/
2025-09-25 API backlog minutes

2025-09-25 API backlog minutes

 

Attendees

Organization

Name

Orange

 

Charter Communications

@Christopher Aubut

CableLabs

 

Telefonica

@Alberto Ramos Monaga

Vodafone

@Surajj Jaggernath

Ericsson

 

AT&T

@Pierre Close

T-Mobile US

 

KDDI

 

Slagen

 

Nokia

 

China Telecom

 

ZTE

 

KPN

 

GSMA

 

Centilion

 

Deutsche Telekom

@Noel Wirzius

MTN

 

China Mobile

 

Verizon

@Mahesh Chapalamadugu

PlektonLabs

 

TIM

 

NTT

 

China Unicom

 

Infosys Ltd

@Abhisek Das @Vijay Narasimha Murthy

Spectrum

 

Chunghwa Telecom

@Guang-Han Ma

Telecom Argentina

 

Huawei

 

xFlow Research

@ALI IQBAL @Muhammad Usman Sharif

Agenda Proposal

Approval of minutes of last conf. call

  • Minutes of last API backlog WG call available here

    • DECISION: OK

Antitrust Policy

The project's Antitrust Policy, which you can find linked from the LF and project websites. The policy is important where multiple companies, including potential industry competitors, are participating in meetings. Please review and if you have any questions, please contact your company legal counsel. Members of the LF may contact Andrew Updegrove at the firm Gesmer Updegrove LLP, which provides legal counsel to the LinusFoundation.

 

 

New Procedures in API Backlog WG meetings

A number of improvements are under discussion with leadership team of OGW project (Henry), CAMARA Project (Markus), Product Definition WS (Helene) and TSC (Herbert). As of today, the WG adopted agreements are three:

  1. To close the agenda SEVEN DAYS BEFORE the conf. call.

    • In case a WG participant wants to include a point in the agenda (e.g., present a new API proposal), this participant shall ensure the corresponding issue is opened in Github by then.

    • Exceptional situations will be treated separately.

  2. New schedule of conf. calls **The meetings are to be held by Linux Foundation (Links available at GitHub and Confluence Backlog front pages)

    • 2nd Thursday of the month (9-10:30 UTC)

    • 4th Thursday of the month (15-16:30 UTC)

  3.  Send agenda to TSC mail list, to encourage more TSC member companies to join the call and provide comments when they identify APIs which are of interest for them. 

  4. New API proposals are included in backlog table when template PR is created, linking to the pending PR

  5. PR will be merged as soon as ready for TSC, and should be merged before TSC review

  6. API enhancements requires existing group’s validation. TSC is informed accordingly to validate

  7. Link and status in backlog table will be updated accordingly

  8. Issue to track API onboarding will be opened once new API is confirmed in TSC.

  9. New proposal Lifecycle for frozen APIs.

Recent Updates & Recap

Last TSC meeting 2025-09-04:

Sponsored Data:

  • Decision on last TSC: [delayed] - Due to short time to review an offline approval will be done by vote (by next Thursday)

#253 [Repository Transition]: Join DedicatedNetworks into Quality On Demand Sub Project

  • Decision: No objections - approved - Wiki page is already moved, changes within repository are on the way (camaraproject/DedicatedNetworks#77), only point might be to clarify the mailing lists and meetings.

Other topics

Update on Proposal “Dual-Phase Meta-Release Strategy: We've started collecting feedback. In the KYC WG (Sep 16):

  • General support, no objections raised.

  • KDDI backed the model, including the 1 meta-release/year option. They request a transition path for commercially deployed APIs not yet stable, to avoid breaking changes.

  • TIM supports the Spring/Fall split and proposed 3 criteria for declaring an API Stable: (1) Spec is mature (WG-approved), (2) 2 commercial deployments, and (3) 1 full GSMA certification KDDI agreed with these criteria.

  • DT confirmed alignment.

    • 📎 Main issue: #194

    • 📎 WG discussion: KYC #35

      • Decision: More time for feedback on the proposals, but also start working on planning next steps as more details are needed to be discussed

        • Proposal from ReleaseManagement for a potential time plan for the next two meta-release (Spring26 and Fall26)

        • Analysis of impact on existing documents in Governance and ReleaseManagement

          • Separate issue on the criteria for declaring an API Stable in Governance (current criteria, proposed changes)

            • e.g. requirement on test statements which we have today, but mostly not delivered

Fraud Hotzone Alert:

  • The proposal raised concerns on privacy, data confidentiality, and governance, similar to Scam Signal.

  • Agreement that the API cannot be hosted in CAMARA’s public repository and should instead follow GSMA’s confidential framework.

  • After discussion within CAMARA, the decision is to propose this API for the next TSC meeting and initiate conversations with GSMA from the API Backlog group to explain the situation and request approval.

  • Decision:

    • The API will be placed in a private repository under GSMA rules.

    • Access will follow the same confidentiality norms as Scam Signal (restricted membership, controlled contributions, and compliance with GSMA security policies).

    • Topic will be formally tabled for the next TSC for approval.

Upcoming Archiving of Frozen Proposals: In alignment with the “Frozen” API process outlined above, we would like to notify the Backlog Working Group that several proposals have reached — or are about to reach — the 6-month inactivity limit. As per policy, these proposals are subject to permanent archiving unless reactivated immediately.

  • 🔴 Proposals that have reached their archiving deadline (27 Aug 2025): Authorization for Advertisements (#17 ), Carrier Wholesale Pricing (#23), Steering of Roaming Management (#24), 5G New Calling (#35), and IdentityAndConsentManagement (#167).

  • 🟠 Proposals nearing their archiving deadline (13 Sept 2025): SIM Historical Information (#115), User Account Spend Count (#121) and Number Of Cards Under User’s ID (#122).

  • Action: All relevant API Proposal owners have been contacted. Unless objections are raised, formal archiving will proceed in the next Backlog WG meeting.

    • Decision: OK

Clean-up process: This is an early draft proposal under discussion in the API Backlog Working Group, aiming to introduce a lightweight, transparent and reversible cleanup process for inactive contributions in the CAMARA catalog — specifically onboarding trackers and repositories that show no meaningful progress after initial approval.

  • Context: While the “frozen” label applies to API Proposals, no governance mechanism currently exists for:

    • Onboarding trackers stuck in an incomplete state

    • Repositories without signs of validation, activity or adoption

  • Draft Proposal (Work-in-Progress): Introduce unified archiving criteria that would be reviewed after each meta-release cycle (Fall/Spring), allowing the Backlog WG to propose archival when:

    • Onboarding trackers show no progress after 6+ months

    • Repositories lack commits, WG engagement or release inclusion
      → Archival is proposed if 3+ criteria are met and no response is received within 2 weeks of notification.

  • What It Aims to Enable:

    • Consistent lifecycle logic (proposal → tracker → repo)

    • Better visibility and expectations for contributors

    • Noise reduction across GitHub, backlog and Wiki

  • Next steps: formal presentation at the next TSC and receive feedback form Backlog WG at #199.

Discussion

Current Issues 

Issue #

Company

Summary

Status Update

#250

Infosys

In Home Device Management API

The API template is not yet.

LAST UPDATES:

The API enables full management of devices connected to a home network, providing connection details and control functions for both customer and operator devices.

  • @Eric Murray - What use cases could this API support that TR-369 cannot? And if TR-369 has gaps, why is it preferable to create a new API in CAMARA instead of evolving TR-369 within the Broadband Forum?

    • @ravim95-eng: The BBF TR-369 standard focuses on low-level broadband network operations intended for service providers. In contrast, CAMARA offers a higher-level abstraction through simplified APIs, making them accessible to non-telecom consumers without requiring knowledge of underlying protocols like TR-369, TR-069, or TR-181. The proposed CAMARA Device API is designed to be standards-agnostic and easily consumable across domains.

  • @Alberto Ramos Monaga: Bit concerned about a possible overlap with the already approved Home Devices QoD API, since both build on the same household device inventory.

    • @ravim95-eng: I see the proposed InHomeDeviceAPI to be foundational/pre-requisite API for usecases like Home Devices QOD API rather than functional overlap

Aug 28, 2025: The presentation will be on the next Backlog meeting with all needed supporting documentation and the API proposal.

AP: The presentation will be on the next Backlog meeting with all needed supporting documentation and the API proposal.

Sep 11, 2025: AP: The presentation will be on the next Backlog meeting with all needed supporting documentation and the update API proposal.

Key Architects are out of office; hence team would be presenting ‘AP 20250828-01’ on the next call of 25th September.

MEETING UPDATE:

Sep 25, 2025: The presentation has been carried out during the meeting. Discussion:

  • @Mahesh Chapalamadugu (verizon):

    • Noted that the IoT Device Management repo is still very early, with the goal of basic lifecycle management, later extending to diagnostics.

    • Raised the possibility of overlap/synergy between IoT Device Management and the new In-home Device API.

    • Emphasized CAMARA’s principle of keeping APIs small, intent-based and simple, rather than large YAMLs covering multiple functions.

    • Asked whether In-home Device API is really distinct or if it should be consolidated with IoT device management.

  • @Ravi:

    • Explained that In-home Device API is intended to manage household connected devices (desktops, laptops, mobiles) behind a modem, exposing standard APIs for ISPs and third-party apps (voice assistants, apps, etc.).

    • Suggested that IoT and connected devices should be unified under one specification rather than kept separate.

    • Argued that at an abstraction level the data attributes for IoT and connected devices are nearly identical, so one generalized API could cover both.

    • Clarified that the proposal is not about putting everything in one YAML but keeping separate operations with a shared model for all devices.

    • Conceded that while the current focus is “in-home”, the model could extend beyond (e.g., connected cars).

AP1: Create a PR with the API proposal following the template.

  • Join to the call of IoT Device Management to clarify scope and positioning (if the API remain separate, clearly document the distinct use cases, if not proposed a unified device object model that works across IoT, home, and possible other domains like automotive).

  • https://github.com/camaraproject/APIBacklog/issues/50 - This is the issue in API backlog for device management. You will also find a pdf file which has high level scope defined in the same issue

AP2: Upload the presentation to the supporting document within the current PR.

241

Chunghwa Telecom

Fraud Hotzone Alert (previously called Communication Risk Check)

The API template is available in PR#243

LAST UPDATES:

  • Fraud Hotzone Alert API empowers anti-fraud systems to analyze phone call and SMS activities associated with a phone number during a specified period, offering a comprehensive view of communication behavior.

Jul 10, 2025:

@Eric Murray: This proposal is too broad and intrusive for a CAMARA API. Like Scam Signal — which isn’t a CAMARA API due to its sensitivity — this involves exposing too much personal data. It’s unlikely that users would consent, even for fraud prevention. A better approach would be to compute a risk score from background data, without exposing the details. Otherwise, the API risks being unusable.

  • @jasonchan: We consulted the relevant departments at Chunghwa Telecom, and according to user policy and regulations, mobile network contracts include a clause informing users that their data may be accessed for purposes like fraud prevention. So, this privacy concern might be addressed through proper consent management.

@rebecca from MTN: Rebecca from MTN raised a key question: Will this API require user consent? She asked whether sharing such detailed data is allowed without explicit consent, or if consent must be obtained.

  • @jasonchan: Currently, no separate consent is involved, as the mobile contract already includes a clause stating that user data may be accessed — effectively serving as implicit consent.

@Tanja de Groot: A suggestion was made to follow a “Know Your Customer” model, where instead of exposing all user data, the API would return a simplified risk score (e.g., high, medium, low, or a percentage). This avoids requiring the application to handle, process, and store sensitive data, and lets the API handle the calculations internally.

@Appelboom, Huub: Even if the API returns only a risk score, processing traffic data for this purpose in Europe still requires explicit user consent under most legislation. The legal issue is fundamental and has also affected similar APIs like Scam Signal. Outside Europe, rules may differ.

Additionally, banks typically prefer raw data to run their own risk models, as fraud patterns evolve rapidly. This makes it difficult to lock the logic on the API side — overly prescriptive APIs may quickly become ineffective.

  • @guang-han ma: In Taiwan, user consent is already obtained through standard agreements when they subscribe to services. So, in this use case, the required consent is already in place, and the concern about user permission is addressed by existing practices.

AP1 → Upload the proposal presentation to the API template PR.

AP2 → Answer all these questions for the next meeting

Jul 24, 2025:

Updated presentation: documentation/SupportingDocuments/Fraud Hotzone Alert.pptx

Proposal to change name to Fraud Hotzone Alert, more related to the use case covered.

API proposal modified, in terms of parameters:

  • input: phoneNumber, lookBackDays, thresholdRatio, method, FraudHotZone, checkType, checkTarget

  • output: anomalyDetected, anomalyDate

Privacy and overlapping with other APIs is addressed in the shared slides, offline validation is required for:

  • Ensuring that @Eric Murray comments are addressed

  • Ensuring that Scam Signal and Customer Insight groups are ok with the scope of this API. Target group should as well be found

  • Review API naming as requested by @Tanja de Groot

Outstanding conversations from the overlap:

  • Scam Signal: There could be some functional overlap, as both aim to detect potential fraud scenarios, but their scope and response models are fundamentally different. Scam Signal focuses solely on checking if the potential victim’s phone number is currently in an active call, leaving fraud suspicion assessment to the API consumer. Fraud Hotzone Reports, instead, analyses recent call/SMS history and directly returns a fraud likelihood assessment from the operator. Are separate APIs, but we could still consider them part of the same Working Group, even if one repo is public and the other private. The main complexity would be meeting management, so for now Fraud Hotzone Reports could start independently since Scam Signal meetings are private.

  • Customer Insights: No functional or scope overlap. Customer Insights delivers a TrustScore and does not identify fraud victims, while Fraud Hotzone Reports serves a completely different purpose with a different data model and fraud detection approach.

Aug 14, 2025: AP: sent to TSC as a part of the same group of Scam Signal, even if the repository is public and the other one is private, and manage the meeting independently, as Scam Signal meetings are private.

Aug 28, 2025:

The main issue is that the API involves highly sensitive data and, as raised by Herbert (DT), it falls into the same category as Scam Signal, meaning it cannot be hosted in CAMARA’s public repository. The suggested approach is to handle it under a confidential GSMA framework or develop it market-specific for Chunghwa. For this reason, the topic has been removed from the TSC agenda until governance is clarified.

AP1: Contact GSMA (e.g., @MarkCornall) to explore private hosting under a confidential framework.
AP2: Validate internally at Chunghwa whether you are comfortable proceeding under GSMA’s confidential model and confirm alignment with local regulatory requirements.

Sep 11, 2025: We continue with the discussion track on scam signal private repository.

  • Governance: Strong feedback (Herbert) emphasized that, given the sensitivity of fraud-detection algorithms, Fraud Hotzone should not be developed as a public CAMARA API but rather in a private GSMA repository (same model as Scam Signal). The discussion on this point is still ongoing.

  • Naming: Agreement to shift from “Alert” to “Reports” to avoid confusion with real-time notification APIs.

MEETING UPDATE: