Background

Young children and teenagers are enthusiastic users of mobile technology. Young people’s knowledge of mobile apps and platforms often surpasses that of their parents, guardians and teachers, and children now use social networking services more than their parents.

For growing numbers of young people, mobile technology is an increasingly important tool for communicating, accessing information, enjoying entertainment, learning, playing and being creative. As mobile technology becomes increasingly embedded in everyday life, mobile operators have an important role to play in protecting and promoting children’s rights.

For children and youth, mobile devices can be key to accessing:

• Employment skills;
• Enhanced formal and informal education and learning;
• Information and services to aid in health and well-being;
• Improved social and civic engagement; and
• Opportunities to play and be creative.

Increasingly, mobile devices are playing a role in formal education and informal learning. For people in low- and middle-income countries (LMICs) and rural areas, as well as areas where certain groups – girls in particular – are excluded from formal education, mobile connectivity offers new opportunities to learn.

Like any tool, a mobile device can be used in ways that cause harm, so young people require guidance to benefit from mobile technologies safely and securely.

The mobile industry has taken active steps to support the safe and responsible use of mobile services by children. The GSMA plays a leading role in voluntary industry initiatives, including education and awareness.

Debate

What potential harm are children exposed to in the online environment?

How can all stakeholders navigate the tensions between different child rights in the digital world?

Background

The global digital economy depends on cross-border flows of data to deliver crucial social and economic benefits to individuals, businesses and governments.

When data is allowed to flow freely across borders, it enables organisations to adopt data-driven digital transformation strategies that benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general.¹²

Cross-border flows of personal data are currently regulated by several international, regional and national instruments and laws that are intended to protect the privacy of individuals, the local economy or national security.

While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks, such as the Asia-Pacific Economic Cooperation (APEC) Cross- Border Privacy Rules and the EU Binding Corporate Rules, allow organisationsto transfer personal data under certain conditions. They contain accountability mechanisms and are based on internationally accepted data protection principles.

However, their successful adoption is undermined by governments increasingly implementing data localisation rules (also known as ‘data sovereignty’) that impose local storage requirements or use of local technology.¹³ Such localisation requirements can be found in a variety of sector- and subject-specific rules. The restrictive measures are sometimes imposed by countries based on the belief that supervisory authorities can more easily control and scrutinise data that is stored locally.¹⁴  This can be counterproductive from a data security perspective if the storage of data runs the risk of creating ‘honey pots’ where data stored in a single place with no backup can attract cyberattacks.

Today, bilateral and multilateral trade agreements are incorporating more modern trading arrangements that recognise the potential of digital trade powered by open, cross-border data flows. These can act as a catalyst for continued growth that facilitates trade and improves productivity and economic well-being. Examples of frameworks and fora include the Global Cross Border Data Rules (CBPR) Forum, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the ASEAN Regional Comprehensive Economic Partnership (RCEP), the African Continental Free Trade Area (AfCFTA) and the EU Binding Corporate Rules (BCR).

Debate

How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border flows of data?

How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?

Background

The internet and mobile connectivity have become ever more pervasive, making it vital to ensure that people can use increasingly essential services reliably, safely and securely.

Cyberattacks are not only harmful and criminal, but also undermine trust in digital services. The mobile industry is continually working to educate consumers while also incorporating new features and enhancing existing security capabilities to minimise the potential for fraud, identity theft and other possible threats. This includes encryption, integrity checking and user identity validation. Governments and policymakers have put measures in place to prevent cyberattacks, and national and regional strategies have been adopted in many countries to strengthen resilience, build capacity and fight cybercrime.

Cybersecurity covers several areas,¹⁵ but generally refers to the protection of network-related systems and devices and the software and data they contain. It typically comprises the protection of technical infrastructure, procedures and workflows, physical assets, national security and the confidentiality, integrity and availability (‘CIA triad’) of information. The mobile industry has a long history of providing secure products and services to customers ¹⁶

Protecting network infrastructure and devices

Mobile operators test for vulnerabilities and detect and deter malicious attacks on current generation and future networks. The GSMA and its members support the principles of ‘security by design’ being applied across the value chain. The GSMA itself plays a central role in coordinating activities and leads industry- wide initiatives and programmes, such as the Fraud and Security Group (FASG), the Security Accreditation Scheme (SAS) and the Network Equipment Security Assurance Scheme (NESAS), which together provide a security assurance framework to facilitate security improvements across the mobile industry.

Protecting public safety

Mobile networks are considered critical national infrastructure in many jurisdictions, and the services they support play a key role in protecting the public. The laws and regulations applicable to mobile operators, including telecoms licence conditions, often require them to take on additional responsibilities and assist law enforcement agencies.

Protecting consumers from fraud

Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, smishing or vishing, where victims are tricked into revealing sensitive personal information and service access credentials. Mobile operators implement and offer solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumer privacy

Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained,complete and available throughout its life. The GSMA has undertaken extensive work on data protection and data privacy.

Debate

In the context of 5G implementation and the expanding web of IoT devices, services and AI, how can policymakers ensure that cybersecurity is the responsibility of everyone in the mobile ecosystem?

What is needed to facilitate a more holistic response to cybersecurity?

Background

Research shows that mobile customers are concerned about their privacy and want simple and clear choices for controlling how their private information is used. They also want to know they can trust companies with their data. A lack of trust can act as a barrier to growth in economies that are increasingly data-driven.

One of the major challenges created by the growth of mobile internet is that the security and privacy of personal information is regulated by a patchwork of geographically bound privacy regulations, while the mobile internet is, by definition, international. In many jurisdictions, the regulations governing how customer data is collected, processed and stored vary considerably between market participants. For example, the rules governing how personal data is treated by mobile operators may be different to those governing how it can be used by internet players.

This misalignment between national privacy laws and global standard practices makes it difficult for mobile operators to provide customers with a consistent user experience. It may also cause legal uncertainty for operators, which can deter investment and innovation. Inconsistent levels of protection also increase the risk of consumers unwittingly providing easy access to their personal information, leaving them exposed to unwanted or undesirable outcomes such as identity theft and fraud.

Debate

How can policymakers help create a privacy framework that supports

innovation in data use while balancing the need for privacy across borders, regardless of the technology involved?

How is responsibility for ensuring privacy across borders best distributed across the mobile internet value chain?

What role does self-regulation play in a continually evolving technology environment?

What should be done to allow data to be used to support the social good and meet pressing public policy needs?

Background

The roll-out of 5G and the Internet of Things (IoT) is enabling organisations to process more real-world data in real time. The use of artificial intelligence (AI) systems, including generative AI (GenAI), supports data analysis on a significant scale and in an autonomous way, resulting in faster decision-making and the design of effective new solutions for economies and society at large. In the telecoms industry, AI and advanced data analytics are used, among other things, to optimise and automate networks, avoid service outages, reduce power consumption and CO₂ emissions, increase security and prevent fraud.

Mobile operators also provide AI capabilities to third parties on a commercial basis, such as delivering AI as a platform capability or employing AI to process mobile network data analytics for governments, traffic planning authorities, energy providers and other commercial organisations.

Recent and rapid advances in AI are also presenting challenges which, if not properly addressed, can exacerbate issues such as breaches of privacy, the spread of misinformation and disinformation and security risks. Some international bodies have worked to create a framework for AI development, including UNESCO’s Recommendation on the Ethics of Artificial Intelligence, and the EU’s AI Act which aims to address the risks generated by specific uses of AI.

The mobile industry has developed the AI Ethics Playbook and a related self- assessment questionnaire, both of which are practical tools to help organisations consider how to ethically design, develop and deploy AI systems.  The playbook explains how AI systems should be responsibly designed, developed and deployed in accordance with the principles of fairness, human agency and oversight, privacy and security, safety and robustness, transparency and explainability and accountability, and with full consideration of the potential environmental impact.

Debate

How can the mobile industry and legislators help society realise the benefits of AI in a responsible way that protects privacy and complies with applicable laws?

How can the mobile industry help increase trust in AI among its stakeholders and society at large?

Are new laws and regulations required for AI?

Industry position

As the adoption of AI accelerates, it is vital that systems are designed, developed and deployed responsibly while upholding an individual’s right to privacy and protecting personal data. Governments and regulators can help create a flourishing environment by ensuring that laws and regulations are not onerous, and that they support innovation, provide certainty and build trust.

As providers of mobile infrastructure, mobile operators encourage governments to consider the implications of legislation for the industry, including the potential impact on technology uptake and future economic efficiency gains through the use of AI systems. A risk-based approach should be taken when developing AI laws and regulations to ensure appropriate safeguards are in place while promoting innovation and competition. Ideally, these should be standardised and applied internationally and consistently to enable AI solutions to benefit from economies of scale.

Governments should facilitate and fund further research and development and investment in AI and mobile data-related solutions in both the public and private sectors. To foster an environment that attracts AI talent, it is important that governments invest in capacity building to ensure policymakers and regulators are guided by best practice and in digital skills to help citizens and industry keep pace with rapidly evolving AI technology.

The mobile industry recognises the potential societal benefits of AI and seeks to unlock its potential in a way that respects well- established privacy-by-design principles. Mobile operators are committed to the responsible use of AI in their operations, customer interactions and external products and services to protect customers and employees and ensure that AI operates fairly and reliably.

Resources

The Mobile Industry and AI, GSMA, February 2023

The AI Ethics Playbook: Implementing Ethical Principles into Everyday Business, GSMA, February 2022

AI Ethics Assessment, GSMA

Mobile Privacy and Big Data Analytics, GSMA, February 2017

Privacy Design Guidelines for Mobile Application Development, GSMA, February 2012 Data-Driven Innovation: Big Data for Growth and Well-Being, OECD, October 2015

Background

Research into the safety of radio signals has been conducted for several decades and underpins the human exposure limits that provide protection to all people (including children) against all established health risks.

The WHO and ITU encourage governments to adopt the radio frequency electromagnetic field (RF-EMF) exposure limits developed by the International Commission on Non-Ionizing Radiation Protection (ICNIRP). These were reviewed and updated in 2020.

New applications, such as 5G, wireless IoT and wearable devices, are designed to comply with relevant exposure limits. The international exposure guidelines are not technology-specific and apply to all mobile technologies, including 5G.

The strong consensus of expert groups and public health agencies, including the WHO, is that no health risks have been established from exposure to the radio signals of mobile devices and mobile network antennas that comply with international safety recommendations.

However, research has suggested a possible increased risk of brain tumours among long-term users of mobile phones. As a result, in May 2011, the International Agency for Research on Cancer (IARC) classified radio signals as a possible human carcinogen. Health authorities advise that, given the scientific uncertainty and lack of supporting evidence from cancer trend data, this classification should be understood to mean that more research is needed. They also remind mobile phone users of practical measures for individuals to reduce exposure, such as using a hands-free device or text messaging.

Mobile phones are tested for compliance with exposure limits when operating at maximum power. A mobile phone typically operates at a much lower power level.

For mobile networks, whether 2G, 3G, 4G or 5G, the typical levels in publicly accessible areas are a small fraction of the exposure limits and similar to broadcast services.

A comprehensive health-risk assessment of radio signals is being conducted by the WHO. The conclusions are expected in 2024.

Debate

Does using a mobile phone regularly or living near a base station have any health implications?

Are there benefits to adopting the updated international EMF limits for mobile networks or devices?

Should there be specific restrictions to protect children, pregnant women or other potentially vulnerable groups?

Background

Today, mobile networks not only offer traditional voice and messaging services, but also provide access to virtually all forms of digital content via the internet. In this respect, mobile operators offer the same service as any other internet service provider (ISP). This means mobile networks are inevitably used to access illegal content, ranging from pirated material that infringes intellectual property rights (IPR) to racist content or child sexual abuse material (child pornography).

Laws regarding illegal content vary considerably. Some content, such as child sexual abuse material, is considered illegal around the world, while other content, such as dialogue that calls for political reform, is illegal in some countries but is protected by rights to freedom of expression in others.

Communications service providers, including mobile operators and ISPs, are not usually liable for illegal content on their networks and services, provided they are not aware of its presence and follow certain rules (e.g. ‘notice and takedown’ processes to remove or disable access to the illegal content as soon as they are notified of its existence by the appropriate legal authority).

Mobile operators are typically alerted to illegal content by national hotline organisations or law enforcement agencies. When content is reported, operators follow procedures based on relevant data protection, privacy and disclosure legislation. In the case of child sexual abuse content, mobile operators use terms and conditions, notice and takedown processes and reporting mechanisms to keep their services free of this material.

Debate

Should all types of illegal content, from IPR infringements to child sexual abuse content, be subject to the same reporting and removal processes?

What responsibilities should governments, law enforcement or industry have in the policing and removal of illegal content?

Should access to illegal content on the internet be blocked by ISPs and mobile operators?

Internet governance involves an array of activities related to the policy and procedures of the management of the internet. It encompasses legal and regulatory issues, such as privacy, cybercrime, intellectual property rights and spam. It is also concerned with technical issues related to network management and standards, and economic issues such as taxation and internet interconnection arrangements.

Because the growth of the mobile industry is tied to the evolution of internet-enabledservices and devices, decisions about the use, management and regulation of the internet affect mobile service providers and other industry players and their customers.

Internet governance requires input and collaboration from diverse stakeholders relating to their interests and expertise in technical engineering, resource management, standards and policy issues, among others. Relevant stakeholder groups will vary depending on the specific internet governance issues that are being addressed.

Debate

Who ‘owns’ the internet?

Should certain countries or organisations be allowed to have greater decision- making powers than others about the management of the internet?

How should a multistakeholder model be applied to internet governance?

“Only a concerted joint global effort by governments, businesses, the technical community and civil society will produce a governance architecture that is as generic, scalable and transnational as the internet itself. No single actor or group of actors can solve this alone.”

– Vint Cerf, Chief Internet Evangelist at Google and Co-inventor of the Internet Protocol suite, February 2018

Background

Mobile operators are often subject to a range of laws and/or licence conditions that require them to support law enforcement and security activities in countries where they operate. These requirements vary from country to country and have an impact on the privacy of mobile customers.

Where they exist, such laws and licence conditions typically require operators to retain data about their customers’ mobile service use and disclose it, including their personal data, to law enforcement and national security agencies  on lawful demand. They may also require operators to have the ability to intercept customer communications following lawful demand.

Such laws provide a framework for the operation of law enforcement and security service surveillance and guide mobile operators in their mandatory liaison with these services. However, in some countries, there is a lack of clarity in the legal framework to regulate the disclosure of data or lawful interception of customer communications. This creates challenges for the industry in protecting the privacy of its customers’ information and their communications.

Legislation often lags behind technological developments. For example, obligations may apply only to established telecommunications operators but not to more recent market entrants, such as those providing internet-based services, including Voice over IP (VoIP), video or instant messaging

In response to public debate concerning the extent of government access to mobile subscriber data, a number of major telecommunications providers (such as AT&T, Deutsche Telekom, Orange, Rogers, SaskTel, Sprint, T-Mobile, TekSavvy, TeliaSonera, Telstra, Telus, Verizon, Vodafone and Wind Mobile), as well as internet companies (such as Apple, Amazon, Dropbox, Google, LinkedIn, Meta, Microsoft, Pinterest, Snapchat, Tumblr, Yahoo! and X), publish ‘transparency reports’ that provide statistics relating to government requests for disclosure of such data.

Debate

What is the correct legal framework to achieve a balance between a government’s obligation to ensure that its law enforcement and security agencies can protect citizens and the rights of those citizens to privacy?

Should all providers of communications services be subject to the same interception, retention and disclosure laws on a technology-neutral basis?

Would greater transparency about the number and nature of requests governments make assist the debate, improve government accountability and bolster consumer confidence?

Background

From time to time, mobile operators receive orders from government authorities to restrict services on their networks.

These service restriction orders (SROs) require operators to shut down or restrict access to their mobile network, network service or over-the-top (OTT) service.

Orders include blocking particular apps or content, restricting data bandwidth and degrading the quality of SMS or voice services. In some cases, mobile operators would risk criminal sanctions or the loss of their licence if they disclosed that they had been issued with an SRO.

SROs can have serious consequences. For example, national security can be undermined if powers are misused and public safety can be endangered if emergency services and citizens are unable to communicate with one another. Freedom of expression, freedom of assembly, freedom to conduct business and other human rights can also be affected.

Individuals and businesses can also be affected by an SRO, and can become unable to pay friends, suppliers or salaries. This can have a knock-on effect on credit and investment plans, ultimately damaging a country’s reputation for managing the economy and foreign investment and discouraging donor countries from providing funds or other resources.

MNOs also suffer. Not only do they sustain financial losses from the suspension of services and damage to their reputation, but their local staff can also face pressure from authorities and possibly even public retaliation.

Debate

What factors and alternatives should governments consider before planning an SRO?

What tools and methods can be used to avoid the need for an SRO or to avoid negative impacts if an SRO is the only option?

Background

In several countries, customers of prepaid or pay-as-you-go (PAYG) services can anonymously activate their subscriber identity module (SIM) card simply by purchasing credit, as formal user registration is not required. At the end of 2020, 72% of mobile subscriptions were prepaid²⁰and some 150 governments around the world²¹ have mandated prepaid SIM registration, citing a perceived but unproven link between the introduction of such policies and the reduction of criminal and anti-social behaviour. Mandated prepaid SIM registration is most prevalent in African countries, where SIM registration is required to identify the user.

Some governments, including the Czech Republic, UK and USA, have decided against mandating registration for prepaid SIM users, concluding that the potential loopholes and implementation challenges outweigh the merits.

SIM registration can, however, allow many consumers to access value-added mobile and digital services that would not otherwise be available to them as unregistered users, including identity-linked services such as mobile money, e-health and e-government services.

For a SIM registration policy to create positive outcomes for consumers, it must be implemented in a pragmatic way that takes local market conditions into account, such as the ability of mobile operators to verify customer IDs. If registration requirements are too onerous for a customer to meet, mandating a SIM registration policy may lead to implementation challenges and unforeseen consequences. For example, it could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required IDs. It might also lead to the emergence of an underground market for fraudulently registered or stolen SIM cards, driven by the desire of some mobile users, including criminals, to remain anonymous.

Debate

To what extent do the benefits of mandatory prepaid SIM registration outweigh the costs and risks?

What factors should governments consider before mandating such a policy?

Background

It is important to distinguish between misinformation and disinformation. Misinformation is information that is false but not created with the intent to cause harm. Disinformation is information that is false and deliberately created and shared to harm a person, social group, organisation or country. Another commonly used term is malinformation, which is true information shared intentionally to cause harm.

Mobile operators do not typically host content, but they can nevertheless be affected by false information. In particular, misinformation linking 5G and the COVID-19 pandemic has had direct consequences for the industry, such as attacks on telecommunications equipment and staff.

Through its work with the mobile industry, the GSMA provides access to factual information including independent expert reports on EMF and health.

The European Commission is regulating misinformation and disinformation through the Digital Services Act (DSA),²² which came into force in November 2022, following the Commission’s concerns regarding the growing influence of online platforms in political discussions, disinformation campaigns, fake news dissemination in the lead-up to elections and the societal impact of hate speech.

Debate

Who determines whether information is true or false?

What are the most effective mechanisms to deal with misinformation and disinformation?

Background

A counterfeit mobile device explicitly infringes the trademark or design of an original or authentic branded product, even where there are slight variations to the established brand name.

Due to their illicit nature, these mobile devices are typically shipped and sold in shadow or underground markets by

organised criminal networks. It is estimated that almost one in five mobile devices may be counterfeit.23 This has far-reaching negative impacts. Consumers risk lower quality, safety, security, environmental health and privacy assurances. Governments forgo taxes and duties and must contend with increased crime. Industry players are also affected, as it can harm the trademarks and brands of legitimate device manufacturers and the substandard performance of counterfeit devices can have implications for mobile operators.

Some countries have introduced national lists of homologated (approved) devices to combat counterfeiting, smuggling and tax evasion. The purpose of homologated lists is to indicate which devices are permitted access to mobile networks. Mobile   operators add device-blocking capabilities to their local networks and connect with the national homologated list to ensure only permitted devices are allowed network access.

However, counterfeit mobile devices are not easy to identify and block, given that many have International Mobile Equipment Identity (IMEI) numbers that appear legitimate. It is common for counterfeiters to hijack IMEI number ranges allocated to legitimate device manufacturers for use in their products, which makes it more difficult to differentiate between authentic and counterfeit products.

Debate

How can governments and other stakeholders best address the issue of counterfeit mobile devices?

Background

Policymakers in many countries are concerned about the incidence of mobile device theft, particularly when organised crime becomes involved in the trafficking of stolen devices to other markets.

The GSMA has been leading industry initiatives to block stolen mobile devices based on a shared database of the unique identifiers of devices reported lost or stolen. Using the IMEI of mobile devices, the GSMA Device Registry maintains a central list, known as the GSMA Block List, of devices reported lost or stolen by mobile customers. The GSMA Device Registry is accessible to mobile operators around the world to ensure that stolen devices transported to other countries can be denied network access.

The effectiveness of blocking stolen devices on individual network EIRs depends on the secure implementation of the IMEI in all mobile devices. Leading devicemanufacturers are  encouraged to support a range of measures to strengthen IMEI security and reliability in accordance with GSMA-defined security requirements.

Debate

What can industry do to prevent mobile phone theft?

What are the policy implications of this rising trend?

Background

Security attacks can affect all technology, including mobile devices. Mobile operators use encryption technologies to deter criminals from eavesdropping and intercepting traffic.

The barriers to compromising mobile security are high, and research into possible vulnerabilities has generally been technically complex. While no security technology is guaranteed to be unbreakable, practical attacks on mobile services are rare because they tend to require considerable resources, including specialised equipment, computer processing power and a high level of technical expertise beyond the capability of most people.

Reports of eavesdropping are not uncommon, but such attacks have not taken place on a wide scale and 4G and 5G networks are considerably better protected against eavesdropping risks than earlier generation networks. 5G technology boasts a host of new security capabilities that further enhance protection levels.

Debate

How secure are mobile voice and data technologies and what is being done to mitigate the risks?

Do emerging technologies and services create new opportunities for criminals?

How is 5G, and all the capabilities it brings, affecting the security landscape?

Background

Signal inhibitors, also known as jammers, are devices that generate interference or otherwise intentionally disrupt communications services. In the case of mobile services, they interfere with communication between the mobile terminal and the base station. Their use by private individuals is banned in countries such as Australia, the UK and the USA.

In some regions, such as Latin America, signal inhibitors are used to prevent the illegal use of mobile phones in specific locations, such as prisons. However, blocking the signal does not address the root of the problem: wireless devices illegally ending up in the hands of inmates who then use them for illegal purposes.

Moreover, signal inhibitors do not prevent mobile devices from connecting to Wi-Fi networks because they do not affect the frequency bands used by Wi-Fi routers.

As a result, signal inhibitors do not block people from using OTT voice applications to make calls to phone networks.

Mobile operators provide coverage and capacity by investing heavily in the installation of radio base stations. However, the indiscriminate use of signal inhibitors compromises these investments by causing extensive disruption to the operation of mobile networks, reducing coverage and forcing a deteriorated service for consumers.

Debate

Should governments or private organisations be allowed to use signal inhibitors that interfere with the provision of mobile

voice and data services to consumers?

Should the marketing and sale of signal inhibitors to private individuals and organisations be prohibited?