Hi Harald,
we have only used the "Auth Token" mechanism in the Netherlands, where the regulatory authority didn't make any complaint. However, I remember some people with the (then not all-omnipresent) iPhone reporting some issues.
Seems to be a general problem...
In order to be on the safe side, we started issuing our own SIM cards at CCC Congress and related events. This means that people have to obtain such a card before being able to access the network. I believe legally, this is the better situation anyway, as the "real operator" SIM card in their device belongs to their "real operator", and we don't know the details of the agreement they have with their operator. They could have some fine print that that SIM is only permitted to be used with roaming partners of the "real operator". So by not accepting foreign SIM cards, we make sure nobody is violating such terms. Furthermore, we can of course use A3/A8 and as a result also A5/1, if we want.
Everybody using our SIM cards would be the best of course - we have some there lying in the drawer. But simply switching the network seems to be more popular - only one person came to get a programmed SIM card. We will put a legal notice about fine prints onto the registration page.
So after all we will probably leave the Auth Token Policy off and let the users enter their IMEI (followed by a registration) before accepting a location update the first time.
The fact that we have the auth-token (or any other) functionality in our software doesn't mean that it is safe to run it, or that you will have legal guarantees about regulatory approval in any jurisdiction!
That's clear. But as I configured it some time ago, I thought it would not be a problem, since normally the phones should only try to roam if they cannot establish a connection to their home network. Since they are only one time in our network for about 5 seconds to send the SMS, I saw no problem in there - believing phones try to register back immediately after being thrown out.
Regards, Lennart