Device Identifier Meeting Minutes 2024-01-26

Attendees & Representation

Name                       | Company              | Attendee
Eric Murray                | Vodafone (moderator) | X
Sachin Kumar               | Vodafone             | X
Kevin Smith                | Vodafone             |
Alex Ferreira              | Phronesis            |
Matthew Hornsey            | Phronesis            |
Matthew Hand               | Phronesis            |
Sébastien Synold           | Intersec             |
S, Vigneshwaran            | Cognizant            |
Karthik Raj Rethinakumar   | Cognizant            |
Manish Jain                | Cognizant            |
Huub Appelboom             | KPN                  | X
Rafal Artych               | DT                   |
Abhisek Das                | Infosys              |
Brian Smith                | Shabodi              |
Umair Ali Rashid           | Shabodi              |
Foo Ming Hui               | Singtel              |
Vilim Duganic              | Infobip              |
Surajj Jaggernath          | Vodacom              | X

Agenda

  • Review of previous meeting minutes

    • Approved

  • Review of Device Identifier API status

  • Discussion on requirements for IMEI Fraud

  • AOB

Review of Device Identifier API status

  • Current "work in progress" version can be found here

PRs

  • New PRs:

    • PR #51: Add Identity & Consent header

      • Adds mandatory identity & consent header to API information

      • This will be a requirement of v0.1.0 of Identity & Consent documentation

  • Existing PRs:

    • None

  • Closed PRs:

    • PR #50: Minor Correction of YAML - Amending typos

      • Fixes documentation typos

      • API version updated to 0.3.1

Issues

  • New Issues

    • None

  • Existing Issues

    • Issue #46:  Rename API title to CAMARA Mobile Device Identifier API

      • Current API title is "CAMARA Device Identifier API", but the API only applies (and can only apply) to mobile devices.

      • It is proposed to make this clearer by renaming the API to "CAMARA Mobile Device Identifier API"

      • UPDATE: Meeting agreed this proposal was a good idea

    • Issue #47: Add ageOfInformation field to API response

      • Follows on from Discussion #35

      • Current API response gives no indication of when the physical device information was collected for the specified subscription identifier (e.g. phoneNumber). Depending on the backend implementation, this information could have been collected some time earlier, and could potentially be out of date

      • Add an ageOfInformation field to the response. Time unit TBD, but probably "hours" is sufficient.

      • UPDATE: Huub suggests using a timestamp, in date-time format

    • Issue #30: Defined scopes and meanings, being discussed in Issue 

      • Issue updated to give 3 options:

        • Proposal is to have two scopes for one endpoint - one for all information, and one for TAC, Make and Model only

        • Alternative 1: One single scope, which gives all information

        • Alternative 2: Two scopes but two endpoints

          • Split /get-device-identifier into two separate endpoints for imei / imeisv and tac / manufacturer / model respectively, each with its own scope.

      • UPDATE: Discussed during the meeting; there are pros and cons to both approaches

      • Also need to think from a "product" point of view - the two scopes will represent different products, so should they not also have different endpoints?

ACTION: Eric to add Vodafone preference, and to advertise issue via mailing list to try and get alternative opinions.


    • Issue #21: API Definition Terminology

      • Issue is out of date

ACTION: Eric to update issue text (still open)

  • Closed Issues

    • None

Discussions

  • New Discussions

    • None

  • Existing Discussions:

    • Discussion #36: Alternative device identifiers

      • An alternative proposal is to salt the IMEI with an API consumer specific salt and then hash it

      • This would be a less useful identifier (only useful to the API consumer) but easier to justify providing under an opt-out or no consent basis

      • Use cases for such an alternative identifier are not clear

AGREEMENT: Leave discussion open for now, but prioritise returning IMEI / IMEISV

  • Closed Discussions

    • Discussion #49: Get Device Identifier without exposing the phone number

      • Discussion on whether device identifier can be obtained without the API consumer needing to know or learning the MSISDN

      • When Identity & Consent rules are fully implemented, end user identifying data such as this will be removed from the service API call
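Added example (not from the meeting or the CAMARA project): one way the alternative identifier proposed in Discussion #36 could be derived. It assumes HMAC-SHA-256 keyed with the consumer-specific salt rather than a plain salted hash, and that IMEI and IMEISV are first reduced to TAC plus serial; the function names, salts and sample device numbers are constructed for illustration.

```python
import hashlib
import hmac


def luhn_ok(digits: str) -> bool:
    """Luhn check, as used for the 15th digit of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def canonical_device(identifier: str) -> str:
    """Reduce an IMEI (15 digits) or IMEISV (16 digits) to TAC + serial (14 digits).

    The software version in an IMEISV changes on updates, so hashing it
    would change the derived identifier for the same physical device.
    """
    if not (identifier.isascii() and identifier.isdigit()):
        raise ValueError("identifier must be decimal digits")
    if len(identifier) == 15:
        if not luhn_ok(identifier):
            raise ValueError("IMEI check digit is wrong")
    elif len(identifier) != 16:  # an IMEISV carries no check digit
        raise ValueError("expected a 15-digit IMEI or a 16-digit IMEISV")
    return identifier[:14]


def consumer_device_id(identifier: str, consumer_salt: bytes) -> str:
    """Per-consumer pseudonym: stable for one consumer, unlinkable across consumers.

    Assumption: the salt stays on the operator side. A 14-digit device number
    has too little entropy to stay hidden behind a hash whose salt is known.
    """
    if len(consumer_salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    msg = canonical_device(identifier).encode("ascii")
    return hmac.new(consumer_salt, msg, hashlib.sha256).hexdigest()


# Constructed sample values, not taken from the minutes.
SAMPLE_IMEI = "490154203237518"
SAMPLE_IMEISV = "4901542032375101"  # same TAC + serial, software version "01"
SALT_A = b"constructed-salt-consumer-A"
SALT_B = b"constructed-salt-consumer-B"
```
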

Other Issues

  • Kevin raised the point that YAML schemas should use the common schemas defined in CAMARA_common.yaml where appropriate. Ideally, they could be directly referenced, though this can cause issues with some OAS viewers.

    • ACTION: Eric to check that current Device Identifier YAML is compliant with common schemas

      • Device schema needs to be updated now that IPv6 address must be a single address, but there is an outstanding PR for this schema

      • Will introduce a PR once the Commonalities PR is merged

    • ACTION: Kevin to check how OAS viewers handle external references

Discussion on IMEI Fraud API

This API will not be further discussed until API proponents attend the sub-project meetings

  • See API Proposal submission here

  • Open Discussions:

    • #37: IMEI Fraud API Input

      • Proposal is just to use a single "IMEI" field, which would accept either IMEI or IMEISV

    • #34: What values should the IMEI Fraud API respond with to indicate reported ownership status?

      • The GSMA appear to have an existing Device Check service, which includes an API. How does the CAMARA proposal differ from this?

      • Kevin highlighted a GSMA video on their Device Check service.

AGREEMENT: MTN / Huawei will join sub-project meetings from next year, so can then drive these discussions

AOB

  • Issue #48: Additional sub-project codeowner required

    • UPDATE: No additional codeowner yet identified

  • Next meeting to be held Friday 9th February 2024 @ 09:00 GMT.

  • One day, meetings will be held using the LFX Zoom service, but not yet