Privacy in mobile networks – How to embrace privacy by design

This Ericsson white paper explains why, as the world becomes more digitalized, telecom service providers need to ensure end-to-end privacy by design. Telecom equipment providers have an important role to play here because privacy needs to be designed into their products so they can meet the privacy needs of telecom service providers. Legislators around the globe have tightened their legal frameworks to protect citizens' right to privacy. Recent regulations, such as the European Union's GDPR, aim to address basic principles of lawfulness, fairness, transparency, purpose limitation and accuracy. However, these frameworks often lack the concrete guidelines and related best practices to make them actionable. The challenge for telecom service providers lies in achieving regulatory compliance by turning these juridical concepts into technical and operational steps that can be implemented in technical solutions.

White paper

The goal is to respect subscribers' rights to privacy by considering privacy at every stage of a product or service development and operation. This starts in engineering, where privacy must be considered as part of the design process, extends into the deployment phase, where privacy by default provides a basis for ensuring privacy from the initial setup of a product or service, and, ultimately, moves into the operational phase, where privacy is further assured by the actions telecom service providers take on a daily basis. 

All of these phases are interdependent and contribute to a holistic approach to privacy. Privacy by design is a foundation for ensuring that any product or solution can inherently safeguard privacy and, in this white paper, we reveal the importance of establishing a model for how to translate privacy by design principles into product development and service organizations to protect subscribers' rights to privacy.

Introduction

Digital transformation and new forms of wireless connectivity are disrupting how industries operate and societies develop. At the same time, huge opportunities are being created that have never been seen before. These dynamics necessitate a new, trustworthy approach to the way in which privacy is engineered in both hardware (HW) and software (SW) products. 

As privacy cannot be effectively retrofitted to products and services, privacy by design is an essential starting point. The concept of privacy by design is not new but it has now become a priority. The idea was first put forward by Ann Cavoukian in her role as Privacy Commissioner of Ontario, Canada in the mid 1990s as an early attempt to consider the rights and interests of the data subject throughout product design and development. 

Privacy by design was further developed during the introduction of the European Data Protection Directive. The European General Data Protection Regulation (GDPR) that came into force in May 2018 further cemented the central role of privacy by design. 

This paper focuses on the different aspects of privacy by design: functions, assurance, documentation and operations. In modern telecom networks, these four aspects must be addressed to enable vendors and operators to achieve privacy by default. This white paper proposes a framework around how privacy by design principles can be translated into product development using a Security Reliability Model (SRM) to follow the different steps of product development to meet privacy requirements.

Increased privacy risks

Digitalization is transforming industries, opening up new business models and enabling change to be accelerated across societies. This change will enable us to be more efficient, enhance our senses, make the best use of scarce natural resources and enable a safe, sustainable society for all. However, when it comes to privacy, there is also a risk that these new systems could be misused, either intentionally or unintentionally.

Privacy is a fundamental human right and paramount to preserving human dignity. The issue is so important that most countries address citizens' rights to private communication in their constitutions or jurisprudence. 

Studies of how consumers experience privacy when using social media sites have found that about 60 percent are concerned about how their personal information is used, and fewer than 20 percent trust social media platforms with their personal data [7]. Nevertheless, the usage of social media continues to grow. Recent reports in the media concerning deliberate misuse of collected personal data show an increased mistrust toward both the companies that handle the data and the technology used in collecting it.

This has created a feeling that the technology itself is constantly looking over users' shoulders, regardless of what they are doing. Another study uncovered that 47 percent of respondents believe that popular apps use microphones, cameras, GPS information and other inputs to collect data about their everyday lives, and this happens even when the apps are not being used [6]. These worries need to be taken seriously to restore trust in technology itself, not only in the specific services or apps it enables. 

Individuals and governments expect privacy principles to be considered in new developments. To keep pace with technological development, the recent focus of regulators has been on strengthening citizens' rights to control their personal data. This has put pressure on telecom service providers to enhance their technical solutions to make them more transparent. In addition, telecom service providers recognize the need to demonstrate the integrity of their software supply chain and to avoid internal data breaches. 

Implementing privacy by design enables regulation and guidelines to be mapped to technical and operational requirements that can be implemented in products and services, so they can protect privacy throughout the product or solution life cycle.

Privacy by design

The concept of privacy by design centers on a set of specific foundational principles. These include being proactive instead of reactive, preventative rather than remedial, and offering end-to-end security and privacy as a default setting. The aim is to ensure an adequate level of data protection at all times of data processing by embedding privacy in the design and operation of the product. Data controllers, which in this context we will generally consider to be telecom operators, are expected to take a risk-based approach to determine the measures required to protect assets and thereby inherently respect their right to privacy. The assets here are the personal data of the data subjects; in other words, the subscribers to their network's communication services. 

When implementing privacy by design, it needs to be clear which steps are being taken from the start of the project up until the final software product is released to the market. In the telecommunications industry, a major aspect is the product development itself, which has as its output the final product. The development is supported by standardization as a requirement and by research as an input for new technologies. 

The following section explains how privacy by design is translated into an actionable framework, providing a roadmap of a model for building privacy into a service by design. This is followed by a discussion of what privacy by design means in the context of standardization and research. 

SRM – a framework for privacy by design

Ericsson has worked on systematic development of a state-of-the-art model to incorporate security and privacy considerations into all phases of product development for many years, and the SRM is one instance of this type of model that now provides a governance framework for security and privacy by design.

Figure 1: The SRM

The SRM is a framework that enables security and privacy ambitions to be achieved. Its key characteristics are that it:

  • defines the ambition level for product security and privacy
  • ensures implementation of the appropriate security and privacy features and functions
  • follows up and measures the current product security and privacy status
  • enables the creation of product-related security services

The SRM framework is used to translate privacy policies into actions. While privacy policies, which are derived from regulations and principles, tend to define why a specific level of privacy has to be in place, the SRM provides the answer to what needs to be done in practice to achieve a satisfactory level of privacy protection in the implementation. The SRM is supported by a set of security and privacy design rules, which document best practices regarding how the requirements should be implemented. The design rules in SRM include actual examples of how to develop features and functions in the software. 

The four pillars of the SRM are explained in detail below.

The SRM defines a set of baseline privacy requirements that must be adhered to in products. These requirements have been derived from decades of experience as well as from sources in the telecom and IT industry, including standards, customer policies and regulation. 

The product organization responsible for each product will analyze, decide and document the applicability of and compliance to the given privacy requirements using a risk-based approach. A Privacy Impact Assessment (PIA) is then used to identify and prioritize a list of privacy functions required to mitigate the discovered risks to an acceptable level. 

Assurance activities are divided into three levels: basic, advanced and tailored. All basic level assurance activities relevant to the product should be performed by the product development organization. Advanced level activities can be performed for parts of products that need high security and privacy assurance. Finally, tailored level activities are used for products, or parts of products, where there are product-specific assurance requirements. 

The most prominent assurance activities from a privacy perspective, which are also common to security activities, are: PIAs, vulnerability analyses, hardening, and adherence to the privacy design rules.

A PIA will identify risks related to the product when used in the customer's network. The assessment will identify the privacy risks related to the individuals, such as subscribers, when their personal data is processed in the product. As a result, mitigating security and privacy mechanisms to protect the identified data will be applied according to the privacy and security design rules.

The way of performing vulnerability analysis – often referred to as vulnerability assessment within the telecom industry – comprises testing and verification, including penetration testing. These activities are designed to identify weaknesses and vulnerabilities in the product or solution. A vulnerability analysis shows that risks discovered in the PIA are sufficiently controlled or have mitigations documented in the final product. 

Hardening means increasing product security by reducing its attack surface. Hardening is a key enabler to prevent privacy incidents and possible breaches, as it includes, for example, the removal of unnecessary software, installation of the latest patches, disabling of insecure services and replacement of default passwords.

The documentation aspect in the SRM defines security and privacy-specific customer documents. From a privacy perspective, the document defined in SRM is the privacy user guide.

SRM documentation has multiple purposes. It allows customers to know which privacy functions are available and how to configure them to achieve and maintain privacy compliance. The documentation also informs the customer about the assurance activities that have been performed on the product and communicates other sensitive aspects related to operating the product, such as the impact on privacy and the classification of the processed personal data. 

The product-related security services are currently handled separately by the service organizations and are independently defined by the products. 

Typical deliverables are privacy training recommendations, solution level integration guidance, international data flow handling and potential hardening activities that need to be included in customer delivery projects at deployment time. 

Privacy by design in SRM as a key enabler of the trust stack

Digital industries are placing security and privacy requirements and expectations at the top of their lists. The emergence of 5G, the Internet of Things and cloud computing are introducing new market participants and potentially new threats to privacy. Trust is a vital foundation for collaboration and partnering, and it determines the selection of providers, products, vendors and manufacturers. This area is therefore an opportunity for telecom service providers, which are trusted by their consumers. Trusted business is based on ambitions and strategies, consumer needs and expectations, partner capabilities and standards and regulations.

Figure 2: The trust stack

From a trust-stack perspective, the SRM addresses the core privacy challenges of hardware and software product development. It provides a best-in-class framework for privacy by design of those products. Trusted hardware and software products are the building blocks of networks, so when these products are designed with privacy in mind, it will be possible to deploy them to build secure networks that also respect the privacy of subscribers. This will enable secure network operations and result in an operator's customers having a trusted business relationship with their own subscribers and consumers.

Privacy assurance – PIA

A PIA is the most important assurance activity that needs to be performed to identify risks related to a product when processing personal data in a system that is part of an operator's network. As a result of the assessment, security and privacy mechanisms to protect personal data and mitigate risks are identified according to the privacy and security design rules. Those mechanisms are then considered for product implementation as privacy functions, such as data retention, encryption, privacy logging and access control, to mention a few examples.

To understand the privacy impact of a product, a data classification is performed as part of the PIA. 

In many cases, products may be delivered as-a-Service (aaS), whereby a vendor also operates the solution on behalf of the customer, as a data processor. In these cases, the PIA tends to have a wider scope because it also includes performing privacy studies for that particular deployment to evaluate any additional requirements from customers and regulators. This analysis covers not only data protection legislation, such as GDPR, but also other legislation such as telecom regulation and (cyber)security regulation.

In addition, the contractual relationships of the companies involved in processing the data are documented, and the need for specific data protection agreements is considered when applicable. This includes identifying data controllers and processors, as well as any necessary data transfer agreements (see Figure 3 below).

Figure 3: Example of mapping of data processing parties

Regardless of whether the product is delivered as a standalone item or as part of an aaS offering, it is crucial to recognize what data is processed and where it is physically processed and stored. This is part of the data-flow diagram (DFD) analysis. Analysis of the DFD contributes to identifying storage locations, flows of data to other countries and the parties that have access to personal data, including the purpose or use case.

Figure 4: Simplified example of a system’s DFD including databases storing personal data

The PIA process helps identify the assets to be protected based on the information collected. The assessment is fundamentally concerned with assets that contain personal data, but the target can still be anything from personal data in a database to personal information on a physical device.
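As an added illustration (not Ericsson's SRM tooling or any code from the paper) of what the DFD analysis described above should surface, the following Python model takes a classified list of data categories plus nodes and flows and derives storage locations, cross-border flows, parties with access and flows lacking a documented purpose. The node names, countries, parties and classification values are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Sensitivity classes used by the (assumed) data classification step, ordered
# from least to most sensitive. The paper only states that data is classified.
CLASSES = {"none": 0, "personal": 1, "sensitive": 2}

@dataclass(frozen=True)
class Node:
    name: str
    country: str          # where the data is physically processed or stored
    party: str            # controller or processor operating the node
    stores: bool = False  # True for nodes that persist data (databases)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str             # data category carried by the flow
    purpose: str          # use case; every personal-data flow needs one

@dataclass
class Dfd:
    nodes: dict[str, Node] = field(default_factory=dict)
    flows: list[Flow] = field(default_factory=list)
    classification: dict[str, str] = field(default_factory=dict)

    def findings(self) -> dict:
        """Derive the PIA inputs the DFD analysis is meant to surface:
        where personal data is stored, which flows cross a border, which
        parties get access, and which flows lack a documented purpose."""
        out = {"storage": {}, "cross_border": [], "access": {}, "no_purpose": []}
        for f in self.flows:
            if CLASSES[self.classification.get(f.data, "none")] == 0:
                continue  # not personal data: outside the PIA's asset scope
            src, dst = self.nodes[f.src], self.nodes[f.dst]
            if dst.stores:
                out["storage"].setdefault(dst.name, set()).add(f.data)
            if src.country != dst.country:
                out["cross_border"].append((f.data, src.country, dst.country, dst.party))
            out["access"].setdefault(dst.party, set()).add(f.data)
            if not f.purpose:
                out["no_purpose"].append((f.src, f.dst, f.data))
        return out

def sample_findings() -> dict:
    """Constructed DFD: an operator's own nodes plus a cross-border analytics
    processor and a vendor-operated (aaS) support tool."""
    dfd = Dfd(classification={"subscriber_id": "personal", "location": "personal",
                              "kpi_counters": "none"})
    for n in (Node("radio-node", "SE", "operator"),
              Node("charging-db", "SE", "operator", stores=True),
              Node("analytics", "IE", "analytics-processor", stores=True),
              Node("support-tool", "FI", "vendor-aas")):
        dfd.nodes[n.name] = n
    dfd.flows += [
        Flow("radio-node", "charging-db", "subscriber_id", "billing"),
        Flow("radio-node", "charging-db", "location", "billing"),
        Flow("charging-db", "analytics", "location", ""),   # purpose not documented
        Flow("radio-node", "support-tool", "kpi_counters", "monitoring"),
        Flow("charging-db", "support-tool", "subscriber_id", "troubleshooting"),
    ]
    return dfd.findings()

if __name__ == "__main__":
    for key, value in sample_findings().items():
        print(f"{key}: {value}")
```

Each finding maps to a PIA question: storage entries and cross-border tuples drive retention and transfer-agreement decisions, the access map drives the controller/processor mapping, and an empty purpose is a gap to close before the workshop.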

Typically, the trigger for entering the assessment process is either a new major release of a product or a new product being established. 

The SRM framework clearly defines the activities to be performed, including inputs, outputs and supporting guidelines. The PIA process under SRM at a high level is as described in Figure 5 below:

Figure 5: The PIA process in SRM (high-level view)

The starting point of the process is the identification and classification of the personal data processed by the product and the drawing of the actual DFD. Through the PIA process, a new product release or feature is analyzed. Utilizing the security and privacy requirements as inputs, one or more PIA workshops are performed, and a preliminary PIA report is produced, which facilitates the identification of the impact on privacy and the possible mitigation measures. 

After several workshops, the process is generally concluded, and the result is made available to product management, as well as to the Product Security Incident Response Team (PSIRT) [3] for risk management purposes. At this point, the possible mitigation actions can start as part of the normal product development activities, with the support of the privacy design rules.

Privacy documentation

With the enforcement of new regulations such as GDPR, the SRM has evolved with a significant step forward to help customers achieve compliance: the introduction of privacy user guides. A privacy user guide includes information about the personal data processed in the product and an explanation of the features implemented in the product to protect the personal data. In addition, the privacy user guide also explains how to operate such features and their default parameters. 

The privacy user guide contains information about the sensitivity of the data that is processed by the product, as well as information on secure configuration of the privacy-impacting features in the product. 

Typical features with potential privacy impact are often related to troubleshooting the product and network issues. These could include subscriber tracing, mirroring traffic to a port or a device to monitor performance and quality, and call recording. While all these features have a valid purpose and a legitimate reason to exist, they could potentially have an impact on subscribers' privacy if they have not been built with privacy in mind. Therefore, the privacy user guide explains how those should be operated, how their usage is logged, who can operate them and what alarms are triggered upon their activation.

Automation of privacy operations

Achieving security and privacy compliance in modern telecom networks is a combination of features, assurance, documentation, deployment and operations. Maintaining and monitoring a satisfactory level of security and privacy over time is also a challenge. Modern telecom networks are complex, and the arrival of dynamic systems and their monitoring requires automation at scale. Solutions that provide adaptive security management automation with enhanced security and privacy visibility will be increasingly needed to ensure the best possible privacy in 5G networks [1].

These solutions will need to enable the monitoring of compliance gaps to regulations/law in near real time and ensure that necessary evidence is collected in the event of a privacy breach. In the case of GDPR, such a unified management approach should also provide automated measures to fulfill 5G users' rights in relation to, for example, consent, data access, data portability, rectification, restrictions, objections, erasure and more. 

Automation solutions can boost end-to-end security and privacy visibility. Security management automation solutions can also provide tools for defined and repeatable processes for selecting, enforcing and monitoring security and privacy policies and controls. For example, Ericsson Security Manager [2] provides a unique industry-standards-based policy library that includes predefined security policy families. This library details the policies and controls dedicated to privacy policies that adhere to specifications and regulations such as GDPR, NIST (the US National Institute of Standards and Technology) and ISO (the International Organization for Standardization).

Configuration and compliance based on privacy policies eliminate the need for time-consuming and error-prone manual policy definition, configuration, compliance checking and reporting. Correlating events and logs enables deviations from compliance to be found in near real time, and the results of that analysis can be fed back into the security automation in order to fine-tune security and privacy policies and controls.
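The following is an added example, not part of Ericsson Security Manager or the paper, of the kind of event correlation described above applied to a privacy-impacting feature from the privacy documentation section (subscriber tracing): audit-log lines are checked against a simple policy (who may activate the feature, that each activation carries a ticket, and how long a trace may run), and each deviation is reported as it would be raised as an alarm. The log format, role names, time limit and sample lines are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed audit-log format: one line per operation on the tracing feature.
LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"trace=(?P<trace>\S+)(?: ticket=(?P<ticket>\S+))?$"
)

# Assumed policy, as a privacy user guide would state it: which roles may
# operate the feature, that every activation needs a ticket, and the maximum
# duration a trace may run.
ALLOWED_ROLES = {"trace-admin"}
MAX_TRACE_DURATION = timedelta(hours=2)

def parse(line: str):
    """Parse one audit line into a dict, or return None for unknown lines."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def check_trace_events(lines, now):
    """Correlate trace_start/trace_stop events and return (trace_id, reason)
    tuples for every policy deviation; each tuple would raise an alarm."""
    deviations = []
    open_traces = {}  # trace id -> its start event, until a stop is seen
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["action"] == "trace_start":
            if ev["role"] not in ALLOWED_ROLES:
                deviations.append((ev["trace"], f"started by unauthorized role {ev['role']}"))
            if not ev["ticket"]:
                deviations.append((ev["trace"], "started without a ticket reference"))
            open_traces[ev["trace"]] = ev
        elif ev["action"] == "trace_stop":
            start = open_traces.pop(ev["trace"], None)
            if start is None:
                deviations.append((ev["trace"], "stop without matching start"))
            elif ev["ts"] - start["ts"] > MAX_TRACE_DURATION:
                deviations.append((ev["trace"], "ran longer than permitted"))
    # Near-real-time view: traces still active at evaluation time.
    for tid, start in open_traces.items():
        if now - start["ts"] > MAX_TRACE_DURATION:
            deviations.append((tid, "still running past the permitted duration"))
    return deviations

# Constructed sample lines. Subscribers are referenced only through a trace id;
# the identifier itself stays out of the audit trail.
SAMPLE_LOG = [
    "2024-03-01T08:00:00Z user=anna role=trace-admin action=trace_start trace=t1 ticket=INC-1042",
    "2024-03-01T08:10:00Z user=bob role=noc-operator action=trace_start trace=t2",
    "2024-03-01T08:20:00Z user=carl role=trace-admin action=trace_start trace=t3 ticket=INC-1050",
    "2024-03-01T08:30:00Z user=anna role=trace-admin action=trace_stop trace=t4",
    "2024-03-01T09:30:00Z user=anna role=trace-admin action=trace_stop trace=t1",
]

def sample_deviations():
    """Evaluate the sample log as of 12:00 UTC on the same day."""
    return check_trace_events(SAMPLE_LOG, datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for trace_id, reason in sample_deviations():
        print(f"ALARM trace={trace_id}: {reason}")
```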

Standardization and research

The SRM is a tool for actual product development, but developments in the telecom sector are also dependent on standardization. Privacy by design in this context means that during the definition of the specification phase in standardization bodies such as the 3GPP (3rd Generation Partnership Project) or IETF (Internet Engineering Task Force), there is a vigorous debate surrounding which privacy technologies to include. In addition, privacy by default should be put forward as a standard option in those specifications. Finally, it is also important to be present in standardization organizations that define privacy frameworks, such as ISO. This is important in order to give feedback about the experience of implementing those frameworks in the organization.

Research is also important for product development, where new technologies are analyzed for their privacy implications, and where solutions to any issues can be discovered and defined. New technologies need to be investigated to improve privacy by, for example, developing solutions to increase transparency regarding how consumers' personal data are handled.

Conclusion

Telecom service providers are entering a new marketplace in which multidirectional business models, enabled by digitalization, are creating a complex ecosystem of interdependencies between organizations. Traditional, linear business models in which an organization sells a product or service to a consumer are being replaced by bundled services, parts of which are provided by different organizations to the consumer. Each player in this convoluted chain will access various parts of a consumer's data, and this will extend deep into the user's sensitive and private information. At the same time, the evolution of the networks themselves will increase the usage of data and the amount of data flowing through the networks.

For example, we can easily foresee a need for sensitive financial, health care and automotive data to be exposed in addition to less critical information that a consumer will still want to keep private, such as location, frequency of consumption or preferences. Due to their ability to connect businesses with consumers and their skills in data hosting and IT, telecom service providers will play a substantial part in the digital economy, which presents them with the opportunity to transform their own performance. 

Telecom service providers can utilize the trust stack to improve trustworthiness and enhance their position in the value chain. Doing so has the potential to enable them to generate new revenues to offset their capital investments in the network infrastructure. However, with this upside comes great responsibility, and telecom service providers can influence the preservation of privacy throughout the digital value chain. And from a trust perspective, they are also among those with the most to lose.

This is why privacy by design is so important for new telecom-service-provider-enabled services and the digital economy. With consumer sentiment already suspicious of social media, it is important that confidence in digital services is not further damaged as they entrench themselves further into the lives of citizens.

For many years, Ericsson has systematically developed a state-of-the-art model with its SRM to incorporate security and privacy considerations into all phases of product development. We use this to illustrate to customers why they should trust us and be confident that we have done the work to achieve privacy by design in our products and services. These can then be added into the ecosystem with complete confidence. 

Adoption of privacy by design as an integrated and a non-negotiable methodology means each organization in the service delivery chain can be assured that the systems used by others in the chain match the privacy ambitions of the whole service. The SRM is the way to help telecom service providers contribute to delivering on the privacy expectations of their customers as well as regulators and society. It enables the relevant privacy aspects of a service to be considered well ahead of time during the development process.

The consistent approach we are proposing can ensure that product privacy gaps are minimized in the conceptualization phase of a product or a feature, allowing product development to be steered toward a more privacy-friendly and compliant implementation.

A repeatable process in a mature framework like the SRM can also facilitate the documentation of the privacy assurance work done, so that the outcome is known and used for designing privacy improvements in subsequent releases, as part of the product roadmap. This also enables confidence to be fostered among third-party organizations across the entire service delivery chain. 

While privacy by default is increasingly recognized as a foundational element for a successful service or product that complies with regulation and legislation, it is only part of the effort that is necessary to protect subscribers' rights to privacy. The SRM sets out how privacy begins with design, moves through enablement of privacy by default and into assuring privacy throughout the life of an operational product or service to achieve end-to-end privacy protection.

Abbreviations

3GPP 3rd Generation Partnership Project
aaS As a Service
API Application Programming Interface
AWS Amazon Web Services
BISPRS Baseline Information Security and Privacy Requirements for Suppliers
DFD Data-Flow Diagram
GDPR General Data Protection Regulation
HW Hardware
ISO International Organization for Standardization
PIA Privacy Impact Assessment
PSIRT Product Security Incident Response Team
SRM Security Reliability Model
SW Software

Contributors

The contributors to Ericsson's opinion on this topic are Mikael Anneroth, Dario Casella, Hans Eriksson, Kennet Mattsson and Christian Schaefer.

Mikael Anneroth

Mikael Anneroth holds an expert position at Ericsson Research, Consumer & Industry Lab, studying the use of ICT and communication systems from the human and society perspective. He currently sits on the board of Swedish Innovation Program Viable Cities and is an expert within United 4 Smart Sustainable Cities at the ITU (International Telecommunication Union). Anneroth holds an M.Sc. in applied physics and electrical engineering from Linköping Institute of Technology, Sweden.

Dario Casella

Dario Casella is director of Product Privacy, working in Ericsson Network Security. Based in Jorvas, Finland, Casella supports Ericsson R&D globally in developing products in a privacy-compliant manner to enable Ericsson's customers to have trusted business with their own subscribers and consumers. Casella holds a master's degree in business administration from Università degli Studi di Roma Tre and is a Fellow of Information Privacy (FIP) in the International Association of Privacy Professionals (IAPP), holding multiple CIPP/E and CIPM certifications.

Hans Eriksson

Hans Eriksson holds a research leader position at Ericsson Research in the Security Research department. He has more than 30 years of experience in R&D within mobile systems and network architectures, has recently worked with 5G Core proof-of-concept trials as a technical coordinator and has international collaborations with customers, standardization bodies and universities.

Kennet Mattsson

Kennet Mattsson is a product privacy manager and enables Ericsson to develop products in a privacy-compliant manner. Prior to this role, he worked as a security and privacy consultant for more than 10 years after joining Ericsson in 2005. Mattsson holds an M.Sc. in telecommunications from Helsinki University of Technology in Finland, and is an International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager.

Christian Schaefer

Christian Schaefer is a master researcher in the Security research area at Ericsson Research. He joined Ericsson in 2011 and is currently focusing on different aspects of privacy enhancing technologies, mainly in a big data environment. He holds a Diploma in computer science from University Karlsruhe (TH), Germany.

Acknowledgements

The authors would like to thank Danielle Feiter, Alexandra Searle and Hema Lehocky.