On 11/02/2017 08:17 PM, Stephen Farrell wrote:
Hiya,
I don't claim to fully understand the usage of this ID,
but I'm quite sure that I have no clue what this text
is supposed to mean (as a piece of specification):
"In particular, the "sip.instance" media feature tag
containing the 3GPP2 MEID URN MUST NOT be included in requests or
responses intended to convey any level of anonymity, as this could
violate the users privacy."
I guess this is either an existing problem with whatever
a "'sip.instance' media feature tag" really is or else this
draft creates a new problem, but the quoted text seems to
me to be non-deterministic impossible-to-program-for words
seemingly about (but not actually helping with) privacy.
Am I confused?
Cheers,
S.
Given that the MEID is a long-lived (permanent) identifier for the
specific mobile equipment, it can be correlated with user identity (and
it has cryptographic identity support at the SIM level). Thus it is
potentially leaky. If you do NOT wish your message to give away your
identity, don't send an MEID in it.
Of course this security consideration is patently bogus, as they're no
doubt planning to send it all the time. Don't do this at home, kids.
Why use it? Because when a user simultaneously has multiple devices and
one might be moving call legs betwixt them, having a persistent label
for each of these devices (instances) is terribly handy. There are more
reasonable ways of doing this, such as using OAuth to transiently
instance-identify/authorize the device. But the mobile folks (and most
explicitly, the SIM folks) have a lot already invested in MEID, so
that's what they want to do, even if it is probably long-term
self-defeating because it builds them into the sort of silo that
WhatsApp and others live to tear down. But hey, they live in a world of
government wire taps and cheap APIs for tracking users, so why should
they care? They're "only going to use it on a secure and trusted
network", as usual. Right...
--
Dean Willis