Consumer protection

As mobile services have taken on greater economic and social importance, particularly mobile internet, it is vital that the more than 5 billion people currently using these services can continue to enjoy them safely and securely. The challenge is providing this protection while also ensuring users have control over their privacy and personal data.

It is therefore essential for the mobile industry to deliver safe and secure technologies, services and apps that inspire trust and confidence. At the same time, consumers need to be educated about potential risks and be aware of the steps they can take to reduce those risks.

The mobile industry takes consumer protection seriously. The GSMA and its members play a leading role in developing and implementing appropriate safety and security solutions, technical standards and protocols. They also work with governments, multilateral organisations and non-governmental organisations (NGOs) to address concerns related to consumer protection. They can do this by:

The following sections illustrate the work undertaken by the mobile industry to ensure consumers are appropriately protected and informed as they enjoy the full range of benefits made possible by mobile technology.

Children and mobile technology

Background

Young people (children and teenagers) are enthusiastic users of mobile technology. Their knowledge of mobile apps and platforms often surpasses that of their parents, guardians and teachers.

For growing numbers of young people, mobile technology is an increasingly important tool for communicating, accessing information, enjoying entertainment, learning, playing and being creative. As mobile technology becomes more embedded in everyday life, mobile operators have an important role to play in protecting and promoting children’s rights.

For young people, mobile devices can be key to accessing:

  • Employment skills.
  • Enhanced formal and informal education and learning.
  • Information and services to aid in health and well-being.
  • Improved social and civic engagement.
  • Opportunities to play and be creative.

Increasingly, mobile devices are playing a role in formal education and informal learning. For people in Low- and Middle-Income Countries (LMICs) and rural areas, as well as areas where certain groups – girls in particular – are excluded from formal education, mobile connectivity offers new opportunities to learn.

Like any tool, a mobile device can be used in ways that cause harm, so young people require guidance to benefit from mobile technologies safely and securely.

The mobile industry has taken steps to support the safe and responsible use of mobile services by young people. The GSMA plays a leading role in voluntary industry initiatives, including multistakeholder task forces.

Debate

What potential harms are children exposed to in the digital environment?

How can all stakeholders navigate the tensions between different child rights in the digital world?

Industry position

Mobile devices and services can enhance the lives of young people. This perspective needs to be embraced, encouraged and better understood by all stakeholders to ensure young people reap the full benefits of mobile technology.

Encouraging and enabling the safe, positive and responsible use of mobile by children and young people is best approached through multistakeholder efforts that include young people themselves.

Working closely with its partner UNICEF, its mobile operator members and a range of other stakeholders, including young people, the GSMA works to support children’s rights to, through and in the digital environment. The GSMA also works closely with Child Helpline International to foster collaboration between mobile operators and child helplines in promoting children’s rights – in particular, their right to be heard – and to work together on areas of mutual concern, such as a safer internet.

The GSMA takes part in international initiatives related to safeguarding children online, including the ITU Child Online Protection programme, and actively engages with governments and regulators seeking to address this issue. Through its Capacity Building programme, for example, the GSMA helps policymakers better understand children’s use of technology and discusses strategies for encouraging young people to become positive, engaged, responsible and resilient users of digital technology.

Young people are critical to the evolution of the mobile sector because they represent the first generation to have grown up in a connected, always-on world. They are also future consumers and innovators who will deliver the next wave of innovation in mobile.

Resources

Guidelines for Industry on Online Child Protection, UNICEF, 2020

 for Companies in the ICT Sector, UNICEF

Enhancing Children’s Lives Through Mobile, GSMA, 2019

Internet Safety Guides, GSMA and Child Helpline International, 2017

Research Results, Global Kids Online

Cross-border flows of data

Background

The global digital economy depends on cross-border flows of data to deliver crucial social and economic benefits to individuals, businesses and governments. When data is allowed to flow freely across borders, it enables organisations to adopt data-driven digital transformation strategies that benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general.

Cross-border flows of personal data are currently regulated by several international, regional and national instruments and laws that are intended to protect the privacy of individuals, the local economy or national security.

While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks, such as the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, the EU Binding Corporate Rules (BCRs) and the OECD Data Free Flow with Trust (DFFT), allow organisations to transfer personal data under certain conditions. They contain accountability mechanisms and are based on internationally accepted data protection principles.

However, their successful adoption is undermined by governments increasingly implementing data localisation rules (also known as ‘data sovereignty’) that impose local storage requirements or use of local technology. Such localisation requirements can be found in a variety of sector- and subject-specific rules. The restrictive measures are sometimes imposed by countries based on the belief that supervisory authorities can more easily control and scrutinise data that is stored locally. This can be counterproductive from a data security perspective if the storage of data runs the risk of creating ‘honey pots’ where data stored in a single place with no backup can attract cyberattacks.

Today, bilateral and multilateral trade agreements are incorporating more modern trading arrangements that recognise the potential of digital trade powered by open, cross-border data flows. These can act as a catalyst for continued growth that facilitates trade and improves productivity and economic well-being. Examples of frameworks and forums include the Global Cross-Border Privacy Rules (CBPR) Forum, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the ASEAN Regional Comprehensive Economic Partnership (RCEP), the African Continental Free Trade Area (AfCFTA), EU BCRs, Model Contractual Clauses (MCC) and Privacy Trust Mark (PTM).

Debate

How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border flows of data?

How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?

How can governments collaborate to achieve evidence-based policy on data localisation?

Industry position

Cross-border data flows play a key role in innovation, competition and economic and social development. Governments can facilitate data flows in a way that is consistent with consumer privacy and local laws by supporting industry best practices and frameworks for the movement of data, and by working to make these frameworks interoperable.

Governments can also ensure that these frameworks have strong accountability mechanisms and authorities have a role in overseeing and monitoring their implementation. Governments should only impose measures that restrict cross-border data flows if they are essential to achieving a legitimate public policy objective. The application of these measures should be proportionate and not arbitrary or discriminatory against foreign suppliers or services.

Mobile operators welcome frameworks such as the APEC CBPR, EU BCR, MCC and PTM, which allow accountable organisations to transfer data globally, provided they meet certain criteria. Such mechanisms are based on commonly recognised data privacy principles and require organisations to adopt a comprehensive approach to data privacy.

The frameworks encourage more effective protection for individuals than formal administrative requirements while also helping to realise potential social and economic benefits. Such frameworks should be made interoperable across countries and regions to the greatest extent possible. This would stimulate the convergence of different approaches to privacy while also promoting appropriate standards of data protection and allowing accountable companies to build scalable and consistent data privacy programmes.

Requirements for companies to use local data storage or technology create unnecessary duplication and costs. There is little evidence that the policies produce tangible benefits for local economies or improved privacy protections for individuals.

To the extent that governments need to scrutinise data for official purposes, mobile operators would encourage them to achieve this through existing lawful means and appropriate intergovernmental mechanisms that do not restrict the flow of data.

The GSMA and its members believe that cross-border data flows can be managed in ways that safeguard the personal data and privacy of individuals. We remain committed to working with stakeholders to ensure that restrictions are only implemented if they are necessary to achieve a legitimate public policy objective.

Resources

Promoting Transparency, Choice and Trust in the Digital Society, GSMA privacy website

Cross Border Data Flows: The Impact of Data Localisation on IoT, GSMA, January 2021

Mobile Privacy Principles, GSMA, February 2016

Smart Data Privacy Laws, GSMA, June 2019

Cybersecurity

Background

The internet and mobile connectivity are becoming more pervasive, making it vital to ensure that individuals can use essential services reliably, safely and securely. Cyberattacks are not only harmful and criminal, but also undermine trust in digital services.

The mobile industry is continually working to educate its customers while also incorporating new features and enhancing existing security capabilities to minimise the potential for fraud, identity theft and other threats. This includes encryption, integrity checking and user identity validation. Governments and legislators have put requirements in place to prevent cyberattacks, and national and regional strategies have been adopted in many countries to strengthen resilience and build capacity to fight cybercrime.

Protecting public safety

Mobile networks are considered critical national infrastructure in many jurisdictions, and the services they support play a key role in protecting the public. The laws and regulations applicable to mobile operators, including telecoms licence conditions, often require them to take on additional responsibilities and assist law enforcement agencies.

Protecting network infrastructure and devices

The mobile industry has a long history of providing secure products and services to customers. The GSMA and its members support the principles of “secure-by-design” being applied across the value chain, beginning at the very earliest stages of product development, so that security is built in as a fundamental and holistic aspect of design.

Protecting consumers from fraud

Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, smishing or vishing, where victims are tricked into revealing sensitive personal information and service access credentials. Mobile operators implement and offer solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumers from fraud

Fraudulent attacks take many forms, such as SIM swap, financial fraud, phishing, smishing or vishing, where victims are tricked into revealing sensitive personal information or making financial transactions. Mobile operators implement and offer solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumer privacy

Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained, complete and available throughout its life. The GSMA has undertaken extensive work on data protection and data privacy.

The mobile industry, supported by the GSMA, is extremely active in programmes to educate consumers and businesses on how to safely use mobile technologies and the applications they support to minimise illicit behaviour. The GSMA coordinates activities and leads industry-wide initiatives through the Fraud and Security Group (FASG), the Telecommunication Information Sharing and Analysis Centre (T-ISAC), the Security Accreditation Scheme (SAS) and the Network Equipment Security Assurance Scheme (NESAS), which together provide a security assurance framework to facilitate security improvements across the mobile industry.

Debate

How can policymakers ensure that cybersecurity is the responsibility of everyone in the mobile ecosystem?

What is needed to facilitate a more holistic response to cybersecurity?

Industry position

Cybersecurity is the shared responsibility of industry, government and regulators. Every actor in the digital value chain, across all sectors of the digital economy, needs to ensure the appropriate protection of infrastructure, products and services.

Different types of cyberthreats have the potential to undermine the integrity of networks through unauthorised interception of networks. This can be through hardware and software in the mobile value chain, as well as through the use of social engineering where employees and mobile users are deceived into providing information. The mobile industry has been responding to these threats primarily by building more sophisticated security, training employees and conducting awareness-raising campaigns for customers. A holistic approach to dealing with cyber threats is important, with security and privacy embedded in the culture and early stages of product and service development.

While the GSMA provides guidance on a range of mobile security risks and mitigation measures, the mobile industry looks to governments and law enforcement agencies to ensure there are appropriate legal frameworks, resources and processes in place to deter and prosecute criminal behaviour. Borders do not restrict cybersecurity, and it requires national and international cooperation, such as through the Convention on Cybercrime (the Budapest Convention) and the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention).

Resources

Mobile Telecommunications Security Landscape 2023, GSMA, February 2023

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022

Cybersecurity: A Governance Framework for Mobile Money Providers, GSMA, September 2019

Cybersecurity and Mobile Money: Prioritising Consumer Trust and Awareness, GSMA, July 2021

Data privacy

Background

Research shows that mobile customers are concerned about their privacy and want simple and clear choices for controlling how their private information is used. They also want to know they can trust companies with their data. A lack of trust can act as a barrier to growth in economies that are increasingly data-driven.

One of the major challenges created by the growth of mobile internet is that the security and privacy of personal information is regulated by a patchwork of geographically bound privacy regulations, while the mobile internet is, by definition, international. In many jurisdictions, the regulations governing how customer data is collected, processed and stored vary considerably between market participants. For example, the rules governing how personal data is treated by mobile operators may be different to those governing how it can be used by internet players.

This misalignment between national privacy laws and global standard practices makes it difficult for mobile operators to provide customers with a consistent user experience. It may also cause legal uncertainty for operators, which can deter investment and innovation. Inconsistent protection and implementation by supervisory authorities also increase the risk of consumers unwittingly providing easy access to their personal information, leaving them exposed to unwanted or undesirable outcomes such as identity theft and fraud.

Debate

How can policymakers help create a privacy framework that supports innovation in data use while balancing the need for privacy across borders, regardless of the technology involved?

How is responsibility for ensuring privacy across borders best distributed across the mobile ecosystem?

What role does self-regulation play in a continually evolving technology environment?

What should be done to allow data to be used to support the social good and meet pressing public policy needs?

How can a risk-based approach play an important role in building trust?

Industry position

Currently, the wide range of services available through mobile devices offers varying degrees of privacy protection. To give customers confidence that their personal data is being properly protected, regardless of service or device, a consistent level of security must be provided.

Mobile operators believe that customer confidence and trust are only possible when users feel their privacy is appropriately protected. Safeguards should include a combination of internationally agreed approaches, national legislation and industry action. Governments should ensure legislation is risk-based, technology-neutral and that its rules are applied consistently to all players in the internet ecosystem.

Because of the high level of innovation in mobile services, legislation should focus on the overall risk to an individual’s privacy rather than attempting to legislate specific types of data. For example, legislation must deal with the risk to an individual arising from a range of data types and contexts, rather than focusing on individual data types.

The mobile industry should ensure privacy risks are considered when designing new apps and services and develop solutions that provide consumers with simple ways to understand their privacy choices and control their data.

The GSMA is committed to working with stakeholders from across the mobile industry to develop a consistent approach to privacy protection and promote trust in mobile services.

Resources

Promoting Transparency, Choice and Trust in the Digital Society, GSMA privacy website

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022

5G and Data Privacy, GSMA, July 2020

Smart Data Privacy Laws, GSMA, June 2019

Protecting Privacy and Data in the Internet of Things, GSMA, February 2019

Mobile Privacy Principles, GSMA, February 2016

Fraud and Scams

Background

Fraud and scams are emerging as significant global threats, often perpetrated by organised international criminal gangs. Despite not being responsible for perpetrating the crimes, mobile operators are usually the first point of contact for their customers when they are targeted through their mobile device and become victims.

To bypass a mobile network’s technical defences, criminals use social engineering tactics to manipulate individuals, who can be employees or consumers, into disclosing personal or sensitive information or making financial transactions. The use of artificial intelligence (AI) allows criminals to deploy more sophisticated methods and widen their scope and scale to target diverse populations across different regions.

The impact of fraud and scams on victims can be significant. In addition to financial loss, the emotional distress and embarrassment leave many wary and reluctant to engage in the digital space. This erosion of trust can have a negative impact on consumers’ quality of life because many services and interactions are online.

Legislators worldwide are responding to this issue through new laws and regulations. For example, the Australian Scams Prevention Framework sets out principles that regulated entities (banks, telecoms, social media companies) must comply with. Financial regulators, such as those in Africa and Singapore, are enforcing stricter authentication and know your customer (KYC) requirements for financial institutions and mobile money providers (MMPs) to reduce the likelihood of impersonation scams.

Mobile operators are investing significant resources in solutions that include firewalls, block lists and continuous system monitoring. The GSMA plays an important coordination role, providing platforms to share intelligence through the Fraud and Security Group (FASG) and Telecommunication Information Sharing and Analysis Centre (T-ISAC). The GSMA Open Gateway initiative and Scam Signal are helping to unite the mobile and financial services industries behind standardised technology solutions that can assist in combating this crime.

Debate

How should mobile operators and other organisations, such as law enforcement, financial institutions and social media/digital platforms, collaborate to effectively combat scams and fraud to reduce risk for end users and ensure criminals are prosecuted?

When legislating, how should governments address fraud and scams effectively and provide legal certainty, without discouraging industry efforts to innovate and invest in fraud prevention measures?

What measures should governments be taking to educate the public in staying safe online and reducing the risk of being targeted by scammers?

Industry position

The GSMA and its members are committed to tackling scams that exploit victims through the use of mobile technology and devices. Protecting consumers from scams requires a collective effort from everyone involved in the ecosystem, including mobile operators, digital platforms, financial institutions, law enforcement agencies, governments, regulators and individuals.

Legislation should target criminals who perpetrate illegal activity such as fraud and scams, while policies should be designed to allow investment in fraud prevention measures and not stifle innovation or the development and deployment of different technologies.

Collaborating, building partnerships and sharing actionable intelligence are all important for mobile operators to identify new threats and lead cross-sectoral initiatives to combat scams.

Multistakeholder efforts are required to encourage the safe and responsible use of mobile-based online services and devices. All participants in the mobile ecosystem – including banks, financial institutions and technology companies – have a responsibility to protect individuals, including educating them about safe behaviours and being vigilant.

Resources

Fraud and Scams: Staying Safe in the Mobile World, GSMA, 2025

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, 2022

Mitigating Common Fraud Risks, GSMA, 2019

Mobile Money Fraud Typologies and Mitigation Strategies, GSMA, 2024

GSMA Open Gateway API Descriptions

Illegal content

Background

Today, mobile networks not only offer traditional voice and messaging services, but also provide access to virtually all forms of digital content via the internet. In this respect, mobile operators offer the same service as any other internet service provider (ISP). This means mobile networks are inevitably used to access illegal content, ranging from pirated material that infringes intellectual property rights (IPR) to racist content or child sexual abuse material.

Laws regarding illegal content vary considerably. Some content, such as child sexual abuse material, is considered illegal around the world, while other content, such as dialogue that calls for political reform, is illegal in some countries but is protected by rights to freedom of expression in others.

Communications service providers, including mobile operators and ISPs, are not usually liable for illegal content on their networks and services, provided they are not aware of its presence and follow certain rules (e.g. ‘notice and takedown’ processes to remove or disable access to the illegal content as soon as they are notified of its existence by the appropriate legal authority).

Mobile operators are typically alerted to illegal content by national hotline organisations or law enforcement agencies. When content is reported, operators follow procedures based on relevant data protection, privacy and disclosure legislation. In the case of child sexual abuse material, mobile operators use terms and conditions, notice and takedown processes and reporting mechanisms to keep their services free of this material.

Debate

Should all types of illegal content, from IPR infringements to child sexual abuse material, be subject to the same reporting and removal processes?

What responsibilities should governments, law enforcement or industry have in the policing and removal of illegal content?

Should access to illegal content on the internet be blocked by ISPs and mobile operators?

Industry position

The mobile industry is committed to working with law enforcement agencies and appropriate authorities, and to having robust processes in place that enable the swift removal or disabling of confirmed instances of illegal content hosted on their services.

ISPs, including mobile operators, are not qualified to decide what constitutes illegal content, the scope of which is broad and varies between countries. As such, they should not be expected to monitor and judge third-party material, whether it is hosted on or accessed through their own network.

National governments decide what constitutes illegal content in their country. They should be open and transparent about which content is illegal before placing responsibility for enforcement on hotlines, law enforcement agencies and industry.

The mobile industry condemns the misuse of its services for sharing child sexual abuse material. The GSMA Mobile Alliance to Combat Digital Child Sexual Exploitation provides leadership in this area and works proactively to combat the misuse of mobile networks and services by criminals seeking to access or share child sexual abuse material.

Regarding copyright infringement and piracy, the mobile industry recognises the importance of proper compensation for rights holders and the prevention of unauthorised distribution.

Resources

Combatting Online Child Sexual Abuse Content website, GSMA Mobile Alliance Against Child Sexual Abuse Content

Notice and Takedown: Company Policies and Practices to Remove Online Child Sexual Abuse Material, GSMA and UNICEF, May 2016

Hotlines: Responding to Reports of Illegal Online Content, GSMA, July 2016

Child Sexual Abuse Material: Model Legislation and Global Review, Tenth Edition, International Centre for Missing and Exploited Children, 2023

INHOPE website

The Model National Response website, WePROTECT Global Alliance

Internet governance

Internet governance involves an array of activities related to the policy and procedures of the management of the internet. It encompasses legal and regulatory issues, such as privacy, cybercrime, intellectual property rights and spam. It is also concerned with technical issues related to network management and standards, and economic issues such as taxation and internet interconnection arrangements.

Because the growth of the mobile industry is tied to the evolution of internet-enabled services and devices, decisions about the use, management and regulation of the internet affect mobile service providers and other industry players and their customers.

Internet governance requires input and collaboration from diverse stakeholders relating to their interests and expertise in technical engineering, resource management, standards and policy issues, among others. Relevant stakeholder groups will vary depending on the specific internet governance issues that are being addressed.

Debate

Who ‘owns’ the internet?

Should certain countries or organisations be allowed to have greater decision-making powers than others about the management of the internet?

How should a multistakeholder model be applied to internet governance?

“Only a concerted joint global effort by governments, businesses, the technical community and civil society will produce a governance architecture that is as generic, scalable and transnational as the internet itself. No single actor or group of actors can solve this alone.”

– Vint Cerf, Chief Internet Evangelist at Google and Co-inventor of the Internet Protocol suite, February 2018

Industry position

The internet should be secure, stable, trustworthy and interoperable, and no single institution or organisation can or should manage it. The existing multistakeholder model for internet governance and decision-making should be preserved and allowed to evolve.

Given the ubiquity of the internet today, any architecture designed to govern its use should be capable of addressing a range of issues and challenges in a manner that is more agile and flexible than traditional government and intergovernmental mechanisms.

Collaborative, diverse and inclusive decision-making models are required for stakeholders to participate in internet governance.

The decentralised development of the internet should continue, without the control of a particular business model or regulatory approach.

Some internet governance issues warrant a different approach at the local, national, regional or global level. An effective and efficient multistakeholder model ensures that stakeholders, within their respective roles, can participate in building a consensus on such issues.

Technical aspects related to the management and development of internet networks and architecture should be addressed collaboratively by different stakeholder groups through relevant standards bodies, the Internet Engineering Task Force (IETF), the Internet Architecture Board (IAB) and other forums.

Economic and transactional issues, such as internet interconnection charges, are best left to commercial negotiation, consistent with commercial law and regulatory regimes.

Resources

Internet Governance Forum website

WSIS+20 and IGF+20 Review by the UN General Assembly (2025), Internet Governance Forum

Mandated government access

Background

Mobile operators are often subject to a range of laws and/or licence conditions that require them to support law enforcement and security activities in countries where they operate. These requirements vary from country to country and have an impact on the privacy of mobile customers.

Where they exist, such laws and licence conditions typically require operators to retain data about their customers’ mobile service use and disclose it, including their personal data, to law enforcement and national security agencies on lawful demand. They may also require operators to intercept customer communications upon lawful demand, or to notify competent authorities before implementing features like end-to-end encryption that may prevent lawful access.

Such laws provide a framework for the operation of law enforcement and security service surveillance and guide mobile operators in their mandatory liaison with these services. However, in some countries, there is a lack of clarity in the legal framework to regulate the disclosure of data or lawful interception of customer communications. This creates challenges for the industry in protecting the privacy of its customers’ information and their communications.

Legislation often lags behind technological developments. For example, obligations may apply only to established telecommunications operators but not to more recent market entrants, such as those providing internet-based services, including Voice over IP (VoIP), video or instant messaging.

In response to public debate concerning the extent of government access to mobile subscriber data, a number of major telecommunications providers (such as AT&T, Deutsche Telekom, Orange, Rogers, SaskTel, Sprint, T-Mobile, TekSavvy, TeliaSonera, Telstra, Telus, Verizon, Vodafone and Wind Mobile), as well as internet companies (such as Apple, Amazon, Dropbox, Google, LinkedIn, Meta, Microsoft, Pinterest, Snapchat, Tumblr, Yahoo! and X), publish ‘transparency reports’ that provide statistics relating to government requests for disclosure of such data.

Debate

What is the correct legal framework to achieve a balance between a government’s obligation to ensure that its law enforcement and security agencies can protect citizens and the rights of those citizens to privacy?

Should all providers of communications services be subject to the same interception, retention and disclosure laws on a technology-neutral basis?

Would greater transparency about the number and nature of requests governments make assist the debate, improve government accountability and bolster consumer confidence?

Industry position

Governments should ensure they have a proportionate legal framework that clearly specifies the surveillance powers available to national law enforcement and security agencies.

Any interference with the right to privacy of telecommunications customers must be in accordance with the law.

The retention and disclosure of data and the interception of communications for law enforcement or security purposes should take place only under a clear legal framework and using the proper process and authorisation specified by that framework.

There should be a legal process available to telecommunications providers to challenge requests they believe to be outside the scope of relevant laws.

The framework should be transparent, proportionate, justified and compatible with human rights principles, including obligations under applicable international human rights conventions, such as the International Convention on Civil and Political Rights.

Given the expanding range of communications services, the legal framework should be technology-neutral.

Governments should provide appropriate limitations of liability or indemnify telecommunications providers against legal claims brought in respect of compliance with requests and obligations for the retention, disclosure and interception of communications and data.

The costs of complying with all laws covering the interception of communications and the retention and disclosure of data should be borne by governments. Such costs and the basis for their calculation should be agreed in advance.

The GSMA and its members are supportive of initiatives that seek to increase government transparency and publication of statistics related to requests for access to customer data.

Resources

Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework, Office of the High Commissioner for Human Rights, 2011

Judgment on the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’), UK High Court of Justice

A Question of Trust: Report of the Investigatory Powers Review (UK), David Anderson QC, June 2015

Office of the Privacy Commissioner of Canada website

Mandated service restriction orders (network shutdowns)

Background

From time to time, mobile operators receive orders from government authorities to restrict services on their networks.

These service restriction orders (SROs) require operators to shut down or restrict access to their mobile network, network service or over-the-top (OTT) service.

Orders include blocking particular apps or content, restricting data bandwidth and degrading the quality of SMS or voice services. In some cases, mobile operators would risk criminal sanctions or the loss of their licence if they disclosed that they had been issued with an SRO.

SROs can have serious consequences. For example, national security can be undermined if powers are misused and public safety can be endangered if emergency services and citizens are unable to communicate with one another. Freedom of expression, freedom of assembly, freedom to conduct business and other human rights can also be affected.

Individuals and businesses can also be affected by an SRO, and can become unable to pay friends, suppliers or salaries. This can have a knock-on effect on credit and investment plans, ultimately damaging a country’s reputation for managing the economy and foreign investment and discouraging donor countries from providing funds or other resources.

MNOs also suffer. Not only do they sustain financial losses from the suspension of services and damage to their reputation, but their local staff can also face pressure from authorities and possibly even public retaliation.

Debate

What factors and alternatives should governments consider before planning an SRO?

What tools and methods can be used to avoid the need for an SRO or to avoid negative impacts if an SRO is the only option?

Industry position

The GSMA discourages the use of SROs. Governments should only resort to SROs in exceptional and pre-defined circumstances, and only if absolutely necessary and proportionate to achieve a specified and legitimate aim that is consistent with internationally recognised human rights and relevant laws.

To aid transparency, governments should only issue SROs to operators in writing, citing the legal basis and with a clear audit trail to the person authorising the order. They should inform citizens that the service restriction has been ordered by the government and has been approved by a judicial or other authority in accordance with administrative procedures laid down in law. They should allow operators to investigate the impacts on their networks and customers and to communicate freely with their customers about the SRO. If it would undermine national security to do so at the time the service is restricted, citizens should be informed as soon as possible after the event.

Governments should seek to avoid or mitigate the potentially harmful effects of SROs by minimising the number of demands, the geographic scope, the number of potentially affected individuals and businesses, the functional scope and the duration of the restriction.

For example, rather than block an entire network or social media platform, it may be possible for the SRO to target particular content or users. In any event, the SRO should always specify an end date. Independent oversight mechanisms should be established to ensure these principles are observed.

Operators can play an important role by raising awareness of the potential impact of SROs among government officials. They can also be prepared to work swiftly and efficiently to determine the legitimacy of the SRO once it has been received. This will help to establish whether it has been approved by a judicial authority, whether it is valid and binding and whether there is any opportunity for an appeal, working with the government to limit the scope and impact of the order. Procedures can include guidance on how local personnel are to deal with SROs and the use of standardised forms to quickly assess and escalate SROs to senior company representatives.

First and foremost, all decisions should be made with the safety and security of the mobile operator’s customers, networks and staff in mind, and with the aim of restoring services as quickly as possible.

Resources

Guidelines for the Lawful Disruption of Access to Online Services, Australian Government, July 2017

Joint Statement on Network and Service Shutdowns, Global Network Initiative and the Telecommunications Industry Dialogue, July 2016

Mandatory registration of prepaid SIMs

Background

In several countries, customers of prepaid or pay-as-you-go (PAYG) services can anonymously activate their subscriber identity module (SIM) card simply by purchasing credit, as formal user registration is not required. At the end of 2020, 72% of mobile subscriptions were prepaid and some 160 governments around the world have mandated prepaid SIM registration, citing a perceived but unproven link between the introduction of such policies and the reduction of criminal and anti-social behaviour. Mandated prepaid SIM registration is most prevalent in African countries, where SIM registration is required to identify the user. In some countries, biometric data is also required for SIM registration, which can have additional privacy implications.

Some governments, including the Czech Republic, UK and USA, have decided against mandating registration for prepaid SIM users, concluding that the potential loopholes and implementation challenges outweigh the merits.

SIM registration can, however, allow many consumers to access value-added mobile and digital services that would not otherwise be available to them as unregistered users, including identity-linked services such as mobile money, e-health and e-government services.

For a SIM registration policy to create positive outcomes for consumers, it must be implemented in a pragmatic way that takes local market conditions into account, such as the ability of mobile operators to verify customer IDs. If registration requirements are too onerous for a customer to meet, mandating a SIM registration policy may lead to implementation challenges and unforeseen consequences. For example, it could unintentionally exclude vulnerable and socially disadvantaged consumers or refugees who lack the required IDs. It might also lead to the emergence of an underground market for fraudulently registered or stolen SIM cards, driven by the desire of some mobile users, including criminals, to remain anonymous.

Debate

To what extent do the benefits of mandatory prepaid SIM registration outweigh the costs and risks?

What factors should governments consider before mandating such a policy?


Industry position

While registration of prepaid SIM card users can have valuable benefits for citizens, governments should not mandate it.

To date, there has been no empirical evidence that mandatory SIM registration directly leads to a reduction in crime. Where a decision to mandate the registration of prepaid SIM users has been made, we recommend that governments consider global best practices and allow registration mechanisms that are flexible, proportionate and relevant to the market, including the level of official ID penetration and the timing of any national identity roll-out plans.

If these conditions are met, the SIM registration exercise is more likely to be effective and lead to more accurate customer databases. Furthermore, a robust customer verification and authentication system can enable mobile operators to facilitate the creation of digital identity solutions, empowering customers to access a variety of mobile and non-mobile services.

We urge governments that are considering the introduction or revision of mandatory SIM registration to take the following steps before finalising their plans:

  • Consult, collaborate and communicate with mobile operators before, during and after the implementation exercise.
  • Balance national security demands against the protection of citizens’ rights, particularly where governments mandate SIM registration for security reasons.
  • Set realistic timescales for designing, testing and implementing registration processes.
  • Provide certainty and clarity on registration requirements before any implementation.
  • Allow and/or encourage the storage of electronic records and design registration processes that are administratively ‘light’.
  • Allow and/or encourage the SIM-registered customer to access other value-added mobile and digital services.
  • Support mobile operators in the implementation of SIM registration programmes by contributing to joint communication activities and their operational costs.

Resources

Access to Mobile Services and Proof of Identity, GSMA, April 2021

Enabling Access to Mobile Services for the Forcibly Displaced, GSMA, September 2017

Regulatory and Policy Trends Impacting Digital Identity and the Role of Mobile, GSMA, October 2016

Mandatory Registration of Prepaid SIM Cards: Addressing Challenges through Best Practice, GSMA, April 2016



Misinformation and disinformation

Background

It is important to distinguish between misinformation and disinformation. Misinformation is information that is false but not created with the intent to cause harm. Disinformation is information that is false and deliberately created and shared to harm a person, social group, organisation or country.

Mobile operators do not typically host content, but they can still be affected by false information. For example, misinformation linking 5G and the COVID-19 pandemic had direct consequences for the mobile industry, such as attacks on telecommunications equipment and staff. Through its work with the mobile industry, the GSMA provides access to factual information, including independent expert reports on electromagnetic fields (EMF) and health.

Legal frameworks are emerging globally to address misinformation, with a notable focus on online platforms. The EU’s Digital Services Act (DSA) 2022 (which includes the Code of Practice on Disinformation) and the UK’s Online Safety Act emphasise transparency, risk assessment and platform accountability regarding harmful content.

Additionally, the World Economic Forum highlights the need for AI models to minimise bias and for public awareness campaigns. The European Commission has expressed concerns about the growing influence of online platforms in political discussions, disinformation campaigns, fake news dissemination in the lead-up to elections and the societal impact of hate speech.

Debate

Who determines whether information is true or false?

What are the most effective mechanisms to deal with misinformation and disinformation?

Industry position

False information can have a harmful impact on society. It can erode public confidence and distort perceptions of independently verifiable facts, leading to a lack of public trust in democratic processes and institutions. It can also create or deepen tensions in society by exploiting individual or collective vulnerabilities.

Governments and policymakers should explore appropriate countermeasures to false online information. The EU Code of Practice on Disinformation, signed by online platforms, is an example of organisations collaborating to create an accountability mechanism and opportunities to share information and best practice.

Awareness campaigns can also be used to point citizens to trustworthy sources of information, equip them with tools to use technology safely and provide a mechanism to report websites containing false or harmful information.

Mobile operators continue to communicate accurate information on their networks and services to their customers.

Resources

Exploring Online Misinformation and Disinformation in Asia Pacific, GSMA, July 2021

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022

2022 Code of Practice on Disinformation, European Commission

EMF and Health website, GSMA

European Commission website, Tackling online disinformation

Mobile devices: counterfeit

Background

A counterfeit mobile device explicitly infringes the trademark or design of an original or authentic branded product, even where there are slight variations to the established brand name.

Due to their illicit nature, these mobile devices are typically shipped and sold in shadow or underground markets by organised criminal networks. It is estimated that almost one in five mobile devices may be counterfeit.23 This has far-reaching negative impacts. Consumers risk lower quality, safety, security, environmental health and privacy assurances. Governments forgo taxes and duties and must contend with increased crime. Industry players are also affected, as it can harm the trademarks and brands of legitimate device manufacturers and the substandard performance of counterfeit devices can have implications for mobile operators.

Some countries have introduced national lists of homologated (approved) devices to combat counterfeiting, smuggling and tax evasion. The purpose of homologated lists is to indicate which devices are permitted access to mobile networks. Mobile operators add device-blocking capabilities to their local networks and connect with the national homologated list to ensure only permitted devices are allowed network access.

However, counterfeit mobile devices are not easy to identify and block, given that many have International Mobile Equipment Identity (IMEI) numbers that appear legitimate. It is common for counterfeiters to hijack IMEI number ranges allocated to legitimate device manufacturers for use in their products, which makes it more difficult to differentiate between authentic and counterfeit products.

Debate

How can governments and other stakeholders best address the issue of counterfeit mobile devices?

Industry position

The mobile industry supports the need for legal and product integrity in the mobile device market and is increasingly concerned about the negative impact of counterfeit devices on consumer welfare and society in general.

Although mobile operators and legitimate vendors cannot stop the production and distribution of counterfeit devices, multistakeholder collaboration can help combat the issue at the source. National law enforcement and customs agencies should take measures to stop the production and exportation of counterfeit devices in their jurisdictions. Information on crime patterns and specific criminal activity relating to counterfeit devices must be provided by national agencies to appropriate international bodies, such as Interpol and the World Customs Organization (WCO), to encourage and facilitate action by relevant agencies in other jurisdictions.

The GSMA makes its device information and device status services available for customs agencies and other industry stakeholders to verify the authenticity of mobile device identities online. National customs agencies are advised to use these services as part of a rigorous set of measures to monitor the importation of mobile devices.

The GSMA encourages mobile operators to adopt systems like the Equipment Identity Register (EIR) and to connect to GSMA systems such as the GSMA Device Database.

Using the GSMA global Type Allocation Code (TAC) list of all legitimate device identity number ranges, operators can block devices with invalid IMEIs.

National authorities should study which factors, such as import duties and taxation levels, contribute to local demand for counterfeit devices. The potential to reduce tax levels on devices to narrow the price gap between counterfeit/smuggled and legitimate devices should be carefully considered, as it could make the underground market a less lucrative place to trade.

Implementing national lists of homologated devices can be successful if they are linked to the GSMA TAC list. National import verification systems and national device homologation systems should also be linked to national lists of approved devices. Some implementations propose that customers register their details and devices centrally. The GSMA does not support central customer registrations because they are unnecessary – the subscriber identities associated with each device can be established by mobile operators themselves.

Where national authorities are considering introducing a system to block non-homologated devices, they should consider offering amnesty to consumers who already own non-compliant devices. Blocking huge quantities of devices would not only be a major loss for consumers, but would also have significant social, economic and security impacts. It is recommended that the funding model for such systems should not place a burden on consumers and mobile operators, since they are not the cause of the underlying issue. National systems should also not be applied to roamers who might be denied service without cause.

Resources

Preventing Device Crime website, GSMA Device Information Services

GSMA IMEI Database website

The Economic Cost of IPR Infringement in the Smartphones Sector, EUIPO and ITU, February 2017

Spot a Fake Phone website

23 According to figures from OECD, 2017

Mobile devices: theft

Background

Policymakers in many countries are concerned about the incidence of mobile device theft, particularly when organised crime becomes involved in the trafficking of stolen devices to other markets.

The GSMA has been leading industry initiatives to block stolen mobile devices based on a shared database of the unique identifiers of devices reported lost or stolen. Using the IMEI of mobile devices, the GSMA Device Registry maintains a central list, known as the GSMA Block List, of devices reported lost or stolen by mobile customers. The GSMA Device Registry is accessible to mobile operators around the world to ensure that stolen devices transported to other countries can be denied network access.

The effectiveness of blocking stolen devices on individual network EIRs depends on the secure implementation of the IMEI in all mobile devices. Leading device manufacturers are encouraged to support a range of measures to strengthen IMEI security and reliability in accordance with GSMA-defined security requirements.

Debate

What can industry do to prevent mobile phone theft?

What are the policy implications of this rising trend?

Industry position

The mobile industry has led numerous initiatives and developed a range of enablers in the global fight against mobile device theft.

Although the problem of device theft is not of the industry’s creation, the industry recognises it is part of the solution. When lost or stolen mobile devices are rendered useless, they have significantly less value, removing the incentive for thieves to target them.

The GSMA encourages mobile operators to participate in its Device Registry service to report and block the IMEIs of devices flagged as stolen on the global block list. Typically, operators deploy EIRs on their networks to deny connectivity to flagged devices and share identifiers of devices from their local network’s block list to ensure devices stolen from their customers can be blocked on the networks of other participants. These block list solutions have been in place on some networks for many years.
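The checks described in the counterfeit and theft sections (validating an IMEI's TAC against the allocation list, then denying block-listed devices at the EIR) can be sketched as follows. This is an added example, not GSMA or operator code: the class and function names are hypothetical, all TACs, serials and IMEIs are constructed sample values, and it assumes the 15-digit IMEI form whose last digit is a Luhn check digit.

```python
# Added example: all TACs, serials and IMEIs below are constructed sample
# values, not entries from the GSMA TAC list or the GSMA Block List.
from enum import Enum
from typing import Optional, Set


class Verdict(Enum):
    ALLOW = "allow"
    DENY_MALFORMED = "deny: not a well-formed 15-digit IMEI"
    DENY_UNKNOWN_TAC = "deny: TAC not in the allocation list"
    DENY_BLOCK_LISTED = "deny: reported lost or stolen"


def luhn_check_digit(body14: str) -> int:
    """Return the Luhn check digit for the 14-digit TAC + serial number."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # rightmost body digit, then every second digit leftwards
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def make_imei(tac: str, serial: str) -> str:
    """Build a 15-digit IMEI from an 8-digit TAC and a 6-digit serial."""
    body = tac + serial
    if len(tac) != 8 or len(serial) != 6 or not (body.isascii() and body.isdigit()):
        raise ValueError("TAC must be 8 digits and serial 6 digits")
    return body + str(luhn_check_digit(body))


def normalise(raw: str) -> Optional[str]:
    """Strip separators; return 15 ASCII digits with a valid check digit, else None."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        return None
    if luhn_check_digit(digits[:14]) != int(digits[14]):
        return None
    return digits


class EquipmentRegister:
    """Hypothetical EIR-style check: TAC allocation list plus a block list."""

    def __init__(self, allocated_tacs: Set[str], block_list: Set[str]):
        self.allocated_tacs = allocated_tacs
        # The block list is keyed on TAC + serial; the check digit is derived.
        self.block_list = block_list

    def check(self, raw_imei: str) -> Verdict:
        imei = normalise(raw_imei)
        if imei is None:
            return Verdict.DENY_MALFORMED
        if imei[:8] not in self.allocated_tacs:
            return Verdict.DENY_UNKNOWN_TAC
        if imei[:14] in self.block_list:
            return Verdict.DENY_BLOCK_LISTED
        return Verdict.ALLOW


# Constructed sample data.
SAMPLE_TACS = {"49015420", "35123456"}
SAMPLE_BLOCK_LIST = {"49015420000001"}
REGISTER = EquipmentRegister(SAMPLE_TACS, SAMPLE_BLOCK_LIST)


def demo() -> dict:
    """Run the register over constructed IMEIs covering each outcome."""
    cases = {
        "genuine": "49-015420-323751-8",
        "bad_check_digit": "490154203237519",
        "unallocated_tac": make_imei("99000000", "123456"),
        "reported_stolen": make_imei("49015420", "000001"),
        # An identity that borrows an allocated TAC range passes every check
        # here, which is why the page says such devices are hard to identify.
        "borrowed_tac_range": make_imei("35123456", "777777"),
    }
    return {name: REGISTER.check(imei) for name, imei in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict.value}")
```

The last case is the limitation the counterfeit section describes: an identity taken from a legitimately allocated range is indistinguishable from a genuine one at this layer.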

To enable a wider range of stakeholders to combat device crime, the GSMA provides services that allow eligible parties, such as law enforcement, device traders and insurers, to check the status of devices against the GSMA Block List and, in some cases, to also flag stolen devices.

IMEI blocking, when combined with other multistakeholder measures, can be the cornerstone of a highly effective anti-theft campaign.

Consumers who have had their devices stolen can be vulnerable to their personal data being used to commit a range of additional crimes. Industry, law enforcement agencies and regulators are recommended to provide anti-theft consumer education material on their websites with advice and measures appropriate to their markets.

The concept of a ‘kill switch’ – a mechanism that disables a stolen phone remotely – has been developed for a range of devices. The GSMA supports device-based anti-theft features and has defined feature requirements for a globally applicable solution. These high-level requirements have security solutions on mobile devices can also help render devices useless and unattractive to criminals by preventing those devices from working on non-mobile networks such as Wi-Fi, where EIR blocking would otherwise be ineffective.

National authorities have a significant role to play in combating criminal activity. It is critical that they engage constructively with the industry to ensure the distribution of mobile devices through unauthorised channels is monitored and that action is taken against those involved in the theft or illegal distribution of stolen devices.

A coherent cross-border information-sharing approach involving all relevant stakeholders makes national measures more effective. The GSMA advocates the sharing of stolen device data internationally for blocking and status-checking purposes, which can be facilitated by the GSMA Device Registry and Device Check services. Only if regulation allows and encourages stolen device information to be shared across all countries will this deterrent have a global impact.

In markets with a national homologated list, lost and stolen device information can be exchanged between mobile operators through the GSMA Device Registry. Alternatively, if a national device block list system is already in place and complies with GSMA requirements, it may be approved to use the GSMA Device Registry to exchange block list information.

Resources

The Global Source of IMEI Data, GSMA IMEI Services

Preventing Device Crime website, GSMA Device Information Services

IMEI Security Technical Design Principles, GSMA, August 2016

IMEI Security Weakness Reporting and Correction Process, GSMA, November 2016

Anti-Theft Device Feature Requirements, GSMA, May 2016

Security Advice for Mobile Device Users website, GSMA

Mobile network and device security

Background

Security attacks can affect all technology, including mobile devices. Mobile operators use encryption technologies to deter criminals from eavesdropping and intercepting traffic.

The barriers to compromising mobile security are high, and research into possible vulnerabilities has generally been technically complex. While no security technology is guaranteed to be unbreakable, practical attacks on mobile services are rare because they tend to require considerable resources, including specialised equipment, computer processing power and a high level of technical expertise beyond the capability of most people.

Reports of eavesdropping are not uncommon, but such attacks have not taken place on a wide scale and 4G and 5G networks are considerably better protected against eavesdropping risks than earlier generation networks. 5G technology boasts a host of new security capabilities that further enhance protection levels.

Debate

How secure are mobile voice and data technologies and what is being done to mitigate the risks?

Do emerging technologies and services create new opportunities for criminals?

How is 5G, and all the capabilities it brings, affecting the security landscape?

Industry position

The protection and privacy of customer communications is at the forefront of mobile operators’ concerns.

The mobile industry makes every reasonable effort to protect the privacy and integrity of customer and network communications.

The GSMA leads a range of industry initiatives to make mobile operators aware of the risks and mitigation options available to protect their networks and customers.

This work, described below, is recognised by regulators around the world as sufficient to eliminate the need to formally regulate.

  • The GSMA works with experts to facilitate an appropriate response to threats, playing a key role in coordinating the industry response to security vulnerability research through its Coordinated Vulnerability Disclosure (CVD) programme.
  • The Telecommunication Information Sharing and Analysis Centre (T-ISAC) collects and disseminates information and advice on security incidents within the mobile community in a trusted and anonymised way.
  • The GSMA conducts comprehensive threat analysis involving industry experts from across the ecosystem, regulators and public sources, such as 3GPP, the European Union Agency for Cybersecurity (ENISA) and the National Institute of Standards and Technology (NIST), and maps these threats to appropriate and effective security controls. This analysis has been collated into a range of security guidance publications, including the GSMA Baseline Security Controls, which helps mobile operators understand and develop their security posture.
  • The GSMA's Fraud and Security Group acts as a centre of expertise for the industry’s management of fraud and security matters. The group seeks to maintain or increase the protection of mobile operator technology and infrastructure, as well as customer identity, security and privacy, to ensure the industry maintains a strong reputation and mobile operators remain trusted partners in the ecosystem.
  • The GSMA Mobile Cybersecurity Knowledge Base makes the combined knowledge of the 5G ecosystem available to increase trust in 5G networks and make the interconnected world as secure as possible.
  • The GSMA supports global security standards for emerging services and acknowledges the role that SIM-based secure elements have played in protecting customers and mobile services, as SIM cards have proven to be resilient to attack.
  • The Embedded Universal Integrated Circuit Card (UICC) approach, defined by the GSMA and implemented by industry, is designed to build on the protection levels achieved in the past.
  • The GSMA constantly monitors the activities of hacker groups, researchers, innovators and a range of industry stakeholders to improve the security of communications networks. The ability of the GSMA to learn and adapt can be seen in the security improvements that have been implemented from one generation of mobile technology to the next.

Resources

GSMA Mobile Cybersecurity Knowledge Base, GSMA

FS.31 Baseline Security Controls, GSMA

GSMA Mobile Telecommunications Security Landscape, GSMA, February 2023

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022

GSMA T-ISAC website

Signal Inhibitors (jammers)

Background

Signal inhibitors, also known as jammers, are devices that generate interference or intentionally disrupt communications services. In the case of mobile services, they interfere with communication between the mobile terminal and the base station. Their use by private individuals is banned in countries such as Australia, the UK and the USA.

In some regions, such as Latin America, signal inhibitors are used to prevent the illegal use of mobile phones in specific locations, such as prisons. However, blocking the signal does not address the root of the problem: wireless devices illegally ending up in the hands of inmates who then use them for illegal purposes.

Signal inhibitors do not prevent mobile devices from connecting to Wi-Fi networks because they do not affect the frequency bands used by Wi-Fi routers.

As a result, signal inhibitors do not block people from using OTT voice applications to make calls to phone networks.

Mobile operators provide coverage and capacity by investing heavily in the installation of radio base stations. However, the indiscriminate use of signal inhibitors compromises these investments by causing extensive disruption to the operation of mobile networks, reducing coverage and forcing a deteriorated service for consumers.

Debate

Should governments or private organisations be allowed to use signal inhibitors that interfere with the provision of mobile voice and data services to consumers?

Should the marketing and sale of signal inhibitors to private individuals and organisations be prohibited?

Industry position

In some Latin American countries, such as Colombia, El Salvador, Guatemala and Honduras, governments are promoting the deployment of signal inhibitors to limit the use of mobile services in prisons. The GSMA and its members are committed to working with governments to use technology to help keep mobile phones out of sensitive areas and to cooperating on efforts to detect, track and prevent the use of smuggled devices.

It is vital to find a long-term, practical solution that does not have a negative impact on legitimate users or affect the substantial investments that mobile operators have made to improve their coverage.

The nature of radio signals makes it virtually impossible to ensure that the interference generated by inhibitors is confined, for example, within the walls of a building.

Consequently, the interference caused by signal inhibitors affects citizens, services and public safety. It restricts network coverage and has a negative effect on the quality of services delivered to mobile users. Inhibitors also cause problems for other critical services that rely on mobile communications. For example, during an emergency, they could limit the ability of mobile users to contact emergency services via numbers such as 999, 911 or 112, and they can interfere with the operation of mobile-connected alarms or personal health devices.

Signal inhibitors should only be used as a last resort and only deployed in coordination with mobile operators. This coordination must continue for the duration of the deployment of the devices, from installation to deactivation, to ensure that interference is minimised in adjacent areas and legitimate mobile phone users are not affected.

Furthermore, to protect the public interest and safeguard the delivery of mobile services, regulatory authorities should ban the use of signal inhibitors by private entities and create sanctions for private entities that use or commercialise them without permission from relevant authorities. The import and sale of inhibitors or jammers must be restricted to those considered qualified and authorised to do so, and their operation must be authorised by the national telecommunications regulator.

Nevertheless, strengthening security to prevent wireless devices from being smuggled into sensitive areas such as prisons is the most effective measure against the illegal use of mobile devices in these areas, and this would not affect the rights of legitimate users of mobile services.

Resources

Common Position Proposal on Signal Inhibitors (Jammers) in Latin America, GSMA, November 2014

Signal Inhibitor Solutions: Use of Jammers in Prisons, GSMA, December 2018

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022