WO2023168620A1 - Method and apparatus for obtaining user consent, device, and storage medium - Google Patents

Publication number
WO2023168620A1
Authority
WO
WIPO (PCT)
Prior art keywords
user consent
user
data
information
authorization
Application number
PCT/CN2022/079889
Other languages
English (en)
Chinese (zh)
Inventor
熊丽晖
甘露
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2022/079889
Publication of WO2023168620A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

Definitions

  • This application relates to the field of wireless communications, and in particular to a method, device, equipment and storage medium for obtaining user consent.
  • the application needs to obtain authorization from the user in order to collect and analyze user data and better provide services to users.
  • the Unified Data Management (UDM) network element maintains user consent parameters as subscription data.
  • the application server requests the network exposure function network element to process user data. If the application server's request to process user data requires user authorization, the network exposure function network element obtains the user consent parameters from the UDM network element and responds to the application server's request based on the user consent parameters.
  • the embodiments of this application provide a method, device, equipment and storage medium for obtaining user consent, which can obtain real-time user consent.
  • the technical solutions are as follows:
  • a method for obtaining user consent is provided, the method is executed by a network device, and the method includes:
  • a user consent authorization response is sent to the application server AS based on the first user consent information and the second user consent information, the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • a method for obtaining user consent is provided.
  • the method is executed by a terminal device, and the method includes:
  • a first user consent authorization request is sent to the network device.
  • the first user consent authorization request includes first user consent information.
  • the first user consent information is used to match the second user consent information to obtain the user consent authorization response, and the second user consent information is stored by the unified data management function UDM.
  • a method for obtaining user consent is provided.
  • the method is executed by the application server AS.
  • the method includes:
  • the user consent authorization response is obtained based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • a method for obtaining user consent is provided, the method is executed by the unified data management function UDM, and the method includes:
  • a data acquisition response is sent to the network device based on the data acquisition request.
  • the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent.
  • the second user consent information is used to obtain a user consent authorization response by matching with the first user consent information, the second user consent information is stored by the UDM, and the first user consent information is sent by the terminal device.
  • a device for obtaining user consent includes:
  • the first sending module is configured to send a user consent authorization response to the application server AS based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • a device for obtaining user consent includes:
  • the second receiving module is used to receive the user's consent authorization request
  • the second sending module is configured to send a first user consent authorization request to the network device based on the user consent authorization request.
  • the first user consent authorization request includes first user consent information, and the first user consent information is used to match the second user consent information to obtain a user consent authorization response, and the second user consent information is stored by the unified data management function UDM.
  • a device for obtaining user consent includes:
  • the third receiving module is used to receive the user consent authorization response sent by the network device.
  • the user consent authorization response is obtained based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device.
  • the second user consent information is stored by the unified data management function UDM.
  • a device for obtaining user consent includes:
  • the fourth receiving module is used to receive a data acquisition request sent by the network device, where the data acquisition request includes the terminal identification and the data type for which the application server AS requests user consent;
  • the fourth sending module is configured to send a data acquisition response to the network device based on the data acquisition request, where the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent,
  • the second user consent information is used to match the first user consent information to obtain a user consent authorization response.
  • the second user consent information is stored by UDM, and the first user consent information is sent by the terminal device.
  • a network device includes: a transceiver; wherein,
  • the transceiver is configured to send a user consent authorization response to the application server AS based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • a terminal device includes: a transceiver; wherein,
  • the transceiver is used to receive user consent authorization requests
  • the transceiver is configured to send a first user consent authorization request to a network device based on the user consent authorization request, where the first user consent authorization request includes first user consent information, and the first user consent information is used to match the second user consent information to obtain a user consent authorization response, and the second user consent information is stored by the unified data management function UDM.
  • an application server includes: a transceiver; wherein,
  • the transceiver is configured to receive a user consent authorization response sent by a network device.
  • the user consent authorization response is obtained based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device.
  • the second user consent information is stored by the unified data management function UDM.
  • a core network device includes: a transceiver; wherein,
  • the transceiver is configured to receive a data acquisition request sent by a network device, where the data acquisition request includes a terminal identification and a data type for which the application server AS requests user consent;
  • the transceiver is configured to send a data acquisition response to a network device based on the data acquisition request, where the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent,
  • the second user consent information is used to match the first user consent information to obtain a user consent authorization response.
  • the second user consent information is stored by the unified data management function UDM.
  • the first user consent information is sent by the terminal device.
  • a computer-readable storage medium is provided, with executable instructions stored in the readable storage medium, and the executable instructions are loaded and executed by a processor to implement the method for obtaining user consent described in the above aspect.
  • a chip is provided.
  • the chip includes programmable logic circuits and/or program instructions.
  • a computer program product which, when run on a processor of a computer device, causes the computer device to execute the method for obtaining user consent described in the above aspect.
  • a user consent mechanism based on dual authorization is used to generate a user consent authorization response. Unlike the static user consent authorization mechanism in related technologies, real-time and dynamic user consent can be obtained through interaction with the terminal side, which makes it easier for the application server to obtain user consent authorization in real time and obtain real-time user data.
  • Figure 1 is a schematic diagram of the system architecture provided by an exemplary embodiment of the present application.
  • Figure 2 is a schematic diagram of a network architecture provided by an exemplary embodiment of the present application.
  • Figure 3 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 4 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 5 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 6 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 7 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 8 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 9 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 10 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 11 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 12 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 13 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 14 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 15 is a flow chart of a method for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 16 is a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 17 is a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 18 is a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 19 is a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • Figure 20 is a schematic structural diagram of a communication device provided by an exemplary embodiment of the present application.
  • Although the terms first, second, etc. may be used in this disclosure to describe various information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other.
  • For example, a first parameter may also be called a second parameter, and similarly, the second parameter may also be called a first parameter.
  • The word "if" as used herein may be interpreted as "when" or "in response to determining".
  • The information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of relevant data need to comply with the relevant laws, regulations and standards of the relevant countries and regions.
  • FIG. 1 shows the architecture of a communication system applicable to the embodiment of the present application.
  • the application architecture includes terminal equipment 10, edge data network (Edge Data Network, EDN) and edge configuration server (Edge Configuration Server, ECS) 20.
  • EDN includes edge application server (Edge Application Server, EAS) 30 and edge enablement server (Edge Enabler Server, EES) 40.
  • the terminal includes an application client (Application Client) 50 and an edge enabler client (Edge Enabler Client, EEC) 60.
  • EDGE-1 is the interface between EES40 and EEC60
  • EDGE-2 is the interface between EES40 and the core network
  • EDGE-3 is the interface between EAS30 and EES40
  • EDGE-4 is the interface between ECS20 and EEC60
  • EDGE-5 is the interface between AC50 and EEC60
  • EDGE-6 is the interface between EES40 and ECS20
  • EDGE-7 is the interface between EAS30 and the core network
  • EDGE-8 is the interface between ECS20 and the core network
  • EDGE-9 is the interface of EES40.
  • EDN Edge Data Network
  • One understanding is that an EDN corresponds to only one data network: it is a special local data network that includes edge enablement functions, can be identified using a Data Network Access Identifier (DNAI) and a data network name (Data Network Name, DNN), and is a network logical concept. Another understanding is that EDN is the counterpart of the central cloud: it can be understood as a local data center, which can be identified using a data network access identifier and can contain multiple local data networks.
  • DNAI Data Network Access Identifier
  • DNN Data Network Name
  • Edge application servers are applications deployed in edge data networks.
  • This edge application may also be called an "application instance". Specifically, it refers to an instance in which a server application (for example, social media software, augmented reality (AR), virtual reality (VR)) is deployed and runs on EDN.
  • An application can deploy one or more EASs in one or more EDNs.
  • EASs deployed and running in different EDNs can be considered as different EASs of one application. They can share a domain name, or they can use a domain name different from that of the application deployed in the cloud, where the domain name can be a fully qualified domain name (Fully Qualified Domain Name, FQDN). They can use an anycast IP address or different IP addresses.
  • FQDN Fully Qualified Domain Name
  • EAS can also be called edge applications (servers), application instances, edge application instances, multi-access edge computing (Multi-access Edge Computing, MEC) applications (servers), EAS functions, etc.
  • the application client is the peer entity of the edge application server on the UE side.
  • the application client is used to obtain application services from the application server.
  • the application client is a client program applied on the terminal side.
  • the application client can connect to an application server on the cloud to obtain application services, or it can connect to an edge application server deployed and running in one or more EDNs to obtain application services.
  • the application client can also be called Edge Application Client (EAC).
  • EAC Edge Application Client
  • EEC is the peer entity of EES on the UE side.
  • EEC is used to register EEC information and application client information with EES, perform security authentication, obtain the IP address of EAS from EES, and provide edge computing enabling capabilities to application clients.
  • the EAS discovery server returns the EAS IP address to the application client.
  • EEC can be a sub-functional module implemented inside AC, or a module integrated in the operating system, or an independent application program.
  • EEC provides AC with edge computing-related functions.
  • EES can provide some enabling capabilities for application instances deployed in EDN, and can better support the deployment of applications in Multi-access Edge Computing (MEC).
  • EES can support the registration of edge applications and the authentication of the UE, and provide the UE with the Internet Protocol (IP) address information of the application instance, etc.
  • EES can further support obtaining the identification and IP address information of the application instance, and further send the identification and IP address information of the application instance to the edge configuration server.
  • EES is deployed in EDN.
  • If an EAS is registered on an EES, or the information of an EAS is configured on an EES through the management system, the EES is called the EES associated with the EAS. The EES controls/manages the EAS registered/configured on the EES.
  • ECS Edge Configuration Server
  • ECS is responsible for providing EES information to UE.
  • ECS can also directly provide application instance information to UE.
  • ECS can also interact with the application's DNS to obtain application instance information, and can further obtain and save application instance and IP address information from other functional entities.
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • WiMAX Worldwide Interoperability for Microwave Access
  • 5G fifth generation
  • 5G New Radio
  • NR New Radio
  • the terminal in the embodiment of this application may refer to a device with wireless transceiver functions, which may be called a terminal, a user equipment (User Equipment, UE), a mobile station (Mobile Station, MS), a mobile terminal (Mobile Terminal, MT), a vehicle-mounted terminal, a remote station, a remote terminal, etc.
  • the specific form of the terminal can be a mobile phone, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wearable device, a tablet (pad), a desktop computer, a notebook computer, an all-in-one computer, and a vehicle-mounted terminal.
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • the terminal can be used in the following scenarios: Virtual Reality (VR), Augmented Reality (AR), industrial control, self-driving, remote medical surgery, smart grid, transportation safety, smart city, smart home, etc.
  • Terminals can be fixed or mobile. It should be noted that the terminal can support at least one wireless communication technology, such as LTE, NR, Wideband Code Division Multiple Access (WCDMA), etc.
  • WCDMA Wideband Code Division Multiple Access
  • the terminal includes a hardware layer, an operating system layer running on the hardware layer, and an application layer running on the operating system layer.
  • This hardware layer includes hardware such as Central Processing Unit (CPU), Memory Management Unit (MMU) and memory (also called main memory).
  • the operating system can be any one or more computer operating systems that implement business processing through processes, such as the Linux, Unix, Android, iOS or Windows operating system.
  • This application layer includes applications such as browsers, address books, word processing software, and instant messaging software.
  • the embodiments of the present application do not specifically limit the structure of the execution subject of the method provided by the embodiments of the present application, as long as a program that records the code of that method can be run to communicate according to the method.
  • computer-readable media may include, but are not limited to: magnetic storage devices (such as hard disks, floppy disks or tapes, etc.), optical disks (such as compact disks (Compact Disc, CD), Digital Versatile Disc (DVD) etc.), smart cards and flash memory devices (e.g., Erasable Programmable Read-Only Memory (EPROM), cards, sticks or key drives, etc.).
  • the various storage media described herein may represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
  • the terminal in the embodiment of the present application can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; it can also be deployed on water; it can also be deployed on aircraft, balloons and satellites in the air.
  • the embodiments of this application do not limit the application scenarios of wireless access network equipment and terminals.
  • FIG. 2 is a schematic diagram of a network architecture to which embodiments of the present application can be applied.
  • the network architecture includes: user equipment 101, radio access network equipment (Radio Access Network, RAN) 102, user plane function (User Plane Function, UPF) network element 103, data network (Data Network, DN) network element 104, access and mobility management function (Access and Mobility Management Function, AMF) network element 105, session management function (Session Management Function, SMF) network element 106, policy control function (Policy Control Function, PCF) network element 107, Unified Data Management (UDM) network element 108, Application Function (AF) network element 109, Unified Data Repository (UDR) network element 110, and network exposure function (Network Exposure Function, NEF) network element 111.
  • RAN Radio Access Network
  • UPF User Plane Function
  • DN data network
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • PCF Policy Control Function
  • UDM Unified Data Management
  • user equipment 101, radio access network equipment 102, UPF network element 103, DN network element 104, AMF network element 105, SMF network element 106, PCF network element 107, UDM network element 108, AF network element 109, UDR network element 110 and NEF network element 111 are respectively abbreviated as UE101, RAN102, UPF103, DN104, AMF105, SMF106, PCF107, UDM108, AF109, UDR110, and NEF111.
  • UE101 mainly accesses the 5G network and obtains services through the wireless air interface.
  • UE101 interacts with RAN102 through the air interface, and interacts with the AMF105 of the core network through non-access layer signaling (Non-Access Stratum, NAS).
  • NAS Non-Access Stratum
  • RAN102 is responsible for air interface resource scheduling and air interface connection management of UE101 access network.
  • UPF103 is responsible for the processing of user data in user equipment, such as forwarding and accounting. For example, UPF103 can receive user data from DN104 and transmit it to UE101 through RAN102, and can also receive user data from UE101 through RAN102 and forward it to DN104.
  • the transmission resources and scheduling functions provided by UPF103 for UE101 are managed and controlled by SMF106.
  • DN104 is an operator network that provides data transmission services to users, such as Internet Protocol (Internet Protocol, IP) Multimedia Service (IP Multi-Media Service, IMS), Internet, etc.
  • IP Internet Protocol
  • IMS IP Multimedia Service
  • UE101 accesses DN104 by establishing a protocol data unit (Protocol Data Unit, PDU) session from UE101 through RAN102 and UPF103 to DN104.
  • PDU Protocol Data Unit
  • AMF105 is mainly responsible for mobility management in mobile networks, such as user location update, user network registration and user handover, etc.
  • SMF106 is mainly responsible for session management in mobile networks, such as session establishment, modification and release, etc. Specific functions include assigning IP addresses to users, selecting UPFs that provide packet forwarding functions, etc.
  • PCF107 is responsible for providing policies to AMF105 and SMF106, such as Quality of Service (QoS) policy, slice selection policy, etc.
  • QoS Quality of Service
  • UDM108 is used to store user data, such as subscription information, authentication/authorization information, etc.
  • AF109 is responsible for providing services to the 3rd Generation Partnership Project (3GPP) network, for example, affecting service routing, interacting with PCF107 for policy control, etc.
  • 3GPP 3rd Generation Partnership Project
  • UDR110 is responsible for storing and retrieving contract data, policy data, public architecture data, etc.
  • NEF111 is used in operator networks to open data in the network to third-party application servers, or to receive data provided by third-party application servers for the network.
  • N1 is the interface between UE101 and AMF105
  • N2 is the interface between RAN102 and AMF105, used for sending NAS messages, etc.
  • N3 is the interface between RAN102 and UPF103, used for transmitting user plane data, etc.
  • N4 is the interface between SMF106 and UPF103, used to transmit information such as tunnel identification information of the N3 connection, data cache indication information, and downlink data notification messages
  • N6 is the interface between UPF103 and DN104, used to transmit user plane data, etc.
  • Nudr is the service-based interface exhibited by UDR110.
  • Namf is the service-based interface exhibited by AMF105.
  • Nsmf is the service-based interface exhibited by SMF106.
  • Nnef is the service-based interface exhibited by NEF111.
  • Npcf is the service-based interface exhibited by PCF107.
  • Nudm is the service-based interface exhibited by UDM108.
  • Naf is the service-based interface exhibited by AF109.
  • interfaces between the network elements shown in Figure 2 may also be point-to-point interfaces rather than service-oriented interfaces.
  • UCF User Consent Function
  • Step 201 AS (Application Server) sends an API (Application Programming Interface) call (invoke) to NEF, requesting the user's sensitive information (user consent), such as location.
  • The API call includes the AS ID and the user ID (Identifier). The user ID is associated with a specific user.
  • Step 202 NEF sends the API call with AS ID and user ID to the NF (Network Function) provider to retrieve user consent information.
  • the NF provider can be an AMF network element or a UDM network element.
  • Step 203 The NF provider checks whether user consent authorization is required according to the local policy, for example, according to the called API. In an optional embodiment, if the call requests the user's sensitive information, the NF provider can check whether user consent is allowed based on local policy. Otherwise, the NF provider may not check user consent if the call requests non-user information or does not require local policy checking.
  • Step 204 If user consent needs to be checked, the NF provider sends a user consent request message with API ID, AS ID and user ID to UCF.
  • Step 205 UCF checks whether user consent is allowed.
  • UCF can push application requests to users (terminal devices) through the application layer to obtain user consent.
  • UCF can also push an SMS (Short Message Service) message to the user associated with the MISDN (Mobile Integrated Services Digital Network).
  • SMS Short Message Service
  • MISDN Mobile Integrated Services Digital Network
  • UCF will return the result to the NF provider.
  • UCF may store user consent for future use.
  • Step 206 UCF sends a user consent response to the NF provider, and the user consent response includes the authorization result (authorization or rejection).
  • Step 207 If the authorization result indicates that user consent is granted (authorized), the NF provider responds to the API call; otherwise it cancels the API call.
  • UDM maintains user consent parameters as subscription data.
  • the method includes the following steps:
  • Step 301 AS sends an API call to NEF/CAPIF (Common API Framework for 3GPP Northbound APIs) to request processing of user data.
  • CAPIF Common API Framework for 3GPP Northbound APIs
  • the API call comes with AF ID and GPSI (Generic Public Subscription Identifier), which means that AF requires NEF/CAPIF to retrieve the location of the UE identified by GPSI.
  • Step 302 NEF/CAPIF determines whether the called service needs to check user consent according to the operator's local policy, for example, whether supervision is required, whether the called service is used to process users' personal information, etc. If there is no need to check user consent, steps 303 to 306 can be skipped.
  • Step 303 If there are no relevant user consent parameters in the UE context, NEF/CAPIF calls the Nudm_SDM_Get request service to obtain the relevant user consent parameters. Otherwise, steps 304 to 305 may be skipped.
  • Step 304 NEF/CAPIF sends a Nudm_SDM_Get request message to UDM.
  • the message contains the UE ID, which may include the purpose of data processing and the data processor ID.
  • the UE ID can be SUPI (Subscription Permanent Identifier), and NEF/CAPIF obtains SUPI through GPSI analysis.
  • the purpose of data processing refers to what actions are performed on user data to achieve the goal.
  • the data processor ID can be an AF ID, parsed from the AF ID in the API call.
  • Step 305 UDM sends a Nudm_SDM_Get response message to NEF/CAPIF and returns the requested user consent parameters, including the user consent result (authorization result).
  • Step 306 NEF/CAPIF determines whether to authorize the API call based on the user consent parameters. For example, if the API call is to query the user's private information, NEF/CAPIF uses the AF ID and data processing purpose to identify the user consent result. If the user consent result for the data processing purpose is not allowed, NEF/CAPIF will deny AF's request for specific reasons. If the user consent result for the data processing purpose is allowed, NEF/CAPIF accepts AF's request. If there is no clear user consent result, NEF/CAPIF can decide to reject or accept AF's request according to the operator's local policy. In addition, if the user consent result for the data processing purpose is allowed, NEF/CAPIF uses the Nudm_SDM_Subscribe service to subscribe to user consent parameter change events on UDM to maintain unexpired user consent parameters.
  • the user consent parameters maintained by UDM include: UE ID, data processor ID, data processing purpose and user consent result.
  • the UE ID can be SUPI.
  • Data processor ID refers to the data processor that processes data for the UE, which can be an AF ID, or more general: for example, "3rd party" (third party) is the third-party application ID, or "all" is the third-party application ID or operator ID.
  • the purpose of data processing is the final goal achieved by processing user data, which refers to what actions are performed on user data to achieve what goal.
  • the result of user consent is whether the data processor agrees to process the data according to the purpose of data processing.
  • Step 307 NEF/CAPIF responds to the API call based on the result of step 306.
  • the related technology also provides a method for revoking user consent.
  • user consent (user consent information/user consent parameters) is stored in UDM as part of the UE subscription data. If there is a request for revocation or modification of the user's consent, UDM initiates the revocation/modification procedure in the network.
  • the premise of this method is that the data consumer or intermediate NF (such as NWDAF (Network Data Analytics Function)/NEF) subscribes to the UDM's user consent revocation service, such as the Nudm_SDM_notification service.
  • Another prerequisite is that any NF that obtains user consent from UDM registers with this user consent revocation service.
  • “Subscription Data Type” is set to "User Consent to Subscription Data” and "Data Key for Each Subscription Data Type" is set to "SUPI".
  • Step 401 UDM updates the subscription information based on the user's user consent revocation request. Users can request to withdraw their user-specific consent corresponding to user data, such as location, identity.
  • Step 402a UDM sends a Nudm_SDM_Notify message to the intermediate NF, which includes UE ID, processor ID (processing identification), purpose of processing (data processing purpose), and user consent result.
  • UE ID is related to user ID, such as SUPI, GPSI.
  • Processor ID refers to the identification of the data processor that processes data for the UE, which can be a PLMN (Public Land Mobile Network, Public Land Mobile Network) ID, AF ID, or more general, such as "third party" or "all”.
  • the purpose of processing is associated with the withdrawn service.
  • the result of user consent refers to whether the data processor agrees to process the data according to the purpose of processing, such as: permission or disallowance.
  • Step 403 After receiving the request, the intermediate NF deletes the data agreed by the user. If the intermediate NF has data processing functions such as analysis and collection, the intermediate NF stops processing the data agreed by the user.
  • If the data consumer accesses the data provider through the intermediate NF, the intermediate NF also sends a user consent revocation request message to the data consumer. After the data consumer receives the user consent revocation request, it deletes the data covered by the user consent. If the intermediate NF has data processing functions, such as analysis and collection, the intermediate NF stops processing the data covered by the user consent.
  • Step 402b UDM directly sends the Nudm_SDM_Notify message to the data consumer.
  • These include UE ID, processor ID, purpose of processing, and user consent results.
  • After receiving the request, the data consumer deletes the data covered by the user consent. If the intermediate NF has data processing functions, such as analysis and collection, the intermediate NF stops processing the data covered by the user consent.
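The check in steps 301 to 307 and the revocation in steps 401 to 403 interact through the consent parameters cached in the UE context. The following Python sketch is an added example, not code from the patent: `ToyUDM`, `ExposureFunction`, the cache policy, the lookup precedence for the general processor IDs and all sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOWED, NOT_ALLOWED = "allowed", "not allowed"
GENERAL_IDS = ("3rd party", "all")  # general data processor IDs named in the text


@dataclass(frozen=True)
class ConsentParam:
    """User consent parameters maintained by UDM, as listed in the text."""
    ue_id: str         # SUPI
    processor_id: str  # AF ID, or one of GENERAL_IDS
    purpose: str       # data processing purpose
    result: str        # user consent result


class ToyUDM:
    """Constructed in-memory stand-in for UDM; not a real Nudm client."""

    def __init__(self):
        self.records = {}
        self.subscribers = {}

    def sdm_get(self, supi, processor_id, purpose):
        # Assumption: the most specific processor ID wins over the general ones.
        for pid in (processor_id,) + GENERAL_IDS:
            param = self.records.get((supi, pid, purpose))
            if param is not None:
                return param
        return None

    def sdm_subscribe(self, supi, callback):
        subs = self.subscribers.setdefault(supi, [])
        if callback not in subs:
            subs.append(callback)

    def update(self, param):
        """Store a grant or revocation and notify subscribers (Steps 401/402)."""
        self.records[(param.ue_id, param.processor_id, param.purpose)] = param
        for callback in self.subscribers.get(param.ue_id, []):
            callback(param)


class ExposureFunction:
    """NEF/CAPIF-like enforcement point (hypothetical class)."""

    def __init__(self, udm, accept_when_unknown=False):
        self.udm = udm
        self.accept_when_unknown = accept_when_unknown  # operator local policy
        self.ue_context = {}   # cached consent parameters
        self.held_data = {}    # user data held per (SUPI, AF ID, purpose)
        self.udm_lookups = 0

    def on_notify(self, param):
        """Nudm_SDM_Notify handler: drop cached consent, delete data on revocation."""
        for key in set(self.ue_context) | set(self.held_data):
            supi, af_id, purpose = key
            if (supi, purpose) != (param.ue_id, param.purpose):
                continue
            if param.processor_id in GENERAL_IDS or param.processor_id == af_id:
                self.ue_context.pop(key, None)      # force a fresh UDM lookup
                if param.result != ALLOWED:
                    self.held_data.pop(key, None)   # Step 403: delete the data

    def handle_api_call(self, af_id, supi, purpose, needs_consent=True):
        key = (supi, af_id, purpose)
        if needs_consent:                           # Step 302
            param = self.ue_context.get(key)
            if param is None:                       # Steps 303 to 305
                self.udm_lookups += 1
                param = self.udm.sdm_get(supi, af_id, purpose)
                if param is not None and param.result == ALLOWED:
                    # Assumption: only cache what the subscription keeps fresh.
                    self.ue_context[key] = param
                    self.udm.sdm_subscribe(supi, self.on_notify)
            if param is None:                       # no clear result
                permitted = self.accept_when_unknown
            else:
                permitted = param.result == ALLOWED
            if not permitted:
                return "rejected"
        self.held_data.setdefault(key, []).append("constructed-sample")
        return "accepted"


def run_demo():
    udm = ToyUDM()
    supi, purpose = "imsi-001010000000001", "location-analytics"  # constructed
    udm.update(ConsentParam(supi, "all", purpose, ALLOWED))
    nef = ExposureFunction(udm)
    results = [nef.handle_api_call("af-1", supi, purpose),
               nef.handle_api_call("af-1", supi, purpose)]  # served from cache
    lookups_before = nef.udm_lookups
    udm.update(ConsentParam(supi, "all", purpose, NOT_ALLOWED))  # revocation
    data_after = dict(nef.held_data)
    results.append(nef.handle_api_call("af-1", supi, purpose))
    results.append(nef.handle_api_call("af-1", supi, "model-training"))
    return results, lookups_before, data_after
```

Without the subscription made on an allowed result, the cached parameter would keep authorizing calls after the user withdraws consent.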
  • FIG 6 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • the network device can be an EES in the communication system shown in Figure 1, or it can be NEF in the network architecture shown in Figure 2, or it can be the execution entity of AIML (Artificial Intelligence Machine Learning).
  • the method includes the following steps.
  • the EES acts as the execution entity agreed by the user. If EES is within the trusted domain of the 5GC service and there is NEF, EES can act as an execution entity agreed by the user, and NEF can also act as an execution entity agreed by the user. Otherwise, if the EES is not within the trusted domain of the 5GC service, the NEF acts as the user-consented execution entity. If the AS is an AIML application server, the network device is the execution entity of AIML.
  • Step 210 Send a user consent authorization response to the AS based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • the AS in the embodiment of this application may be an EAS, or the AS may be an AIML application server.
  • the first user consent information is user consent information obtained by the terminal device from end users (end-users) in real time.
  • Real-time acquisition means that the network device obtains the information from the terminal device in real time; it does not mean that the first user consent information must be obtained by the terminal device in real time.
  • the first user consent information is the user consent information stored in the terminal device, or the first user consent information is the user consent information of the end user collected by the terminal device in real time.
  • the end user may also be called a user.
  • the terminal device collects and generates the first user consent information, and sends the first user consent information to the network device. For example, the terminal device stores the first user consent information.
  • the first user consent information includes: terminal identification and data processing purpose (which may also be called a subkey of the data) fields.
  • the first user consent information also includes at least one of the following fields: AS identification (EAS identification/AIML identification), data type, authorization result, allowed processing time, and data processing granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time during which user data is allowed to be processed; the data processing granularity is used to indicate the level of granularity at which user data is allowed to be processed.
  • the first user consent information may be one user consent information sent by one terminal device, or may be multiple user consent information sent by multiple terminal devices.
  • when the first user consent information is multiple pieces of user consent information respectively corresponding to multiple terminal devices, the second user consent information also consists of multiple pieces, in one-to-one correspondence with the first user consent information.
  • the second user consent information is user consent information stored in UDM.
  • the second user consent information includes a data key and a data processing purpose field, and the data key includes SUPI.
  • the second user consent information also includes: at least one field of data type, authorization result, allowed processing time, and data processing fine granularity.
  • the data type includes: at least one of location information, terminal identification, image information, gesture information, face information, permission to take photos or record videos, permission to make calls or local recording, and permission to read and write photos or files.
  • the second user consent information stored in the UDM may be sent by the operator, sent by the application server, and updated according to the third user consent information in the user consent authorization response.
  • the operator and the application server can change the second user consent information stored in the UDM based on the charging service purchased by the end user, for example, change the length of the allowed processing time in the second user consent information based on the service duration purchased by the end user.
  • the network device generates third user consent information based on the dual authorization of the first user consent information and the second user consent information, and sends a user consent authorization response to the AS.
  • the user consent authorization response includes the third user consent information.
  • the third user consent information includes terminal identification and data processing purpose fields.
  • the third user consent information also includes at least one field among AS identification, data type, authorization result, allowed processing time, and data processing fine granularity.
  • the user consent authorization response also includes: at least one field of authorization result and processing identification, and the processing identification is used to indicate the purpose of data processing.
  • the embodiment of this application involves two types of user consent:
  • first user consent information (also known as terminal-side user consent information);
  • user consent information stored on the network side in UDM (second user consent information, or network-side user consent information).
  • [user consent info] UE side is the user consent parameter generated by the terminal device in response to the edge application server (EAS)/AIML application server requesting processing of user data.
  • [user consent info] network side stores user consent parameters as subscription data at UDM, and UDM provides subscription notification services. These are user consent parameters stored for specific data processing purposes.
  • the UE ID may include the UE's SUCI (Subscription Concealed Identifier, subscription encryption identification), GUTI (Globally Unique Temporary UE Identity, globally unique temporary UE identification) and other identity indicators for the UE.
  • EAS ID is the identification of the EAS requesting user consent (such as the identification of applications such as SA6Video and SA6Game).
  • AIML ID is the identification of the AIML application server requesting user consent.
  • the data type is user data that involves user privacy when exposing data to edge applications.
  • data types include at least one of: UE location information (UE location), UE identity (GPSI), UE image information, UE gesture information, UE face information, permissions for taking photos and recording videos on the UE (camera permissions), permissions for the UE to make calls or local recordings (microphone permissions), and permissions to read and write photos and files on the UE.
  • the data in the data type field may be a data type ID. For example, if the data type is 01, it means that the data type is the location information of the UE.
  • the authorization result is used to indicate whether processing of user data is authorized.
  • the purpose of data processing is the purpose of processing user data by edge applications.
  • the purpose of data processing includes but is not limited to the following processing methods: collecting data, analyzing data, sharing data, and training models (for example, providing it to NWDAF for model training).
  • Different data processing methods correspond to different data processing purposes.
  • the data in the data processing purpose field may be the data processing purpose ID. For example, if the data processing purpose is 00, it means that the data processing purpose is to collect data.
  • Allowed processing time is used to indicate the processing time during which edge applications are allowed to process user data, including but not limited to: only allowing processing once (that is, the edge application requires authorization from the user for each request to process user data), allowing continuous processing of user data within a period of time, and the processing time.
  • Data processing granularity is the specific allowed processing for a specific data type. For example, if an edge application requests to collect the location information (UE location) of the end user (terminal device), the fine-grained data processing may include an indication of the UE's positioning accuracy (for example, whether the UE is allowed to be positioned within a specific distance range).
  • the method provided by this embodiment uses the user consent information on the terminal side and the user consent information on the network side stored in UDM to generate a user consent authorization response based on a dual authorization user consent mechanism.
  • Unlike the static user consent authorization mechanism in related technologies, it can obtain real-time and dynamic user consent through interaction with the terminal side, making it easy for the application server to obtain user consent authorization in real time and obtain real-time user data.
  • FIG 8 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • the terminal device can be a terminal device in the communication system shown in Figure 1. It may also be a UE in the network architecture shown in Figure 2.
  • AC and EEC are running in the terminal device, and the method can be executed by AC or EEC.
  • the method includes the following steps.
  • Step 220 Receive user consent authorization request.
  • the user consent authorization request includes a second user consent authorization request or a fourth user consent authorization request.
  • the terminal device receives the second user consent authorization request sent by the AS, and the second user consent authorization request is used to request authorization to obtain user consent.
  • the terminal device receives the fourth user consent authorization request sent by the network device.
  • the fourth user consent authorization request is sent by the network device based on the third user consent authorization request sent by the AS.
  • the third user consent authorization request is used to request to obtain user consent.
  • the fourth user consent authorization request is used to request to obtain the first user consent information.
  • the user consent authorization request includes at least one of the AS identification, the data type requested by the AS, the data processing purpose requested by the AS, the user data processing time requested by the AS, and the certificate of the AS.
  • AS can be EAS or AIML application server.
  • Step 230 Send a first user consent authorization request to the network device based on the user consent authorization request.
  • the first user consent authorization request includes first user consent information.
  • the first user consent information is used to match the second user consent information to obtain user consent authorization.
  • the second user consent information is stored by UDM.
  • the terminal device receives the user consent authorization request and sends a first user consent authorization request to the network device based on the user consent authorization request.
  • the first user consent authorization request includes the first user consent information.
  • the method provided by this embodiment uses the user consent information on the terminal side and the user consent information on the network side stored in UDM to generate a user consent authorization response based on a dual authorization user consent mechanism.
  • Unlike the static user consent authorization mechanism in related technologies, it can obtain real-time and dynamic user consent through interaction with the terminal side, which makes it easy for the application server to obtain user consent authorization in real time and obtain real-time user data.
  • FIG 9 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • This method can be applied to an application server.
  • the application server can be an EAS or an AIML application server in the communication system shown in Figure 1.
  • The method includes the following steps.
  • Step 240 Receive the user consent authorization response sent by the network device.
  • the user consent authorization response is obtained based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the UDM.
  • the AS sends a second user consent authorization request to the terminal device to initiate the user consent acquisition process.
  • the AS sends a third user consent authorization request to the network device to initiate the user consent acquisition process.
  • the network device receives the third user consent authorization request sent by the AS.
  • the third user consent authorization request is used to request authorization to obtain the user's consent;
  • the third user consent authorization request includes at least one of the following fields: the terminal identification, the AS identification, the data type for which the AS requests the user's consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and the AS's certificate.
  • the network device sends a fourth user consent authorization request to the terminal device based on the third user consent authorization request.
  • the fourth user consent authorization request is used to request to obtain the first user consent information;
  • the fourth user consent authorization request includes the AS identification and the AS requesting user consent.
  • the method provided by this embodiment uses the user consent information on the terminal side and the user consent information on the network side stored in UDM to generate a user consent authorization response based on a dual authorization user consent mechanism.
  • Unlike the static user consent authorization mechanism in related technologies, it can obtain real-time and dynamic user consent through interaction with the terminal side, making it easy for the application server to obtain user consent authorization in real time and obtain real-time user data.
  • FIG 10 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • This method can be applied to UDM, and the UDM can be the UDM in the network architecture shown in Figure 2.
  • the method includes the following steps.
  • Step 250 Receive the data acquisition request sent by the network device.
  • the data acquisition request includes the terminal identification and the data type that the application server AS requests the user to agree to.
  • after receiving the first user consent authorization request sent by the terminal device, the network device sends a data acquisition request to the UDM according to the terminal identification and data processing purpose in the first user consent information, to obtain the second user consent information stored in the UDM that corresponds to the terminal identification and data processing purpose.
  • Step 260 Send a data acquisition response to the network device based on the data acquisition request.
  • the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent.
  • the second user consent information is used to agree with the first user.
  • the method provided by this embodiment uses the user consent information on the terminal side and the user consent information on the network side stored in UDM to generate a user consent authorization response based on a dual authorization user consent mechanism.
  • Unlike the static user consent authorization mechanism in related technologies, it can obtain real-time and dynamic user consent through interaction with the terminal side, making it easy for the application server to obtain user consent authorization in real time and obtain real-time user data.
  • the edge application server sends a user consent authorization request for user data that needs to be processed to a specific application client (AC) in the UE through data transmission at the application layer.
  • the UE sends the first user consent information to the Edge Enablement Server (EES) of the edge data network through the Edge Enablement Client (EEC).
  • the EES obtains the second user consent information stored in the unified data management function (UDM) in the 5G core network.
  • the EES determines whether to authorize the EAS to process this type of user data.
  • EES/NEF can also update the second user consent information stored in the UDM.
  • Figure 11 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • Taking the case where the AS is an EAS as an example, this method can be applied to the communication system shown in Figure 1.
  • the method includes the following steps.
  • the AS is EAS and the network device is EES/NEF.
  • the EAS in this embodiment can also be replaced by an AIML application server, and correspondingly, the network device can be the execution entity of AIML.
  • This embodiment provides support based on the edge enablement layer.
  • Step 501 EAS sends a second user consent authorization request to the UE through data transmission at the application layer, which includes the EAS identification (EAS ID) that provides the application service (such as the SA6Video and SA6Game applications), the data type requested to be processed, the requested data processing purpose, the processing time of the requested user data, and the certificate of the EAS.
  • the UE verifies the certificate of the EAS. After the verification is successful, it queries the locally stored first user consent information based on the second user consent authorization request. For example, the terminal locally stores the historically generated first user consent information; or the terminal collects the user consent information of the end user to obtain the first user consent information.
  • If the UE finds the locally stored first user consent information according to the user consent authorization request, the UE sends the first user consent authorization request to the network device. Or, if the UE does not find the locally stored first user consent information according to the user consent authorization request, it obtains the first user consent information by collecting the user consent information of the end user, and then sends the first user consent authorization request to the network device.
  • Step 502a If the authorization is not agreed, the UE returns an authorization failure indication to the EAS.
  • When the authorization result in the first user consent information indicates that authorization is not agreed, the terminal device sends an authorization failure indication to the AS.
  • Step 502b If the authorization is agreed, user consent information (first user consent information) on the UE side can be generated based on the query results, as shown in Table 1.
  • the UE uses the TLS session key between the EEC and EES to derive the integrity key (K_EDGEint) and the encryption key (K_EDGEenc).
  • Use K_EDGEint to generate the verification value MAC, and use K_EDGEenc to encrypt the message.
  • the UE generates an EDGE container (edge information set).
  • the edge information set includes, under encryption and integrity protection, at least one of: the EAS ID, the UE ID (such as SUCI, 5G-GUTI), the authorization result confirming authorization, the data type requested by the EAS, the data processing purpose requested by the EAS, the processing time of the requested user data, and the user consent information generated by the UE on the UE side (first user consent information).
  • the UE sends the first user consent authorization request to EES/NEF.
  • the terminal device sends a first user consent authorization request to the network device.
  • the network device receives the first user consent authorization request sent by the terminal device, and the first user consent authorization request includes the first user consent information generated by the terminal device.
  • the first user consent authorization request includes an edge information set
  • the edge information set includes the first user consent information.
  • the edge information set also includes at least one field of the data type requested by the AS from the user, the purpose of data processing requested by the AS, and the user data processing time requested by the AS.
  • the edge information set in the first user consent authorization request is encrypted, or is integrity protected, or is both encrypted and integrity protected.
  • the edge information set is encrypted using an encryption key, which is obtained based on the TLS session key between the terminal device and the network device.
  • the input string consists of the following parameters:
  • L0 length of algorithm type distinguisher(i.e.0x00 0x01)(length of algorithm type distinguisher)
  • L1 length of algorithm identity(i.e.0x00 0x01)(length of algorithm identity)
  • the algorithm used is the encryption algorithm, the algorithm identifier is N-EDGE-enc-alg, and the input values are shown in Table 3.
  • the input key KEY is the TLS session key between EEC and EES, and the encryption key is output.
  • the edge information set is then encrypted using the encryption key: the input key is the encryption key K_EDGEenc, the input parameters include the length of the required keystream, and the output is the keystream.
  • the keystream is XORed with the plaintext, and the ciphertext is obtained.
  • the ciphertext will be transmitted between EEC and EES.
  • the receiver uses the same encryption algorithm and encryption key to generate a key stream, and XORs it with the ciphertext to recover the corresponding plaintext.
  • the check value is used to check the integrity of the edge information set.
  • the check value is obtained using the integrity key.
  • the integrity key is obtained based on the TLS session key between the terminal device and the network device.
  • the input string consists of the following parameters:
  • L0 length of algorithm type distinguisher(i.e.0x00 0x01)(length of algorithm type distinguisher)
  • L1 length of algorithm identity(i.e.0x00 0x01)(length of algorithm identity)
  • the algorithm used is the integrity protection algorithm, the algorithm identifier is N-EDGE-int-alg, and the input values are shown in Table 4.
  • the input key KEY is the TLS session key between EEC and EES, and the output is the integrity key.
  • the integrity key is then used to generate the check value of the edge information set: the input key is the integrity key K_EDGEint, and the input parameters include the message (edge information set) that needs to be protected and the length of the message.
  • the output is the check value MAC.
  • the receiver uses the same integrity protection algorithm and integrity key to generate the verification value XMAC, and verifies the integrity of the received message by verifying whether the MAC and XMAC are equal.
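The protection of the edge information set described above (two keys derived from the TLS session key, keystream XOR, MAC compared with XMAC) can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA-256 stands in for the key derivation function, the keystream generator and the integrity algorithm, none of which this text names; the `FC` byte, the distinguisher and identity values, the `count` field and computing the MAC over the ciphertext are all assumptions.

```python
import hashlib
import hmac
import json

FC = b"\x00"            # placeholder; the real value is not given in this text
ALG_TYPE_ENC = b"\x01"  # placeholder for the N-EDGE-enc-alg distinguisher
ALG_TYPE_INT = b"\x02"  # placeholder for the N-EDGE-int-alg distinguisher
ALG_ID = b"\x01"        # placeholder algorithm identity

# Constructed sample container; "01" and "00" are the data type and purpose
# IDs the text uses as examples (location information, collecting data).
SAMPLE_CONTAINER = {"eas_id": "SA6Video", "ue_id": "suci-constructed-1",
                    "data_type": "01", "purpose": "00",
                    "authorization_result": "authorized"}


def derive_key(tls_session_key, alg_type, alg_id):
    """Input string: distinguisher, its 2-byte length, identity, its 2-byte length."""
    s = (FC + alg_type + len(alg_type).to_bytes(2, "big")
         + alg_id + len(alg_id).to_bytes(2, "big"))
    return hmac.new(tls_session_key, s, hashlib.sha256).digest()


def keystream(key, count, length):
    """Stand-in keystream generator (HMAC in counter mode), for illustration only."""
    out, block = b"", 0
    while len(out) < length:
        data = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, data, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def compute_mac(k_int, count, message):
    """MAC over the per-message count, the message length and the message."""
    header = count.to_bytes(4, "big") + len(message).to_bytes(4, "big")
    return hmac.new(k_int, header + message, hashlib.sha256).digest()


def protect(tls_session_key, count, container):
    """Sender side (UE/EEC): encrypt the container, then compute the MAC."""
    k_enc = derive_key(tls_session_key, ALG_TYPE_ENC, ALG_ID)
    k_int = derive_key(tls_session_key, ALG_TYPE_INT, ALG_ID)
    plaintext = json.dumps(container, sort_keys=True).encode()
    ciphertext = xor_bytes(plaintext, keystream(k_enc, count, len(plaintext)))
    return {"count": count, "ciphertext": ciphertext,
            "mac": compute_mac(k_int, count, ciphertext)}


def unprotect(tls_session_key, message):
    """Receiver side (EES/NEF): recompute XMAC and decrypt only if it matches."""
    k_enc = derive_key(tls_session_key, ALG_TYPE_ENC, ALG_ID)
    k_int = derive_key(tls_session_key, ALG_TYPE_INT, ALG_ID)
    xmac = compute_mac(k_int, message["count"], message["ciphertext"])
    # Constant-time comparison; a keystream XOR alone gives no integrity.
    if not hmac.compare_digest(xmac, message["mac"]):
        return None
    ciphertext = message["ciphertext"]
    plaintext = xor_bytes(ciphertext,
                          keystream(k_enc, message["count"], len(ciphertext)))
    return json.loads(plaintext)
```

The `count` input keeps the keystream different for each message under one TLS session key; reusing a keystream for two containers would expose the XOR of their plaintexts.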
  • Step 503 EES/NEF uses the TLS session key with the UE to generate the encryption key and integrity key, decrypts the EDGE container (edge information set), and verifies the validity of the check value MAC. After the verification is successful, a Nudm_SDM_GET Request (data acquisition request) is sent to UDM, which contains the UE ID. If the EES already has the second user consent information, steps 503 to 505 can be omitted.
  • Step 504 EES/NEF sends Nudm_SDM_GET Request (data acquisition request) to UDM.
  • the data acquisition request contains the UE ID and the data type of the request processing.
  • EES/NEF sends a data acquisition request to UDM.
  • the data acquisition request includes the terminal identification and the data type for which the AS requests user consent.
  • Step 505 The UDM obtains the SUPI according to the UE ID, and uses the SUPI and the data type of the request processing to retrieve the second user consent information [user consent info] network side that it stores.
  • Step 506 UDM sends Nudm_SDM_GET Response (data acquisition response) to EES/NEF, which contains [user consent info] network side.
  • EES/NEF receives the data acquisition response sent by UDM, and the data acquisition response includes the second user consent information.
  • Step 507 EES/NEF determines whether to authorize the user consent requested by the EAS based on the user consent information on the network side and the UE side. Generate authorization response for user consent.
  • Step 601 EES/NEF checks the UE ID of [user consent info] network side and [user consent info] UE side in sequence (that is, whether the UE ID in the first user consent information and the data key in the second user consent information are Match), data type, and data processing purpose are consistent. If there is an inconsistency, step 602 is executed: EES/NEF returns a failed user consent retrieval message to the UDM, and can re-obtain user consent information (second user consent information) on the network side through steps 504 to 506 again.
  • the first user consent information includes terminal identification, data type, and data processing purpose fields
  • the second user consent information includes data key, data type, and data processing purpose fields
  • the third user consent information is determined based on the terminal identification, data key, and data type.
  • EES/NEF sends a user consent authorization response to AS.
  • EES/NEF sends a user consent retrieval failure message to UDM.
  • Step 603 EES/NEF further checks the allowed processing time of both. If the processing time on the UE side is shorter than the processing time on the network side, the processing time on the UE side is used. If the processing time on the UE side is longer than the processing time on the network side, EES/NEF considers whether the service supports increasing the user's allowed processing time. For example, when the service is a charging service or a service-restricted service and the user's allowed processing time cannot be increased, the allowed processing time on the network side (the second allowed processing time) is used; when the user's allowed processing time can be increased, the allowed processing time on the terminal side (the first allowed processing time) can be used.
  • the first user consent information also includes the first allowed processing time
  • the second user consent information also includes the second allowed processing time
  • the third allowed processing time includes the first allowed processing time
  • the third allowed processing time includes the first allowed processing time or the second allowed processing time. In this case, whether the third allowed processing time is the first allowed processing time or the second allowed processing time is determined based on the business requirements and the selection strategy.
  • Step 604 EES/NEF checks the data processing fine granularity. If the user consent information on the UE side and the network side is inconsistent, the data processing fine granularity is selected based on the specific configuration, instance or the special needs of the end user. For example, if the UE-side [user consent info] contains a positioning accuracy actively changed by the end user, that positioning accuracy is determined as the third data processing fine granularity.
  • the first user consent information also includes the first data processing fine granularity
  • the second user consent information also includes the second data processing fine granularity
  • the user consent authorization response includes the third data processing fine granularity
  • the third data processing fine granularity includes the first data processing fine granularity or the second data processing fine granularity.
  • whether the third data processing fine granularity adopts the first data processing fine granularity or the second data processing fine granularity is determined based on specific configurations, instances, or end-user needs.
  • Step 605 EES/NEF determines whether to authorize or not.
  • the decision on whether to authorize can be based on the selection process of steps 601 to 604. If there are unmatched items, for example the UE side requests more user consent processing time for a time-based charging service, the authorization result is no. The authorization result is also no when the authorization result in the network-side [user consent info] received by EES/NEF is no. The decision can also be based on specific regional policies and configurations.
  • the user consent authorization response includes the first authorization result; the first authorization result is determined based on the matching result of the first user consent information and the second user consent information.
  • the first authorization result is not authorized. Or, when the authorization result in the first user consent information/second user consent information is not authorized, the first authorization result is not authorized. In the case where the matching result includes a match between the first user consent information and the second user consent information, the first authorization result is authorization.
  • the matching process and results may refer to the above steps 601 to 604.
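The checks of steps 601 to 605 can be read as one decision function. The sketch below is an added example, not code from the application; the field names, the policy flags, the UE-ID-to-SUPI lookup table and the use of seconds for the allowed processing time are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Consent:
    subject: str        # UE ID (UE side) or data key / SUPI (network side)
    data_type: str
    purpose: str        # data processing purpose
    authorized: bool    # authorization result carried in the consent info
    allowed_time: int   # allowed processing time, seconds (assumed unit)
    granularity: str    # data processing fine granularity
    user_changed_granularity: bool = False  # UE side only (assumed flag)


@dataclass(frozen=True)
class Policy:
    allow_time_increase: bool   # False for charging or restricted services
    deny_on_unmatched: bool     # unmatched items lead to "not authorized"
    default_granularity_side: str = "network"  # used when the user set none


@dataclass(frozen=True)
class Response:
    status: str                     # authorized / not_authorized / retrieval_failure
    third: Optional[Consent] = None  # third user consent information
    unmatched: Tuple[str, ...] = ()


def decide(ue: Consent, net: Consent, supi_of_ue: Dict[str, str],
           policy: Policy) -> Response:
    # Step 601: UE ID vs. data key, data type and purpose must agree.
    if (supi_of_ue.get(ue.subject) != net.subject
            or ue.data_type != net.data_type
            or ue.purpose != net.purpose):
        # Step 602: report retrieval failure; caller may redo steps 504-506.
        return Response("retrieval_failure")

    unmatched = []
    # Step 603: the shorter UE-side time always wins; a longer UE-side time
    # is accepted only if the service allows increasing it.
    if ue.allowed_time <= net.allowed_time or policy.allow_time_increase:
        third_time = ue.allowed_time
    else:
        third_time = net.allowed_time
        unmatched.append("allowed_processing_time")

    # Step 604: on a granularity conflict, a value actively changed by the
    # end user takes precedence; otherwise configuration decides.
    if ue.granularity == net.granularity or ue.user_changed_granularity:
        third_gran = ue.granularity
    elif policy.default_granularity_side == "ue":
        third_gran = ue.granularity
    else:
        third_gran = net.granularity

    # Step 605: either side saying "no", or an unmatched item under a
    # strict policy, yields "not authorized".
    authorized = (ue.authorized and net.authorized
                  and not (unmatched and policy.deny_on_unmatched))
    third = Consent(ue.subject, ue.data_type, ue.purpose, authorized,
                    third_time, third_gran)
    status = "authorized" if authorized else "not_authorized"
    return Response(status, third, tuple(unmatched))


# Constructed sample data.
SUPI_OF_UE = {"ue-001": "imsi-001010000000001"}
UE_SIDE = Consent("ue-001", "location information", "data analysis",
                  True, 7200, "10 m", user_changed_granularity=True)
NET_SIDE = Consent("imsi-001010000000001", "location information",
                   "data analysis", True, 3600, "100 m")
CHARGING = Policy(allow_time_increase=False, deny_on_unmatched=True)
FLEXIBLE = Policy(allow_time_increase=True, deny_on_unmatched=True)

if __name__ == "__main__":
    for name, pol in (("charging", CHARGING), ("flexible", FLEXIBLE)):
        r = decide(UE_SIDE, NET_SIDE, SUPI_OF_UE, pol)
        print(name, r.status, r.third.allowed_time, r.third.granularity)
```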
  • Step 508a EES/NEF returns the user consent authorization response to EAS, which contains the authorization result, the processing ID (including at least one of data sharing, data collection, and data analysis) and the user consent info (third user consent information).
  • the user consent authorization response includes third user consent information
  • the third user consent information includes the terminal identification field and the purpose of data processing.
  • the third user consent information also includes at least one field of AS identification, data type, authorization result, allowed processing time, and data processing fine granularity; wherein the AS identification includes the identification of the AS requesting the user's consent; the allowed processing time includes the processing time allowed for processing user data; the data processing fine granularity is used to indicate how granularly user data is allowed to be processed.
  • the user consent authorization response also includes: at least one of the authorization result and the processing identifier.
  • the processing identifier is used to indicate the purpose of data processing.
  • Step 508b EES/NEF initiates Nnef_ParameterProvision_Create/Update to update the user consent information (second user consent information) stored in UDM.
  • EES/NEF sends a first update message to UDM.
  • the first update message includes third user consent information.
  • the first update message is used to update the second user consent information stored in UDM.
  • the UDM updates the second user consent information stored in itself according to the third user consent information in the first update message, and obtains the updated second user consent information.
  • the first user consent information in the terminal can also be updated synchronously: EES/NEF sends a second update message to the terminal device, the second update message includes the third user consent information, and the second update message is used to update the first user consent information stored in the terminal device to obtain updated first user consent information.
  • the terminal device updates the first user consent information stored in itself according to the third user consent information in the second update message, and obtains the updated first user consent information.
  • EAS can use the authorized user consent to start collecting and processing data subjects from the UE, or to collect and process data subjects from data providers in the network (such as AMF, SMF) through EES/NEF.
  • the method provided by this embodiment provides a detailed design of user consent, that is, the format and specific content of the user consent stored on the terminal side and the network side, including the legal time (allowed processing time) of user consent, the data processing fine granularity, etc.
  • the method provided in this embodiment is based on the mechanism of dual authorization of user consent on the terminal side and the network side. Unlike a static user consent authorization mechanism, real-time and dynamic user consent can be obtained through interaction with the terminal side, which makes it easier for edge applications to obtain real-time user data.
  • the user consent acquisition process can also be initiated by the EAS to the EES.
  • Figure 13 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application.
  • Taking AS including EAS as an example, this method can be applied to the communication system shown in Figure 1.
  • step 501 may be replaced by step 801 and step 802.
  • Step 801 EAS sends a third user consent authorization request to EES/NEF, which includes the EAS identification (EAS ID) of the application service provided (such as the SA6Video or SA6Game application), the type of data requested to be processed, the purpose of the requested data processing, the requested processing time of user data, and the certificate of EAS.
  • EAS sends the third user consent authorization request to EES/NEF through data transmission at the edge enablement layer, or EAS uses the network CAPIF (Common API Framework, common capability opening framework) to send the third user consent authorization request to EES/NEF.
  • EES/NEF receives the third user consent authorization request sent by the AS.
  • the third user consent authorization request is used to request authorization to obtain user consent; the third user consent authorization request includes the terminal identification, AS identification, and the data type for which the AS requests user consent.
  • EES/NEF verifies whether the third user consent authorization request requires obtaining the user consent information on the terminal side. If so, step 802 is performed. If not, as shown in Figure 14, step 504 is performed directly to obtain the user consent information on the network side.
  • step 507 is replaced by step 803: EES/NEF determines whether to authorize the user consent requested by EAS based on the second user consent information, obtains the third user consent information, and sends the user consent authorization response to EAS. The user consent authorization response includes the third user consent information.
  • Step 802 EES/NEF sends a fourth user consent authorization request to the terminal device based on the third user consent authorization request.
  • the fourth user consent authorization request is used to request acquisition of the first user consent information.
  • the fourth user consent authorization request includes the AS identifier, the data type requested by the AS for user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and at least one field in the certificate of the AS.
  • the fourth user consent authorization request includes a second edge information set.
  • the second edge information set includes an AS identifier, the data type requested by the AS for user consent, the purpose of data processing requested by the AS, the user data processing time requested by the AS, and at least one field in the certificate of the AS.
  • the second edge information set in the fourth user consent authorization request is encrypted, or is integrity protected, or is both encrypted and integrity protected.
  • EES/NEF encrypts the second edge information set to obtain an encrypted second edge information set, and the fourth user consent authorization request includes the encrypted second edge information set.
  • EES/NEF uses the integrity protection algorithm to obtain the second check value of the second edge information set, and the fourth user consent authorization request also includes the second check value.
  • After receiving the fourth user consent authorization request, the terminal device decrypts the encrypted second edge information set to obtain the second edge information set. After receiving the fourth user consent authorization request, the terminal device performs integrity verification on the second edge information set based on the second check value.
  • After successful verification, the terminal device obtains the first user consent information based on the information in the second edge information set, and sends the first user consent authorization request to EES/NEF.
  • the first user consent authorization request includes the first user consent information.
  • For the step of the terminal device sending the first user consent authorization request, refer to the explanation of step 502b in the embodiment shown in Figure 11. That is, the edge information set in the first user consent authorization request sent by the terminal device to EES/NEF is encrypted and/or integrity protected.
  • the method provided by this embodiment provides a detailed design of user consent, that is, the format and specific content of the user consent stored on the terminal side and the network side, including the allowed processing time and the data processing fine granularity of the user consent, etc.
  • the method provided in this embodiment is based on the mechanism of dual authorization of user consent on the terminal side and the network side. Unlike a static user consent authorization mechanism, real-time and dynamic user consent can be obtained through interaction with the terminal side, which makes it easier for edge applications to obtain real-time user data.
  • the embodiment of this application also provides a method for revoking user consent.
  • the UE revokes the user's consent to the edge application.
  • the EEC in the UE sends a user consent revocation request to EES/NEF, which includes the UE ID and the revoked user consent information.
  • EES/NEF should immediately stop collecting the data subject covered by the user consent and, based on the locally stored user consent information, notify other relevant data consumers, such as EAS, to stop collecting and processing the user data.
  • EES/NEF further initiates UDM update of user consent information.
  • Figure 15 shows a flow chart of a method for obtaining user consent provided by an embodiment of the present application. Taking AS including EAS as an example, this method can be applied to the communication system shown in Figure 1. The method includes the following steps.
  • Step 701 Based on user operations or changes in local user consent parameters, the UE sends a user consent revocation request (first user consent revocation request) to EES/NEF, which contains UE ID and user consent information.
  • the UE sends a first user consent revocation request to the network device.
  • the first user consent revocation request includes the terminal identification and user consent information.
  • EES/NEF receives the first user consent revocation request sent by the terminal device.
  • the first user consent revocation request includes the terminal identification and user consent information.
  • the user consent information includes the first user consent information, or the updated first user consent information.
  • the first user consent revocation request includes the updated first user consent information.
  • the first user consent revocation request includes the first user consent information.
  • Step 702 EES/NEF stops collecting the user data (data subject) based on the user consent information and the corresponding processing ID. According to local policies, the data may be deleted, isolated, or temporarily retained.
  • EES/NEF stops collecting and processing the user data indicated by the first user consent revocation request. For example, EES/NEF deletes the user data according to local policies; or isolates the user data; or temporarily retains the user data.
  • Step 703a EES/NEF sends user consent revocation requests to these data consumers (such as EAS, NWDAF) based on the locally stored data consumer information related to the user consent.
  • EES/NEF sends a second user consent revocation request to the data consumer corresponding to the user consent information.
  • the second user consent revocation request includes the terminal identification and user consent information.
  • Step 703b EES/NEF initiates Nnef_ParameterProvision_Update/Delete or sends a user consent revocation message to UDM through EDGE-2, the interface of EES connected to the core network, to update the user consent information stored in UDM.
  • EES/NEF sends a user consent revocation message to UDM, and the user consent revocation message is used to update the second user consent information stored in UDM.
  • Step 704 The consumer network element that receives the user consent revocation needs to stop collecting and processing the data subject. According to local policies, the user data may be deleted, isolated, or temporarily retained.
  • AS stops collecting and processing the user data indicated by the second user consent revocation request.
  • AS deletes user data according to local policies; or, isolates user data; or, temporarily retains user data.
  • the method provided by this embodiment introduces a user consent revocation mechanism actively triggered by the UE, which facilitates the user's dynamic management of user data involving user consent.
  • the steps performed by the AS/EAS in the embodiment of this application can also be performed by the NWDAF network element.
  • Figure 16 shows a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • the device can be implemented as a network device, or can be implemented as a part of a network device.
  • the device includes:
  • the first sending module 901 is configured to send a user consent authorization response to the application server AS based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • the first user consent information includes: terminal identification and data processing purpose fields.
  • the first user consent information also includes: at least one field among AS identification, data type, authorization result, allowed processing time, and data processing fine granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time allowed for processing user data; and the data processing fine granularity is used to indicate the granularity at which user data is allowed to be processed.
  • the second user consent information includes a data key and a data processing purpose field
  • the data key includes a subscription permanent identifier SUPI.
  • the second user consent information also includes: at least one field of data type, authorization result, allowed processing time, and data processing fine granularity; wherein the allowed processing time includes the processing time allowed for processing user data; the data processing fine granularity is used to indicate how granularly the user data is allowed to be processed.
  • the data types include: location information, terminal identification, image information, gesture information, face information, permission to take photos or record videos, permission to make calls or local recording, and read and write photos or files. At least one of the permissions.
  • the first user consent information includes terminal identification, data type, and data processing purpose fields;
  • the second user consent information includes a data key, the data type, and the data processing purpose field;
  • the first sending module 901 is configured to send the user consent authorization response to the AS when it is determined, according to the terminal identification, the data key, and the data type, that the data processing purposes in the first user consent information and the second user consent information are consistent.
  • the first sending module 901 is configured to send a user consent retrieval failure message to the UDM when it is determined, according to the terminal identification, the data key, and the data type, that the data processing purposes in the first user consent information and the second user consent information are inconsistent.
  • the first user consent information further includes a first allowed processing time
  • the second user consent information further includes a second allowed processing time
  • the user consent authorization response includes a third allowed processing time; when the first allowed processing time is not greater than the second allowed processing time, the third allowed processing time includes the first allowed processing time; when the first allowed processing time is greater than the second allowed processing time, the third allowed processing time includes the first allowed processing time or the second allowed processing time.
  • the first user consent information further includes a first data processing fine granularity
  • the second user consent information further includes a second data processing fine granularity
  • the user consent authorization response includes a third data processing fine granularity; the third data processing fine granularity includes the first data processing fine granularity or the second data processing fine granularity.
  • the user consent authorization response includes a first authorization result; the first authorization result is determined based on the matching result of the first user consent information and the second user consent information.
  • the user consent authorization response includes third user consent information; the third user consent information includes terminal identification and data processing purpose fields.
  • the third user consent information also includes at least one field among AS identification, data type, authorization result, allowed processing time, and data processing fine granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time allowed for processing user data; the data processing fine granularity is used to indicate the level of granularity at which user data is allowed to be processed.
  • the user consent authorization response further includes: at least one field of an authorization result and a processing identification, where the processing identification is used to indicate the purpose of data processing.
  • the first sending module 901 is configured to send a first update message to the UDM, where the first update message includes the third user consent information, and the first update message is used to update the second user consent information stored in the UDM.
  • the first sending module 901 is configured to send a second update message to the terminal device, where the second update message includes the third user consent information, and the second update message is used to update the first user consent information stored in the terminal device to obtain updated first user consent information.
  • the apparatus further includes: a first receiving module 902, configured to receive a first user consent authorization request sent by the terminal device, where the first user consent authorization request includes the first user consent information generated by the terminal device.
  • the first user consent authorization request includes an edge information set, the edge information set includes the first user consent information; the edge information set also includes at least one field among the data type for which the AS requests user consent, the data processing purpose requested by the AS, and the user data processing time requested by the AS.
  • the edge information set is encrypted using an encryption key.
  • the encryption key is obtained based on the Transport Layer Security (TLS) session key between the terminal device and the network device.
  • the first user consent authorization request also includes a check value; the check value is used to check the integrity of the edge information set; the check value is obtained by using the integrity key; the integrity key is obtained based on the Transport Layer Security (TLS) session key between the terminal device and the network device.
  • the device further includes: a first receiving module 902, configured to receive a third user consent authorization request sent by the AS, where the third user consent authorization request is used to request authorization to obtain the user consent; the third user consent authorization request includes a terminal identification, an AS identification, the data type requested by the AS for user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and at least one field in the AS's certificate.
  • the first sending module 901 is configured to send a fourth user consent authorization request to the terminal device based on the third user consent authorization request, where the fourth user consent authorization request is used to request to obtain the first user consent information; the fourth user consent authorization request includes an AS identification, the data type requested by the AS for user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and at least one field in the AS's certificate.
  • the device further includes: the first sending module 901, configured to send a data acquisition request to the UDM, where the data acquisition request includes a terminal identification and the data type for which the AS requests user consent; the first receiving module 902 is used to receive the data acquisition response sent by the UDM, where the data acquisition response includes the second user consent information.
  • the apparatus further includes: a first receiving module 902, configured to receive a first user consent revocation request sent by the terminal device, where the first user consent revocation request includes a terminal identification and user consent information; the first stop module 904 is used to stop collecting and processing the user data indicated by the first user consent revocation request; wherein the user consent information includes the first user consent information, or the updated first user consent information.
  • the device further includes: a first storage module 903 for deleting the user data; or a first storage module 903 for isolating the user data; or a first storage module 903 for temporarily retaining the user data.
  • the first sending module 901 is configured to send a second user consent revocation request to the data consumer corresponding to the user consent information, where the second user consent revocation request includes a terminal identification and the user consent information.
  • the first sending module 901 is configured to send a user consent revocation message to the UDM, where the user consent revocation message is used to update the second user consent information stored in the UDM.
  • the network device includes an edge enablement server EES, a network exposure function NEF, or an execution entity of AIML.
  • the AS includes an edge application server EAS or an AIML application server.
  • Figure 17 shows a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • the device can be implemented as a terminal device, or implemented as a part of the terminal device.
  • the device includes:
  • the second receiving module 906 is used to receive the user consent authorization request
  • the second sending module 905 is configured to send a first user consent authorization request to the network device based on the user consent authorization request, where the first user consent authorization request includes first user consent information, and the first user consent information is used to A user consent authorization response is obtained by matching with the second user consent information, and the second user consent information is stored by the unified data management function UDM.
  • the first user consent information includes: terminal identification and data processing purpose fields.
  • the first user consent information also includes: at least one field among application server AS identification, data type, authorization result, allowed processing time, and data processing fine granularity; wherein the AS identification includes the identification of the AS requesting the user's consent; the allowed processing time includes the processing time allowed for processing user data; and the data processing fine granularity is used to indicate the granularity at which user data is allowed to be processed.
  • the second user consent information includes a data key and a data processing purpose field
  • the data key includes a subscription permanent identifier SUPI.
  • the second user consent information also includes: at least one field of data type, authorization result, allowed processing time, and data processing fine granularity; wherein the allowed processing time includes the processing time allowed for processing user data; the data processing fine granularity is used to indicate how granularly the user data is allowed to be processed.
  • the data types include: location information, terminal identification, image information, gesture information, face information, permission to take photos or record videos, permission to make calls or local recording, and read and write photos or files. At least one of the permissions.
  • the user consent authorization request includes a second user consent authorization request or a fourth user consent authorization request;
  • the first receiving module 902 is configured to receive the second user consent authorization request sent by the application server AS, where the second user consent authorization request is used to request authorization to obtain the user's consent; or, the first receiving module 902 is used to receive the fourth user consent authorization request sent by the network device, where the fourth user consent authorization request is sent by the network device based on the third user consent authorization request sent by the AS.
  • the third user consent authorization request is used to request authorization to obtain the user's consent.
  • the fourth user consent authorization request is used to request to obtain the first user consent information.
  • the user consent authorization request includes an AS identification, the data type for which the AS requests user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and at least one field in the certificate of the AS.
  • the AS includes an edge application server EAS or an AIML application server.
  • the first user consent authorization request includes an edge information set, and the edge information set includes the first user consent information; the edge information set also includes at least one field among: the data type for which the application server AS requests user consent, the data processing purpose requested by the AS, and the user data processing time requested by the AS.
  • the edge information set is encrypted using an encryption key.
  • the encryption key is obtained based on the Transport Layer Security (TLS) session key between the terminal device and the network device.
  • the first user consent authorization request also includes a check value; the check value is used to check the integrity of the edge information set; the check value is obtained by using the integrity key, and the integrity key is obtained based on the Transport Layer Security (TLS) session key between the terminal device and the network device.
  • the device further includes: a second acquisition module 907, configured to query the locally stored first user consent information according to the user consent authorization request; the second sending module 905, configured to send the first user consent authorization request to the network device; or, the second acquisition module 907, configured to query the locally stored first user consent information according to the user consent authorization request, where the first user consent information is obtained by collecting the user consent of the end user; the second sending module 905, configured to send the first user consent authorization request to the network device.
  • the second sending module 905 is configured to send the first user consent authorization request to the network device when the authorization result in the first user consent information includes consent to authorization.
  • the second sending module 905 is configured to send an authorization failure indication to the AS when the authorization result in the first user consent information includes disapproval of authorization.
  • the user consent authorization response includes third user consent information, and the third user consent information is obtained based on the first user consent information and the second user consent information;
  • the device further includes: the second receiving module 906, configured to receive a second update message sent by the network device, where the second update message includes the third user consent information; a second update module 908, configured to update the first user consent information according to the third user consent information to obtain the updated first user consent information.
  • the second sending module 905 is configured to send a first user consent revocation request to the network device, where the first user consent revocation request includes a terminal identification and user consent information; wherein the user consent information includes the first user consent information, or the updated first user consent information.
  • the network device includes an edge enablement server EES, a network exposure function NEF, or an execution entity of AIML.
  • Figure 18 shows a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • the device can be implemented as an application server, or implemented as part of an application server.
  • the device includes:
  • the third receiving module 910 is used to receive a user consent authorization response sent by the network device.
  • the user consent authorization response is obtained based on the first user consent information and the second user consent information.
  • the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • the first user consent information includes: terminal identification and data processing purpose fields.
  • the first user consent information also includes at least one field among AS identification, data type, authorization result, allowed processing time, and data processing granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time allowed for processing user data; and the data processing granularity indicates the level of granularity at which the user data is allowed to be processed.
  • the second user consent information includes a data key and a data processing purpose field, and the data key includes a subscription permanent identifier SUPI.
  • the second user consent information also includes at least one field among data type, authorization result, allowed processing time, and data processing granularity; wherein the allowed processing time includes the processing time allowed for processing user data; and the data processing granularity indicates the level of granularity at which the user data is allowed to be processed.
  • the data types include at least one of: location information, terminal identification, image information, gesture information, face information, permission to take photos or record videos, permission to make calls or record locally, and permission to read and write photos or files.
  • the user consent authorization response includes third user consent information; the third user consent information includes terminal identification and data processing purpose fields.
  • the third user consent information also includes at least one field among AS identification, data type, authorization result, allowed processing time, and data processing granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time allowed for processing user data; and the data processing granularity indicates the level of granularity at which the user data is allowed to be processed.
  • the user consent authorization response further includes: at least one of an authorization result and a processing identifier, where the processing identifier is used to indicate the purpose of data processing.
  • the apparatus further includes: a third sending module 909, configured to send a second user consent authorization request to the terminal device, where the second user consent authorization request is used to request to obtain user consent.
  • the second user consent authorization request includes at least one field among: the AS identification, the data type for which the AS requests user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and the certificate of the AS.
  • the apparatus further includes: a third sending module 909, configured to send a third user consent authorization request to the network device, where the third user consent authorization request is used to request authorization of the user's consent; the third user consent authorization request includes at least one field among: a terminal identification, an AS identification, the data type for which the AS requests user consent, the data processing purpose requested by the AS, the user data processing time requested by the AS, and the certificate of the AS.
  • the device further includes: a third processing module, configured to collect and process user data using the authorized user consent when the authorization result in the user consent authorization response includes consent to authorization.
  • the third receiving module 910 is configured to receive an authorization failure indication sent by the terminal device, where the authorization failure indication is sent by the terminal device when the authorization result in the first user consent information includes disapproval of authorization.
  • the apparatus further includes: the third receiving module 910, configured to receive a second user consent revocation request sent by the network device, where the second user consent revocation request includes a terminal identification and user consent information; the third stop module 912, configured to stop collecting and processing the user data indicated by the second user consent revocation request; wherein the user consent information includes the first user consent information, or the updated first user consent information.
  • the device further includes: a third storage module 911, configured to delete the user data; or, the third storage module 911, configured to isolate the user data; or, the third storage module 911, configured to temporarily retain the user data.
  • the network device includes an edge enablement server EES, a network exposure function NEF, or an execution entity of AIML.
  • the AS includes an edge application server EAS or an AIML application server.
  • Figure 19 shows a structural block diagram of a device for obtaining user consent provided by an exemplary embodiment of the present application.
  • the device can be implemented as a core network device, or can be implemented as a part of the core network device.
  • the device includes:
  • the fourth receiving module 914 is used to receive a data acquisition request sent by the network device.
  • the data acquisition request includes the terminal identification and the data type for which the application server AS requests the user's consent.
  • the fourth sending module 913 is configured to send a data acquisition response to the network device based on the data acquisition request.
  • the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent.
  • the second user consent information is used to match the first user consent information to obtain a user consent authorization response; the second user consent information is stored by the UDM, and the first user consent information is sent by the terminal device.
  • the first user consent information includes: terminal identification and data processing purpose fields.
  • the first user consent information also includes at least one field among AS identification, data type, authorization result, allowed processing time, and data processing granularity; wherein the AS identification includes the identification of the AS requesting user consent; the allowed processing time includes the processing time allowed for processing user data; and the data processing granularity indicates the level of granularity at which the user data is allowed to be processed.
  • the second user consent information includes a data key and a data processing purpose field, and the data key includes a subscription permanent identifier SUPI.
  • the second user consent information also includes at least one field among data type, authorization result, allowed processing time, and data processing granularity; wherein the allowed processing time includes the processing time allowed for processing user data; and the data processing granularity indicates the level of granularity at which the user data is allowed to be processed.
  • the data types include at least one of: location information, terminal identification, image information, gesture information, face information, permission to take photos or record videos, permission to make calls or record locally, and permission to read and write photos or files.
  • the first user consent information includes terminal identification, data type and data processing purpose fields; the second user consent information includes the data key, the data type and the data processing purpose field.
  • the fourth receiving module 914 is configured to receive a failure message for retrieving user consent sent by the network device, where the failure message for retrieving user consent is sent by the network device when it determines, based on the terminal identification, the data key and the data type, that the data processing purposes in the first user consent information and the second user consent information are inconsistent.
  • the user consent authorization response includes third user consent information obtained based on the first user consent information and the second user consent information, and the device further includes: a fourth receiving module 914, configured to receive an update message sent by the network device, where the update message includes the third user consent information; a fourth update module 915, configured to update the second user consent information based on the third user consent information.
  • the device further includes: a fourth receiving module 914, configured to receive a user consent revocation message sent by the network device; a fourth update module 915, configured to update the second user consent information according to the user consent revocation message.
  • the network device includes an edge enablement server EES, a network exposure function NEF, or an execution entity of AIML.
  • the AS includes an edge application server EAS or an AIML application server.
  • Figure 20 shows a schematic structural diagram of a communication device (terminal device or network device) provided by an exemplary embodiment of the present application.
  • the communication device includes: a processor 1001, a receiver 1002, a transmitter 1003, a memory 1004 and a bus 1005.
  • the processor 1001 includes one or more processing cores.
  • the processor 1001 executes various functional applications and information processing by running software programs and modules.
  • the receiver 1002 and the transmitter 1003 can be implemented as a communication component, and the communication component can be a communication chip.
  • the memory 1004 is connected to the processor 1001 through a bus 1005.
  • the memory 1004 can be used to store at least one instruction, and the processor 1001 is used to execute the at least one instruction to implement each step in the above method embodiment.
  • memory 1004 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to: magnetic or optical disks, electrically erasable programmable read-only memory (Electrically-Erasable Programmable Read Only Memory, EEPROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), static random access memory (Static Random Access Memory, SRAM), read-only memory (Read-Only Memory, ROM), magnetic memory, flash memory, programmable read-only memory (Programmable Read-Only Memory, PROM).
  • the processor and transceiver in the communication device involved in the embodiment of the present application can perform the steps performed by the terminal device in any of the methods shown in Figures 6-15. No further details will be given here.
  • when the communication device is implemented as a terminal device, the transceiver is configured to receive a user consent authorization request; the transceiver is configured to send a first user consent authorization request to the network device based on the user consent authorization request; the first user consent authorization request includes first user consent information; the first user consent information is used to match the second user consent information to obtain a user consent authorization response; and the second user consent information is stored by the unified data management function UDM.
  • the processor and transceiver in the communication device involved in the embodiment of the present application can perform the steps performed by the network device in any of the methods shown in Figures 6-15. No further details will be given.
  • the transceiver is configured to send a user consent authorization response to the application server AS based on the first user consent information and the second user consent information; the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • the processor and transceiver in the communication device involved in the embodiment of the present application can perform the steps performed by the application server in any of the methods shown in Figures 6-15. No further details will be given.
  • when the communication device is implemented as an application server, the transceiver is configured to receive a user consent authorization response sent by the network device, where the user consent authorization response is obtained based on the first user consent information and the second user consent information, the first user consent information is sent by the terminal device, and the second user consent information is stored by the unified data management function UDM.
  • the processor and transceiver in the communication device involved in the embodiment of the present application can perform the steps performed by the core network device in any of the methods shown in Figures 6-15, which will not be described again here.
  • when the communication device is implemented as a core network device, the transceiver is configured to receive a data acquisition request sent by the network device, where the data acquisition request includes a terminal identification and the data type for which the application server AS requests user consent; the transceiver is configured to send a data acquisition response to the network device based on the data acquisition request, where the data acquisition response includes second user consent information corresponding to the terminal identification and the data type for which the AS requests user consent; the second user consent information is used to match the first user consent information to obtain a user consent authorization response, the second user consent information is stored by the unified data management function UDM, and the first user consent information is sent by the terminal device.
  • a computer-readable storage medium is also provided, in which at least one instruction, at least one program, a code set or an instruction set is stored, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the method for obtaining user consent executed by the communication device provided by each of the above method embodiments.
  • a chip is also provided. The chip includes programmable logic circuits and/or program instructions. When the chip is run on a computer device, it is used to implement the method for obtaining user consent described in the above aspect.
  • a computer program product is also provided. When the computer program product is run on a processor of a computer device, the computer device performs the method for obtaining user consent described in the above aspect.
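The check value on the edge information set and the matching of the first user consent information against the second user consent information held by the UDM, sketched as an added example that is not code from the application. Assumptions: HMAC-SHA256 for both the key derivation and the check value, the JSON field names, the terminal-identification-to-SUPI lookup and all sample values are constructed here; encryption of the edge information set is left out.

```python
import hashlib
import hmac
import json

def derive_key(tls_session_key: bytes, label: bytes) -> bytes:
    # Assumed derivation: HMAC-SHA256 over a purpose label, keyed by the TLS session key.
    return hmac.new(tls_session_key, label, hashlib.sha256).digest()

def check_value(integrity_key: bytes, edge_info: dict) -> str:
    # Canonical JSON so that terminal and network device authenticate identical bytes.
    data = json.dumps(edge_info, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(integrity_key, data, hashlib.sha256).hexdigest()

def build_first_request(tls_session_key: bytes, edge_info: dict) -> dict:
    """Terminal side: attach the check value to the edge information set."""
    ik = derive_key(tls_session_key, b"integrity")
    return {"edge_information_set": edge_info, "check_value": check_value(ik, edge_info)}

def fail(reason: str) -> dict:
    return {"authorization_result": "failure", "reason": reason}

def handle_first_request(tls_session_key, request, udm_records, supi_by_terminal):
    """Network device side: verify integrity, then match first against second consent."""
    ik = derive_key(tls_session_key, b"integrity")
    edge = request["edge_information_set"]
    if not hmac.compare_digest(check_value(ik, edge), request.get("check_value", "")):
        return fail("integrity check failed")
    first = edge["first_user_consent"]
    supi = supi_by_terminal.get(first["terminal_id"])      # data key of the UDM record
    second = udm_records.get((supi, first["data_type"]))
    if second is None:
        return fail("no consent record in UDM")
    if second["purpose"] != first["purpose"]:
        return fail("data processing purpose inconsistent")
    if "consent" not in (first["authorization_result"], second["authorization_result"]) \
            or first["authorization_result"] != second["authorization_result"]:
        return fail("consent not granted")
    return {"authorization_result": "consent", "terminal_id": first["terminal_id"],
            "data_type": first["data_type"], "purpose": first["purpose"]}

# Constructed sample data (not taken from the application).
TLS_SESSION_KEY = b"constructed-tls-session-key-0001"
SUPI_BY_TERMINAL = {"ue-constructed-01": "imsi-001010000000001"}
UDM_RECORDS = {("imsi-001010000000001", "location"):
               {"purpose": "edge-service-optimisation", "authorization_result": "consent"}}

def sample_edge_info(purpose: str) -> dict:
    return {"first_user_consent": {"terminal_id": "ue-constructed-01",
                                   "data_type": "location", "purpose": purpose,
                                   "authorization_result": "consent"},
            "as_data_type": "location", "as_purpose": purpose}

def run_samples():
    args = (UDM_RECORDS, SUPI_BY_TERMINAL)
    ok = handle_first_request(
        TLS_SESSION_KEY,
        build_first_request(TLS_SESSION_KEY, sample_edge_info("edge-service-optimisation")),
        *args)
    # Modified after the check value was computed: must be rejected.
    tampered_req = build_first_request(TLS_SESSION_KEY,
                                       sample_edge_info("edge-service-optimisation"))
    tampered_req["edge_information_set"]["first_user_consent"]["purpose"] = "advertising"
    tampered = handle_first_request(TLS_SESSION_KEY, tampered_req, *args)
    # Valid check value, but the purpose differs from the record stored by the UDM.
    mismatch = handle_first_request(
        TLS_SESSION_KEY,
        build_first_request(TLS_SESSION_KEY, sample_edge_info("advertising")), *args)
    return ok, tampered, mismatch

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The integrity check runs before any consent field is read, so a modified purpose or data type is rejected without being compared against the UDM record.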

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A method and apparatus for obtaining user consent, a device, and a storage medium, which relate to the field of wireless communications. The method is applied to a network device and comprises: sending a user consent authorization response to an application server (AS) on the basis of first user consent information and second user consent information, the first user consent information being sent by a terminal device and the second user consent information being stored by a unified data management function (UDM) (210). According to the method, apparatus, device, and storage medium, real-time user consent can be obtained.
PCT/CN2022/079889 2022-03-09 2022-03-09 Method and apparatus for obtaining user consent, device, and storage medium WO2023168620A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/079889 WO2023168620A1 (fr) 2022-03-09 2022-03-09 Method and apparatus for obtaining user consent, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/079889 WO2023168620A1 (fr) 2022-03-09 2022-03-09 Method and apparatus for obtaining user consent, device, and storage medium

Publications (1)

Publication Number Publication Date
WO2023168620A1 true WO2023168620A1 (fr) 2023-09-14

Family

ID=87936986

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/079889 WO2023168620A1 (fr) 2022-03-09 2022-03-09 Method and apparatus for obtaining user consent, device, and storage medium

Country Status (1)

Country Link
WO (1) WO2023168620A1 (fr)



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22930265

Country of ref document: EP

Kind code of ref document: A1