Next Article in Journal
EmoSDS: Unified Emotionally Adaptive Spoken Dialogue System Using Self-Supervised Speech Representations
Next Article in Special Issue
Energy-Efficient Secure Cell-Free Massive MIMO for Internet of Things: A Hybrid CNN–LSTM-Based Deep-Learning Approach
Previous Article in Journal
Enhancing IoT Scalability and Interoperability Through Ontology Alignment and FedProx
Previous Article in Special Issue
Optimizing Radio Access for Massive IoT in 6G Through Highly Dynamic Cooperative Software-Defined Sharing of Network Resources
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Future Internet
Volume 17
Issue 4
10.3390/fi17040142
futureinternet-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies

by
Paul Scalise
,
Michael Hempel
* and
Hamid Sharif
Department of Electrical and Computer Engineering, University of Nebraska-Lincoln, Lincoln, NE 68588, USA
*
Author to whom correspondence should be addressed.
Future Internet 2025, 17(4), 142; https://doi.org/10.3390/fi17040142
Submission received: 23 January 2025 / Revised: 20 March 2025 / Accepted: 21 March 2025 / Published: 25 March 2025
(This article belongs to the Special Issue Moving Towards 6G Wireless Technologies—2nd Edition)
Browse Figures
Versions Notes

Abstract

:
Fifth-Generation (5G) cellular networks extensively utilize subscriber identifiers throughout the protocol stack, thereby linking subscribers to their activities on the network. With the inherent use of linked identifiers comes the potential capability to track subscribers’ location and behavior, which poses critical challenges for user identity protections and privacy in sensitive applications like military or healthcare operating over public 5G infrastructure. The reliance on such personal identifiers threatens a user’s right to privacy and brings to light the importance of proper mechanisms to mitigate these risks for current and future cellular network technologies. In this paper, we explore the 5G specifications to understand the most important list of identifiers and their use across Virtual Network Functions (VNF), and points of exposure within the Core Network (CN). We also examine the existing literature regarding identity protections and efforts to mitigate privacy concerns targeted in the CN. Findings include the need for a trust relationship between users and their network providers to protect and safeguard their identity. While 5G technology has greater user identity protections compared to previous cellular generations, our analysis shows that several areas of concern remain, particularly in the exchange of subscriber metadata. This work also finds that new technologies adopted in 5G networks add further complexity to maintaining a strict posture for safeguarding user identity and privacy protections. This paper also reviews the scientific community’s proposed enhancements for future 6G networks’ user identity and privacy protections, with a focus on emerging Artificial Intelligence (AI) and Machine Learning (ML) applications. The ethical implications of private or anonymous communications are also carefully weighed and examined to understand the multifaceted nature of this topic. Our work is concluded by proposing important further research to reduce the prevalence and reliance on personal identifiers such as the SUPI (Subscription Permanent Identifier) within 5G Core operations to help better protect user identity. We also propose replacing the widespread use of the SUPI between VNFs with ephemeral identifiers, building upon efforts by 3GPP aiming for 5G to protect the SUPI from eavesdroppers.

1. Introduction

1.1. Technological Privacy in the Modern Day

Throughout everyday life, a person may expect a basic amount of privacy: locks on doors, shades on windows, fenced-in yards, lack of surveillance, etc. In our modern information society, however, there is also an increasing awareness that privacy expectations may be reduced in public environments and online activities. Categorizing these two philosophical systems could lead to an interpretation with two main privacy ‘spaces’: personal and public. The approach to one’s personal privacy space may be more commonly seen as influenced by current cultural norms along with individual preferences, thereby shaping expectations. The same applies to the public privacy space, where it has been agreed upon for societies to at least retain a basic amount of privacy per person. With the inclusion of technological devices, networks, and utilities in daily life, the problem of maintaining privacy and trust grows to large proportions.
In the context of 5G networks, users have a basic expectation that their communications are secured by the network of their choice. Network operators have an important role in safeguarding users’ data and privacy by properly deploying networks that strictly follow 3GPP standards while ensuring that all efforts are made to protect their end users. A user’s ‘data’ can have different definitions depending on the context. In one sense, ‘data’ means the packets that users send across the service, such as between websites, cloud services, or other users, as well as text messages and phone calls. In other definitions, ‘data’ may refer to metadata, which can include analytics around usage, conversations, location, personally identifiable data, connection and disconnections, IP addresses, hardware identifiers, etc. This paper focuses on how 5G networks handle users’ metadata, specifically their identity, and efforts underway aiming to achieve a more anonymous user experience for users connected to public or private 5G infrastructure. Anonymous connections in public infrastructure have many real-world applications in healthcare and secure military and government operations. However, they also give rise to potential abuse by malicious parties or for unlawful activities. As such, a balanced approach is needed that both protects regular users and helps to enforce applicable laws to prevent unlawful activity. As the standards for 5G networks are region agnostic, they require adherence to local laws and regulations, meaning user identity protections could vary around the world.
Basic concepts around secure and anonymous internet systems can be modeled after the Tor project [1]. Tor is a decentralized network of machines that route and encrypt user information while hiding the user’s true identity. Tor users who interact with internet systems while connected to the Tor network can maintain an anonymous profile through the many mechanisms implemented to protect user identity and ensure their privacy. While the usage of Tor brings multiple ethical and political implications, it has been proven over time to be an effective mechanism for maintaining anonymity while connecting to online services [2].

1.2. Focus of This Paper

Our study of the identifiers used in 5G networks and proposed methods for future 6G networks is focused on operations within the Core Network. Furthermore, our study looks at the specific implications of how these identifiers are used within the 5G standard to strengthen user identity protections while also raising discussions around vendor and network operator trust. Other works in the realm of 5G privacy and security give insight into the vast landscape of 5G technologies and may briefly touch on the topic of user identity protections [3,4,5,6,7,8,9,10]. These works give much needed background for many different avenues of current research on 5G networks and aspects of maintaining strict guidelines for user identity protections. We look to utilize the information in these surveys alongside more focused approaches around personal identifiers to strengthen the need for further protections as 6G networks anticipate massive heterogeneous connectivity of devices.
The remainder of our study will review user identity and privacy through the lens of 5G Standalone (SA) systems as 5G SA systems tend to resolve some concerns from previous generations [11], with a specific focus on the Core Network. We look into the identifiers used in 5G technology that could be traced back to users, followed by a review of the privacy impacts from new technologies adopted into 5G networks, a look at proposed schemes to heighten privacy, the impacts of lawful interception policies, and what these findings, challenges, and opportunities mean for future 6G networks. Our survey also presents our conclusions regarding the impact of 5G systems on user identity and privacy.

2. Concerns Related to User Identity and Privacy in 5G Core Networks

Fifth-Generation CNs are instrumental in creating a more extensible cellular communications system that provides its users with lower latency, higher performance, and more application use cases. Its modular software-driven architecture also allows vendor proliferation, where different vendors can be utilized together in a single 5G system to realize all the required functionalities within the 5G Core and other 5G aspects. Such diverse 5G CNs are the central points that manage all operations in a given 5G network, which is both beneficial to the operator and potentially problematic for ensuring user privacy. Specific mechanisms are put in place by the 3GPP to hinder the tracking of user devices in roaming situations on 5G networks, like the use of the 5G-GUTI (Globally Unique Temporary ID). However, 5G technology continues to embrace the central tenet inherited from prior cellular technology generations: the trustworthiness afforded to the Home Network (HN) to maintain a secure system and not violate the trust given to it by its own users. However, vendor proliferation brings with it a lack of oversight and the erosion of that trust premise. This was most recently seen in late 2024, where, even with extensive safeguards in place, multiple telecom systems in the US were breached, allowing threat actors to track high-ranking government officials’ phone activities and obtain information on where, when, and with whom communications took place [12]. In early 2024, there was a large breach of customer data within one of the largest US telecom companies, affecting over 50 million customers [13,14]. The cause of the breach was stated to be a mistake by a third-party cloud service provider. Similar occurrences were observed in late 2023 with another large US telecom company, where over 60,000 customers nationwide were impacted [15]. After an investigation, internal wrongdoing and inadvertent disclosure were deemed to be the cause for the extensive release of sensitive customer data, including Social Security Numbers (SSN).
The topic of trust is extensively explored by the authors of [16], and they also give an in-depth analysis of trust in cellular networks. They speak of how the concept of trust is complicated and used in various contexts, all of which also come with slightly different meanings. As a whole, the important point is ‘how much’ an entity ‘knows’ about another. They explain that trust models in cellular networks are often overlooked, while, at the same time, it is becoming ever more important for them to be well defined for the plethora of services in a 5G ecosystem. Figure 1 depicts a holistic view of the 5G system architecture, with an emphasis on the SBA and its large number of provided services and VNFs. Table 1 lists the abbreviations and full names for all of the VNFs shown in Figure 1.

2.1. Fifth-Generation Service-Based Architecture and Personally Identifiable Information

One of the major innovations in 5G CNs compared to previous generations is the inclusion of SBA and Virtual Network Functions (VNFs). VNFs are specialized software programs, also known as micro-services, utilized to perform a specific and limited set of tasks. In 5G technology, many different VNFs come together within the CN, working together through well-defined interfaces to facilitate 5G operations. For example, the AMF (Access and Mobility Function) plays the important role of granting a user access to the 5G network. The SBA is the mechanism that allows all VNFs to communicate with each other. Communications between VNFs are carried out by way of RESTful APIs (Representational State Transfer Application Programming Interfaces), similar to how normal day-to-day internet communications with web services are handled. 3GPP standardizes the request schema, parameters, responses, etc., such as in TS 29.500 and 29.501 [17,18]. Many of these requests, however, contain important data elements that can be linked back to a specific user, also known as Personally Identifiable Information (PII). The HN is responsible for maintaining user privacy during authentication or operations together with a roaming network. This is achieved by way of the 5G-GUTI, a temporary identifier used to obfuscate the identity of a user in the Radio Access Network (RAN), as specified in 3GPP TS 33.501. The AMF holds a mapping table of UE (User Equipment) 5G-GUTIs that ultimately trace back to the SUPI. The 5G-GUTI is primarily used in NAS (Non-Access Stratum) layer signaling procedures from the AMF to the UE, instead of leaking the device’s permanent identifier over the air [19]. Interactions between the RAN and UE utilize dynamic identifiers for radio scheduling and resource control. Notably, the Radio Network Temporary Identifier (RNTI) is vital for these RAN operations at the MAC (Medium Access Control) layer of the 5G protocol stack. RNTI usage is related to the 5G-GUTI at higher protocol layers but is not directly associated with or mapped within the CN.
To protect against eavesdropping or the capture of the SUPI when transmitting over the air, 5G technology implements an encrypted version of the SUPI called the SUCI (Subscription Concealed Identifier). The SUCI is mainly utilized in the initial connection of a UE to the network. The SUPI, however, is widely used within the CN to enable normal network operations for connected devices. Some of these operations include Authentication, Roaming Support, Billing, Subscriber Data Management, Quality of Service (QoS), and PDU (Protocol Data Unit) Session Management. Figure 2 represents the elements and VNFs that the SUCI and SUPI are associated with, according to our extensive analysis of the 3GPP Release 18 VNF API specifications. This analysis clearly shows that the SUPI is used extensively throughout many VNFs along the SBA, which causes concerns for user identity exposure through CN metadata tracking and analysis by Core Network elements.
In Table 2, we present an overview of the various identifiers used throughout 5G activities, along with the standards that define them and a description of how and where they are predominantly used. While a user is roaming, the 5G-GUTI makes it much more difficult for a threat actor to identify this user and track their movements through the RAN. The user must maintain trust with the HN, however, to safeguard its privacy, as the HN is responsible for maintaining the logical information required to trace a 5G-GUTI back to a SUPI for identification purposes. It is thus a potential weak point in identity protection within 5G networks. Figure 3 illustrates how the 5G-GUTI is used and mapped back to the SUPI in the CN.

2.2. Newly Adopted Technologies

The authors of [20] provide a breakdown of the identity and privacy risks in 5G networks introduced by newly adopted technologies. A unique perspective presented in this article focuses on the subscribers’ viewpoint, although this is subjective. They state that there is a gap in users’ attention to privacy implications, while there are tools and techniques to assist organizations in performing privacy impact assessments. The authors argue that, even though service providers perform these assessments to fulfill legal, regulatory, and policy requirements, the user may not be aware of the potential privacy risks that come along with using 5G systems. The privacy risks due to new technologies identified by the authors within 5G networks are listed in Table 3, with an emphasis on privacy issues within CNs.
Table 2. List of identifiers in 5G communications with a focus on the CN.
Table 2. List of identifiers in 5G communications with a focus on the CN.
Identifiers in 5G Communications
IdentifierApplicable StandardsDescription
Subscription Permanent Identifier (SUPI)TS 33.501 [21], TS 23.003 [22], TS 22.261 [23], TS 23.316 [24]A globally unique SUPI is allocated to each subscriber and provisioned in the UDM (Unified Data Management)/UDR (Unified Data Repository). The SUPI may contain an IMSI (International Mobile Subscriber Identity), a network-specific identifier, or other identifiers for specific use cases. It is concealed for privacy and supports roaming and interoperability with (Long-Term Evolution) networks.
Subscription Concealed Identifier (SUCI)TS 33.501, TS 23.316The SUCI is a privacy-preserving identifier containing the concealed SUPI. It is used for secure identification in the 5G system. The usage of SUCI for non-3GPP network access is also specified within TS 23.316.
Permanent Equipment Identifier (PEI)TS 23.003, TS 23.316The PEI identifies the UE in the 5G system. In 3GPP access modes, the PEI must be either the IMEI (International Mobile Equipment Identity) or IMEISV (International Mobile Equipment Identity Software Version). For non-3GPP access scenarios, the UE sends the IEEE Extended Unique Identifier EUI-64 [25].
5G-GUTITS 33.501, TS 23.003, TS 38.304 [26], TS 36.304 [27], TS 38.331 [28], TS 36.331 [29]The 5G-GUTI is a temporary identifier assigned by the AMF to the UE. It is structured as [<GUAMI> <5G-TMSI>] (Globally Unique AMF ID) and supports both 3GPP and non-3GPP access. The AMF ensures the uniqueness of the 5G-TMSI within the GUAMI.
AMF NameTS 23.003The AMF is identified by a globally unique Fully Qualified Domain Name (FQDN). Each AMF can be associated with one or more GUAMI(s).
Data Network Name (DNN)TS 23.003, TS 23.502 [30]The DNN is equivalent to an APN (Access Point Name) and is used to select SMF (Session Management Function), UPF (User Plane Function), and N6 (5G Internet Connectivity Interface) interfaces for a PDU Session.
Internal-Group IdentifierTS 23.502The Internal-Group Identifier associates a UE with groups in the subscription data. It is used for applying group-specific policies in the SMF and AMF.
Generic Public Subscription Identifier (GPSI)TS 23.003The GPSI is a public identifier (Phone Number or External Identifier) used to address a 3GPP subscription outside the 3GPP system. It is stored in the subscription data and associated with the SUPI.
AMF UE NGAP (Next-Generation Application Protocol) IDTS 38.413The AMF UE NGAP ID is used to identify the UE on the N2 reference point. It is unique per AMF set and may be updated without changing the AMF.
UE Radio Capability IDTS 23.003The UE Radio Capability ID uniquely identifies a set of UE radio capabilities. It can be assigned by the UE manufacturer or the serving PLMN. The PLMN-assigned ID includes a Version ID to ensure its validity.

2.3. Linkability

The use of data, in particular in connection with cloud services and internet activities, has grown dramatically in recent years. With this increase in data consumption and production comes an inherent increase in concerns regarding identity protections on the internet. The NIST (National Institute of Science and Technology) defines linkable data as “information about or related to an individual for which there is a possibility of logical association with other information about the individual” [33]. Such attacks, where data can be linked back to the person of origin if not handled properly, can be seen in healthcare scenarios [34]. Data linkability concerns cover many different domains and are also highly relevant in 5G networks. A survey conducted on 5G privacy scenarios underscores the importance of keeping the personal or hardware identifiers of a user within a 5G network private [35]. Constant connectivity to a 5G network can facilitate an environment for the unauthorized tracking of individuals using these identifiers. The authors state that it is important for 5G networks to adopt privacy-by-design principles to help mitigate user identity threats. The conclusions from this study state that a complete solution to achieve these privacy objectives goes beyond technology and ultimately also requires legal and regulatory actions. The work shown in [36] mentions that the large number of devices connected to a 5G network and the increasing number of IoT devices only further complicate the management of maintaining user privacy and ensuring non-linkability between device hardware identifiers and personal identity. The researchers in [11] mention the fact that, after a UE has been authenticated on the network, the CN is responsible for creating and periodically updating an associated new temporary identifier: the 5G-GUTI for Standalone networks or the 4G-GUTI for Non-Standalone (NSA) networks. The authors point out that there are no mechanisms put in place for the CN to avoid tracking its users, as all temporary identifiers are also linked back directly to the SUPI. This leaves a possible vulnerability for misuse by untrusted network operators, as end-to-end privacy and the anonymity of the user are not inherently built into the system and thus cannot be guaranteed. Takeaways from [37] cover implementations of the 5G CN stack in open-source repositories. The authors uncovered two novel attacks that potentially allow for attacks against UE privacy with vulnerabilities in the 5G-GUTI update mechanism.

3. Privacy Enhancement Proposals for 5G Core Networks

With the understanding that 5G technology comprises a powerful and complex system, and the goal of maintaining user identity and privacy protections within these systems is an increasingly important and complex issue, researchers have made strides in suggesting mechanisms to create a more private experience for users of 5G networks. For example, the study shown in [38] presents different proposed solutions to conceal the long-term identity of a user across network operations, especially communications between the UE Roaming Network and the HN. The work reviews the schemes using various technologies: pseudonyms [39,40,41,42], Certificate-Based Public-Key Cryptography, Root-Key-Based Encryption, and Identity-Based Encryption. Privacy Enhanced Fast Mutual Authentication (PEFMA) is introduced as a way to conceal the user’s identity over time in normal and roaming scenarios. This approach is similar to how the SUPI is encrypted over the air but differs in that it uses different cryptographic principles. However, both solutions still require trust in the HN. The authors in [43] present mechanisms to protect privacy in Vehicular Networks, giving users conditional anonymity. Traceability to identities is possible via threshold cryptography, requiring collaboration between authorities only for misbehavior or legal abuses. In this mechanism, the HN is considered to be the Trusted Authority, which is responsible for generating and managing the cryptographic secrets. In [44], a pseudonym approach is presented that enhances the 5G-AKA (Authentication and Key Agreement) protocol to never utilize the subscriber’s personal identifier, even during the first attachment. Research conducted in [45] breaks down the vulnerabilities to user privacy in the 5G-AKA protocol. This occurs when a UE has initial authentication communications with the CN. The authors state that the AKA protocol is vulnerable to ‘guess’ and ‘replay’ attacks. An attacker that successfully completes these attacks could generate SUCIs using the HN’s public key, testing these against the network’s response of success or failure, thus leading to the possibility of an attacker tracking a user. The authors of [45] propose three methods to strengthen the 5G-AKA protocol, with the recommended solution relying on the user’s secret key stored in the SIM card, along with using the UE’s ephemeral public key that is generated during the creation of the SUCI. In their approach, the SUPI guess attack is thwarted by including a hash of the user’s secret key into the HMAC (Hash-Based Message Authentication Code), which stops hackers from replicating the HMAC process for guessed SUPIs. The replay attack is patched by storing the user’s ephemeral public key in the CN’s database, allowing for replayed SUCIs to be rejected if their public key already exists. Research in [46,47] covers aspects of anonymous IoT data in a cloud network environment. The devices are associated into groups, and each group’s elected leader is responsible for aggregating the collected data and abstracting individual identities. However, all of the 5G-specific studies still rely on the existence of a trust relationship with the 5G Core Network. No research has yet addressed the scenarios arising when the trust between users and the 5G CN is eroded.

Lawful Interception

Lawful interception (LI) refers to the standardized approaches and technical mechanisms that allow law enforcement agencies to legally monitor a user’s voice, data, and metadata on public 5G infrastructures specified in 3GPP TS 33.106 [48]. These mechanisms are designed specifically and solely for these agencies to collect information on users for high-stakes scenarios: warrants, national security, public safety, etc. These standards, while useful for lawful surveillance, require strict policy enforcement to prevent misuse against innocent and law-abiding users. These policies could lead an individual to lose trust in 5G infrastructure as their implementations and usage are not always public knowledge. In a more technical sense, as these mechanisms are built into the system, they leave potential backdoor access for attackers who are looking to gather data on specific users. Having mechanisms in place to collect user data makes these attacks more realistic and attainable compared to in the scenarios where this type of technology access is not already implemented. Research carried out in [49] shows how 5G roaming security, built to prevent billing fraud, results in unprotected attack surfaces for state-sponsored attackers. The authors argue that there is no way for a user’s smartphone to verify roaming decisions around the underlying trust assumptions in specific CNs. They tested their theories on an open-source 5G repository, Open5GS [50], which could not prevent these attacks.

4. A Look Toward Privacy in 6G Core Networks

The next generation of 6G cellular networks will inherit technologies from 5G technology, as well as multiple new additions to create even more services for users, including ultra-low-latency communications and extreme throughput in mobile applications. Advances across the protocol stack, and through further proliferation and integration with cloud infrastructure for 6G operations, will yet again revolutionize the experience for consumers and will allow for more widespread coverage and connection. A comprehensive survey covering expected 6G technologies is shown in [51]. The authors of this research condense their findings and juxtapose current 5G technologies with emerging 6G advancements. An illustration of the authors’ proposed application sectors from their findings in 6G research is presented beside the three current 5G application sectors, URLLC (Ultra-Reliable Low-Latency Communications), eMBB (Enhanced Mobile Broadband), and mMTC (Massive Machine Type Communications), in Figure 4. Further comprehensive studies of the proposed Key Performance Indicators (KPI), such as the massive increase in connected devices with network heterogeneity, and open research questions for 6G technology are outlined in [52,53]. Furthermore, notable open research areas in terms of identity protection and privacy are listed below:
  • Network Anomaly Detection: With the anticipated massive number of connected devices in 6G networks, there will a significant rise in the need for sophisticated network monitoring. A big contender for addressing this challenge is the use of FL for real-time, automated anomaly detection. However, evaluating and ensuring the accuracy, precision, and recall of these automated threat detection systems are important research questions.
  • Regulatory Compliance: Sixth-Generation networks will be connected across geographical borders. This brings with it the need to address differing approaches, laws, and viewpoints regarding privacy and data handling between different countries.
  • Security and Privacy in Edge Computing: With the diversity of 6G technology’s targeted use cases, there will be an inherent risk from edge computing to privacy and security. Since edge nodes may serve numerous devices at once, using shared resources, isolation of tasks will be vital for user privacy.
  • Risk Assessment Frameworks for 6G Technology: A formal risk assessment framework must be created for 6G technology, as previous models may not fully capture the expansiveness and novel network capabilities of 6G technology. This model must also serve to explain privacy threats and their impact, as well as potential mitigation strategies.
  • Privacy Concerns in Smart City and Health Services: Sixth-Generation networks will be handling a variety of potentially sensitive data, across domains such as healthcare, public services, self-driving cars, distributed energy resources, etc. Thus, in order to maintain privacy, there is a critical need for standards on data de-identification.
  • Secure IoT Protocols and Energy Efficiency: Sixth-Generation technology aims to become even more efficient in terms of energy use compared to 5G technology and also improve cryptographic security. IoT devices are considered to be resource constrained, however, which means these devices need the ability to be energy efficient without jeopardizing their security by using less secure cryptographic schemes to save power.
Regarding data collection and analytics, a comprehensive survey on utilizing the data analytics functionality within 5G technology, and expanding on this service with ML in 6G technology, is discussed in [54]. In their study, the authors reveal some open research questions around privacy and how this specific core service gathers user data. One concern raised is that O-RAN (Open-RAN) specifications currently do not outline privacy-by-design architectures, which can cause significant issues regarding untrusted cloud operators. Such considerations are seemingly left up to system designers, which is a cause for concern. This mirrors our concerns about the assumptive trustworthiness of activities within the 5G core environment with regard to user privacy protections and data handling.
The authors in [51] bring to light three new sectors that could be introduced in 6G technology that are the intersections of the current 5G applications: mULC (Massive Ultra-Reliable Low-Latency Communication), ULBC (Ultra-Reliable Low-Latency Broadband Communication), and uMBB (Ubiquitous Mobile Broadband). One of the driving factors in the innovations sought by 6G technology is the amalgamation of intelligent systems in cellular networks.

4.1. Sixth-Generation Identity Protections

Sixth-Generation technology will incorporate many new technologies into the cellular ecosystem, all while inheriting methods from the 5G. User identity protections must be a major focus in shaping 6G protocols and architectures. Ref. [55] covers comprehensive topics regarding expected technologies within 6G technology, such as visible light communications, physical layer security, healthcare AI, homomorphic encryption, etc. Specific to identity protections, it states that improvements to AKA are imperative, along with improved management of subscriber identities. End-to-end encryption in 6G networks, on the user and control plane, is needed to resist eavesdropping and tracing attacks. While adding these technologies is vital, the authors do mention the technical issues and limitations that could arise due to heightened latencies, which goes against the goal of ultra-low-latency 6G networks. Various 6G use cases are also outlined in [56,57] which show the necessity for there to be a clear definition of de-identified datasets. The lack of a standard for the architecture of these user datasets may cause privacy leaks, jeopardizing user identity protections. Federated blockchain usage is proposed in [58] as a way to manage the identities of the expected billions of connected devices. The authors present a lightweight Hardware Security Module (HSM) to store cryptographic secrets, instilling trust in devices at a fraction of the cost of traditional HSMs and enhancing security, scalability, and privacy. The presented HSMs allow for end-to-end encryption on the 6G network, and fortified security in the instance of a threat actor inside the serving network, as the HSMs exclusively control the creation and storage of the private keys. This decentralized approach to key storage elevates user identity protections and aims to ensure tamper-proof operations.

4.2. Implications of AI for Identity Protections in 6G Technology

Artificial Intelligence (AI) and Machine Learning (ML) are tools that will be integrated ubiquitously into 6G networks and operations. As these tools require large numbers of data to be trained and will operate in monitoring and system management, there are concerns about how this could affect user identity privacy protections. The researchers who conducted a large study on the effects of ML on privacy in 6G technology present multiple points on how AI and ML could be used by an adversary to erode privacy protections within 6G networks, most notably through Inference of Private Information, Large-Scale Data Collection, and Stenographic Data Generation [59]. The authors mention a core aspect of AI and ML: that it can be a double-edged sword. Takeaways from this observation are that the inclusion of these systems will require the correct people along with strict guidelines in order to protect user privacy. On the other hand, work carried out in [60] brings a positive outlook to privacy protections in 6G networks, revealing how AI systems can be used to help conceal and anonymize user data. A major concern with AI in 6G networks is its possible ability to categorize users by gathering personal and non-personal information. Researchers in [61] bring together their findings in a study on the applicability of privacy solutions discovered against the found issues. Table 4 illustrates their discoveries and conclusions, which bring to light the most important privacy concerns in 6G networks. Table 4 shows the two major issues, similar to those discussed above for 5G technology, with understanding what a private system truly means: it is difficult to resolve defining levels and indicators for privacy and to determine the border between personal and non-personal data. Table 5 provides a select compilation of recent research publications related to 6G AI applications, with descriptions of each paper and their respective privacy focus areas.
  • P1—Privacy attacks on AI models and private data
  • P2—IoT (Internet of Things) edge network and edge AI privacy attacks
  • P3—Privacy limitations in cloud computing and storage environments
  • P4—Cost of privacy enhancements
  • P5—Privacy differences based on location
  • P6—Difficulty in defining levels and indicators for privacy
  • N1—Difficulty determining the border between personal and non-personal data
  • N2—Mixing personal data with non-personal data
  • N3—Utility vs. privacy of anonymized data
  • N4—Privacy attacks on anonymized and synthetic data
  • N5—Data Localization Laws vs. free flow of data.

4.3. Trustworthiness in 6G Networks

As discussed previously, trust in the serving cellular network is a major factor that must be considered by consumers and operators alike. Trustworthiness in 6G technology ranges across many different topics regarding AI, along with user privacy and identity ramifications. The work carried out in [70] shares how trustworthiness is a multidisciplinary topic covering technology, regulation, techno-economics, politics, and ethics. Pertaining to privacy, the authors state that blockchain technologies can aid in 6G technologies while offering immutability, transparency, verifiability, anonymity, and pseudonyms in data sharing mechanisms, authentication, and network access control. FL is also noted as a privacy-focused method for training larger 6G ML models. Ethical aspects are also presented as a vital focus for a user’s trust in the network as 6G technology plans to bring more cyber–physical systems into the cellular ecosystem [71]. The ethics of data privacy is noted as an ever more important topic around the world, as standards creators and vendors must consider how data are processed and protected to uphold the rights of users. The authors raise open questions regarding automated or AI systems and where liability will be placed during malfunctions that could directly affect customers. Figure 5 outlines the core aspects of network trustworthiness in 6G technology, and the need for further privacy and identity protections.
Other aspects of 6G communications that add to the trustworthiness and performance of the network are discussed in [72]. The main topic included in this work is trustworthy Task-Oriented Semantic Communication (ToSC), which advocates for only sending pertinent information within the network. This technique potentially increases user identity protection and privacy and also increases the efficiency of the network if less information is being processed. In mMTC, this strategy could be incorporated to relieve stress on the interfaces between devices, freeing up resources while still maintaining privacy. Deep learning (DL) is discussed as the foundation of their approach to ToSC, extracting only the pertinent information in a query, and the inclusion of differential privacy to the communication contents. It is also mentioned that a balance between utility, efficiency, and privacy is important in 6G networks to maintain extremely high bandwidth and ultra-low latency. Sensors are another area where 6G network interfaces will be impacted by new types of data and strict performance requirements, especially within the context of self-driving vehicles, autonomous robotics, etc. The authors in [73] address how sensor data integration into 6G technology causes many more attack vectors, along with furthering privacy concerns. They bring forward the idea of adding a Sensing Policy, Consent, and Transparency Management (SPCTM) function. The SPCTM function would manage privacy policies, user consent, and transparency, ensuring compliance and awareness. An approach that adds a network function is usually an accepted method for additional functionality and extensibility, but it can also act as a double-edged sword by increasing the size of the attack surface. A survey on trust anchor technologies [74] addresses the importance of the terms and visions of trust as a resource in 6G systems alongside the usage of AI technologies and cooperation with third-party vendors. The concept of “trust anchors” as a foundational service in 6G networks has the following functional and architectural requirements, such as are brought forward to ensure a trustworthy network ecosystem:
  • Non-Repudiation;
  • Immutability;
  • Transparency;
  • Programmability;
  • Modularity;
  • Integration.
In the example of Core-to-Core communications in 6G networks, where multiple independent network providers require the establishment of a trusted platform, a third party needs to provide a trust anchor to all parties. In similar approaches where a network provider utilizes a third party for enhancements in a specific VNF, the network itself provides the trust foundation to all application providers and consumers. This creates a two-way agreement for unified trust management in 6G interfaces. The authors believe their work can be a starting point for creating Trusted Infrastructure architectures for trust anchors in 6G communications.

5. Conclusions

Fifth-Generation technology has enabled numerous new applications and advanced end user experiences. It also advanced use cases for consumers due to its new approaches in connectivity, scalability, and operability. Finally, 5G technology also provides the foundation upon which future generations of cellular networks will be built. With new opportunities, however, come new risks. User identity privacy in 5G and future 6G networks must be a core consideration for the operators of networks, standards organizations, and the research community. We have reviewed the most important aspects of user identity within 5G CNs, ranging from anonymous network technology, SBA, PII in 5G technology, and the impacts of newly adopted technology to privacy enhancement proposals and lawful interception, concluding in a roadmap for privacy in 6G networks. It was found that user identity and privacy are complex topics within 5G systems due to the newly adopted software-defined solutions that this technology deploys.
Privacy is also a topic that is not always well defined, which creates difficulties in creating models that can be standardized in complex systems. Furthermore, with its political implications and the wide variety of privacy laws around the world, it makes it more difficult for standards to be created that ensure that a user’s connections are private.
Trust in the system is inherently the most important factor for a user to consider while connecting to any 5G network, as the HN ultimately controls all of the encryption processes and thus the ability to gather data on users if protections are not in place. Truly anonymous communications within 5G applications could have real-world benefits for areas such as the healthcare sector, along with government and military operations.
Our final insights and key takeaways for further research in this realm are listed below:
  • There exists a strong need to reduce the prevalence and reliance on personal identifiers such as the SUPI (Subscription Permanent Identifier) within 5G/6G Core operations to help better protect user identity. This has the potential to be achieved by replacing the widespread usage of the SUPI between VNFs with decentralized ephemeral identifiers, thereby maintaining 3GPP standard operations, billing and fraud prevention capabilities, and customer service expectations. This would add a layer of identity abstraction for the user on the network to better protect the SUPI and other identifiers from eavesdroppers and unauthorized behavioral tracking and metadata collection.
  • Systems can also be designed to leverage the powerful nature of AI to bring enhanced services, experiences, and threat deterrence for users. User datasets must be de-identified to prevent privacy leaks. Continual training methods such as FL preserve user identity protections, as PII is not transmitted to central servers. Concerns may arise from metadata exposure, which may facilitate linkage attacks.
  • The creation of a standardized trust architecture between users, providers, and third-party vendors would provide visibility and transparency to 5G/6G operations with regard to the data shared or collected by different network elements. Furthermore, adherence to a strict privacy-by-design rationale for newly developed specifications would help to alleviate issues resulting from untrusted third-party vendors or cloud providers.
  • The incorporation of HSMs into 5G/6G infrastructure to enhance the physical-layer security of cryptographic secrets and to enable end-to-end encryption is a further recommendation for enhancing the privacy and data protection capabilities of these systems.
As efforts in 6G conceptualization and technology development continue, it is vital that user identity protections, such as limiting PII metadata within CNs, and privacy considerations are prioritized throughout these efforts in designing future mobile cellular protocols and architectures.

Author Contributions

Investigation, P.S., M.H., and H.S.; writing—original draft preparation, P.S. and M.H.; writing—review and editing, P.S., M.H., and H.S.; supervision, H.S. and M.H.; project administration, H.S. and M.H.; funding acquisition, H.S. and M.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially funded by the University of Nebraska–Lincoln’s Nebraska Center for Energy Sciences Research (NCESR) under Cycle 16 Grant# 20-706. It was also partially funded by the Advanced Telecommunications Engineering Lab (TEL) at the University of Nebraska–Lincoln under TEL’s 5G Student Innovation Grant program.

Data Availability Statement

This study did not report any data.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations

The following abbreviations are used in this manuscript:
5GFifth Generation
VNFVirtual Network Function
SBAService-Based Architecture
CNCore Network
NFNetwork Function
SAStandalone
SSNSocial Security Number
5G-GUTIGlobally Unique Temporary ID
NASNon-Access Stratum
RNTIRadio Network Temporary Identifier
MACMedium Access Control
HNHome Network
AKMAAuthentication and Key Management
TSNTime-Sensitive Network
AMFAccess and Mobility Function
RESTfulRepresentational State Transfer Application Programming Interfaces
PIIPersonally Identifiable Information
UEUser Equipment
SUPISubscription Permanent Identifier
QoSQuality of Service
PDUProtocol Data Unit
UDMUnified Data Management
UDRUnified Data Repository
IMSIInternational Mobile Subscriber Identity
LTELong-Term Evolution
SUCISubscriber Concealed Identity
PEIPersonal Equipment Identifier
IMEIInternational Mobile Equipment Identity
IMEISVInternational Mobile Equipment Identity Software Version
5G-GUAMIGlobally Unique AMF ID
FQDNFully Qualified Domain Name
DNNData Network Name
APNAccess Point Name
SMFSession Management Function
UPFUser Plane Function
GPSIGeneric Public Subscription Identifier
NGAPNext-Generation Application Protocol
RANRadio Access Network
SDNSoftware-Defined Networking
NISTNational Institute of Science and Technology
NSANon-Standalone
PEFMAPrivacy Enhanced Fast Mutual Authentication
5G-AKAAuthentication and Key Agreement
HMACHash-Based Message Authentication Code
LILawful Interception
URLLCUltra-Reliable Low-Latency Communications
eMBBEnhanced Mobile Broadband
mMTCMassive Machine Type Communications
mULCMassive Ultra-Reliable Low-Latency Communication
ULBCUltra-Reliable Low-Latency Broadband Communication
uMBBUbiquitous Mobile Broadband
KPIKey Performance Indicators
HSMHardware Security Module
FLFederated Learning
ZTAZero-Trust Architectures
AIArtificial Intelligence
MLMachine Learning
IoTInternet of Things
LLMLarge Language Model
XAIExplainable AI
ToSCTask-Oriented Semantic Communication
DLDeep Learning
SPCTMSensing Policy, Consent, and Transparency Management

References

  1. The Tor Project. The Tor Project | Privacy & Freedom Online—torproject.org. Available online: https://www.torproject.org (accessed on 21 January 2025).
  2. Jardine, E. Tor, what is it good for? Political repression and the use of online anonymity-granting technologies. New Media Soc. 2018, 20, 435–452. [Google Scholar]
  3. Cao, J.; Ma, M.; Li, H.; Ma, R.; Sun, Y.; Yu, P.; Xiong, L. A survey on security aspects for 3GPP 5G networks. IEEE Commun. Surv. Tutor. 2019, 22, 170–195. [Google Scholar] [CrossRef]
  4. Zhang, S.; Wang, Y.; Zhou, W. Towards secure 5G networks: A Survey. Comput. Netw. 2019, 162, 106871. [Google Scholar] [CrossRef]
  5. Park, J.H.; Rathore, S.; Singh, S.K.; Salim, M.M.; Azzaoui, A.; Kim, T.W.; Pan, Y.; Park, J.H. A comprehensive survey on core technologies and services for 5G security: Taxonomies, issues, and solutions. Hum.-Centric Comput. Inf. Sci. 2021, 11, 1–22. [Google Scholar] [CrossRef]
  6. Ziani, A.; Medouri, A. A survey of security and privacy for 5G networks. In Emerging Trends in ICT for Sustainable Development: The Proceedings of NICE2020 International Conference; Springer: New York, NY, USA, 2021; pp. 201–208. [Google Scholar] [CrossRef]
  7. Madi, T.; Alameddine, H.A.; Pourzandi, M.; Boukhtouta, A. NFV security survey in 5G networks: A three-dimensional threat taxonomy. Comput. Netw. 2021, 197, 108288. [Google Scholar] [CrossRef]
  8. Tang, Q.; Ermis, O.; Nguyen, C.D.; De Oliveira, A.; Hirtzig, A. A systematic analysis of 5g networks with a focus on 5g core security. IEEE Access 2022, 10, 18298–18319. [Google Scholar] [CrossRef]
  9. Yue, K.; Zhang, Y.; Chen, Y.; Li, Y.; Zhao, L.; Rong, C.; Chen, L. A survey of decentralizing applications via blockchain: The 5G and beyond perspective. IEEE Commun. Surv. Tutor. 2021, 23, 2191–2217. [Google Scholar] [CrossRef]
  10. Scalise, P.; Boeding, M.; Hempel, M.; Sharif, H.; Delloiacovo, J.; Reed, J. A systematic survey on 5G and 6G security considerations, challenges, trends, and research areas. Future Internet 2024, 16, 67. [Google Scholar] [CrossRef]
  11. Mjolsnes, S.F.; Olimid, R.F. Private Identification of Subscribers in Mobile Networks: Status and Challenges. IEEE Commun. Mag. 2019, 57, 138–144. [Google Scholar] [CrossRef]
  12. US Cybersecurity and Infrastructure Security Agency. Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications. 2024. Available online: https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-prc-activity-targeting-telecommunications (accessed on 27 February 2025).
  13. US Cybersecurity and Infrastructure Security Agency. AT&T Discloses Breach of Customer Data. 2024. Available online: https://www.cisa.gov/news-events/alerts/2024/07/12/att-discloses-breach-customer-data (accessed on 27 February 2025).
  14. Office of the Maine Attorney General. Data Breach Notifications. 2024. Available online: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/3778e1fc-2ed5-461d-9cc5-df15c07f687c.shtml (accessed on 27 February 2025).
  15. Office of the Maine Attorney General. Data Breach Notifications. 2024. Available online: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/65b9290a-b22e-4ae7-93e7-5acb84357297.shtml (accessed on 27 February 2025).
  16. Sicari, S.; Rizzardi, A.; Coen-Porisini, A. 5G In the internet of things era: An overview on security and privacy challenges. Comput. Netw. 2020, 179, 107345. [Google Scholar] [CrossRef]
  17. 3GPP. 5G System; Technical Realization of Service Based Architecture; Stage 3. Technical Specification (TS) 29.500, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3338 (accessed on 21 January 2025).
  18. 3GPP. 5G System; Principles and Guidelines for Services Definition; Stage 3. Technical Specification (TS) 29.501, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3341 (accessed on 21 January 2025).
  19. Bartock, M.; Cichonski, J.; Souppaya, M.; Scarfone, K.; Grayeli, P.; Sharma, S. Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities (Draft); Technical Report; US Department of Commerce: Washington, DC, USA, 2024. [CrossRef]
  20. Gorrepati, U.; Zavarsky, P.; Ruhl, R. Privacy Protection in LTE and 5G Networks. In Proceedings of the 2021 2nd International Conference on Secure Cyber Computing and Communications (ICSCCC), Jalandhar, India, 21–23 May 2021; pp. 382–387. [Google Scholar] [CrossRef]
  21. 3GPP. Security Architecture and Procedures for 5G System. Technical Specification (TS) 33.501, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3169 (accessed on 21 January 2025).
  22. 3GPP. Numbering, Addressing and Identification. Technical Specification (TS) 23.003, 3rd Generation Partnership Project (3GPP). 2019. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729 (accessed on 22 January 2025).
  23. 3GPP. Service Requirements for the 5G System. Technical Specification (TS) 22.261, 3rd Generation Partnership Project (3GPP). 2017. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3107 (accessed on 22 January 2025).
  24. 3GPP. Wireless and Wireline Convergence Access Support for the 5G System (5GS). Technical Specification (TS) 23.316, 3rd Generation Partnership Project (3GPP). 2019. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3576 (accessed on 22 January 2025).
  25. Institute of Electrical and Electronics Engineers. Guidelines for Use of Extended Unique Identifier (EUI), Organizationally Unique Identifier (OUI), and Company ID (CID)—standards-support.ieee.org. 2023. Available online: https://standards-support.ieee.org/hc/en-us/articles/4888705676564-Guidelines-for-Use-of-Extended-Unique-Identifier-EUI-Organizationally-Unique-Identifier-OUI-and-Company-ID-CID (accessed on 27 February 2025).
  26. 3GPP. NR; User Equipment (UE) Procedures in Idle Mode and in RRC Inactive State. Technical Specification (TS) 38.304, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3192 (accessed on 22 January 2025).
  27. 3GPP. Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) Procedures in Idle Mode. Technical Specification (TS) 36.304, 3rd Generation Partnership Project (3GPP). 2016. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2432 (accessed on 22 January 2025).
  28. 3GPP. NR; Radio Resource Control (RRC); Protocol Specification. Technical Specification (TS) 38.331, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3197 (accessed on 22 January 2025).
  29. 3GPP. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol Specification. Technical Specification (TS) 36.331, 3rd Generation Partnership Project (3GPP). 2017. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2440 (accessed on 22 January 2025).
  30. 3GPP. Procedures for the 5G System (5GS). Technical Specification (TS) 23.502, 3rd Generation Partnership Project (3GPP). 2017. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3145 (accessed on 22 January 2025).
  31. Yao, J.; Han, Z.; Sohail, M.; Wang, L. A Robust Security Architecture for SDN-Based 5G Networks. Future Internet 2019, 11, 85. [Google Scholar] [CrossRef]
  32. Humayun, M.; Hamid, B.; Jhanjhi, N.; Suseendran, G.; Talib, M. 5G network security issues, challenges, opportunities and future directions: A survey. J. Phys. Conf. Ser. 2021, 1979, 012037. [Google Scholar] [CrossRef]
  33. National Institute of Standards and Technology. Linkable Information. Available online: https://csrc.nist.gov/glossary/term/linkable_information (accessed on 22 January 2025).
  34. Guo, L.; Zhang, C.; Sun, J.; Fang, Y. A Privacy-Preserving Attribute-Based Authentication System for Mobile Health Networks. IEEE Trans. Mob. Comput. 2013, 13, 1927–1941. [Google Scholar] [CrossRef]
  35. Liyanage, M.; Salo, J.; Braeken, A.; Kumar, T.; Seneviratne, S.; Ylianttila, M. 5G Privacy: Scenarios and Solutions. In Proceedings of the 2018 IEEE 5G World Forum (5GWF), Santa Clara, CA, USA, 9–11 July 2018; pp. 197–203. [Google Scholar] [CrossRef]
  36. Liyanage, M.; Ahmad, I.; Abro, A.B.; Gurtov, A.; Ylianttila, M. User Privacy, Identity and Trust in 5G. In A Comprehensive Guide to 5G Security; Wiley: New York, NY, USA, 2017; pp. 267–279. [Google Scholar] [CrossRef]
  37. Eleftherakis, S.; Otim, T.; Santaromita, G.; Zayas, A.D.; Giustiniano, D.; Kourtellis, N. Demystifying Privacy in 5G Stand Alone Networks. In Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, ACM MobiCom ’24, Washington, DC, USA, 18–22 November 2024; pp. 1330–1345. [Google Scholar] [CrossRef]
  38. Khan, M.; Niemi, V. Privacy Enhanced Fast Mutual Authentication in 5G Network Using Identity Based Encryption. J. ICT Stand. 2017, 5, 69–90. [Google Scholar] [CrossRef]
  39. Ginzboorg, P.; Niemi, V. Privacy of the long-term identities in cellular networks. In Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, Xi’an, China, 18–19 June 2016; pp. 167–175. [Google Scholar] [CrossRef]
  40. Khan, M.S.A.; Mitchell, C.J. Improving Air Interface User Privacy in Mobile Telephony. In Security Standardisation Research: Proceedings of the Security Standardisation Research: Second International Conference, SSR 2015, Tokyo, Japan, 15–16 December 2015; Proceedings 2; Springer: New York, NY, USA, 2015; pp. 165–184. [Google Scholar] [CrossRef]
  41. Norrman, K.; Näslund, M.; Dubrova, E. Protecting IMSI and User Privacy in 5G Network. In Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia ’16, Xi’an, China, 18–19 June 2016; pp. 159–166. [Google Scholar]
  42. Van Den Broek, F.; Verdult, R.; De Ruiter, J. Defeating IMSI Catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 340–351. [Google Scholar] [CrossRef]
  43. Eiza, M.H.; Ni, Q.; Shi, Q. Secure and Privacy-Aware Cloud-Assisted Video Reporting Service in 5G-Enabled Vehicular Networks. IEEE Trans. Veh. Technol. 2016, 65, 7868–7881. [Google Scholar] [CrossRef]
  44. Saeed, M.M.; Kamrul Hasan, M.; Hassan, R.; Mokhtar, R.; Saeed, R.A.; Saeid, E.; Gupta, M. Preserving Privacy of User Identity Based on Pseudonym Variable in 5G. Comput. Mater. Contin. 2022, 70, 5551–5568. [Google Scholar] [CrossRef]
  45. Liu, F.; Su, L.; Yang, B.; Du, H.; Qi, M.; He, S. Security Enhancements to Subscriber Privacy Protection Scheme in 5G Systems. In Proceedings of the 2021 International Wireless Communications and Mobile Computing (IWCMC), Harbin, China, 28 June–2 July 2021; pp. 451–456. [Google Scholar] [CrossRef]
  46. Saeed, M.M.; Hasan, M.K.; Obaid, A.J.; Saeed, R.A.; Mokhtar, R.A.; Ali, E.S.; Akhtaruzzaman, M.; Amanlou, S.; Hossain, A.Z. A comprehensive review on the users’ identity privacy for 5G networks. IET Commun. 2022, 16, 384–399. [Google Scholar] [CrossRef]
  47. Zhou, J.; Cao, Z.; Dong, X.; Vasilakos, A.V. Security and Privacy for Cloud-Based IoT: Challenges. IEEE Commun. Mag. 2017, 55, 26–33. [Google Scholar] [CrossRef]
  48. 3GPP. 3G Security; Lawful Interception Requirements. Technical Specification (TS) 33.106, 3rd Generation Partnership Project (3GPP). 2018. Available online: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2265 (accessed on 20 January 2025).
  49. Lange, S.; Gringoli, F.; Hollick, M.; Classen, J. Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. In Proceedings of the European Symposium on Research in Computer Security, Bydgoszcz, Poland, 16–20 September 2024; pp. 208–228. [Google Scholar] [CrossRef]
  50. open5gs.org. 2025. Available online: https://open5gs.org (accessed on 21 January 2025).
  51. Jiang, W.; Han, B.; Habibi, M.A.; Schotten, H.D. The Road Towards 6G: A Comprehensive Survey. IEEE Open J. Commun. Soc. 2021, 2, 334–366. [Google Scholar] [CrossRef]
  52. Shahraki, A.; Abbasi, M.; Piran, M.J.; Taherkordi, A. A Comprehensive Survey on 6G Networks:Applications, Core Services, Enabling Technologies, and Future Challenges. arXiv 2021, arXiv:2101.12475. [Google Scholar] [CrossRef]
  53. Yang, M.; Qu, Y.; Ranbaduge, T.; Thapa, C.; Sultan, N.; Ding, M.; Suzuki, H.; Ni, W.; Abuadbba, S.; Smith, D.; et al. From 5G to 6G: A Survey on Security, Privacy, and Standardization Pathways. arXiv 2024, arXiv:2410.21986. [Google Scholar] [CrossRef]
  54. Gkonis, P.K.; Nomikos, N.; Trakadas, P.; Sarakis, L.; Xylouris, G.; Masip-Bruin, X.; Martrat, J. Leveraging Network Data Analytics Function and Machine Learning for Data Collection, Resource Optimization, Security and Privacy in 6G Networks. IEEE Access 2024, 12, 21320–21336. [Google Scholar] [CrossRef]
  55. Abdel Hakeem, S.A.; Hussein, H.H.; Kim, H. Security Requirements and Challenges of 6G Technologies and Applications. Sensors 2022, 22, 1969. [Google Scholar] [CrossRef] [PubMed]
  56. Wang, M.; Zhu, T.; Zhang, T.; Zhang, J.; Yu, S.; Zhou, W. Security and privacy in 6G networks: New areas and new challenges. Digit. Commun. Netw. 2020, 6, 281–291. [Google Scholar] [CrossRef]
  57. Mahmoud, H.H.H.; Amer, A.A.; Ismail, T. 6G: A comprehensive survey on technologies, applications, challenges, and research problems. Trans. Emerg. Telecommun. Technol. 2021, 32, e4233. [Google Scholar] [CrossRef]
  58. Pujolle, G.; Urien, P. A New Generation of Security for the 6G. In Proceedings of the 2024 8th Cyber Security in Networking Conference (CSNet), Paris, France, 4–6 December 2024; pp. 161–164. [Google Scholar] [CrossRef]
  59. Sun, Y.; Liu, J.; Wang, J.; Cao, Y.; Kato, N. When Machine Learning Meets Privacy in 6G: A Survey. IEEE Commun. Surv. Tutor. 2020, 22, 2694–2724. [Google Scholar] [CrossRef]
  60. Nguyen, V.L.; Lin, P.C.; Cheng, B.C.; Hwang, R.H.; Lin, Y.D. Security and Privacy for 6G: A Survey on Prospective Technologies and Challenges. IEEE Commun. Surv. Tutor. 2021, 23, 2384–2428. [Google Scholar] [CrossRef]
  61. Sandeepa, C.; Siniarski, B.; Kourtellis, N.; Wang, S.; Liyanage, M. A Survey on Privacy of Personal and Non-Personal Data in B5G/6G Networks. ACM Comput. Surv. 2024, 56, 1–37. [Google Scholar] [CrossRef]
  62. Wang, X.; Lyu, J.; Peter, J.D.; Kim, B.G. Privacy-Preserving AI Framework for 6G-enabled Consumer Electronics. IEEE Trans. Consum. Electron. 2024, 70, 3940–3950. [Google Scholar] [CrossRef]
  63. Siriwardhana, Y.; Porambage, P.; Liyanage, M.; Ylianttila, M. AI and 6G Security: Opportunities and Challenges. In Proceedings of the 2021 Joint European Conference on Networks and Communications & 6G Summit (EuCNC/6G Summit), Porto, Portugal, 8–11 June 2021; pp. 616–621. [Google Scholar] [CrossRef]
  64. Navaie, K. Personal Data Protection in AI-Native 6G Systems. arXiv 2024, arXiv:2411.03368. [Google Scholar] [CrossRef]
  65. Ismail, L.; Buyya, R. Artificial Intelligence Applications and Self-Learning 6G Networks for Smart Cities Digital Ecosystems: Taxonomy, Challenges, and Future Directions. Sensors 2022, 22, 5750. [Google Scholar] [CrossRef] [PubMed]
  66. Li, S.; Lin, X.; Liu, Y.; Li, J. Trustworthy AI-Generative Content in Intelligent 6G Network: Adversarial, Privacy, and Fairness. arXiv 2024, arXiv:2405.05930. [Google Scholar] [CrossRef]
  67. Uwaoma, C. On Security Strategies for Addressing Potential Vulnerabilities in 6G Technologies Deployable in Healthcare. arXiv 2023, arXiv:2309.16714. [Google Scholar] [CrossRef]
  68. Xu, M.; Niyato, D.; Kang, J.; Xiong, Z.; Mao, S.; Han, Z.; Kim, D.I.; Letaief, K.B. When Large Language Model Agents Meet 6G Networks: Perception, Grounding, and Alignment. IEEE Wirel. Commun. 2024, 31, 63–71. [Google Scholar] [CrossRef]
  69. Wang, S.; Qureshi, M.A.; Miralles-Pechuán, L.; Huynh-The, T.; Gadekallu, T.R.; Liyanage, M. Explainable AI for 6G Use Cases: Technical Aspects and Research Challenges. IEEE Open J. Commun. Soc. 2024, 5, 2490–2540. [Google Scholar] [CrossRef]
  70. Ylianttila, M.; Kantola, R.; Gurtov, A.; Mucchi, L.; Oppermann, I.; Yan, Z.; Nguyen, T.H.; Liu, F.; Hewa, T.; Liyanage, M.; et al. 6G White paper: Research challenges for Trust, Security and Privacy. arXiv 2020, arXiv:2004.11665. [Google Scholar] [CrossRef]
  71. Drampalou, S.F.; Uzunidis, D.; Vetsos, A.; Miridakis, N.I.; Karkazis, P. A User-Centric Perspective of 6G Networks: A Survey. IEEE Access 2024, 12, 190255–190294. [Google Scholar] [CrossRef]
  72. Guo, S.; Zhang, A.; Wang, Y.; Feng, C.; Quek, T.Q. Trustworthy Semantic-Enabled 6G Communication: A Task-oriented and Privacy-preserving Perspective. arXiv 2024, arXiv:2408.04188. [Google Scholar] [CrossRef]
  73. Dass, P.; Ujjwal, S.; Novotny, J.; Zolotavkin, Y.; Laaroussi, Z.; Köpsell, S. Addressing Privacy Concerns in Joint Communication and Sensing for 6G Networks: Challenges and Prospects. In Proceedings of the Annual Privacy Forum, Karlstad, Sweden, 4–5 September 2024; pp. 87–111. [Google Scholar] [CrossRef]
  74. Veith, B.; Krummacker, D.; Schotten, H.D. The Road to Trustworthy 6G: A survey on Trust Anchor Technologies. IEEE Open J. Commun. Soc. 2023, 4, 581–595. [Google Scholar] [CrossRef]
Futureinternet 17 00142 g001
Figure 1. A depiction of the systematic domain elements and components that comprise the 5G cellular system. Orange outlined elements represent the access networks. Within the 5G Core, pink and gray elements show the user plane and edge computing management, green illustrates subscriber and session data stores, and blue shows core VNFs and services.
Figure 1. A depiction of the systematic domain elements and components that comprise the 5G cellular system. Orange outlined elements represent the access networks. Within the 5G Core, pink and gray elements show the user plane and edge computing management, green illustrates subscriber and session data stores, and blue shows core VNFs and services.
Futureinternet 17 00142 g001
Futureinternet 17 00142 g002
Figure 2. The 5G VNFs that are associated with, or directly utilize, a subscriber’s SUPI or SUCI.
Figure 2. The 5G VNFs that are associated with, or directly utilize, a subscriber’s SUPI or SUCI.
Futureinternet 17 00142 g002
Futureinternet 17 00142 g003
Figure 3. High-level overview of the creation and mapping of the 5G-GUTI in a 5G SA network.
Figure 3. High-level overview of the creation and mapping of the 5G-GUTI in a 5G SA network.
Futureinternet 17 00142 g003
Futureinternet 17 00142 g004
Figure 4. Proposed application sectors for 6G technology extrapolated from the findings in [51].
Figure 4. Proposed application sectors for 6G technology extrapolated from the findings in [51].
Futureinternet 17 00142 g004
Futureinternet 17 00142 g005
Figure 5. The core tenets of trustworthiness in a 6G network ecosystem.
Figure 5. The core tenets of trustworthiness in a 6G network ecosystem.
Futureinternet 17 00142 g005
Table 1. List of 5G VNF abbreviations and names corresponding to Figure 1.
Table 1. List of 5G VNF abbreviations and names corresponding to Figure 1.
VNF Abbreviation Resolutions
5G DDNMFDirect Discovery Name Management FunctionNEFNetwork Exposure Function
5G-EIREquipment Identity RegisterNRFNetwork Repository Function
AAnFAuthentication and Key Management for Applications (AKMA) Anchor FunctionNSACFNetwork Slice Admission Control Function
ADRFAnalytics Data Repository FunctionNSSAAFNetwork Slice Specific Authentication and Authorization Function
AFApplication FunctionNSSFNetwork Slice Selection Function
AMFAccess and Mobility Management FunctionNSWOFNon-Seamless WLAN Offload Function
AUSFAuthentication Server FunctionNWDAFNetwork Data Analytics Function
BSFBinding Support FunctionPCFPolicy Control Function
CHFCharging FunctionSBCSession Border Controller
CSCFCall Session Control FunctionSCPService Communication Proxy
DCCFData Collection Configuration FunctionSEPPSecurity Edge Protection Proxy
DCMFDistributed Control and Management FrameworkSMFSession Management Function
DCSFData Channel Signaling FunctionSMSFShort Message Service Function
EASDFEdge Application Server Discovery FunctionTNGFTrusted Non-3GPP Gateway Function
GMLCGateway Mobile Location CentreTSCTSFTime-Sensitive Communication Time Synchronization Function
HSSHome Subscriber ServerTSN AFTime-Sensitive Network (TSN) Application Function
IBCFInterconnection Border Control FunctionTWIFTrusted WLAN Interworking Function
LMFLocation Management FunctionUCMFUser Equipment (UE) Capability Management Function
MB-SMFMulticast/Broadcast Session Management FunctionUDMUnified Data Management
MB-UPFMulticast/Broadcast User Plane FunctionUDRUnified Data Repository
MBSFMulticast/Broadcast Service FunctionUDSFUnstructured Data Storage Function
MBSTFMulticast/Broadcast Service Transport FunctionUPFUser Plane Function
MFAFMessaging Framework Adapter FunctionVASValue-Added Services
MRFMultimedia Resource FunctionW-AGFWireline Access Gateway Function
N3IWFNon-3GPP Interworking Function
Table 3. Description of new technologies adopted in 5G CNs that could affect user identity protections.
Table 3. Description of new technologies adopted in 5G CNs that could affect user identity protections.
New Adopted Technologies in 5G and Potential Threats They Pose to User Identity Protections [20]
TechnologySummarized Description
Cross-Border Data FlowsAs nations’ data networks are interconnected, data must be transmitted and shared securely while also maintaining user privacy. Different countries around the world may have different standards for protecting user privacy.
Virtualization and CloudificationThe use of Software-Defined Networking (SDN) and VNFs allow for virtual connections between cloud services, compared to previous generations where all interfaces and network connections were closely coupled physically. If these cloud services or resources are shared, there is a possibility for unauthorized user data access.
SDNSDN is a vital enabler of 5G networks, enhancing flexibility and performance by separating the control, data, and application layers through standard interfaces. The control layer, managed by the SDN controller, oversees data flow, while the application layer supports functions like load balancing and quality assurance. Despite its advantages, SDN introduces privacy risks, such as attacks on the controller or application layer that can lead to unauthorized access and manipulation of data flows [31]. To mitigate these risks, robust authentication, together with authorization mechanisms and privacy impact assessments, is essential in SDN-based 5G deployments.
Insider ThreatsIt is vital that a user of a network can afford a high degree of trust towards the operators. The complexity of a 5G environment increases the opportunity for intentional or unintentional user privacy compromises. Similarly, it is possible for insiders to misuse critical network elements, resulting in a lack of integrity of the user’s privacy [32]. As this was a threat in previous generations of cellular networks, the threat model has only grown and become more complex due to the deployment of the extensible technologies listed earlier. The increased dependence on cloud services and Software-Defined Networking has provided more areas for misuse. The additions to 5G infrastructure thus require strict access and monitoring procedures.
Table 4. The privacy solutions and applicability addressing concerns in personal and non-personal data [61]. The privacy solution is labeled in the far-left column, and the abbreviated privacy issues are presented in the columns on the right.
Table 4. The privacy solutions and applicability addressing concerns in personal and non-personal data [61]. The privacy solution is labeled in the far-left column, and the abbreviated privacy issues are presented in the columns on the right.
Privacy SolutionP1P2P3P4P5P6N1N2N3N4N5
Non-centralized MLXX
Differential privacy and data perturbationXX
Homomorphic encryptionXXX
Lightweight cryptography for IoT and edgeXXXX
Fog computing privacy preservationXXXX
Blockchain-based consensus and storageXX
Privacy level definitions and quantificationXXX
Table 5. Comparison of the current literature regarding AI, user identity protections, and privacy in 6G technology.
Table 5. Comparison of the current literature regarding AI, user identity protections, and privacy in 6G technology.
Current 6G AI Privacy Literature
Paper Title and CitationFocusDescription
‘Privacy-Preserving AI Framework for 6G-Enabled Consumer Electronics’ [62]Differential privacy, federated learningCovers user data privacy concerns in 6G technology and presents a differential privacy and federated learning (FL) framework, offering a solution to safeguard sensitive user data during transmission. Blockchain is utilized to support the FL model in a decentralized manner, reducing vulnerabilities.
‘AI and 6G Security: Opportunities and Challenges’ [63]Intelligent security privacy provisionsDiscusses the use of AI to catch and deter threats in 6G networks. Mentions the use of AI as a double-edged sword, and the importance of maintaining user privacy given the huge influx of data consumed or produced by models. Underscores the importance of the “Ethics by Design” of AI systems.
‘Personal Data Protection in AI-Native 6G Systems’ [64]AI privacy compliance, privacy by designIdentifies privacy risks with AI-enabled 6G systems, such as privacy breaches, data misuse, lack of transparency, and bias. Solutions to these issues include regulatory compliance, bias audits, and explainable AI-deployed systems.
‘Artificial Intelligence Applications and Self-Learning 6G Networks for Smart Cities Digital Ecosystems: Taxonomy, Challenges, and Future Directions’ [65]Cellular network evolution, self-learning AI systemsDetails how 6G technology can be used to create smart cities with interconnected services and applications. Stresses the importance of data privacy in the use of self-learning edge AI systems and data caching.
‘Trustworthy AI-Generative Content in Intelligent 6G Network: Adversarial, Privacy, and Fairness’ [66]Safe, fair, and private AIAn operational framework is presented named TrustGAIN, which aims to protect against AI poising or prompt attacks, ensuring fair and unbiased output and maintaining user privacy with encryption. The authors also share how differential privacy can be used to limit privacy leaks but note that it cannot eliminate them. Homomorphic encryption on user datasets is also mentioned, adding identity protections and processing encrypted data without the need for decryption.
‘On Security Strategies for Addressing Potential Vulnerabilities in 6G Technologies Deployable in Healthcare’ [67]Healthcare privacyReviews current and past privacy and security concerns in cellular networks, such as unauthorized access and data breaches. Proposes Zero-Trust Architectures (ZTA) with the use of AI to enforce strict privacy measures for medical data.
‘When large language model agents meet 6G networks: Perception, grounding, and alignment’ [68]Large Language Models (LLM), Agentic AI, edge computingThe authors cover the expected aspects of agentic LLMs in 6G networks with a split approach for on-device capabilities and the use of edge computing. User privacy is discussed as a split approach with associated pros and cons: high anonymity when using on-device model inference with concerns arising from the reliance on edge computing for complex tasks. The authors note that privacy in edge computing poses a risk in the case of malicious edge nodes.
‘Explainable AI for 6G use cases: Technical aspects and research challenges’ [69]Explainable AI (XAI) in 6G technologyThis research covers an exhaustive list of XAI use cases in 6G technology, ranging from self-driving vehicles to medicine. Important privacy focuses include leveraging XAI to catch user privacy ‘leakages’, understand re-identification attacks on user datasets, and retain user expectations in terms of service capabilities and performance. It is prominent that XAI is still a bleeding-edge field with open research questions, notably, Can privacy threats be posed by the increased transparency of AI decision-making?
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Scalise, P.; Hempel, M.; Sharif, H. A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies. Future Internet 2025, 17, 142. https://doi.org/10.3390/fi17040142

AMA Style

Scalise P, Hempel M, Sharif H. A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies. Future Internet. 2025; 17(4):142. https://doi.org/10.3390/fi17040142

Chicago/Turabian Style

Scalise, Paul, Michael Hempel, and Hamid Sharif. 2025. "A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies" Future Internet 17, no. 4: 142. https://doi.org/10.3390/fi17040142

APA Style

Scalise, P., Hempel, M., & Sharif, H. (2025). A Survey of 5G Core Network User Identity Protections, Concerns, and Proposed Enhancements for Future 6G Technologies. Future Internet, 17(4), 142. https://doi.org/10.3390/fi17040142

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop