Tuesday, 2 October 2012

HLR Lookup, IMSI Lookup and Privacy

IMSI Lookup & HLR Lookup reveal data that needs protecting.

Firstly, I'm not a lawyer, but you don't need to be one to understand the issues or the consequences of my opinions in this blog. Hopefully you will have read some of my other posts and got a feel for how companies, good and bad, are using HLR Lookup; if not, please see the links below.
When you use a HLR Lookup service (or IMSI Lookup Service), the data returned to you reveals a number of things:
  1. The Mobile Country Code, and Mobile Network (MCC/MNC) of the home operator.
  2. The Master Switching Center (MSC) of the network node currently providing a service.
  3. Subscriber Status Code (SSC) of the MSISDN queried.
This doesn't sound like much, but the crucial items are the 2nd and 3rd on the list, sometimes known as a full IMSI Lookup. They tell you:
  1. If the user has their phone switched on or off and whether it has been recently activated.
  2. The geographical location of the subscriber to the nearest city, including if the subscriber is roaming abroad.
There are real applications that are blatant abuses of this data and it is surprising that so many HLR Lookup services are still available today without the full authorisation of the Mobile Operator.

There are arguably legitimate services that use Subscriber Status and Geo-location, but these services enabled by HLR Lookup are being increasingly restricted by Mobile Operators as they take increasing measures to lock down any Privacy, Security and Fraud issues in their network. Some examples of these services might be:
  • Mobile Banking - Is the location of the subscriber's mobile phone consistent with other status information known about the bank's customer?
  • Mobile Vouchers - Encourage your customer to visit your branch when they are nearby.
  • Managing Mobile Marketing Lists - Does your customer still use the MSISDN provided?
Please comment on this post if you believe there are other valid use cases or you have any opinions on those used.

What is good practice?

It is not easy for the Mobile Operator to provide these services legitimately. It would require mechanisms to manage the opt-in of subscribers and the organisations authorised to have the information about them. Until such mechanisms are in place, mobile operators are forced to take a tough stance on the availability of this data. Consequently, if you use this information for what you think are legitimate services, then work hard with your supplier to maintain the supply. However, securing the supply of information may be beyond your combined powers and at some point you could get cut off. Perhaps a more robust approach is to work with your suppliers to find an alternate approach to solving your problem.
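
One way such an opt-in mechanism could gate a lookup response, as an added example that is not part of the original post. The field names, organisation ids and sample values are constructed, and releasing the MCC/MNC to every authorised organisation is an assumption.

```python
# Added example. Field names, org ids and sample values are constructed.
HOME_NETWORK = {"mcc", "mnc"}               # list item 1: home operator
SENSITIVE = {"msc", "subscriber_status"}    # list items 2 and 3


class ConsentRegistry:
    """Tracks which sensitive fields a subscriber has opted in to share, per organisation."""

    def __init__(self):
        self._grants = {}

    def opt_in(self, org_id, msisdn, fields):
        unknown = set(fields) - SENSITIVE
        if unknown:
            raise ValueError(f"not an opt-in field: {sorted(unknown)}")
        self._grants[(org_id, msisdn)] = frozenset(fields)

    def opt_out(self, org_id, msisdn):
        self._grants.pop((org_id, msisdn), None)

    def granted(self, org_id, msisdn):
        return self._grants.get((org_id, msisdn), frozenset())


def release(record, org_id, authorised_orgs, registry):
    """Default deny: return only the fields org_id may see for this record."""
    if org_id not in authorised_orgs:
        return {}
    # Assumption: authorised organisations always get the home network;
    # serving node and status need the subscriber's opt-in for that organisation.
    visible = {"msisdn"} | HOME_NETWORK | registry.granted(org_id, record["msisdn"])
    return {k: v for k, v in record.items() if k in visible}


# Constructed lookup result (test-network MCC/MNC, placeholder numbers).
SAMPLE = {"msisdn": "+000000000001", "mcc": "001", "mnc": "01",
          "msc": "+000000000099", "subscriber_status": "active"}

if __name__ == "__main__":
    reg = ConsentRegistry()
    orgs = {"bank-a", "retailer-b"}
    reg.opt_in("bank-a", SAMPLE["msisdn"], {"msc"})
    for org in ("bank-a", "retailer-b", "unknown-c"):
        print(org, release(SAMPLE, org, orgs, reg))
```

An organisation that is not authorised gets nothing, and an authorised one sees the serving node or status only while the subscriber's opt-in for that organisation is in place.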
