Add MonitoredPeriod into the API Response if a Telco cannot show the date / data for for Privacy Reasons

[QaunainM]

Problem / Context

• I noticed that when doing a SIM Swap API request against a number that had a SIM Swap event greater than the maxAge that the Telco wants to expose for privacy reasons, the response comes back blank but still logs as a 200 API successful event
• In this case, for end users it would be better for an error to be returned saying something like; Requests for data more than x days not allowed
• Not all telcos are using the same MaxAge time period at the moment, this will be due to privacy regulations that differ for each country

To Reproduce

• Perform SIM Swap /retrieve-date and /check operations on a German number with Telco (DT) that had the events done more than 30 days ago
• We get back blank data points and 200 API response

Expected behavior
As the restriction on the data being sent back is due to the Telcos privacy reasons, it seems it would be better for:

• An error API response to be returned, as a 451 (unavailable for legal reasons)
• An error message to be returned instead of a blank, i.e. Requests for data more than x days not allowed

[QaunainM]

As a lot of these Network APIs will have privacy concerns depending on the consent that has been captured or based on the historical duration of the event that the developer is trying to retrieve, I think CAMARA should add the 451 error code to its standard.

451 Unavailable For Legal Reasons (RFC 7725)
A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.

[bigludo7]

Hi @QaunainM
This is a fair point.
As of now I was expecting the API to send a 400 error for this case (there is discussion for this test case here #70 ).

Regarding use of 451, as it should be considered globally within all CAMARA API, and 451 is not defined in our design document may I ask you to trigger an issue in Commonalities?

[QaunainM]

@bigludo7, thanks I raised it in the Commonalities and made the description more holistic as it will cover all or most CAMARA APIs camaraproject/Commonalities#258

[jgarciahospital]

Hi both,

For this specific case, bear in mind that the decision of including a 200 ok with empty body was concluded because that scenario is indeed providing valuable information to the developer.

If the telco is saying that it cannot provide the exact date of the last Sim Swap because it occurred more than X months ago, the telco is saying exactly this, that the last Sim Swap occurred more than X months ago. No application would need to use the check endpoint with maxage=xMonths, and telcos will be providing useful, valuable (and private) information with an error response.

That is mainly why it was decided to maintain 200 ok with empty body, to avoid this strange situation.

[hdamker]

I don't think we should use the 451 here. It was introduced to make the blocking of content transparent (hence the number from "Fahrenheit 451") and was in addition used (according to the linked Wikipedia article) "because the user's country adds regulatory requirements that the publisher refuses to comply with [e.g. GDPR]". If we would use it now in cases where the resource provider complies with privacy regulations, it would be kind of ironic. In addition the API client couldn't do anything about it ... with 451 there is at least the option to work around with VPNs, TOR etc if the error was returned by an intermediate.

I see two cases concrete for SimSwap:

• the provider is not allowed to return any information about the date, independent if it is in a certain range or not.
  • Here a clear 501 with some "Not implemented due to privacy reasons" would make sense. Just delivering 0 with 200 ok is not a valuable response here.
  • NOTE: currently the endpoint /retrieveDate does not list 501 as a valid response, which means it is mandatory to implement the endpoint, if the API is offered at all. Which makes sense, as checkDate reveals a very similar information.
• the provider can't give the concrete date because it happened before a certain point in time.
  • In this case the "0" is a valuable response, as it means that the date is before a certain date
  • just that the API client might not know the length of the time window as it is dependent on local regulation.
  • What about an optional parameter in the response like maxTimeWindow in which the provider may (but not must) returning this cut-off time in days, e.g. 30 days?

Another reason not to return an error: for the majority of /retrieveDate requests the last sim swap date will be outside of the time window ... so the API would generate mainly error responses. Not a nice case for colleagues monitoring the operation ;-)

[bigludo7]

Thanks @jgarciahospital for the refresh ! I've forgot this one - sorry.
Indeed we have a discussion in the past and retrieved it: #16

I should confess that I liked a lot the proposal by @gregory1g to add a monitoredPeriod attribute but not sure why we did not select this solution. I saw that @hdamker proposed something similar.

[QaunainM]

Hi all, thanks for the context, I read through the comments on #16 , if we focus purely on /retrieve-date

Having something like this as suggested in the previous issue will give the application developers a way of knowing that the null was because there was a SIM swap but it can't be shown as the Telco only returns data for the monitoredPeriod of days, each Telco will have a different monitoredPeriod. Then it also makes it more understandable as to why they are being charged.

{ latestSimChange = null
monitoredPeriod = 90 # days }

[gregory1g]

@bigludo7 If I recall correctly the reason to skip monitoredPeriod was something like: during onboarding an ASP signs terms and conditions where this monitoredPeriod is mentioned.

However, it looks like the current solution is a source of confusions and possible misunderstandings - 200+null response really hard to understand without digging deep into SimSwap anti-fraud purpose and simswap attack techniques.

Moreover, here we discuss GDPR driven limitation, but someone can implement such a limitation purely based on technical reasons: there is no need to support 20 years of simswap history to support anti-simswap attach which has attack time window of few days at most.

Therefore, it could make sense to reconsider "monitoredPeriod" attribute in the response again. The impact on the API and the implementations should be very small.

[QaunainM]

Do we need to make a new issue in this Project or the Commonalities project regarding the monitoredPeriod idea?

[bigludo7]

Hello @QaunainM
We mentioned this topic during the OTP/SIM Swap/Number verification call yesterday.
The idea to rethink introduction of monitoredPeriod was welcomed from my understanding. Probably we could introduce it once the rush for the meta release will be over.

Perhaps we can just edit the title of this issue to a more generic form "What to do when the SIM Swap date is greater than the max historic days that the Telco allows"?

[AxelNennker]

I am not the biggest fan of "that the Telco allows", because I think we should avoid that one telco allows 90 days and another 30.

Is it possible to write:
"What to do when the SIM Swap date is greater than the max historic days that the Camara Terms and Conditions allows"?

[QaunainM]

Hi Axel, the issue I've seen is that each Telco has different max historic days they want to abide by, so its not a standardized number

[gregory1g]

for the "check" API we define maxAge upper limit to 2400 hours (aka 100 days) on the camara API level - so everyone is expected to support it independent on GDPR (at least I do not see any statement saying that local regulations can be applied on top of schema).

Why cannot we define the same "common" limit to retrieve-date API?
This will make it both APIs logically consistent.
Consistency is even more important considering the fact that APIs are rather interchangeable: one can use check API to detect rather exact swap date using binary search method. Therefore, if retrieve-date is limited to 30 days, one still can find out swap date back to 100 days using "check" API and binary search.

Or, if we expect that local regulation can reduce /check monitoring window to 60 or 30 days - it makes sense to describe this option explicitly and apply the same logic for both APIs