Consumer Protection

Consumer Protection

With the growing economic and social importance of mobile services, particularly the mobile internet, there is a corresponding need to ensure the more than five billion people currently connected via these services can continue to enjoy them safely and securely. The challenge is providing this protection while also ensuring users have control over their privacy and personal data.

It is essential for the mobile industry, therefore, to deliver safe and secure technologies, services and apps that inspire trust and confidence. At the same time, there is a need to educate consumers about potential risks and raise awareness of the steps they can take to avoid those risks.

The mobile industry takes consumer protection seriously. The GSMA and its members play a leading role in developing and implementing appropriate safety and security solutions, technical standards and protocols. They also work with governments, multilateral organisations and non-governmental organisations to address concerns related to consumer protection by:

  • Defining, sharing and promoting global best practice.
  • Building and participating in cross-sector coalitions.
  • Educating consumers and businesses in the safe use of mobile technologies and applications.
  • Commissioning research that offers real-world insight and evidence.

The following pages provide a small indication of the work undertaken by the mobile industry to ensure consumers continue to be appropriately protected and informed as they enjoy the full range of benefits that mobile technology makes possible.

Addressing Cybersecurity Challenges

The internet and mobile connectivity have become ever-more pervasive and embedded in daily life, so there is a corresponding need to ensure people can continue to use these increasingly essential services safely and securely. The mobile industry has worked to educate consumers while incorporating new features and enhancing existing security capabilities such as encryption, integrity checking and user identification validation into mobile services, minimising the potential for fraud, identity theft and other possible threats.

Governments and policymakers have put in place measures to prevent cyberattacks, which are not only harmful and criminal, but undermine trust in digital services. National and regional strategies have been adopted in many countries to strengthen resilience, build capacity and fight cybercrime.

‘Cybersecurity’ is not often clearly defined1 and can cover a number of areas. Generally, it refers to the protection, by any means, of network-related systems and devices and the software and data they contain. As such, cybersecurity typically comprises the protection of technical infrastructure, procedures and workflows, physical assets, national security as well as the confidentiality, integrity and availability (CIA triad) of information.

The mobile industry has a long history of providing secure products and services to its customers in the following ways:2

Protecting network infrastructure and devices. Operators are constantly improving standards, deploying better versions of technology, identifying risks and reducing vulnerabilities. They test networks for weaknesses and build their capacity to detect and deter malicious attacks on current-generation and future networks. The GSMA and its members support the principles of 'security-by-design' to be applied across the value chain.

Protecting public safety. Mobile networks are considered to constitute critical national infrastructure in many jurisdictions and they play a key role in protecting the public, for example by enabling people to call emergency services. Operators have a legal obligation to assist law enforcement agencies, which they do while being supportive of human rights concerns.

Protecting consumers from fraud. Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, SMiShing or vishing, where victims are tricked to reveal sensitive personal information and service access credentials. Operators implement solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumer privacy. Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained, complete and available, throughout its life. The GSMA has done extensive work on data protection and data privacy.

Given that risks are dynamic and not confined to national borders, sustained, international multi-stakeholder cooperation is key in all areas of security to manage risks. Furthermore, robust security measures must be adopted by the entire digital value chain. Looking ahead, mobile operators and the GSMA will remain engaged in a number of activities, including:

  • Continuing to invest in the security of their own networks, devices and services and building the capacity to detect and deter malicious attacks, improving preparedness and incidence response.
  • Contributing to the development of globally recognised, industry-led, voluntary consensus security standards, assurance programmes and conformity assessment schemes.
  • Participating in capacity building and in public-private partnerships to share best practices with other stakeholders.

1. A useful overview of definitions can be found in ENISA’s report: Definition of Cybersecurity – Gaps and overlaps in standardisation.
2. GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem for All (2013).

CP_Collaborating_on_Solutions

Children and Mobile Technology

Background

Young children and teenagers are enthusiastic users of mobile technology. Young people’s knowledge of mobile applications and platforms often surpasses that of parents, guardians and teachers, and children now use social networking services more than their parents.

For growing numbers of young people, mobile technology is an increasingly important tool for communicating, accessing information, enjoying entertainment, learning, playing and being creative. As mobile technology becomes increasingly embedded into everyday life, mobile phone operators can play an important role in protecting and promoting children’s rights.

Mobiles can be key enablers to access:

⦁ Skills for employment.
⦁ Enhanced formal and informal education and learning.
⦁ Information and services to aid in health, well-being and support.
⦁ Improved social and civic engagement.
⦁ Opportunities to play and to be creative.

Mobile devices increasingly play a role in formal education and informal learning. In developing and rural areas, as well as places where certain people — girls in particular — are excluded from formal education, mobile connectivity offers new opportunities to learn.

Like any tool, mobile devices can be used in ways that cause harm, so children require guidance in order to benefit from mobile technologies safely and securely.

The mobile industry has taken active steps in the area of safe and responsible use of mobile services by children. The GSMA has played a leading role in self-regulatory initiatives dealing with issues such as parental controls, education and awareness.

Debate

What potential harm are children exposed to in the online environment?
How can all stakeholders navigate tensions between differing child rights in the digital world?

Industry Position

Mobile devices and services enhance the lives of young people. This perspective needs to be embraced, encouraged and better understood by all stakeholders to ensure young people get the maximum benefits from mobile technology.

Addressing safe and responsible use of mobile by children and young people is best approached through multi-stakeholder efforts.

Working closely with Unicef, the GSMA and its mobile operator members — as well as a range of other organisations including the International Centre for Missing and Exploited Children (ICMEC) and INHOPE — hold national and regional multi-stakeholder workshops on the issue. These workshops bring together policymakers, NGOs, law enforcement and industry, to facilitate the development of collaborative approaches to safe and responsible use of the internet.

Through its mYouth programme, the GSMA also works closely with Child Helpline International to foster collaboration between mobile operators and child helplines in promoting children’s rights — in particular their right to be heard — and to work together on areas of mutual concern, such as safer internet.

The GSMA takes part in international initiatives related to safeguarding children online, including contributing to the ITU’s Child Online Protection programme, and actively engages with governments and regulators looking to address this issue. Through its Capacity Building programme, for example, the GSMA helps policymakers better understand children’s use of technology, and discusses strategies for encouraging young people to become positive, engaged, responsible and resilient users of digital technology.

Young people are critical to the evolution of the mobile sector as they represent the first generation to have grown up in a connected, always-on world. They are future consumers and innovators who will deliver the next wave of innovation in mobile.

Resources

UNICEF Guidelines for Industry on Child Online Protection website
UNICEF Tools for companies in the ICT sector website
ICT Coalition website
GSMA mYouth website
GSMA and Child Helpline International: Internet safety resources
Global Kids Online: Research Results

Our partnership with the GSMA, now in its fourth year, is one of our most productive and engaging. Children everywhere are ever more digital and mobile; GSMA’s leading-edge policy and practice on keeping children safe and productive in their ever-changing digital environments are vital in enhancing the knowledge and capacity of our member child helplines to prevent harm and respond to children and young people.
— Sheila Donovan, Executive Director, Child Helpline International

Deeper Dive

Collaboration in Action

Growing numbers of young people are leading digital lives, and when they encounter problems in their digital lives, many will reach out to child helplines for support and guidance.

And while many child helplines have already built up experience in this area, globally there is still a number of them who are in the early stages of development and would benefit from guidance on these issues. GSMA and Child Helpline International (CHI) wanted to extend their support to child helplines that fall into the latter category, by harnessing the experience of experts in this field from a range of stakeholder groups.

In May 2016, GSMA and Child Helpline International co-hosted an intensive one-day workshop. This session brought together expertise from the child helpline community, the Child Helpline International youth panel, mobile operators and other industry players, NGOs, child online safety experts — including a specialist child and adolescent psychiatrist — and law enforcement.

The workshop was used to kick-start the process for creating a series of high-level guides for child helpline counsellors and volunteers on nine of the more common or challenging digital issues that lead young people to seek advice from helplines. The nine guides were launched in November 2016 and cover: cyberbullying, discrimination and hate speech, grooming, illegal content, inappropriate content, privacy, sexual extortion, sexual harassment and unsolicited contact.

The guides were created with child helplines and their counsellors and volunteers in mind — in particular those for whom internet safety issues were relatively new or where counsellor guidance and training was still under development. Each guide was created using input from experts from a range of fields who then also reviewed and approved the content. The guides are purposely high level in order to accommodate differing local contexts, with each guide providing a definition and some examples of the issue, options for discussion with the child or a parent/carer, practical and technical advice, as well as any ‘red flags’ that counsellors should look out for.

The 30th anniversary of the UN Convention on the Rights of the Child

The year 1989 was significant, as it marked both the agreement of the UN Convention on the Rights of the Child (UNCRC) and the birth of the World Wide Web.

The UNCRC sets out a number of child-specific needs and rights that children, everywhere, are entitled to in order to survive and thrive, to learn and grow, and to reach their full potential. It outlines children’s rights to education, information, privacy and the highest attainable standard of health. It also outlines their rights to leisure and play, to be heard, as well as to protection from violence, sexual exploitation and abuse.

The provisions in the UNCRC were set out and agreed without knowledge of the technology revolution that would follow shortly after, and yet — as the UNCRC reaches its 30th anniversary — they remain as important and relevant in today’s connected world as they were for children at the time of its creation.

The GSMA supports its members as they seek to enable the safe and positive realisation of the many opportunities afforded through connectivity, whilst taking steps to mitigate potential risks.

As UNICEF’s State of the World’s Children 2017 report notes, the internet “...reflects and amplifies the best and worst of human nature. It is a tool that will always be used for good and for ill. Our job is to mitigate the harms and expand the opportunities digital technology makes possible.”

Cross-Border Flows of Data

Background

The global digital economy depends on cross-border flows of data to deliver crucial social and economic benefits to individuals, businesses and governments.

When data is allowed to flow freely across national borders, it enables organisations to operate, innovate and to access solutions and support anywhere in the world. Enabling cross-border flows of data can help organisations adopt data-driven digital transformation strategies that ultimately benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general.1

Cross-border flows of personal data are currently regulated by a number of international, regional and national instruments and laws intended to protect individuals’ privacy, the local economy or national security.

While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks such as the Asia-Pacific Economic Co-operation (APEC) Cross-Border Privacy Rules and the EU’s Binding Corporate Rules allow organisations to transfer personal data generally under certain conditions. These frameworks contain accountability mechanisms and are based on internationally accepted data protection principles.

However, their successful adoption is undermined by the implementation by governments of ‘data localisation’ (also known as ‘data sovereignty’) rules that impose local storage requirements or use of local technology.2 Such localisation requirements can be found in a variety of sector- and subject-specific rules created for financial service providers, the public sector or to maintain professional confidentiality. They are sometimes imposed by countries in the belief that supervisory authorities can more easily scrutinise data that is stored locally.3

1. International Chamber of Commerce Report: Trade in the Digital Economy, 2016; ECIPE Report: The Cost of Data Localisation, 2014.
2. Emory Law Journal: Anupam Chander and Uyen Le, Data Nationalism, 2015; Hague Institute for Global Justice: Jonah Force Hill, The Growth of Data Localization Post-Snowden, 2014.
European Commission Report: Building a European Data Economy Communication, 2017.

Debate

How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border flows of data?
How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?

Industry Position

Cross-border flows of data play a key role in innovation, competition and economic and social development. Governments can facilitate these data flows in a way that is consistent with consumer privacy and local laws by supporting industry best practices and frameworks for the movement of data and by working to make these frameworks interoperable.

Governments can also ensure that these frameworks have strong accountability mechanisms, and that the authorities can play a role in overseeing/monitoring their implementation. Governments should only impose measures that restrict cross-border data flows if they are absolutely necessary to achieve a legitimate public policy objective. The application of these measures should be proportionate and not arbitrary or discriminatory against foreign suppliers or services.

Mobile Network Operators (MNOs) welcome frameworks such as the APEC Cross-Border Privacy Rules or the EU’s Binding Corporate Rules, which allow accountable organisations to transfer data globally, provided they meet certain criteria. Such mechanisms are based on commonly recognised data privacy principles and require organisations to adopt a comprehensive approach towards data privacy.

This encourages more effective protection for individuals than formalistic administrative requirements, while helping to realise potential social and economic benefits. Such frameworks should be made interoperable across countries and regions to the greatest extent possible. This would stimulate convergence between different approaches to privacy, while promoting appropriate standards of data protection, allowing accountable companies to build scalable and consistent data privacy programmes.

Requirements for companies to use local data storage or technology create unnecessary duplication and cost for companies and there is little evidence that such policies produce tangible benefits for local economies or improved privacy protections for individuals.
To the extent that governments need to scrutinise data for official purposes, MNOs would encourage them to achieve this through existing lawful means and appropriate intergovernmental mechanisms that do not restrict the flow of data.

The GSMA and its members believe that cross-border data flows can be managed in ways that safeguard the personal data and privacy of individuals and remain committed to working with stakeholders to ensure that restrictions are only implemented if they are necessary to achieve a legitimate public policy objective.

Resources

United Nations Conference on Trade and Development (UNCTAD) Report: Data Protection Regulations and International Data Flows, 2016
White Paper: Christopher Kuner, Reality and Illusion in EU Data Transfer Regulation Post Schrems, 2016
International Chamber of Commerce Report: Trade in the Digital Economy, 2016
Business and Industry Advisory Committee to the OECD Report: The Flow of Data Across Borders — A BIAC Trade Committee Policy Perspective, 2016

Deeper Dive

National Data Privacy Regimes Should be Based on Shared,Core Principles and Provide Flexibility in Implementation

The challenge when regulating for data privacy, including cross-border flows of data, is to put in place measures that consistently provide consumers with confidence in existing and new services, without limiting service adoption or imposing significant additional costs on service providers.

To achieve this, it is crucial for privacy regulation to be based on shared core principles which, according to United Nations Conference on Trade and Development (UNCTAD) sit “at the heart of most national [privacy] laws and international regimes” as well as industry initiatives. This would allow companies to treat data consistently across their operations, innovate more rapidly, achieve larger scale and reduce costs. Consumers will also benefit from wider choice, improved quality and lower prices of services.

The 2009 Madrid Resolution on International Standards for the Protection of Personal Data and Privacy,1 for example, encourages consistent international protection of personal data and embraces privacy approaches from all five continents. As well as being designed “to ease the international flow of personal data, essential in a globalized world”, the resolution advocates six privacy principles to be adopted by policymakers:

at800-in-the-United-Kingdom

Similar principles are reflected repeatedly in laws and policy initiatives around the world such as the Council of Europe Convention 108, the OECD Guidelines, the EU General Data Protection Regulation, the US Federal Trade Commission’s Fair Information Practice Principles and the APEC Privacy Framework. The mobile industry has also adopted the GSMA Mobile Privacy Principles to give consumers confidence that their personal data is being properly protected, irrespective of service, device or country.

1 See: www.privacyconference2011.org/htmls/ adoptedResolutions/2009_Madrid/2009_M1.pdf

Localisation Rules Risk Undermining the Protection of Personal Data

There are several reasons countries seek to impose data localisation rules, including the belief that supervisory authorities can more easily scrutinise data that is stored locally. An additional common reason is the desire to protect individual privacy and ensure it meets the expectations and standards of that country. However, there are solutions and principles that can mitigate these risks without restricting data flows and the benefits that ensue.

Restrictions do not necessarily lead to better protection for personal data. For example, a fragmented approach results in inconsistent protection (e.g., differences across jurisdictions and sectors in what can be stored and for how long) and causes confusion impacting the secure management of personal data. Fragmentation through localisation may also create barriers that make investments in security protection prohibitively expensive. Collectively, this may undermine efforts by mobile network operators and other service providers to develop privacy-enhancing technologies and services to protect consumers.

A key concern is that cross-border flows of data are currently regulated by a patchwork of international, regional and national instruments and laws. This does not create an interoperable regulatory framework that reflects the realities of a globally connected world. As a result, there is a need for frameworks that permit cross-border flows of data to be made interoperable across countries and regions to the greatest extent possible. Interoperability creates greater legal certainty and predictability, allowing companies to build scalable and accountable data protection and privacy frameworks.

Interoperable frameworks would also help foster appropriate mechanisms to ensure data is managed in ways that safeguard the rights and interests of consumers and citizens. Frameworks that incorporate effective accountability mechanisms can help strengthen and protect important rights that help individuals and economies flourish. For example, efforts to make the APEC Cross Border Privacy Rules system and EU Binding Corporate Rules interoperable have the potential to benefit industry, digital trade and consumer interests and rights.

Flows of data across borders are important for societal and economic reasons. Without them, we frustrate not only economic growth, but also potential benefits to society of digital transformation. It is therefore incumbent on governments, regulators, industry and civil society groups to reject localisation measures and instead find ways to enable the flow of data while protecting individuals.

Electromagnetic Fields and Device Safety

Background

According to the World Health Organization (WHO), there are no established health risks from the radio signals of mobile devices that comply with international safety recommendations.

However, research has shown a possible increased risk of brain tumours among long-term users of mobile phones. As a result, in May 2011, radio signals were classified as a possible human carcinogen by the International Agency for Research on Cancer. Health authorities have advised that given scientific uncertainty and the lack of support from cancer trend data, this classification should be understood as meaning that more research is needed. They have also reminded mobile phone users that they can take practical measures to reduce exposure, such as using a hands-free kit or text messaging.

Mobile phone compliance is based on an assessment of the specific absorption rate (SAR), which is the amount of radio frequency (RF) energy absorbed by the body.

Mobile phones use adaptive power control to transmit at the minimum power required for call quality. When coverage is good, the RF output level may be similar to that of a home cordless phone.

Some parents are concerned about whether mobile phone use or the proximity of base stations to schools, day-care centres or homes could pose a risk to children. National authorities in some countries have recommended precautionary restrictions on phone use by younger children, while others, such as the US Food and Drug Administration (FDA), have concluded that current scientific evidence does not justify measures beyond international safety guidelines.

A comprehensive health-risk assessment of radio signals, including those of mobile phones, is being conducted by the WHO. The conclusions are expected in 2018.

Debate

Is there a scientific justification for mobile phone users to limit their exposure?

Do radio signals from mobile phones present a risk to children?

Where can people turn to find the latest research and recommendations?

Industry Position

Governments should adopt the international limit for SAR recommended by the WHO and require compliance declarations from device makers based on international technical standards.

We encourage governments to provide information and voluntary practical guidance to consumers and parents, based on the position of the WHO.

The GSMA believes parents should have access to accurate information so they can make up their own mind about when and if their children should use wireless technologies.

Concerned individuals can choose to limit their exposure by making shorter calls, using text messaging or using hands-free devices that can be kept away from the head and body. Bluetooth earpieces use very low radio power and reduce exposure.

The SAR is determined by the highest certified power level in laboratory conditions. However, the actual SAR level of the phone during use can be well below this value. Differing SAR values do not mean differing levels of safety.

Resources

World Health Organization International EMF Project website
International Agency for Research on Cancer Monograph on Radiofrequency Fields website
GSMA Mobile and Health — independent expert review website
Mobile & Wireless Forum SAR Tick Programme website
ITU EMF Guide website

Deeper Dive

Health Authorities on the Science

A large number of studies have been performed over the last two decades to assess whether mobile phones pose a potential health risk. To date, no adverse health effects have been established as being caused by mobile phone use.
— WHO Fact Sheet 193, October 2014

The results of epidemiological studies in the period reviewed confirm that no higher risk of brain tumors is observed in cell phone users. This conclusion coincides with those of other systematic reviews and risk assessments in the same period by agencies and competent international committees in the evaluation of the effects of electromagnetic fields on health.
— Scientific Advisory Committee on Radiofrequency and Health — CCARS (Spain), 2017

Altogether, it provides no or at most little indication of a risk for up to approximately 15 years of mobile phone use. No empirical data is available for longer use; however, cancer rates in Sweden and other countries do not show any increase that might be attributed to the massive mobile phone use that started in the beginning of this century. There are no indications from the few studies with cultured cells, that RF fields are capable of initiating a tumour. Many animal studies have been performed using a large spectrum of tumour types and long term, often lifelong, exposure. With very few exceptions, no effect of RF exposure on tumour growth and development has been found.
— Swedish Radiation Safety Authority, 2016

The Committee considers it unlikely that exposure to radiofrequency fields, which is associated with the use of mobile telephones, causes cancer. The animal data indicates a possibility of a promoting effect, but it is not clear whether this could explain the increased risk for tumours in the brain, head and neck that has been observed in some epidemiological studies. The Committee feels it more likely that a combination of bias, confounding and chance might be an explanation for the epidemiological observations.
— Health Council of the Netherlands, 2016

Personal Control Over Exposure

Mobile phone users who remain concerned about the possible risks of EMF can make small changes to reduce their exposure significantly. Mobile phones increase their transmission power when the signal is weak, when they are in motion and when they are in rural areas. To decrease exposure, callers may choose to use their mobile phone more when they are outside, in one spot and in urban areas. They may also choose to use a hands-free device or Bluetooth earpiece.

CP_Elect_Fields_Device_Safety_img

Electromagnetic Fields and Health

Background

Research into the safety of radio signals, which has been conducted for more than 50 years, has led to the establishment of human exposure standards that provide protection against all established health risks.

The World Health Organization (WHO) and the International Telecommunication Union (ITU) recommend that governments adopt the radio-frequency exposure limits developed by the International Commission on Non-Ionizing Radiation Protection (ICNIRP). These were reviewed and updated in 2018.

The WHO set up the International EMF Project in 1996 to assess the health and environmental effects of exposure to electromagnetic fields (EMF) from all sources.

The strong consensus of expert groups and public health agencies, such as the WHO, is that no health risks have been established from exposure to the low-level radio signals used for mobile communications.

However, research has suggested a possible increased risk of brain tumours among long-term users of mobile phones. As a result, in May 2011, the International Agency for Research on Cancer classified radio signals as a possible human carcinogen.

Health authorities have advised that given scientific uncertainty and the lack of support from cancer trend data, this classification should be understood as meaning that more research is needed. They have also reminded mobile phone users that they can take practical measures to reduce exposure, such as using a hands-free kit or text messaging.

New applications, such as 5G, wireless IoT and wearable devices, will be designed to comply with existing exposure limits. The international exposure guidelines are not technology specific and are periodically reviewed.

Debate

Does using a mobile phone regularly, or living near a base station, have any health implications?
Are there benefits in adopting EMF limits for mobile networks or devices?
Are new methods needed to assess compliance of advanced antennae planned for 5G deployment?
Should there be particular restrictions to protect children, pregnant women or other potentially vulnerable groups?

Industry Position

National authorities should implement EMF-related policies based on established science, in line with international recommendations and technical standards.

  • Large differences between national limits and international guidelines can cause confusion and increase public anxiety. Consistency is vital, and governments should:
  • Base EMF-related policy on reliable information sources, including the WHO, trusted international health authorities and expert scientists.
  • Set a national policy covering the siting of masts, balancing effective network roll out with consideration of public concerns.
  • Accept mobile operators’ declarations of compliance with international or national radio frequency levels using technical standards from organisations such as the International Electrotechnical Commission (IEC) and ITU.
  • Actively communicate with the public, based on the positions of the WHO, to address concerns.

Parents should have access to accurate information so they can decide when and if their children should use mobile phones. The current WHO position is that international safety guidelines protect everyone in the population with a large safety factor, and that there is no scientific basis to restrict children’s use of phones or the locations of base stations. We encourage governments to provide information and voluntary practical guidance to consumers and parents, based on the position of the WHO.
The mobile industry works with national and local governments to help address public concern about mobile communications. Adoption of evidence-based national policies concerning exposure limits and antenna siting, public consultations and information can reassure citizens.
Ongoing, high-quality research is necessary to support health-risk assessments, develop safety standards and provide information to inform policy development. Studies should follow good laboratory practice for EMF research and be governed by contracts that encourage open publication of findings in peer-reviewed scientific literature.

Resources

WHO International EMF Project website
International Agency for Research on Cancer Monograph on Radiofrequency Fields website GSMA Report: Mobile Communications and Health
GSMA Report: Arbitrary Radio Frequency Exposure Limits — Impact on 4G Network Deployment
GSMA Report: LTE Technology and Health
GSMA Report: Smart Meters: Compliance with Radio Frequency Exposure Standards
GSMA Report: 5G, the Internet of Things (IoT) and Wearable Devices GSMA Mobile and Health — Independent Expert Review website
Mobile & Wireless Forum SAR Tick Programme website
ITU EMF Guide website

Deeper Dive

A Global Look at Mobile Network Exposure Limits

The World Health Organization (WHO) endorses the guidelines of the International Commission for Non-Ionizing Radiation Protection (ICNIRP) and encourages countries to adopt them. While many countries have adopted this recommendation, some have chosen to adopt other limits or additional measures regarding the siting of base stations.

This map shows the approach to radio frequency (RF) exposure limits countries have adopted for mobile communication antenna sites. Much of the world follows the ICNIRP 1998 guidelines or those of the US Federal Communications Commission.

In some cases (e.g., China and Russia) historical limits have not been updated to reflect more recent scientific knowledge. In other cases, RF limits applicable to mobile networks may be the result of arbitrary reductions, as a political response to public concern.

Excluding countries or territories with unknown limits, 126 apply ICNIRP, 11 follow the FCC limits from 1996, and 36 have other limits. Although the map uses only one colour for the ‘other’ category, there are many differences between these countries in the limit values and their application.

Health Authorities on the Science

A large number of studies have been performed over the last two decades to assess whether mobile phones pose a potential health risk. To date, no adverse health effects have been established as being caused by mobile phone use.
— WHO Fact Sheet 193, October 2014

The results of epidemiological studies in the period reviewed confirm that no higher risk of brain tumors is observed in cell phone users. This conclusion coincides with those of other systematic reviews and risk assessments in the same period by agencies and competent international committees in the evaluation of the effects of electromagnetic fields on health.
— Scientific Advisory Committee on Radiofrequency and Health — CCARS (Spain), 2017

Whether mobile phone use causes brain tumours or not was mainly addressed using time trends studies in the last two years. The results were not entirely consistent but mainly point towards a lack of association. Whereas these time series studies do not suffer from recall and selection bias, which is of concern for case-control studies, they are vulnerable to secular time trends. Changes in coding praxis or improved diagnostic tools and thus better detection rate may produce an apparent increase or a decrease in the incidence of brain tumours or specific subtypes. The few indications of changing incidence are thus rather attributed to such methodological limitations than actual changes in risk.
— Swedish Radiation Safety Authority, 2018

Advanced Antenna Technologies

Many of the antennae used for 5G will look similar to those in use today. Advanced antenna technologies, such as beam-forming, require the use of arrays of antennae to optimise the delivery of the wanted radio signal to connected mobile devices.

As shown above, a conventional base station antenna transmits a radio signal to a wide area regardless of how many users are connected. Advanced beam forming antennae transmit radio signals only to connected users, reducing unwanted exposure.
Beamforming involves combining the signal from multiple antennae to improve performance. However, operation at higher frequencies means that while some could be larger, the size of many of the antennae is expected to be similar to that of existing installations.

CP_Elect_Fields_Health_img

eWaste

Background

Electronic waste — also known as e-waste or waste electrical and electronic equipment (WEEE) — is a type of waste generated when devices related to the Information and Communications Technology (ICT) industry reach the end of their life. Parts and materials that make up e-waste usually contain precious or high-value metals that can be recycled at the end of a device’s useful life. However, they can also contain hazardous materials that must be treated responsibly and in compliance with environmental legislation. Some used electronic equipment may be suitable for re-use, perhaps after repair and refurbishment.

As part of the ICT sector, mobile operators generate e-waste during periods of technological renewal and also through the normal supply of products (such as routers, mobile phones and tablets) to customers.
Mobile operators around the world have developed WEEE management programmes both as compliance measures to conform to current legislation, and also in their desire to meet their own sustainability and corporate social responsibility goals.

However, in some regions, such as Latin America, there are limited legal frameworks specifically covering e-waste management. Unfortunately, this also means there is a lack of clarity around the concept of extended producer responsibility (EPR).

Usually, EPR rules firmly establish the roles and responsibilities of producers, importers and distributors for equipment in the e-waste chain. The absence of clear rules means operators in Latin America are finding it difficult to manage the e-waste generated through their operations. In some cases, they have even had to take on 100 per cent of the operational and financial responsibility for the management of their customers’ e-waste, whereas in most other regions the responsibility is shared among a range of parties including equipment manufacturers, importers and distributors.

In addition, operators have faced other challenges such as a dearth of qualified e-waste managers in some countries, the high costs of e-waste transport and storage, and restrictions (from the Basel Convention) on the export of equipment to countries where it could be treated appropriately.

Debate

How should the responsibility for processing e-waste be shared out among a range of industry parties, including operators, equipment manufacturers, importers and distributors?
How is it possible to distinguish between e-waste and used electronic equipment destined for re-use?

Industry Position

The effective management of WEEE at a country and company level must be based on specific regulatory frameworks that recognise the environmental risks that e-waste presents and also the potential for efficient resource recovery. This is to ensure there is no ambiguity among the various parties who are responsible for e-waste management as to how they must act in order to conform to the agreed guidelines.

Mobile operators have long recognised the importance of WEEE management.

This is why, in regions such as Latin America, they have actively sought to draw attention to loopholes in the legal system and communicate the challenges they have faced during the development of their WEEE management programmes. Moreover, they continue to look for ways to collaborate with the environmental authorities in order to define effective legal frameworks that promote environmentally responsible WEEE management.

With this in mind, they have come up with a number of proposals for regions where there is currently a lack of robust legal frameworks in place:

Environmental and telecommunications authorities should work together to design, promote and implement policies, standards, laws, regulations and programmes for responsible WEEE management.

Guidelines that recognise the principle of EPR should be created by relevant environmental authorities and developed into legal frameworks for e-waste management.

WEEE management programmes should include measures to promote recycling in order to extend the lifespan of devices and material recovery. These need to explain the importance of these processes for the re-use of materials, so they can in turn increase the economic value of devices collected for re-use or recycling.

Governments, manufacturers, importers, distributors and WEEE management companies should work together to create e-waste awareness campaigns aimed at the general public. These campaigns will help create a culture of WEEE recycling, foster buy-in across all sectors of society and drive improved results when all the parties involved begin implementing WEEE management campaigns.

Resources

GSMA & United Nations University Report: eWaste in Latin America — Statistical Analysis and Policy Recommendations
GSMA, IDB & South Pole Report: Technology for Climate Action in Latin America Step Initiative website
United Nations University, International Telecommunication Union & International Solid Waste Association Report: The Global E-waste Monitor 2017 Quantities, Flows, and Resources

Illegal Content

Background

Today, mobile networks not only offer traditional voice and messaging services, but also provide access to virtually all forms of digital content via the internet. In this respect, mobile operators offer the same service as any other internet service provider (ISP). This means mobile networks are inevitably used, by some, to access illegal content, ranging from pirated material that infringes intellectual property rights (IPR) to racist content or child sexual abuse material (child pornography).

Laws regarding illegal content vary considerably. Some content, such as child sexual abuse material, is considered illegal around the world, while other content, such as dialogue that calls for political reform, is illegal in some countries while being protected by ‘freedom of speech’ rights in others.

Communications service providers, including mobile network operators and ISPs, are not usually liable for illegal content on their networks and services, provided they are not aware of its presence and follow certain rules (e.g., ‘notice and takedown’ processes to remove or disable access to the illegal content as soon as they are notified of its existence by the appropriate legal authority).

Mobile operators are typically alerted to illegal content by national hotline organisations or law-enforcement agencies. When content is reported, operators follow procedures according to the relevant data protection, privacy and disclosure legislation. In the case of child sexual abuse content, mobile operators use terms and conditions, notice and takedown processes and reporting mechanisms to keep their services free of this material.

Debate

  • Should all types of illegal content — from IPR infringements to child sexual abuse content — be subject to the same reporting and removal processes?
    What responsibilities should fall to governments, law enforcement or industry in the policing and removal of illegal content?
    Should access to illegal content on the internet be blocked by ISPs and mobile operators?

Industry Position

The mobile industry is committed to working with law enforcement agencies and appropriate authorities, and to having robust processes in place that enable the swift removal or disabling of confirmed instances of illegal content hosted on their services.

ISPs, including mobile operators, are not qualified to decide what is and is not illegal content, the scope of which is wide and varies between countries. As such, they should not be expected to monitor and judge third-party material, whether it is hosted on, or accessed through, their own network.

National governments decide what constitutes illegal content in their country; they should be open and transparent about which content is illegal before handing enforcement responsibility to hotlines, law-enforcement agencies and industry.

The mobile industry condemns the misuse of its services for sharing child sexual abuse content. The GSMA’s Mobile Alliance Against Child Sexual Abuse Content provides leadership in this area and works proactively to combat the misuse of mobile networks and services by criminals seeking to access or share child sexual abuse content.

Regarding copyright infringement and piracy, the mobile industry recognises the importance of proper compensation for rights holders and prevention of unauthorised distribution.

Resources

GSMA Reference Document: Mobile Alliance Against Child Sexual Abuse Content
Interpol Crimes Against Children website
International Centre for Missing & Exploited Children: Model Legislation & Global Review INHOPE website
GSMA and UNICEF: Notice and Takedown — Company Policies and Practices to Remove Online Child Sexual Abuse Material
GSMA Guide: Hotlines — Responding to Reports of Illegal Online Content
GSMA and Child Helpline International: Internet Safety Guides (see, in particular, Grooming, Illegal Content, Sexual Extortion of Children)
WePROTECT Global Alliance Model National Response

Deeper Dive

Mobile Alliance Against Child Sexual Abuse Content

The Mobile Alliance Against Child Sexual Abuse Content was founded by an international group of mobile operators within the GSMA to work collectively on obstructing the use of the mobile environment by individuals or organisations wishing to consume or profit from child sexual abuse content.

Alliance members have made the commitment to:

⦁ Implement technical mechanisms to restrict access to websites or URLs identified by an appropriate, internationally recognised agency as hosting child sexual abuse content.
⦁ Implement ‘notice and take-down’ processes to enable the removal of any child sexual abuse content posted on their own services.
⦁ Support and promote hotlines or other mechanisms for customers to report child sexual abuse content discovered on the internet or on mobile content services.

Through a combination of technical measures, cooperation and information sharing, the Mobile Alliance is working to stem, and ultimately reverse, the growth of online child sexual abuse content around the world.

The Mobile Alliance also contributes to wider efforts to eradicate online child sexual abuse content by publishing guidance and toolkits for the benefit of the whole mobile industry. For example, it has produced a guide to establishing and managing a hotline in collaboration with INHOPE, the umbrella organisation for hotlines, and a guide to implementing notice and take-down processes with UNICEF.

In the 10 years that have passed since the founding of the Mobile Alliance, changes to the digital ecosystem — including the increase in online interactivity and user-generated content — have altered the nature of online child sexual exploitation and abuse. For example, hotlines are increasingly seeing self-generated content (also known as ‘sexting’) being shared online. Child helplines are receiving calls from children related to ‘sexual extortion’. This is where a young person is blackmailed by an offender using self-produced sexual images or videos of the young person to make further sexual or financial demands. GSMA and the Mobile Alliance members continue to work with their external partners to monitor emerging issues and seek additional ways to contribute to the wider efforts to address them. For example, they are collaboratively developing guidance for child helpline counsellors on internet safety issues (including illegal content and sexual extortion) and members are running internet safety consumer education and awareness campaigns on an ongoing basis

Mobile Alliance Procedures To Stop Child Sexual Abuse Content

CP_Illegal_Content_img

Internet Governance

Background

Internet governance involves a wide array of activities related to the policy and procedures of the management of the internet. It encompasses legal and regulatory issues such as privacy, cybercrime, intellectual property rights and spam. It is also, for example, concerned with technical issues related to network management and standards and economic issues such as taxation and internet interconnection arrangements.

Because mobile industry growth is tied to the evolution of internet-enabled services and devices, decisions about the use, management and regulation of the internet will affect mobile service providers and other industry players and their customers.

Internet governance requires input from diverse stakeholders, relating to their interests and expertise in technical engineering, resource management, standards and policy issues, among others. Interested and relevant stakeholders will vary from issue to issue.

Debate

Who ‘owns’ the internet?
Should certain countries or organisations be allowed to have greater decision-making powers than others?
How should a multi-stakeholder model be applied to internet governance?

Industry Position

The multi-stakeholder model for internet governance and decision making should be preserved and allowed to evolve.

Internet governance should not be managed through a single institution or mechanism, but be able to address a wide range of issues and challenges relevant to different stakeholders more flexibly than traditional government and intergovernmental mechanisms.

The internet should be secure, stable, trustworthy and interoperable, and no single institution or organisation can or should manage it.

Collaborative, diverse and inclusive models of internet governance decision-making are requisite to participation by the appropriate stakeholders.

The decentralised development of the internet should continue, without being controlled by any particular business model or regulatory approach.

Some questions warrant a different approach at the local, national, regional or global level. An effective and efficient multi-stakeholder model ensures that the stakeholders, within their respective roles, can participate in the consensus-building process for any specific issue.

Technical aspects related to the management and development of internet networks and architecture should be addressed through standards bodies, the Internet Engineering Task Force (IETF), the Internet Architecture Board (IAB) and other forums.

Economic and transactional issues such as internet interconnection charges are best left to commercial negotiation, consistent with commercial law and regulatory regimes.

Resources

The Internet Governance Forum website
World Summit on the Information Society WSIS+10 website
The Internet Society Internet Governance website
UNESCO Internet Governance website

Global internet governance must be transparent and inclusive, ensuring full participation of governments, civil society, private sector and international organisations, so that the potential of the internet as a powerful tool for economic and social development can be fulfilled.
— Joint press release from the governments of the USA and Brazil, June 2015

Mandated Government Access

Background

Mobile network operators are often subject to a range of laws and/or licence conditions that require them to support law enforcement and security activities in countries where they operate. These requirements vary from country to country and have an impact on the privacy of mobile customers.

Where they exist, such laws and licence conditions typically require operators to retain data about their customers’ mobile service use and disclose it, including customers’ personal data, to law enforcement and national security agencies on lawful demand. They may also require operators to have the ability to intercept customer communications following lawful demand.

Such laws provide a framework for the operation of law enforcement and security service surveillance and guide mobile operators in their mandatory liaison with these services.
However, in some countries, there is a lack of clarity in the legal framework to regulate the disclosure of data or lawful interception of customer communications.

This creates challenges for industry in protecting the privacy of its customers’ information and their communications.

Legislation often lags behind technological developments. For example, it may be the case that obligations apply only to established telecommunications operators but not to more recent market entrants, such as those providing internet-based services, including Voice over IP (VoIP), video or instant messaging.

In response to public debate concerning the extent of government access to mobile subscriber data, a number of major telecommunications providers (such as AT&T, Deutsche Telekom, Orange, Rogers, SaskTel, Sprint, T-Mobile, TekSavvy, TeliaSonera, Telstra, Telus, Verizon, Vodafone and Wind Mobile) as well as internet companies (such as Apple, Amazon, Dropbox, Facebook, Google, LinkedIn, Microsoft, Pinterest, Snapchat, Tumblr, Twitter and Yahoo!) publish ‘transparency reports’, which provide statistics relating to government requests for disclosure of such data.

Debate

What is the correct legal framework to achieve a balance between a government’s obligation to ensure its law-enforcement and security agencies can protect citizens, and the rights of those citizens to privacy?

Should all providers of communication services be subject to the same interception, retention and disclosure laws on a technology neutral basis?

Would further transparency about the number and nature of the requests that governments make assist the debate, improve government accountability and bolster consumer confidence?

Industry Position

Governments should ensure they have a proportionate legal framework that clearly specifies the surveillance powers available to national law enforcement and security agencies.

Any interference with the right to privacy of telecommunications customers must be in accordance with the law.

The retention and disclosure of data and the interception of communications for law enforcement or security purposes should take place only under a clear legal framework and using the proper process and authorisation specified by that framework.

There should be a legal process available to telecommunications providers to challenge requests which they believe to be outside the scope of the relevant laws.

The framework should be transparent, proportionate, justified and compatible with human rights principles, including obligations under applicable international human rights conventions, such as the International Convention on Civil and Political Rights.

Given the expanding range of communications services, the legal framework should be technology neutral.

Governments should provide appropriate limitations of liability or indemnify telecommunications providers against legal claims brought in respect of compliance with requests and obligations for the retention, disclosure and interception of communications and data.

The costs of complying with all laws covering the interception of communications and the retention and disclosure of data should be borne by governments. Such costs and the basis for their calculation should be agreed in advance.

The GSMA and its members are supportive of initiatives that seek to increase government transparency and the publication by government of statistics related to requests for access to customer data.

Resources

United Nations General Assembly Report: Guiding Principles on Business and Human Rights — Implementing the United Nations “Protect, Respect and Remedy” Framework Sixth Form Law — Malone v. The United Kingdom website
High Court Judgement: Data Retention and Investigatory Powers Act 2014 (“DRIPA”)
UK Investigatory Powers Review Report: A Question of Trust
Office of the Privacy Commissioner of Canada website

Deeper Dive

Trending Towards Transparency

There is an important global public debate about the scope, necessity and legitimacy of the legal powers that government authorities use to access the communications of private individuals. ICT firms are increasingly reporting the demands of governments for communications data where it is legal to do so. These reports have revealed the degree to which government intelligence and law enforcement agencies rely on such information.
Many of the largest communications and internet content providers (including AT&T, Deutsche Telekom, Telenor, Verizon, Vodafone, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo!) publish periodic transparency reports.

Typically, these reports include how many of these requests resulted in the disclosure of customer information. They reveal the frequency of such requests and also some detail about the kind of information accessed. This can include customer account information, the interception of communications and metadata, which can reveal an individual’s location, interests or relationships. Mobile operators often have no option but to comply with such requests, but they are increasingly pressing for greater transparency about the nature and scale of government access.

Questions have also arisen as to the role that telecommunications network and service providers play in relation to such access. For example, misunderstandings can arise about the level to which mobile network operators have the technical capacity to intercept communications. Intercepting standard phone calls or SMS messages to and from specific users is technically possible and lawful interception requirements and capabilities have been described in the global mobile standards for decades.

However, communications between users using an internet-based platform, known as an over-the-top (OTT) service, is generally beyond the reach of mobile network operators. OTT messaging applications are usually encrypted, with messages not stored by the mobile network operators nor decryption keys made available to them. So operators can neither access or provide messages’ content, even on receipt of lawful requests. Both internet companies and mobile network operators may find themselves in a difficult position — bound to meet their obligations to provide lawful access, while assuring their customers that they protect private user information.

To further support their commitment to transparency, some operators have joined forces with internet companies and other stakeholders in initiatives such as the Global Network Initiative (GNI). The GNI brings together telecommunications operators, major internet companies, leading academics, civil society organisations, and investors to advance privacy and freedom of expression in the information and communications technology (ICT) sector. In March 2017, seven operators — Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company and Vodafone — joined an expanded GNI after having previously promoted transparency through the Telecommunications Industry Dialogue. These companies committed to the GNI Principles on Freedom of Expression and Privacy, which provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of these human rights globally.

Civil society organisations have contributed to the advancement of these issues by trying to provide trustworthy measures of transparency. Ranking Digital Rights (RDR) publishes an annual report on telecoms and internet companies disclosed commitments, policies and practices that affect users’ privacy and freedom of expression. The RDR calls for governments to allow encryption and publish their own transparency reports, to make it clear what information they demanded from companies and why.

The debate can be heated on both sides — those who argue that law enforcement agencies require broad access in order to fight crime versus those who challenge the government’s level of inquiry into private lives and strive to maintain citizens’ rights to privacy in the digital age. GSMA members maintain that transparency reporting brings valid information to the public and policymakers, raising key questions about the balance between government access and privacy.

Case Study

National Regulatory Approaches to Government Access

Increasingly, as witnessed in the UK, France, Germany and Australia, laws are being proposed that would require service providers to capture and retain communications data and grant the government systematic access to this information.

In the UK, communications service providers are required to separately retain a range of account and communications data and must ensure the data can be disclosed in a timely manner to UK law enforcement agencies, the security services and a number of prescribed public authorities under the UK Regulation of Investigatory Powers Act (RIPA). Prescribed authorities can also seek a warrant from the Secretary of State to intercept communications.The two main objectives of RIPA are to regulate the investigatory powers of the state and to set the legitimate expectations for citizens’ privacy. As RIPA is subject to oversight by the Surveillance Commissioner and the Interception Commissioner, citizens can seek redress for alleged unlawful access to their data or communications, and service providers operating in the UK can raise concerns about the validity of requests.

In April 2014, the European Court of Justice ruled that the EU Data Retention Directive is ‘invalid’ as it violated two basic rights — respect for private life and protection of personal data. The European Commission has emphasised that the decision of whether to introduce national data-retention laws is a national decision and consequently, the UK and a number of other countries in the European Union are reviewing their data-retention laws, which required communications service providers to store communications data for up to two years.

Meanwhile, in May 2015, the German government outlined plans for a new data-retention law which would require telecoms companies to retain ‘traffic data’ relevant to communications and hand them over (under certain conditions) to Germany’s law enforcement and security agencies. Germany’s privacy campaigners questioned whether the plans were constitutional adding that, in their opinion, the German government had not sufficiently outlined why the retention of the data is necessary.

In July 2015, the French Parliament approved a bill that allows intelligence agencies to tap phones and emails without seeking permission from a judge. The new law requires communications providers and internet service providers to hand over customers’ data upon request, if the relevant customers are linked to a ‘terrorist’ inquiry. Protesters from civil liberties groups claimed the bill would legalise intrusive surveillance methods without guarantees for individual freedom and privacy.

Australia’s new Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires telecommunication service providers to retain for two years certain telecommunications metadata prescribed by regulations. This two-year retention period equals the maximum allowed under the EU’s earlier Data Retention Directive which the EU’s Court of Justice ruled as invalid.

Mandated Service Restriction Orders

Background

In a number of countries, customers of prepaid or pay-as-you-go services can anonymously activate their subscriber identity module (SIM) card by simply purchasing credit, as formal user registration is not required. Around 150 governments around the world 1 have mandated prepaid SIM registration citing a perceived, but unproven, link between the introduction of such policies and the reduction of criminal and anti-social behaviour. Mandated prepaid SIM registration is most prevalent in Africa, where 90 per cent of UN-recognised states have such laws.

Some governments — including the Czech Republic, the United Kingdom and the United States — have decided against mandating registration of prepaid SIM users, concluding that the potential loopholes and implementation challenges outweigh the merits.

SIM registration can, however, allow many consumers to access value-added mobile and digital services that would not otherwise be available to them as unregistered users, including identity-linked services such as mobile money, e-health and e-government services.

For a SIM registration policy to lead to positive outcomes for consumers, it must be implemented in a pragmatic way that takes into account local market circumstances, such as the ability of mobile operators to verify customers’ identity documents. If the registration requirements are disproportionate to consumers’ ability to meet them in a specific market, mandating this policy may lead to implementation challenges and unforeseen consequences. For example, it could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required identity documents. It might also lead to the emergence of a black market for fraudulently registered or stolen SIM cards, based on the desire by some mobile users, including criminals, to remain anonymous.

Debate

To what extent do the benefits of mandatory prepaid SIM registration outweigh the costs and risks?
What factors should governments consider before mandating such a policy?

Industry Position

The GSMA discourages the use of SROs. Governments should only resort to SROs in exceptional and pre-defined circumstances, and only if absolutely necessary and proportionate to achieve a specified and legitimate aim that is consistent with internationally recognised human rights and relevant laws.

In order to aid transparency, governments should only issue SROs to operators in writing, citing the legal basis and with a clear audit trail to the person authorising the order. They should inform citizens that the service restriction has been ordered by the government and has been approved by a judicial or other authority in accordance with administrative procedures laid down in law. They should allow operators to investigate the impacts on their networks and customers and to communicate freely with their customers about the order. If it would undermine national security to do so at the time when the service is restricted, citizens should be informed as soon as possible after the event.

Governments should seek to avoid or mitigate the potentially harmful effects of SROs by minimising the number of demands, the geographic scope, the number of potentially affected individuals and businesses, the functional scope and the duration of the restriction.

For example, rather than block an entire network or social media platform, it may be possible for the SRO to target particular content or users. In any event, the SRO should always specify an end date. Independent oversight mechanisms should be established to ensure these principles are observed.

Operators can play an important role by raising awareness among government officials of the potential impact of SROs. They can also be prepared to work swiftly and efficiently to determine the legitimacy of the SRO once it has been received. This will help establish whether it has been approved by a judicial authority, whether it is valid and binding and whether there is opportunity for appeal, working with the government to limit the scope and impact of the order. Procedures can include guidance on how local personnel are to deal with SROs and the use of standardised forms to quickly assess and escalate SROs to senior company representatives.

All decisions should first and foremost be made with the safety and security of the operators’ customers, networks and staff in mind, and with the aim of being able to restore services as quickly as possible.

Resources

Australian government draft guidelines on website blocking 
Global Network Initiative and the Telecommunications Industry Dialogue Joint Statement: Service Restrictions
Telia Company form for assessment and escalation of SROs

Mandatory Registration of Prepaid SIMs

Background

In a number of countries, customers of prepaid or pay-as-you-go services can anonymously activate their subscriber identity module (SIM) card by simply purchasing credit, as formal user registration is not required. Around 150 governments around the world1 have mandated prepaid SIM registration citing a perceived, but unproven, link between the introduction of such policies and the reduction of criminal and anti-social behaviour. Mandated prepaid SIM registration is most prevalent in Africa, where 90 per cent of UN-recognised states have such laws.

Some governments — including the Czech Republic, the United Kingdom and the United States — have decided against mandating registration of prepaid SIM users, concluding that the potential loopholes and implementation challenges outweigh the merits.

SIM registration can, however, allow many consumers to access value-added mobile and digital services that would not otherwise be available to them as unregistered users, including identity-linked services such as mobile money, e-health and e-government services.

For a SIM registration policy to lead to positive outcomes for consumers, it must be implemented in a pragmatic way that takes into account local market circumstances, such as the ability of mobile operators to verify customers’ identity documents. If the registration requirements are disproportionate to consumers’ ability to meet them in a specific market, mandating this policy may lead to implementation challenges and unforeseen consequences. For example, it could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required identity documents. It might also lead to the emergence of a black market for fraudulently registered or stolen SIM cards, based on the desire by some mobile users, including criminals, to remain anonymous.

Debate

To what extent do the benefits of mandatory prepaid SIM registration outweigh the costs and risks?
What factors should governments consider before mandating such a policy?

Industry Position

While registration of prepaid SIM card users can deliver valuable benefits to citizens, governments should not mandate it.

To date, there has been no empirical evidence that mandatory SIM registration directly leads to a reduction in crime. Where a decision to mandate the registration of prepaid SIM users has been made, we recommend that governments take into account global best practices and allow registration mechanisms that are flexible, proportionate and relevant to the specific market, including the level of official ID penetration in that market and the timing of any national identity roll-out plans.

If these conditions are met, the SIM registration exercise is more likely to be effective and lead to more accurate customer databases. Furthermore, a robust customer verification and authentication system can enable mobile operators to facilitate the creation of digital identity solutions, empowering customers to access a variety of mobile and non-mobile services.

We urge governments who are considering the introduction or revision of mandatory SIM-registration to take the following steps prior to finalising their plans:

  • Consult, collaborate and communicate with mobile operators before, during and after the implementation exercise.
  • Balance national security demands against the protection of citizens’ rights, particularly where governments mandate SIM registration for security reasons.
  • Set realistic timescales for designing, testing and implementing registration processes.
  • Provide certainty and clarity on registration requirements before any implementation.
  • Allow and/or encourage the storage of electronic records and design registration processes that are administratively ‘light’.
  • Allow and/or encourage the SIM-registered customer to access other value-added mobile and digital services.
  • Support mobile operators in the implementation of SIM-registration programmes by contributing to joint communication activities and to their operational costs.

1. GSMA Report: Access to Mobile and Proof of Identity.

Resources

GSMA report: Mandatory registration of prepaid SIM cards — Addressing challenges through best practice
GSMA White Paper: Mandatory Registration of Prepaid SIM Card Users
GSMA Report: Regulatory and Policy Trends Impacting Digital Identity and the Role of Mobile
GSMA-World Bank Green Paper: Digital Identity — Towards Shared Principles for Public and Private Sector Cooperation
London School of Economics Academic Paper: The Rise of African SIM Registration — Mobility, Identity, Surveillance & Resistance
 GSMA Mobile Connect website
Simon Fraser University Academic Paper: Privacy Rights and Prepaid Communication Services

Mobile Devices: Counterfeit

Background

A counterfeit mobile device explicitly infringes the trademark or design of an original or authentic ‘branded' product, even where there are slight variations to the established brand name.

Due to their illicit nature, these mobile devices are typically shipped and sold on black markets globally, by organised criminal networks. As a result, there is limited awareness among consumers and governments about the true scale and impact of counterfeit mobile devices.

It is estimated that almost one in five mobile devices may be counterfeit.1  This has negative effects for consumers who risk lower quality, safety, security, environmental health and privacy assurances. It also impacts governments who forego tax and duties and must contend with increased crime. Industry players are also affected, as it can harm their trademarks and brands.

Some countries are considering the implementation of national white lists to combat counterfeit, smuggled and non-homologated devices. The purpose of white lists is to indicate which devices are permitted access to the networks. Operators implement device blocking capabilities on their local networks and connect with the national white list to ensure permitted devices are allowed network access.

However, counterfeit mobile devices are not easy to identify and block, given that many have IMEIs that appear legitimate. It is now commonplace for counterfeiters to hijack IMEI number ranges allocated to legitimate device manufacturers for use in their products and this makes it more difficult to differentiate between authentic and counterfeit products.

Debate

How can governments and other stakeholders best address the issue of counterfeit mobile devices?
How can anti-counterfeit measures be framed to also consider consumers who have unwittingly purchased counterfeit devices?

Resources

IMEI Services provided by the GSMA
GSMA Device Check Platform
OECD Report: Trade in Counterfeit ICT Goods
The WCO Tool in the Fight Against Counterfeiting website

Industry Position

The mobile industry supports the need for legal and product integrity in the device market and is increasingly concerned about the negative impact of counterfeit devices on consumer welfare and society in general.

Although mobile operators and legitimate vendors cannot stop the production and distribution of counterfeit devices, multi-stakeholder collaboration can help combat the issue at the source. In particular, national law enforcement and customs agencies should take measures to stop the production and exportation of counterfeit devices in their jurisdictions. It is essential that information on crime patterns and specific criminal activity relating to counterfeit devices is provided by national agencies to appropriate international bodies, such as Interpol and the World Customs Organization, to facilitate action in other jurisdictions by the relevant agencies.
GSMA has made its IMEI database available to the World Customs Organization to establish a global security gateway where customs officers can verify the authenticity of mobile device identities online. National customs agencies are advised to systematically make use of this facility as part of a rigorous set of measures to monitor the importation of mobile devices. The database is made available to national customs agencies directly.

The GSMA encourages operators to deploy systems like Equipment Identity Registers (EIR) and to connect to the GSMA’s IMEI Database. Using the GSMA’s global Type Allocation Code (TAC) list of all legitimate device identity number ranges, operators can block devices with invalid IMEIs.

National authorities should study which factors, such as import duties and taxation levels, contribute to the local demand for counterfeit devices. The potential of reduced tax levels to narrow the gap between the cost of counterfeit/smuggled and legitimate devices should be carefully considered with a view to making the black market a less lucrative place in which to trade.

Some countries are considering the implementation of national white lists to combat counterfeit, smuggled and non-homologated devices. White lists can be successful if they are linked with the GSMA TAC list for verification of the legitimate TAC/IMEI holders. If national import verification systems and national device homologation systems exist these should also be linked to the national white list. Some implementations propose that customers register their details and devices centrally. GSMA is opposed to central customer registrations since they are unnecessary — the subscriber identities associated with each device can be established by the network operators without the need for consumer action.

Where national authorities are considering introducing a white list system and the pursuant blocking of devices, they should consider offering an amnesty to existing consumers who have non-compliant devices, as the loss to consumers and the social, economic and security impact on the country of the immediate blocking of huge quantities of devices is significant. In addition, it is recommended that the funding model for such systems should not place a burden on the end users (i.e., consumers and network operators) since they are not the cause of the underlying issue. White list systems should also not be applied to roamers who might be denied service without cause.

1. According to figures from OECD, 2017

Mobile Devices: Theft

Background

Policymakers in many countries are concerned about the incidence of mobile device theft, particularly when organised crime becomes involved in the bulk export of stolen devices to other markets.

For many years, the GSMA has led industry initiatives to block stolen mobile devices, based on a shared database of the unique identifiers of devices reported lost or stolen. Using the International Mobile Equipment Identifier (IMEI) of mobile devices, the GSMA maintains a central list — known as the GSMA Black List — of all devices reported lost or stolen by mobile network operators’ customers. The GSMA IMEI Database that hosts the GSMA blacklisting service is available to other network operators around the world to ensure those devices transported to other countries are also denied network access.

The efficient blocking of stolen devices on individual network Equipment Identity Registers (EIRs) depends on the secure implementation of the IMEI in all mobile devices. Leading device manufacturers have agreed to support a range of measures to strengthen IMEI security, and progress is monitored by the GSMA.

Debate

What can industry do to prevent mobile phone theft?
What are the policy implications of this rising trend?

Resources

GSMA & OAS Briefing Paper: Theft of Mobile Terminal Equipment
GSMA IMEI Database website
GSMA Reference Document: Anti-Theft Device Feature Requirements
GSMA Mobile Phone Theft - Consumer Advice
GSMA Mobile Device Theft website

Industry Position

The mobile industry has led numerous initiatives and made great strides in the global fight against mobile device theft.

Although the problem of device theft is not of the industry’s creation, the industry is part of the solution. When lost or stolen mobile devices are rendered useless, they have significantly reduced value, removing the incentive for thieves to target them.

The GSMA encourages its member operators to deploy EIRs on their networks to deny connectivity to any stolen device. Operators should connect to the GSMA IMEI Database and share their own network’s black list to ensure devices stolen from their customers can be blocked on any other networks that also connect to the database. These black list solutions have been in place on some networks for many years.

To better enable a range of stakeholders to combat device crime, GSMA provides services that allow eligible parties such as law enforcement, device traders and insurers to check the status of devices against the GSMA Black List.

IMEI blocking, when complimented with additional measures undertaken by, and in consultation with, a variety of stakeholders, can be the cornerstone of a highly effective anti-theft campaign.

Consumers that have had their devices stolen are particularly vulnerable to their personal data being used to commit a range of additional crimes. Industry, law enforcement agencies and regulators are recommended to provide anti-theft consumer education material on their websites reflecting the advice and measures appropriate to their market.

The concept of a ‘kill switch’ — a mechanism allowing mobile device users to remotely disable their stolen device — has received much attention. The GSMA supports device-based anti-theft features and has defined feature requirements that could lead to a global solution. These high-level requirements have set a benchmark for anti-theft functionality, while allowing the industry to innovate.

The deployment of persistent endpoint security solutions on mobile devices can also help render devices useless and unattractive to criminals by preventing those devices from working on non-mobile networks, such as Wi-Fi, where EIR blocking would otherwise be ineffective.

National authorities have a significant role to play in combatting this criminal activity. It is critical that they engage constructively with the industry to ensure the distribution of mobile devices through unauthorised channels is monitored and that action is taken against those involved in the theft or illegal distribution of stolen devices.

A coherent cross-border information sharing approach involving all relevant stakeholders increases the effectiveness of national measures. GSMA advocates the sharing of stolen device data internationally for blocking and status checking purposes and the GSMA IMEI Database facilitates this function. Only if regulation allows stolen device information to be shared across all countries will the deterrent have most impact.

Some national authorities have proposed national white lists or black lists with ongoing centralised customer registration requirements to combat device theft. These systems are unnecessary, as blacklisting systems are sufficient and less complex or expensive to implement and maintain.

In markets where a national white list or black list exists, lost and stolen device information can be exchanged between mobile network operators through the GSMA IMEI Database. Alternatively, if a national device blacklisting system is already in place, and is compliant with the GSMA’s requirements, it may be connected to the GSMA Black List.

Mobile Network and Device Security

Background

Security attacks threaten all forms of ICT, including mobile technologies. Consumer devices are targeted for a variety of reasons, from changing the IMEI number of a mobile phone to re-enable it after theft, through to data extraction or the use of malware to perform functions that have the potential to cause harm to users.

Mobile networks use encryption technologies to make it difficult for criminals to eavesdrop on calls or to intercept data traffic. Legal barriers to the deployment of cryptographic technologies have been reduced in recent years and this has allowed mobile technologies to incorporate stronger and better algorithms and protocols, which remain of significant interest to hackers and security researchers.

Recent years have seen a significant increase in interest in protocols such as SS7 and Diameter, which support interconnection between network operators to support mobile services. The GSMA has led a range of industry initiatives to ensure network operators are aware of the risks and the mitigation options open to them to protect their networks and their customers.

The GSMA's work and recommendations have been acknowledged by regulators around the world as being sufficient to eliminate the need for regulation.

The GSMA plays a key role in coordinating the industry response to security incidents and it has developed and launched a Coordinated Vulnerability Disclosure (CVD) programme. This allows the GSMA to work with a range of stakeholders, including its operator members, security researchers and industry suppliers, to ensure an appropriate response to threats that could affect services, networks or devices.

The GSMA's Warning Advice and Reporting Point (WARP) helps coordinate the mobile ecosystem worldwide, and provides crucial support around security challenges. Drawing on the collective knowledge of mobile operators, vendors and security professionals, WARP collects and disseminates information and advice on security incidents within the mobile community — in a trusted and anonymised way. Stakeholders from the mobile ecosystem are encouraged to join WARP to collectively address the critical security issues faced by the industry, its partners and its customers.

GSMA’s Fraud and Security Group acts as a centre of expertise to drive the industry’s management of fraud and security matters. The group seeks to maintain or increase the protection of mobile operator technology and infrastructure, and customer identity, security and privacy, so that the industry’s reputation stays strong and mobile operators remain trusted partners in the ecosystem.

Debate

How secure are mobile voice and data technologies and what is being done to mitigate the risks?
Do emerging technologies and services create new opportunities for criminals?
What will the 5G security landscape look like?

Industry Position

The protection and privacy of customer communications is at the forefront of operators’ concerns.

The protection and privacy of customer communications is at the forefront of operators’ concerns.

The mobile industry makes every reasonable effort to protect the privacy and integrity of customer and network communications. The barriers to compromising mobile security are high and research into possible vulnerabilities has generally been technically quite complex.

While no security technology is guaranteed to be unbreakable, practical attacks on mobile services are rare, as they tend to require considerable resources, including specialised equipment, computer processing power and a high level of technical expertise beyond the capability of most people.

Reports of eavesdropping are not uncommon, but such attacks have not taken place on a wide scale, and UMTS and LTE networks are considerably better protected against eavesdropping risks than GSM networks. Moreover, 5G technology boasts a host of new security capabilities that further enhance protection levels.

The GSMA supports global security standards for emerging services and acknowledges the role that SIM-based secure elements have played in protecting users and mobile services because the SIM card has proven itself to be resilient to attack. The Embedded Universal Integrated Circuit Card (UICC) approach that has been defined by GSMA, and is being rolled out by industry, inherits the best security properties from the SIM and is designed to build on the protection levels achieved in the past.

The GSMA constantly monitors the activities of hacker groups, as well as researchers, innovators and a range of industry stakeholders, to improve the security of communications networks. Our ability to learn and adapt can be seen in the security improvements implemented from one generation of mobile technology to the next.

Resources

GSMA Security Accreditation Scheme website
GSMA Security Advice for Mobile Phone Users website
GSMA Coordinated Vulnerability Disclosure website
GSMA Warning Advice and Reporting Point Website

Number Resource Misuse and Fraud

Background

Many countries have serious concerns about number-resource misuse, a practice whereby calls never reach the destination indicated by the international country code. Instead they are terminated prematurely, through carrier and/or content provider collusion, to revenue-generating content services without the knowledge of the ITU-T assigned number-range holder.

This abuse puts such calls outside any national regulatory controls on premium-rate and revenue-share call arrangements, and is a key contributing factor to International Revenue Share Fraud (IRSF) perpetrated against telephone networks and their customers. Perpetrators of IRSF are motivated to generate incoming traffic to their own services with no intention of paying the originating network for the calls. They then receive payment quickly, long before other parties within the settlement process.

Misuse also affects legitimate telephony traffic, as high-risk number ranges can be blocked as a side-effect.

Debate

How can regulators, number-range holders and other industry players collaborate to address this type of misuse and the resulting fraud?

Resources

ITU-T Misuse of an E.164 International Numbering Resource website

Facts and Figures

Top 10 Countries Whose Numbering Resources Are Being Abused

CP_Number_Res_Misuse_Fraud_img

Industry Position

Number-resource misuse has a significant economic impact for many countries, so multi-stakeholder collaboration is key.

The telecommunications fraud carried out as a consequence of number-resource misuse is one of the topics being addressed by the GSMA Fraud and Security Group, a global conduit for best practice with respect to fraud and security management for mobile network operators. The Fraud and Security Group’s main focus is to drive industry management of mobile fraud and security matters to protect operators and consumers, and safeguard the mobile industry’s trusted reputation.

The Fraud and Security Group supports European Union guidelines under which national regulators can instruct communications providers to withhold payment to downstream traffic partners in cases of suspected fraud and misuse.

The group believes that national regulators can help communications providers reduce the risk of number-resource misuse by enforcing stricter management of national numbering resources. Specifically, regulators can:

  • Ensure national numbering plans are easily available, accurate and comprehensive.
  • Implement stricter controls over the assignment of national number ranges to applicants and ensure the ranges are used for the purpose for which they have been assigned.
  • Implement stricter controls over leasing of number ranges by number-range assignees to third parties.

The Fraud and Security Group shares abused number ranges among its members and with other fraud-management industry bodies. It also works with leading international transit carriers to reduce the risk of fraud that arises as a result of number-resource misuse, and with law enforcement agencies to support criminal investigations in this area.

Best Practice

Recommended Operator Controls to Reduce Exposure to Fraud from Number-Resource Misuse

  • Implement controls at the point of subscriber acquisition and controls to prevent account takeover.
  • Remove the conference or multi-call facility from a mobile connection unless specifically requested, as fraudsters can use this feature to establish up to six simultaneous calls.
  • Remove the ability to call forward to international destinations, particularly to countries whose numbering plans are commonly misused.

  • Utilise the GSMA high-risk ranges list, so that unusual call patterns to known fraudulent destinations can raise alarms or be blocked.
  • Ensure roaming usage reports received from other networks are monitored 24x7, preferably through an automated system.
  • Ensure that up-to-date tariffs, particularly for premium numbers, are applied within roaming agreements.
  • Implement the Barring of International Calls Except to Home Country (BOIEXH) function for new or high-risk subscriptions.

Privacy

Background

Research shows that mobile customers are concerned about their privacy and want simple and clear choices for controlling how their private information is used. They also want to know they can trust companies with their data. A lack of trust can act as a barrier to growth in economies that are increasingly data driven.

One of the major challenges faced by the growth of the mobile internet is that the security and privacy of people’s personal information is regulated by a patchwork of geographically-bound privacy regulations, while the mobile internet service is, by definition, international. Furthermore, in many jurisdictions the regulations governing how customer data is collected, processed and stored vary considerably between market participants. For example, the rules governing how personal data is treated by mobile operators may be different to those governing how it can be used by internet players.

This misalignment between national privacy laws and global standard practices that have developed within the internet ecosystem makes it difficult for operators to provide customers with a consistent user experience. Equally, the misalignment may cause legal uncertainty for operators, which can deter investment and innovation. The inconsistent levels of protection also create risks that consumers might unwittingly provide easy access to their personal data, leaving them exposed to unwanted or undesirable outcomes such as identity theft and fraud.

Debate

How can policymakers help create a privacy framework that supports innovation in data use while balancing the need for privacy across borders, irrespective of the technology involved?
How is responsibility for ensuring privacy across borders best distributed across the mobile internet value chain?
What role does self-regulation play in a continually evolving technology environment?
What should be done to allow data to be used to support the social good and meet pressing public policy needs?

Industry Position

Currently, the wide range of services available through mobile devices offers varying degrees of privacy protection. To give customers confidence that their personal data is being properly protected — irrespective of service or device — a consistent level of protection must be provided.

Mobile operators believe that customer confidence and trust can only be fully achieved when users feel their privacy is appropriately protected.

The necessary safeguards should derive from a combination of internationally agreed approaches, national legislation and industry action. Governments should ensure legislation is technology neutral and that its rules are applied consistently to all players in the internet ecosystem.

Because of the high level of innovation in mobile services, legislation should focus on the overall risk to an individual’s privacy, rather than attempting to legislate for specific types of data. For example, legislation must deal with the risk to an individual arising from a range of different data types and contexts, rather than focusing on individual data types.

The mobile industry should ensure privacy risks are considered when designing new apps and services, and develop solutions that provide consumers with simple ways to understand their privacy choices and control their data.

The GSMA is committed to working with stakeholders from across the mobile industry to develop a consistent approach to privacy protection and promote trust in mobile services.

Resources

GSMA Mobile and Privacy website
GSMA Report: Safety, privacy and security across the mobile ecosystem
GSMA Report: Consumer Research Insights and Considerations for Policymakers
GSMA Report: Mobile Privacy Principles — Promoting a user-centric privacy framework for the mobile ecosystem
GSMA Report: Privacy Design Guidelines for Mobile Application Development
GSMA Report: Mobile Privacy and Big Data Analytics
GSMA Presentation: IoT Privacy by Design Decision Tree

Deeper Dive

Smart Privacy Practice and Regulation

A combination of smart data privacy practices and smart data privacy regulation is required to sustain consumers’ trust in the digital ecosystem that has evolved rapidly around them.

The GSMA has developed nine Mobile Privacy Principles as well as a range of resources to promote good practice. These resources include the GSMA’s Privacy Design Guidelines for Mobile Application Development, considerations that should be taken into account when engaging in Big Data analytics and a privacy-by-design decision tree for use in developing IoT products and services. They seek to strike a balance between protecting privacy and enabling organisations to achieve commercial, public policy and societal goals.

If organisations adopt comprehensive policies, processes and practices to protect the privacy of individuals — and can easily demonstrate these safeguards are effective — they will strengthen trust among consumers and regulators. Equally, if governments adopt smart data privacy rules, they can establish a regulatory environment that stimulates the digital economy while also unleashing its benefits for consumers and citizens.

While governments must ensure smart data privacy laws take account of citizen's privacy concerns, they must also recognise that these rules can have important consequence beyond the protection of privacy. As a result, when drafting these rules, governments must take into consideration how these laws sit within an economic and societal context.

Policymakers around the world have been studying the EU’s General Data Protection Regulation (GDPR) and other regional and national frameworks or laws to inform their own legislative proposals. Among the lessons learned are that smart data privacy rules are:

  • Horizontal, meaning they apply to all processing of personal data rather than focusing on just one technology or sector. This reduces the need for sectoral rules or operating licences that subject network operators to an additional set of competing privacy obligations.
  • Principles-based, allowing innovation to thrive without having to reinvent the rules every time new technologies or business methods are introduced.
  • Risk-based, encouraging companies to focus on preventing harm (for example, by setting a threshold for reporting of data breaches rather than mandating that all breaches are reported), or encouraging organisations to implement privacy-by-design and privacy impact assessment processes.
  • Based on the idea of accountability, holding companies to account, but allowing them to innovate and comply in a way that makes sense for their business and rewarding those that embed a culture of privacy in their organisations.
  • Open to data flows, allowing data to cross borders provided there are sufficient safeguards to protect an individual’s privacy (see the Cross-Border Flows of Data section in this handbook).

Best Practice

Mobile Privacy Principles

  • The GSMA has published a set of universal Mobile Privacy Principles, which describe how mobile consumers’ privacy should be respected and protected.
  • Openness, transparency and notice
    Responsible persons (e.g., application or service providers) shall be open and honest with users and will ensure users are provided with clear, prominent and timely information regarding their identity and data privacy practices.
  • Purpose and use
    The access, collection, sharing, disclosure and further use of personal information shall be limited to legitimate business purposes, such as providing applications or services as requested by users, or to otherwise meet legal obligations.
  • User choice and control
    Users shall be given opportunities to exercise meaningful choice and control over their personal information.

  • Respect user rights
    Users should be provided with information about, and an easy means to exercise, their rights over the use of their personal information.
  • Security
    Personal information must be protected, using reasonable safeguards appropriate to the sensitivity of the information.
  • Education
    Users should be provided with information about privacy and security issues and ways to manage and protect their privacy.
  • Children and adolescents
    An application or service that is directed at children and adolescents should ensure that the collection, access and use of personal information is appropriate in all given circumstances and is compatible with national law.
  • Data minimisation and retention
    Only the minimum personal information necessary to meet legitimate business purposes should be collected and otherwise accessed and used. Personal information must not be kept for longer than is necessary for those legitimate business purposes or to meet legal retention obligations.

Privacy and Big Data

Background

Increases in computing power and falling prices of information technology systems make it possible to process huge volumes of data, from a variety of sources and in a range of formats, at greater speed than ever before. As a result, it is now possible to analyse all of the data from one or more large datasets, rather than relying on smaller samples of data. Importantly, this allows meaningful insights to be drawn, where appropriate, from mere correlations in the data rather than having to identify causal connections. These capabilities are often referred to as Big Data analytics techniques.

At the same time, the Internet of Things (IoT) is equipping an ever-increasing number of devices with sensors that collect and communicate data.

Together, these capabilities represent a sea change in society’s ability not only to create new products and services, but also to solve some of the most pressing public policy needs of our time — from road management in congested and polluted urban areas to understanding and preventing the spread of diseases.

Mobile network operators (MNOs) will increasingly use the information they collect for Big Data initiatives. They have an important role to play as responsible stewards of that data and potentially as facilitators in a future marketplace for access to this type of data.

However, Big Data capabilities also give rise to questions about security and privacy and how these important concerns can be addressed.

Debate

How can MNOs and policymakers help society realise the benefits of Big Data analytics in a privacy protective manner and in compliance with applicable laws?
How can the GSMA further trust among stakeholders involved in the collection and analytics of data?

Resources

GSMA Report: Mobile Privacy and Big Data Analytics
GSMA Report: Mobile Privacy Principles — Promoting Consumer Privacy in the Mobile Ecosystem
GSMA Privacy Design Guidelines for Mobile Applications website
OECD Data-driven Innovation for Growth and Well-being website
FTC Report: Big Data — A Tool for Inclusion or Exclusion?

Industry Position

The mobile industry recognises the societal benefits that can result from Big Data and wants to unlock the huge potential of Big Data analytics in a way that respects well-established privacy principles and fosters an environment of trust.

New laws are not necessary to address Big Data analytics and the IoT. Rather, MNOs recognise that existing privacy principles apply in these areas. Rules that restrict the legitimate use of data or metadata should be qualified and proportional to the risk of privacy harm that consumers might suffer if their data is misused. These rules should also be applied consistently across different industry sectors and types of technology.

MNOs are well-placed to understand the potential risks to individuals and groups from Big Data analytics and can implement measures to avoid or mitigate those risks.

New insights derived from the data will often give rise to new uses — or ‘purposes of processing’ — that had not been considered or identified when the data was initially collected. Accordingly, privacy frameworks must recognise this potential and make such uses possible.

MNOs can address these types of challenges and increase trust between industry stakeholders and consumers by:

Building on previous privacy initiatives, such as the GSMA Mobile Privacy Principles and the Privacy Design Guidelines for Mobile Application Development.

Finding innovative ways to provide meaningful choice, control and transparency to individuals about what data is collected and how it is used. For example, this could be addressed through user-friendly dashboards or signals from IoT devices that are easily discoverable by smartphones.

Thinking carefully about the impact on individuals (and groups) of the insights derived from Big Data and the actions or decisions that may be taken based on those insights.

Reducing the risk of re-identification of individuals after data has been processed where this may raise privacy concerns.

Establishing clarity on responsibilities between parties when collaborating on Big Data analytics projects.

Incorporating ethical decision-making into governance models.

Equally, governments can ensure their country and citizens gain the most benefit from the potential of Big Data by:

  • Understanding how Big Data analytics works and the context in which it takes place.
  •  Accommodating innovative approaches to transparency and consent.
  • Developing and adopting practical industry guidelines and self-regulatory measures that seek to harness, rather than hinder, Big Data analytics.

Signal Inhibitors

Background

Signal inhibitors, also known as jammers, are devices that generate interference or otherwise intentionally disrupt communication services. In the case of mobile services, they interfere with the communication between the mobile terminal and the base station. Their use by private individuals is banned in countries such as Australia, the United Kingdom and the United States.

In some regions, such as Latin America, signal inhibitors are used to prevent the illegal use of mobile phones in specific locations, such as prisons. However, blocking the signal does not address the root cause of the problem — wireless devices illegally ending up in the hands of inmates who then use them for illegal purposes.

Moreover, signal inhibitors don’t prevent mobile devices from connecting to Wi-Fi networks, as they don’t affect the frequency bands used by Wi-Fi routers. As a result, signal inhibitors don’t block people from using over-the-top voice applications to make calls to phone networks.

Mobile network operators invest heavily to provide coverage and capacity through the installation of radio base stations. However, the indiscriminate use of signal inhibitors compromises these investments by causing extensive disruption to the operation of mobile networks, reducing coverage and leading to the deterioration of service for consumers.

Debate

Should governments or private organisations be allowed to use signal inhibitors that interfere with the provision of mobile voice and data services to consumers?
Should the marketing and sale of signal inhibitors to private individuals and organisations be prohibited?

Resources

GSMA Public Policy Position: Signal Inhibitors in Latin America
GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem
GSMA Report: Signal-Blocking Solutions — Use of Jammers in Prisons

Industry Position

In some Latin American countries, such as Colombia, El Salvador, Guatemala and Honduras, governments are promoting the deployment of signal inhibitors to limit the use of mobile services in prisons. The GSMA and its members are committed to working with governments to use technology as an aid for keeping mobile phones out of sensitive areas, as well as co-operating on efforts to detect, track and prevent the use of smuggled devices.

However, it is vital that a long-term, practical solution is found that doesn’t negatively impact legitimate users, nor affect the substantial investments that mobile operators have made to improve their coverage.

The nature of radio signals makes it virtually impossible to ensure that the interference generated by inhibitors is confined, for example, within the walls of a building. Consequently, the interference caused by signal inhibitors affects citizens, services and public safety. It restricts network coverage and has a negative effect on the quality of services delivered to mobile users. Furthermore, inhibitors cause problems for other critical services that rely on mobile communications. For example, during an emergency they could limit the ability of mobile users to contact emergency services via numbers such as 999, 911 or 112, and they can interfere with the operation of mobile-connected alarms or personal health devices.

The industry’s position is that signal inhibitors should only be used as a last resort and only deployed in coordination with operators. This coordination must continue for the total duration of the deployment of the devices — from installation through to deactivation — to ensure that interference is minimised in adjacent areas and legitimate mobile phone users are not affected.

Furthermore, to protect the public interest and safeguard the delivery of mobile services, regulatory authorities should ban the use of signal inhibitors by private entities and establish sanctions for private entities that use or commercialise them without permission from relevant authorities. The import and sale of inhibitors or jammers must be restricted to those considered qualified and authorised to do so and their operation must be authorised by the national telecommunications regulator.

Nevertheless, strengthening security to prevent wireless devices being smuggled into sensitive areas, such as prisons, is the most effective measure against the illegal use of mobile devices in these areas, as it would not affect the rights of legitimate users of mobile services.