3 reasons to be optimistic about data privacy in the 5G era

 5G data privacy GDPR EDGE COMPUTING PRIVATE NETWORKS network slicing IoT Mobile Digital Identity and Security Review

Estimated reading time: 5 minutes

New 5G networks are set to unleash a data explosion – which will make people understandably concerned about surveillance, consent and hacks. But we should also be aware of the great work being done to counter the threats… 

Last summer a rumour spread fast across social media: 5G causes COVID. It was quickly debunked by experts. Perhaps the best put-down came from Australian professor of medicine John Dwyer. 

He pointed out that: “Coronavirus is available to all Australians, which you can't say about the 5G network.”

Still, the conspiracy theories around 5G persist. They reflect the enduring fear of change that greets virtually all transformative new technologies.

That said, 5G will usher in new products, services and behaviors. And some of them could have negative consequences.

There are genuine reasons to be vigilant.

One legitimate concern centres on privacy.

5G will vastly scale up the data flowing across cellular networks. According to Ericsson, global mobile data traffic exceeded 49 exabytes (that’s 49 billion gigabytes) per month at the end of 2020.

It is projected to hit 237 EB per month in 2026.

What’s more, unlike today, almost half of this data will be generated by machines, not people with smartphones. 

The World Economic Forum estimates that, by 2025, there will be 2.6 billion ‘human’ 5G subscribers compared with 5 billion 5G IoT connections.

Obviously, more data from more (diverse) sources ramps up the risk of leaks – both accidental and deliberate. It also raises the question of non-consensual corporate/government access to private data.

But against that, it’s important to remember that 5G stakeholders are well aware of these vulnerabilities. Indeed, they built many privacy safeguards into the network architecture itself. 

What’s more, 5G is being launched into a world that offers more statutory protections for consumers than ever before.

Jean-François Rubon, SVP of Strategy and Innovation for Mobile Connectivity and Services at Thales, says this makes the current climate very different. “We didn’t really have conversations about privacy when we were building 4G,” he says.

“It’s a different world now. People are more aware of the issues, and regulators are acting on these concerns.”

So there are good grounds to be positive. 

But before we dive into them, let’s re-cap the nature of the most pressing 5G privacy concerns.
 

The location threat: 5G’s small cell size

In the 4G world, cell phone towers are generally positioned about a mile apart from each other. This means that carriers can know the general area a person is in, but not the precise address. 5G cell phone towers have a much shorter range – their signals can’t easily penetrate buildings. For this reason, they are smaller and more closely spaced together. They sit inside buildings and on rooftops. This proximity makes it possible for phone companies to track a person’s location in great detail.
 

The corporate threat: edge computing and private networks

In standalone 5G, each network function no longer resides in its own isolated, secure hardware. Instead it resides in software on shared virtualised infrastructure with other applications. This makes 5G a new kind of network, profoundly different from its physically-based predecessors. 

Virtualization makes it possible to offer ultra-fast connectivity and exponentially more connections. It also enables ‘network slicing’. Carriers can carve up their networks to give private companies the ability to run their own discrete 5G operations.  

The attractions are self-evident. Especially for organisations in sensitive verticals (defence, utilities, etc) that want to keep their data on-site. 

But there are obvious privacy and security implications. The ‘old’ centralized 5G set-up offers physical protections: you can even have guards and walls around data centres. By contrast, mobile edge computing (MEC) servers are not centralised. There could be 1000s of them. This makes it essential to monitor and control who has access. 

Also, running a private network doesn’t mean that data never leaves it. Many private networks will still exchange information with public infrastructure. Companies and MNOs need to ensure proper isolation to prevent data leaks.

And they need ‘data in motion’ security that meets the ultra-low latency and high-throughput requirements of 5G networks. Many existing technologies will struggle to cope. 

It’s why companies such as Thales have developed high-speed encryption (HSE)  solutions that give customers a single platform to ‘encrypt data in motion’— from data centre and HQ to backup to disaster recovery sites. Such systems can secure transmitted data at speeds up to 100 Gbps and with microsecond latency.
 

The analytics threat: NWDAF makes it easier to collect data

The architects of 5G wanted to improve the analytical data available to MNOs. They created the Network Data Analytics Function (NWDAF) to make it easier to collect statistical information on past events, or predictive information about future events. User consent may not be relevant for network data, but it is a consideration when gathering data on user behaviour. 
 

The machine threat: billions of IoT devices widen the attack surface

As stated, 5G will connect more machines than people. The IoT network will include every kind of device – from ‘dumb’ sensors to an autonomous cars. 

One might wonder why we should worry about getting consent from a ‘dumb’ device. But Jean-François Rubon argues it’s not that simple. “You can ask: do machines have a right to privacy?,” he says. “But it’s the wrong question. Most machines will be connected to users in some way. It could be meter related to a person’s power consumption or even a health sensor gathering physiological data. In this sense, IoT privacy is a really important topic.”

Indeed, IoT machines will form ‘nodes’ on a vast connected grid, offering hackers billions of potential access points – and companies the ability to build profiles on people.

Organizations will be able to gather a lot of information about customers’ online and offline behaviour. While this will enable the personalized services consumers demand, it must be done with consent. And it must be protected/anonymized to prevent social engineering attacks targeting individuals and the businesses they work in. Ultimately, individuals must know who processes their personal data, for what purposes and for how long.
 

But there are many reasons to be optimistic 

Plenty has been written about the above threats. Predictions of doom are easy to make. However, there’s no doubt that the 5G era is different from those that came before. For this reason, industry insiders are working hard to counter the threats. And consumers are taking steps to protect themselves. 

Let’s look at three stand-out reasons to be positive. 

#1 - MNOs are building 5G networks in a privacy-aware era

When 3G and 4G networks were under construction, there was little or no privacy debate. Today is very different. Scandalous corporate hacks, Cambridge Analytica and books about surveillance capitalism have changed the public mood.
 
They have also changed the law. The big shift started with The European Union’s European General Data Protection Regulation, which limits the processing of a person’s data without consent.

GDPR’s impact was not just on EU citizens. It also inspired similar laws in Brazil, India, California, Japan and elsewhere. 

These regulations increase the pressure on corporations and carriers to protect the personal data flowing across 5G networks – and seek informed consent when they want to process that data.

#2 - 4G SIMs have a privacy flaw. The 5G SIM fixes it

The traditional 4G SIM has a security hole. When it communicates its identity to the network it does so in plain text. This is a problem if attackers are able to intercept this communication. And they can. They use something called an IMSI Catcher (also known as a Stingray) to gain possession of the IMSI, harvest user data, do location tracking and even perform a denial of service.

When the mobile standards body 3GPP defined the 5G security architecture, it fixed the problem. How? By ensuring the user, identity is encrypted when it’s transmitted over the air. The 3GPP created a new identifier, the SUPI (Subscription Permanent Identifier). Devices don't send the SUPI over the air. Instead, they send an encrypted identity called a SUCI (Subscription Concealed Identifier), which is ciphered thanks to the 5G SIM. If an attacker intercepts the SUCI the information is useless.

#3 - 5G builds in support for a ‘zero trust’ approach to data access, which will lock out intruders

 As stated earlier, the 5G network is far more heterogeneous than its 4G processor. It is built on ‘standard’ cloud-based infrastructure (as compared with the largely physical infrastructure of 4G) and it will comprise many discrete private networks run by autonomous organisations.

All of which makes it difficult to protect network resources with conventional ‘perimeter-oriented’ security. 

So if we assume that attackers can and will enter public and private 5G networks, what is the best method of defence?

5G stakeholders believe it to be the Zero Trust model of security.

Zero Trust is based on a simple assumption: trust no one with everything. This means that every access request must be fully authenticated, authorized, and encrypted before being granted. It restricts what an attacker can do, even if he/she has gained entry to the network.

When it defined the tech behind 5G, the 3GPP standards body made sure that it supported a zero trust approach in three domains.

•    Network access security. This provides users with secure access to services through the device (phone or IoT) and the radio node.

•    Network domain security. Enable nodes to securely exchange signalling data and user data.

•    Service-based architecture (SBA) domain security. This specifies the mechanism for secure communication between network functions in the serving network domain and with other network domains.

Given the need for 5G networks to meet ultra-low latency and high-throughput requirements from cell sites to the edge and core, securing data in motion can be quite a challenge. Thales HSE with its flexible and easy to manage interface can secure data in motion for the mobile backhaul with the following capabilities:

Companies such as Thales currently offer solutions to help corporates enact a zero trust model. These solutions comprise tools for authentication, encryption and key management.

 

Related articles:

How ML can prevent network outage in a 5G world

5G: how can enterprises protect themselves?

5 ways business is getting an industrial 5G makeover

5G versus 4G: what's the difference?

5G SIM, security and privacy for IMSIS
 

All articles