From ef0d315c4cce9ca9aafbecb0aa546b00124f4879 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Tue, 7 Jul 2026 10:59:39 +0200 Subject: [PATCH] CIBA in NR is problematic CIBA defeats the purpose of NR --- code/API_definitions/number-recycling.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code/API_definitions/number-recycling.yaml b/code/API_definitions/number-recycling.yaml index 2b3aa31..e76ece5 100644 --- a/code/API_definitions/number-recycling.yaml +++ b/code/API_definitions/number-recycling.yaml @@ -59,6 +59,14 @@ info: In cases where personal data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of three-legged access tokens is mandatory. This ensures that the API remains in compliance with privacy regulations, upholding the principles of transparency and user-centric privacy-by-design. + Note: Using CIBA to obtain an access token for this API is problematic, because CIBA + delivers an authentication challenge (e.g. a push notification or SMS) to the device + associated with the phone number. This conflicts with the API's purpose: checking + whether that phone number still belongs to the same subscriber who originally consented. + If the number has since been recycled, the authentication challenge is delivered to the + new subscriber rather than the original one — undermining the very check this API exists + to perform. + # Identifying the phone number from the access token This API requires the API consumer to identify a phone number as the subject of the API as follows: