TR 33.926 [ 4], clause 5.3.6.7, Personal Identification Information Violation

Data masking on integration analysis about personal data

In accordance with industry best practice..

NWDAF can collect data from OAM, MDAF and/or 5GC NFs (e.g. AMF) etc. for analytics purposes. Since personal data of the users could be involved , there is a potential privacy impact. As the NWDAF can expose its service operations with a request for bulked data, anonymization of data fields shall be applied to avoid exposing undesired information, aggregation levels.

Verify that no privacy-related information of the subscribers is disclosed to any entity who is not authorized to access such information.

Privacy information list (contains e.g. PII, location data, network identifiers, session information; should be specified based on local policy, regulation and others).

NOTE: If user consent check is implemented, user consent for data collection is granted.

The following entities are operational, integrated and simulated:

• NWDAF.

• 'data producer' (NF- or OAM as source for data collection which generates user data containing privacy info, e.g. AMF).

• 'analytics consumer' (NF- or OAM to which the NWDAF exposes analytics).

The data producer is configured to receive and accept subscription requests from the NWDAF for events according to TS 29.552 [6], clause 5.5.1.1.

1. Tester triggers behaviour so that the 'data producer' is required to handle privacy information (e.g. for AMF trigger registration request at UE).

2. The tester sends an Nnwdaf_AnalyticsInfo_Request request message from the 'analytics consumer' to NWDAF according to TS 29.552 [6], clause 5.2.3.1. The request message shall be crafted to capture information from step 1.

3. The tester retrieves the Nnwdaf_AnalyticsInfo_Request response message from the NWDAF.

The analytics results do not reveal subscriber permanent identifier nor any other data listed on the Privacy information list.

Evidence suitable for the interface, e.g. screenshot, pcap trace, log files containing the results.

TR 33.926 [ 4], clause 5.3.6.7, Personal Identification Information Violation

Data masking on integration analysis about personal data

1. Review the documentation provided by the vendor describing how to create the account for accessing the analytics results provided by the NWDAF.

2. The tester creates the account, and retrieves the analytics results from the NWDAF using the account.

TS 33.926 [4], [clause X.Y]{.mark}.

Finding the right NF instance are serving the UE

TS 23.288 [2], clause 6.2.2.1.

To retrieve data related to a specific UE, the NWDAF shall first determine which NF instances are serving this UE as stated in table 4.2.2.1-2 unless the NWDAF has already obtained this information due to recent operations related to this UE.

Table 4.2.2.1-2: NF Services consumed by NWDAF to determine which NF instances are serving a UE

----------------------------------------------------------------------------------------------------------------------------------------------- Type of NF instance (serving the UE) to determine NF to be contacted by NWDAF Service Reference in TS 23.502 [3] ------------------------------------------------------- --------------------------------- ------------------ ---------------------------------- UDM NRF Nnrf_NFDiscovery 5.2.7.3

AMF UDM Nudm_UECM 5.2.3.2

SMF UDM Nudm_UECM 5.2.3.2

BSF NRF Nnrf_NFDiscovery 5.2.7.3

PCF BSF Nbsf_Management 5.2.13.2

NEF NRF Nnrf_NFDiscovery 5.2.7.3 -----------------------------------------------------------------------------------------------------------------------------------------------

"as specified in TS 23.288 [2], clause 6.2.2.1.

Verify that the NWDAF always find a recent NF from operations related to the UE.

Editor's Note: Purpose of test to be clarified.

Test environment with UE, source AMF, and target AMF and UDM. UE, source AMF, target AMF and UDM may be simulated.

The UE is registrated on the source AMF and the UDM, and the NWDAF subscribes analytics A which needs to collect the UE's information on the source AMF.