PMD

Pseudonym Mediation Device functionality

Introduced in R99

PMD is a network-based privacy functionality that translates temporary radio interface pseudonyms into permanent subscriber identifiers within the core network to protect user identity from eavesdroppers.

Category: Security
Introduced: R99
Where: Services › IMS
Specifications: 8 specs

Description

The Pseudonym Mediation Device (PMD) functionality is a security and privacy mechanism specified within 3GPP standards, particularly in TS 23.271 (Location Services) and TS 33.117 (Lawful Interception architecture). It is not necessarily a standalone physical node but a logical function that can be integrated within core network elements like the Home Location Register (HLR), Home Subscriber Server (HSS), or a dedicated node. Its primary role is to maintain the separation between a user's permanent long-term identity and the temporary, frequently changing identities used over the air interface to prevent tracking.

In operation, when a subscriber attaches to the network, the core network assigns a temporary identifier, such as a Temporary Mobile Subscriber Identity (TMSI) in GSM/UMTS or a Globally Unique Temporary Identity (GUTI) in LTE/5G. This pseudonym is used in most signaling messages over the radio access network to avoid transmitting the permanent International Mobile Subscriber Identity (IMSI). However, within the secure core network domain, various functions (e.g., charging, lawful interception, location services) require mapping back to the permanent subscriber identity.

The PMD functionality performs this mediation. It maintains the binding between the currently allocated pseudonym (TMSI/GUTI) and the corresponding IMSI. When a network function receives a request or a record containing only a pseudonym, it can query the PMD to resolve it to the IMSI. Crucially, this resolution happens only within the protected core network, ensuring the IMSI is never exposed on the radio link. The PMD must be a highly secure and trusted entity with strict access controls, as it holds the key mapping for user privacy.
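
The mediation described above can be modelled as a guarded lookup table. The following is an added illustration, not code from 3GPP or from this page; the class, the caller names and the sample IMSI/TMSI values are hypothetical and constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Hypothetical names throughout: this models the behaviour described above,
# not any 3GPP-defined interface or message.
AUTHORIZED_FUNCTIONS = {"charging", "lawful-interception", "location-services"}

class ResolutionDenied(Exception):
    """Raised when a caller outside the allow-list asks for an IMSI."""

@dataclass
class PseudonymMediator:
    _by_pseudonym: dict = field(default_factory=dict)  # pseudonym -> IMSI
    _by_imsi: dict = field(default_factory=dict)       # IMSI -> current pseudonym
    audit_log: list = field(default_factory=list)

    def bind(self, imsi, pseudonym):
        """Record a newly allocated pseudonym; the previous one stops resolving."""
        old = self._by_imsi.pop(imsi, None)
        if old is not None:
            self._by_pseudonym.pop(old, None)
        self._by_pseudonym[pseudonym] = imsi
        self._by_imsi[imsi] = pseudonym

    def resolve(self, caller, pseudonym):
        """Return the IMSI for an authorized core function; audit every attempt."""
        allowed = caller in AUTHORIZED_FUNCTIONS
        imsi = self._by_pseudonym.get(pseudonym) if allowed else None
        outcome = "denied" if not allowed else ("resolved" if imsi else "unknown")
        # The audit record holds the pseudonym only, so the log does not
        # become a second copy of the pseudonym-to-IMSI mapping.
        self.audit_log.append({"ts": time.time(), "caller": caller,
                               "pseudonym": pseudonym, "outcome": outcome})
        if not allowed:
            raise ResolutionDenied(caller)
        return imsi

def demo():
    pmd = PseudonymMediator()
    pmd.bind("001010123456789", "tmsi-0xA1B2C3D4")   # constructed test values
    pmd.bind("001010123456789", "tmsi-0x0F0E0D0C")   # pseudonym reallocated
    results = [pmd.resolve("charging", "tmsi-0x0F0E0D0C"),
               pmd.resolve("charging", "tmsi-0xA1B2C3D4")]  # stale pseudonym
    try:
        pmd.resolve("radio-access", "tmsi-0x0F0E0D0C")
    except ResolutionDenied:
        results.append("denied")
    return results, [e["outcome"] for e in pmd.audit_log]
```

Denied and unknown lookups are logged alongside successful ones, which is what makes the resolution point auditable rather than only access-controlled.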

Its architecture involves interfaces with other core network entities. For lawful interception, the PMD (or a Mediation Function that includes PMD capabilities) provides the identity mapping to the Lawful Interception system, allowing authorized agencies to correlate intercepted communications with a specific subscriber's permanent identity, as required by legal frameworks. In location services, it enables location requests based on a pseudonym to be correctly routed to the serving node holding that subscriber's context.

Purpose & Motivation

The PMD functionality was created to resolve a fundamental tension in cellular network design: the need for network operations and lawful interception to identify subscribers uniquely, versus the privacy requirement to protect subscribers from being tracked or identified by eavesdroppers on the radio interface. Without such a mechanism, the permanent IMSI would need to be transmitted frequently, making subscribers vulnerable to location tracking and identity theft via IMSI catchers.

The problem it addresses is maintaining subscriber identity confidentiality while preserving necessary network functionality. Early cellular systems had limited use of temporary identifiers, and the mapping was often handled in a distributed, non-standardized way. The standardization of the PMD functionality, particularly in the context of lawful interception (LI), provided a clear, secure, and standardized method for authorized entities to resolve pseudonyms. This was crucial for complying with legal requirements for LI across different countries and network architectures.

Historically, its development was driven by the evolution of privacy features (like TMSI) in 2G/3G and the subsequent need for a standardized mediation point for lawful interception mandates introduced in the late 1990s and early 2000s. It ensures that even as networks use stronger over-the-air privacy techniques, the ability for lawful, authorized identity resolution for legal, operational, and emergency service purposes remains intact and is performed in a controlled, auditable manner within the secure network core.

Classification

Related approaches: IMSI, TMSI, GUTI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (4 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-16 1 change

In Release 16, the update to the PMD (Pseudonym Mediation Device) functionality was specifically tied to enhancing the GMLC (Gateway Mobile Location Centre). This involved updating the GMLC's functionality to improve its role within the location services architecture, ensuring more effective mediation and handling of pseudonymized location-related data.

  • Update the functionality of GMLC (TS 23.273 CR0112)

Rel-17 1 change

In Release 17, the PMD (Pseudonym Mediation Device) functionality was enhanced to support satellite access for UEs. This involved updates to the AMF functionality to accommodate the specific requirements and network interactions for satellite-connected user equipment.

  • Update AMF functionality for satellite access UE (TS 23.273 CR0218)

Rel-18 2 changes

In Release 18, the PMD (Pseudonym Mediation Device) functionality was enhanced with updates to AMF and UDM functionality descriptions to support local LMF selection. Additionally, the release introduced updates to the GMLC for local coordinate functionality. These changes expanded the network's capability to manage location services and pseudonym mediation in more localized deployment scenarios.

  • Update AMF and UDM functionality description to support local LMF selection (TS 23.273 CR0313)
  • Update GMLC local coordinate functionality (TS 23.273 CR0511)

Defining Specifications

3GPP specifications that define or reference PMD, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19
TS 23.271 vj00 | LCS Stage 2 Specification | Rel-19
TS 23.273 vj50 | 5G Location Services Stage 2 Architecture | Rel-19
TS 25.411 vj00 | Iu Interface Layer 1 Specification | Rel-19
TS 29.173 vj00 | Diameter-based SLh Interface for LCS | Rel-19
TS 32.271 vj20 | 3GPP LCS Charging Management Spec | Rel-19
TS 32.272 vj00 | Charging for Push-to-Talk over Cellular (PoC) | Rel-19
TS 32.278 vj00 | Monitoring Events Offline Charging Specification | Rel-19