Alternative device identifiers #36
Replies: 4 comments 11 replies
-
Can an alternative device identifier be returned that identifies the device to the API consumer, but cannot be used by any third-party to identify the device? It could - i.e. an opaque reference that can only be resolved by the issuing operator. Does the API consumer need to be able to derive the IMEI from this identifier, or just know that all devices with the same identifier are the same device? I suspect to be useful we would want the latter - otherwise we would just use the IMEI. Do any existing device identifiers satisfy this requirement? Would hashing the MSISDN with an API consumer salt be sufficient? Not sure. What happens if the MSISDN is ported to another operator? How is any alternative identifier derived, and how is it used by the API consumer? For further discussion :) - by 'used' do you mean use case scenarios? |
Beta Was this translation helpful? Give feedback.
-
Sorry, that was a typo. Should have been "Would hashing the IMEI with an API consumer salt be sufficient?". I'll edit.
Yes, I mean what is the use case for the device identifier information. For example, for insurance purposes, the insurance company may well require to know the IMEI. But for fraud detection, they may just need to know that the device currently being used by their customer is different to the one that they were using previously and had insured. |
Beta Was this translation helpful? Give feedback.
-
In general , there are 2 kinds of applications for device identifiers. One is a blacklist (or a grey list) of devices that have been used by fraudsters, or devices that have been stolen. For these list to be effective, it is indeed required that multiple independent parties can work with such a list. For this, IMEI as a device identifier is more suitable, although you run the risk that these IMEI's can be abused to track and trace people. Probably the only way to solve this is by having stringent rules on who can use this kind of information, which cases are approved, and to have transparency on both the legal basis for the use cases and who is using the data and for what purpose. For case of fraud consent will not work as a legal basis (because fraudsters will not give consent, and then you can not block access to a service), but only legitimate interest can be used. For ownership of devices and blokcing stolen devices, consent can be used as a legal basis. The other main application is that of a whitelist of devices, ranging from a short list of devices that can be used by a specific user (as a possesion factor in authentication), to a list of devices which belong to trusted users. For whitelists of devices, an alternate device identifier can be much more privacy friendly, in case the identifiers are only relevant for a specific application (or service provider), and can not be used to track users across different applications. This alternate device identifier can for example be generated by hashing the IMEI in combination with a sufficient long Salt (which needs to be application specific), or the MNO can generate random identifiers and store there with the IMEI in a table for future lookup. In this case of alternate identifiers, you probably also don't need to acquire users consent, because it is similar to the use of a functional cookie, which can be used without acquiring consent. The main advantage of such a white list based alternate device identifiers is that it can be made resilient towards factory resets of the device. |
Beta Was this translation helpful? Give feedback.
-
So you discuss two (physical) device identifiers:
My comments on the salted and hashed IMEI are:
So currently I do not see value in using salted & hashed IMEI as an alternative device identifier, but am open to persuasion! |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
All reactions