Maintaining a Robust Device Identity System: Introducing the GSMA TAC and IMEI Integrity Framework

Among the GSMA’s many roles is that of sole global arbiter for device identity among mobile devices, which it carries out by overseeing the TAC Allocation system. Every mobile device with a 3GPP transceiver – which includes not only cellular phones but modems, IoT devices, wearables, tablets and other equipment types – must be assigned a 15-digit International Mobile Equipment Identity, or IMEI number. The first 8 digits of an IMEI are the Type Allocation Code, or TAC number, which indicates the precise model of the device bearing it. This system brings order to what would otherwise be an unknowable mass, comprising billions of devices worldwide.

The TAC system thereby enables a range of services catering to operators, retailers, law enforcement agencies, insurers and others who routinely need to identify individual mobile devices. Such services help to deter device theft, verify insurance claims, identify counterfeiting, and return lost devices to their rightful owners; they also empower operators to better plan network provisioning, and target precision marketing and support services.

For these initiatives to remain viable, however, something more fundamental must be ensured: the integrity of the TAC system itself. For device identity to work – and for the range of services and activities that flow from it to be possible – all device manufacturers must play by the same rules. It must be the case, for instance, that an IMEI number is truly unique, and that a device bearing a particular TAC number is truly of the precise model it purports, or confidence in the system could be at risk.

That’s why the GSMA makes it a priority to maintain the accuracy of this system, and it is doing this through the activities associated with the TAC / IMEI Integrity Framework. The GSMA has no powers to forcibly stop illegal or otherwise non-compliant TAC / IMEI activity – that is not our role. What we can do, however, is to make the information and tools available that help maintain the integrity of the system, and act as a hub for reporting of non-compliance. By using educational and coordinating methods, we aim to drive down the number of erroneous IMEI numbers at large, and maximise confidence in the ecosystem to the benefit of all concerned.

One such method is the TAC Data Challenge. The GSMA Terminal Steering Group, who oversee the implementation of the GSMA’s strategy for device identification, have devised a quick and easy way for organisations who access TAC data through GSMA Device Database, including operators, governments and regulators, to report TAC data errors and help keep the data as accurate as possible. If an organisation is thought to have allocated TAC with inaccurate information, they will be contacted by our helpdesk and given 4 weeks to consider and respond to the challenge, and remedy the error if a fault is confirmed.

In the same vein, the Non-Compliant TAC / IMEI Reporting Process was recently launched to enable regulators and other organisations like manufacturers and retailers to report non-compliant TAC or IMEI, including but not limited to cloned or counterfeit TAC or IMEI. We will then offer support to the brands and OEMs who are affected to help them become compliant – however if that non-compliance is deliberate in nature, we could also share information with customs authorities and local law enforcement officials.

The GSMA has also launched TAC Market Watch, to proactively monitor markets where there appears to be an increased presence of non-compliant and fake or cloned TAC or IMEI.

As the body responsible for overseeing the TAC allocation process, the GSMA is also best-placed to provide compliance training to help relevant stakeholders to avoid making errors in the first place. We have developed a set of TAC Allocation Training Modules, which are available in English and Chinese, and hold regular training sessions around the world to ensure those with a hand in device identity know how to conduct their responsibilities effectively. If your organisation plays a role in this area, we invite you to consult the materials presented here. If you have any questions about this or another aspect of the device identity ecosystem, please do get in touch.