5G Privacy Risks addressed by the European Commission

Commission Recommendation on Cybersecurity of 5G networks sets an action plan for the Member States. We explore the main sources of 5G privacy risks.

According to Commission Recommendation on Cybersecurity of 5G networks, EU Member States should by the 30th June 2019 carry out a risk assessment of 5G network infrastructure, including identifying the most sensitive elements where security breaches would have a significant negative impact. By the same date, Member States should also review the security requirements and the risk management methods applicable at national level, to take into account cybersecurity threats that may arise from (i) technical factors, such as the specific technical characteristics of 5G networks, and (ii) other factors such as the legal and policy framework to which suppliers of information and communications technologies equipment may be subject in third countries.

A toolbox will further be agreed at the EU level that will include a risk inventory and a set of possible mitigating measures (e.g. third-party certification for hardware, software or services, formal hardware and software tests or conformity checks, processes to ensure access controls exist and are enforced, identifying products, services or suppliers that are considered potentially not secure, etc.).

5G vs 4G privacy risks

Since we all already use 4G and 3G mobile networks, the key practical question is the comparison between 5G vs 4G privacy risks. Are there fundamental differences? Whereas there might be few qualitative differences, one can think of higher density of 5G cells that enable more precise user location information or the impact of potential network management decentralisation e.g. in relation to locally available 5G services. Mobile location issues are addressed by the EU ePrivacy Directive, soon to become ePrivacy Regulation.

According to Vesna Prodnik Pepevnik, CEO of Vafer and 5G mobile network expert, the main challenges will be linked to vertical applications, from autonomous vehicles and healthcare to energy and monitoring systems with various omnipresent sensors. “The more systems and therefore data are processed by 5G networks, the higher the risk.” In her view, the Commission’s 5G security proposals are currently vague, which might even prove to be an obstacle for certain 5G use cases and therefore the EU’s ambitions in relation to 5G.

It, therefore, remains to be seen to what extent will the proposed measures, including the expected toolbox, provide the necessary safeguards for the industry and trust for the end-users, which are both essential for 5G becoming a major driver for IoT applications.

Aphaia provides Data Protection Impact Assessment, including in relation to ePrivacy, and Telecommunications Policy and Regulation services

5G expansion privacy risks

The expansion of 5G mobile technology around the world promises to bring faster downloads and quicker network response times. But also a lot more concerns about privacy.

In the USA 5G will allow for the possibility of more-precise location tracking, as well as the opportunity to collect vast amounts of additional personal data.

Unfortunately, due to the short range, more cell towers will need to be built, meaning that new towers will cover much smaller areas and give more precise location data.

The European 5G Action Plan’s main goal is to make 5G a reality for all citizens and businesses by 2020. 5G will provide virtually ubiquitous, ultra-high bandwidth, and low latency “connectivity” not only to individual users but also to connected objects. It will also be the “eyes and ears” of Artificial Intelligence systems as it will provide real-time data collection and analysis.

A digital European single market, which is what is being envisioned will also enable remote collaboration using VR, online health monitoring, connected and self-driving cars and drone deliveries are all cited as potential new markets enabled by 5G.

Privacy risk and 5G

In the USA, 5G will entail more indoor towers as it doesn’t penetrate walls very well. Towers in shopping malls, big office buildings, hotels and so on, will become a normal thing and will allow for more precise location data. Location is extremely sensitive. It reveals a tremendous amount about data subjects and telecom companies need to be regulated to make sure that they are not using the data as they wish.

It also may be that 5G will make widespread sensor networks possible, on every telephone pole or street corner. Those might detect people doing things.  5G can also be used to track people and if it is not regulated, the selling of location data can become the biggest issues in our generation.

Dr Bellovin advocates for clearer regulation of what carriers can do with location data, which in his opinion should be nothing.

Dr Bostjan Makarovic, Aphaia Managing Partner, believes that European users are generally well-protected by the ePrivacy Directive when it comes to their location data. “5G might not be unique compared to 4G or even widespread wifi networks. But together with IoT sensors, for example, privacy issues are expected to be amplified in the age of 5G.”

At the same time, the European Commission is racing to make 5G available quickly, and pushing for investment in the sector for new tech, but at what cost? Cybersecurity agency such as ENISA, have stated that 5G connections come with a medium to high risk of cybersecurity attacks because there are not enough safeguards in place to make sure the new networks will be secure.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.