Telecoms routing specialist XConnect's Data Protection Officer Lee Suker discusses the use of Home Location Register lookup services, describing the opportunity they represent for the industry to improve a multitude of services, and also issuing a warning regarding the little-known personal data threat they could pose for businesses and individuals post-GDPR.
What is HLR look-up?
The Home Location Register (HLR) is the main database of subscriber information for a mobile network. It is essential for the smooth running of mobile operators, but it is also available to a larger set of companies, such as the SMS A2P industry.
The SMS A2P market has historically used HLR Lookup to enable message routing for many years; your bank can send you a credit card SMS alert thanks to the information from HLR lookup for example. That information instructs a messaging aggregator to forward the message to one operator or another.
HLR information is essential to mobile telephony, but the way it has been shared has been old-fashioned, with little attention to privacy, security or efficiency. It needs to be reworked before customers or the industry start to suffer.
Are there opportunities for legitimate services to use this data?
The primary market for HLR Lookup is routing; this is likely to reduce significantly over time as operators and SMS A2P providers switch to HLR Lookup alternatives such as specific routing databases. There is a secondary market, which has not been studied thoroughly but easily exceeds 10Bn lookups per month.
For instance, markets include financial services, contact centres, CRM and digital commerce, all of which are collecting personal data from a lookup in order to perform different processes, including:
- Onboarding customers and verifying that their mobile number is correct and live on a network.
- Checking a customer's phone-active status.
- Identifying which country the subscriber is currently located in.
- Determining if the subscriber has recently swapped their sim-card.
How do new privacy regulations such as GDPR and those in Brazil affect HLR? Is this information secure?
Legislation like GDPR indicates a global momentum towards privacy, but I don’t believe that this is securing all of our personal information. As well as measures being taken by organisations to circumvent the intent of legislation there are technical vulnerabilities.
For instance, our mobile services have privacy holes in 2 out of 3 mobile operators. Significantly, the HLR lookup function provides a backdoor to important personal data. To put some of these challenges and opportunities into layman's terms: today, in some networks it is possible to retrieve the location of a subscriber, information about the sim-card, the phone itself and if the phone is active.
Should Mobile Operators be worried about their responsibilities regarding HLR under GDPR?
The GDPR is putting a lot of new responsibility on Mobile Operators as the controllers of personal data, but processing companies such as messaging companies are also affected.
All of them are supposed to take active care – being accountable as articulated by the data protection principles. However, the personal information available from HLR Lookup is available in a grey-market, creating a risk for operators, legitimate suppliers, the enterprises and ultimately the customers.
There is a school of thought suggesting that operators are particularly vulnerable to ransom attacks because data from an HLR Lookup is so very easy to get hold of. Things are still settling on GDPR, but this area is one that needs to be tackled, or the industry risks fines and new regulations.
How worried should consumers be about the possibility of this sensitive information being misused?
There are risks to the individual, some trite, some dangerous and some obscure.
HLR Lookup is used indirectly by financial services companies to check for sim-card changes. Changes are used to score financial transactions and are therefore likely to have legally significant consequences for data subjects. Disclosure of a subscriber's roamed-to country can compromise the security of their assets whilst away; for instance, a burglar would be able to check if you are at home.
There is no clear evidence that this is the case yet, but the risk is clear. Even revealing phone status such as on or off could create risks for the individual.
Many users would be surprised that this information can be obtained without any safeguards. Given the forces at play in the web it is only a question of time before someone taps into this resource with malicious intent.
What then is the best approach for the industry to solve the issue?
The best hope for solving this problem of data leakage is for the industry to sit down and to develop a process to close grey-markets, and make this information available via proper, legitimate processes.
There are real technical challenges that operators need to tackle, but this will take time. In the meantime these challenges shouldn’t be an obstacle to putting in place strong organisational measures to create a secure and profitable data supply chain.
If you are concerned about the issues of personal data leakage and HLR lookups, get in touch with other Members to discuss the topic further – contact us now.
I just returned from WWC Madrid yesterday, an event focused on the wholesale voice and messaging industry. Based on the discussions that I had, I believe that it is fair to say the awareness of GDPR is good, but knowledge is still in short supply across the community. When you combine this with the generally accepted way in which HLR Lookups are used and traded, it reinforces the importance of the debate that I’m advocating in this post. My sense is that there is a lot for everyone to lose if we don’t act now.
Completely agree with Lee that the industry needs to take the initiative as regards HLR lookup from a GDPR perspective, especially given the risks of current practices being found in breach of GDPR down the line.