Security choices and trade-offs. It will be important to capture trade-offs between security properties of the 5G-ENSURE architecture or supported 5G application scenarios. As noted in Section 6.1, there is an inevitable trade-off between the need for mechanisms to protect privacy and the need to support lawful interception of communications and also lawful access to communications data. Many privacy concerns can obviously be captured by modelling threats to privacy. These will mostly be concerned with unauthorized access to personal data via management services like HLR lookup services, interception of personal data such as the location of individuals, or propagation of personal data in communication context information that may be accessible to applications. These threats can then be analysed and addressed in a given architecture, scenario or application. However, other trust issues may exist that conflict with privacy, and these could also be captured in the form of potential threats. For example, subscribers may expect that if their child goes missing, they can be traced by inspecting communication data generated by their interactions with the mobile network. Failure to meet these expectations would be a threat to trust, though not explicitly to privacy. The relevant countermeasure would be to retain communication data generated by some of the technology components in the network. To do this, one will certainly need additional services that have privileged access to monitor assets involved in transfer of communication content or generation of communication metadata. These services should allow access by authorised agencies to the real-time monitoring streams or to previously stored communication data. Obviously, threats to privacy will then exist representing unauthorized access to these services – in fact making these services highly secure should be a major concern for architects and implementers. In specific scenarios it may make sense to provide more or less of this monitoring, based on the expectations of users, to minimise potential threats to privacy while ensuring the network behaves in ways its users would consider trustworthy.
