Part 5 · Privacy, Slicing, Edge, and Special Networks
19 User Privacy in 5G
Hiding who you are — and what's left to leak when you've succeeded
"Encryption hides what you say. Privacy hides that it's you saying it, from here, right now. 5G made huge progress on the second — and it is not finished."
— THE PRIVACY DISTINCTION
5G's headline privacy win is SUCI: your permanent identity no longer crosses the air in clear. But privacy is bigger than identity concealment. Temporary identifiers must rotate, paging must not leak presence, location services must be controlled, and metadata still tells a story. This chapter assembles the full privacy picture — what 5G fixed, what it didn't, and what an operator must still do.
🎯 Learning objectives
Build a 5G privacy threat taxonomy: identity, location, behavior.
State the scope and limits of SUCI.
Explain 5G-GUTI reallocation discipline and paging privacy.
Cover location-service (LCS) privacy.
Identify remaining leaks (capabilities, metadata, side channels) and regulatory obligations.
Purpose: the privacy problem has three faces. 5G largely solved identity; location and behavior need operator action and remain partially open.
FIGURE 19.2 Identity Exposure on the Air — 2G to 5G
Purpose: the one privacy metric where 5G made a generational leap. SUCI drops permanent-identity exposure from "routine" to "never" — but only on SA (Chapter 18).
FIGURE 19.3 SUCI Protection Scope — and Its Limits
Purpose: calibrate expectations. SUCI is a major win, but a network can deploy it perfectly and still leak privacy through GUTIs, location, and metadata.
19.2 5G-GUTI Discipline and Paging Privacy
FIGURE 19.4 5G-GUTI Reallocation — When It Must Happen
Purpose: the discipline that makes GUTIs safe. SUCI hides the permanent ID, but a never-rotated temporary ID becomes the new permanent ID — reallocation is mandatory hygiene.
FIGURE 19.5 Tracking via Stale GUTI — Attack and Defense
Purpose: the concrete GUTI attack. It needs no cryptographic break — just an operator who configured a long reallocation timer "to save signaling."
FIGURE 19.6 Paging Privacy — Temporary Identifiers
Purpose: paging is a privacy surface too. Temporary identifiers protect identity, but stability + small paging areas can still leak presence — another reason rotation matters.
19.3 Location Privacy
FIGURE 19.7 Location Service (LCS) Privacy Architecture
Purpose: where location privacy is enforced. The GMLC gates location requests — authorization plus the subscriber's own privacy settings — so location isn't handed out freely (cf. NEF, Chapter 12).
FIGURE 19.8 IMSI Catcher vs 5G SA — What Still Works
Purpose: an honest scorecard. 5G SA kills the classic IMSI catcher, but downgrade and metadata attacks survive — so privacy is a system property, not a single feature.
19.4 Remaining Leaks
FIGURE 19.9 Capability and Measurement Leakage
Purpose: privacy leaks below the identity layer. Even with SUCI, what a device is and what it measures can partially re-identify or locate it.
FIGURE 19.10 Metadata and Traffic Analysis
Purpose: the frontier of privacy. Traffic analysis works on metadata that encryption can't hide — a reminder that confidentiality and privacy are different goals (Chapter 1).
FIGURE 19.11 Privacy Regulation Mapping for Operators
Purpose: privacy is also a legal obligation. Each regulatory duty maps to a 5G mechanism or operator practice — the technical and the compliance views meet here.
FIGURE 19.12 Operator Privacy Hardening Checklist
Purpose: the privacy job on one card. Identity concealment is step one of eight — the rest are configuration, architecture, and governance.
19.5 The Practical Operator View
Enforce SUCI (no null scheme) and verify GUTI reallocation in real traces — the two foundational identity controls.
Gate LCS at the GMLC with client authorization and subscriber privacy profiles.
Minimize exposed data and metadata at the NEF and in logs (Chapters 12, 26).
Monitor forced downgrades — the main way SUCI's protection is stripped (Chapter 18).
Map technical controls to regulation — privacy is a compliance obligation, not just a feature.
Common misconfiguration risks
SUCI null scheme live (Chapter 4) → identity exposed.
Long GUTI reallocation timers → stale-GUTI tracking.
LCS without proper authorization/privacy profiles → location leakage.
Excessive logging/retention of identity and location data.
Temporary identifiers used in signaling and paging
LCS / GMLC / LMF: Location services / gateway (privacy gate) / location function
traffic analysis: Inferring behavior from metadata despite encryption
Real network example. A privacy NGO tested an operator's 5G SA network and reported it could still track specific subscribers. Investigation showed SUCI was correctly enforced — but the 5G-GUTI reallocation timer was set to 24 hours "to reduce signaling overhead." Because each subscriber kept the same GUTI all day, an observer monitoring paging and signaling could recognize and follow individuals across cells, exactly as in the IMSI-catcher era. The expensive identity-concealment feature was undone by one timer. Fix: reallocate the GUTI on every registration, periodic update, and paging-triggered service request, and add a KPI on GUTI age. Privacy is only as strong as its weakest identifier — and the GUTI is an identifier too.
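One way to compute the GUTI-age KPI and the reallocation check named in the fix above, as an added example that is not part of the original chapter or of any operator tooling. The record layout, UE labels and GUTI values are constructed, and the code assumes an AMF-side trace in which each event can be tied to a subscriber.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Procedures after which the chapter says the 5G-GUTI must be reallocated.
REALLOC_TRIGGERS = {"registration", "periodic_update", "paging_service_request"}

# Constructed sample trace (hypothetical layout, not an Open5GS log format):
# (timestamp, UE label, procedure, 5G-GUTI in use after the procedure)
TRACE = [
    ("2024-01-01T08:00:00", "ue-a", "registration", "guti-a1"),
    ("2024-01-01T08:30:00", "ue-a", "periodic_update", "guti-a2"),
    ("2024-01-01T09:10:00", "ue-a", "paging_service_request", "guti-a3"),
    ("2024-01-01T08:00:00", "ue-b", "registration", "guti-b1"),
    ("2024-01-01T12:00:00", "ue-b", "periodic_update", "guti-b1"),
    ("2024-01-01T20:00:00", "ue-b", "paging_service_request", "guti-b1"),
]

def audit_guti(trace, max_age=timedelta(hours=1)):
    """Return (findings, worst GUTI age per UE) for a list of trace records."""
    current = {}                       # ue -> (guti, time it was first seen)
    worst_age = defaultdict(timedelta)
    stale_reported = set()             # (ue, guti) pairs already alarmed on
    findings = []
    for ts_text, ue, proc, guti in sorted(trace):
        ts = datetime.fromisoformat(ts_text)
        old_guti, since = current.get(ue, (None, ts))
        if old_guti is not None:
            age = ts - since           # how long the previous GUTI has lived
            worst_age[ue] = max(worst_age[ue], age)
            # The same GUTI surviving a trigger procedure means no reallocation.
            if guti == old_guti and proc in REALLOC_TRIGGERS:
                findings.append((ue, "not_reallocated", proc, ts_text))
            # KPI alarm: raised once per GUTI that outlives the threshold.
            if age > max_age and (ue, old_guti) not in stale_reported:
                stale_reported.add((ue, old_guti))
                findings.append((ue, "stale_guti", proc, ts_text))
        if guti != old_guti:
            current[ue] = (guti, ts)   # new GUTI: restart its age clock
    return findings, dict(worst_age)

if __name__ == "__main__":
    findings, worst = audit_guti(TRACE)
    for ue, age in sorted(worst.items()):
        print(f"{ue}: worst GUTI age {age}")
    for finding in findings:
        print("ALERT", *finding)
```

The `max_age` threshold of one hour is an arbitrary value chosen for the sample data; set it from the reallocation policy actually configured on the network.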
Confirm SUCI enforced (no null) with monitoring.
Verify GUTI reallocation in traces; alarm on long GUTI age.
Confirm LCS/GMLC authorization and privacy profiles.
Protect UE capabilities/measurements under security.
Minimize exposed metadata and retained identity/location data.
Map privacy controls to applicable regulation.
★ Chapter Summary
Privacy has three faces: identity (mostly fixed by SUCI), location (needs LCS controls), behavior (metadata — hardest).
SUCI ends cleartext-identity exposure on SA, but a stale 5G-GUTI re-creates tracking — reallocation is mandatory.
Paging uses temporary IDs; stability + small areas can still leak presence.
LCS privacy is enforced at the GMLC (authorization + subscriber profiles).
Remaining leaks — capability fingerprinting, metadata, forced downgrade — mean privacy is a system property of SA + configuration + monitoring + governance.
? Review Questions
Distinguish the three branches of the privacy threat taxonomy with an example of each.
State precisely what SUCI does and does not protect.
Why is GUTI reallocation a privacy requirement, and what attack does a stale GUTI enable?
How does paging preserve privacy, and where can it still leak presence?
Where is location privacy enforced, and what two checks must occur before a position is returned?
Name two privacy leaks that survive perfect SUCI deployment.
Why is traffic analysis the hardest privacy problem?
A network with SUCI enforced still allows subscriber tracking. Diagnose and fix.
🧪 Mini lab — track yourself (ethically)
In an Open5GS + UERANSIM lab (your own UE only): (1) Register a UE and capture the 5G-GUTI. (2) Re-register / trigger updates and check whether the GUTI changes — set a long reallocation timer and confirm it stays the same (the vulnerable state), then a short one and confirm it rotates. (3) Reflect: with a static GUTI, what could an observer of paging/signaling determine about your UE over a day? (4) List which of your captures would leak under encryption anyway (metadata: timing, volume) and which the GUTI rotation fixed. You've now demonstrated that identity concealment and identifier rotation are two separate, both-necessary controls.