Consent Management for IoT APIs

[FabrizioMoggio]

In the IoT Network Optimization API (https://github.com/camaraproject/IoTNetworkOptimization) we have the following use case:

Use case: enablement of IoT Network features (e.g. power saving) for a fleet of devices, typically not associated to a person (M2M).

I don't see User Consent applicable in this scenario so, even if phone numbers are input parameters (and this usually impose using 3Legs) I think this APIs should use 2Legs.

Please consider: camaraproject/IoTNetworkOptimization#10

[eric-murray]

Hi @FabrizioMoggio

The requirement is "where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory". For the IoT use case, I would imagine that the MSISDNs are not considered to be personal data, and hence there is no opt-in requirement or opt-out right. In that case, 2-legged access tokens are fine.

Of course, any implementation that was using MSISDNs to identify the devices would need to ensure that the API did indeed only work for such IoT devices, and not for any MSISDN that the API consumer submits.

[FabrizioMoggio]

the list of MSISDNs, input of the API, must be with a specific profile, such as M2M. This must be checked by the Transformation Function, managed by the API with a specific error return code and well described in the API documentation.

[eric-murray]

... and well described in the API documentation

I think this is the key point. Such a requirement cannot be captured directly by the OAS definition, and so documenting this point well within the OAS definition is key.

Hopefully, at some point in the future, IoT devices can be identified by a more "fine grained" identifier than MSISDN, such as a specific network access identifier (3GPP external id) domain.

[jpengar]

+1. I agree with Eric's comments.