Vocabulary for 3GPP Specifications".
TS 23.558: "Architecture for enabling Edge Applications (EA)".
TR 33.849: "Study on subscriber privacy impact in 3GPP".
TS 23.288: "Architecture enhancements for 5G System (5GS) to support network data analytics services".
TS 23.501: "System architecture for the 5G System (5GS)".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Data controller: As defined in TR 33.849.
Data processor: As defined in TR 33.849.
Data subject: As defined in TR 33.849.
Personal data: As defined in TR 33.849.

3.2  Symbols


3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
EAS: Edge Application Server
EES: Edge Enabler Server
GPSI: Generic Public Subscription Identifier
MEC: Mobile Edge Computing
MNO: Mobile Network Operator
NF: Network Function
NWDAF: Network Data Analytics Function
PII: Personal Identification Information

4  General principles for user consent

4.1  Concept of user consent

Many new applications and use cases in the 5G System require the storage and processing of user data along with the request for providing communication services. In such cases, user consent is required. In the present document user consent means a specific and clear opt-in of the user to indicate permission to the processing and collection of the user's personal data for a specific purpose.

4.2  Background information to existing work

Privacy is one aspect for which user consent is needed. The privacy aspect has already been studied in detail in TR 33.849, which provides privacy principles that need to be followed in 3GPP when designing new systems, security architectures and protocols. Parts of TR 33.849 are related to user consent and can be taken into account in the present document.
Clause 6.5 of TR 33.849 introduces user consent as one of the threat mitigation approaches to mitigate the privacy risk, and gives a brief introduction on how explicit user consent can be collected.
In clause 5.3.4 of TR 33.849, the condition under which user consent is required for personal information disclosure is defined as: "Personal data disclosure with the purpose to accomplish a certain application/service needs to be under user's consent, unless the disclosure is performed in the legitimate interest of the data subject, e.g. providing a service."
In Annex B of TR 33.849, some regulations related to privacy are introduced.
However, with the evolution of the 3GPP network, more and more 3GPP services are introduced. Some services can require personal identification information (PII); thus, the identification of target usage cases for user consent is necessary.
For different use cases, the PII is identified by different identities, e.g., in some of them it is identified by subscriber ID, i.e., SUPI, and in some of them it is identified by user IDs. Thus, it is necessary that the source of user consent is identified case by case.
However, as mentioned before, privacy is only one of the drivers for user consent. User consent can also be given or prohibited for non-PII.
In summary, different use cases need different solutions for authorization based on user consent. Security issues of how user consent is exchanged among NFs in the network and how they are handled and respected by various features specified by 3GPP will be considered in the present document.
