
Re: Geofencing and privacy

From: David Singer <singer@apple.com>
Date: Thu, 02 Jul 2015 08:58:59 -0700
Cc: "norcie@cdt.org" <norcie@cdt.org>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-id: <A4F4F1F5-5201-4B1E-8BCF-7DA4769396CE@apple.com>
To: Christine Runnegar <runnegar@isoc.org>
OK, maybe I missed the back-conversation on this topic, and if so, I apologize, and please point me at where it happened.  Otherwise...


I am wondering whether it’s even possible to satisfy the benign, helpful, use cases for this, without also enabling the malicious ones.

I assume that the sense is, that it’s better for privacy if a site sets up a set of GeoFences and only gets enter/leave events for them, than to have it track you all the time.

But that assumes that there are cases where, say, I would not give Rick’s Falafel Chain permission to track me all the time, but I would let it set up a set of GeoFences, so then it can know when I am near or entering one of their outlets. Is this really true?


* Without a lot of work, how do I determine that the set of fences enclose areas that Rick’s could reasonably care about? 
  — How do I know that they haven’t set up fences around their competitors, for example?
  — Maybe they have been hacked, or are co-operating with the government, and some of the fences are quite different (e.g. a fence around a known site of protests).
* If I do a gross check on radii (they are ‘reasonably large’), that may miss that the multiple fences provide a lot of information (e.g. they have small intersections, or I can watch enter/leave events from adjacent fences) that enable the site to work out much more than ‘general area’.
* Is the edge ‘hard’ or should the terminal also fuzz it? What if I am travelling roughly along the circumference? Should there be ‘hysteresis’ over enter/leave?
* Does the notification happen ‘silently’ (without user awareness)? This seems undesirable. But it also seems undesirable to keep prodding the user every time a fence-crossing happens (“I just told or am about to tell (OK?) Rick’s Falafels that you entered one of their regions”).
* What if my privacy is time-of-day sensitive? For example, entering the men’s restroom in a public park at 3pm and 3am may have radically different implications. (Yes, I realize that it’s questionable why I’d agree to a fence around a public restroom, but I am sure there are other time-sensitive issues, not least opening times.)

I have no idea what should be changed, because until we detail the use cases that are desirable, and we delineate the abuses that are undesirable, and we convince ourselves we can enable the first while blocking the second, I am not sure we have a way ahead at all. I rather suspect the entire mental model will be a result not of enabling the desirable cases (easy), but of detecting and protecting against the undesirable cases (both very hard, IMHO).

At a trivial level, I cannot even work out how one could check (and ideally it’s automatic) whether the requested fences are all a legitimate interest of the requester. McDonald’s has 17 outlets within the périphérique of Paris, for example. Am I really going to look at each of 17 fences and check that they are centered on McDonald’s? Banks typically have even more locations.

Help?

> On Jul 2, 2015, at 6:42 , Christine Runnegar <runnegar@isoc.org> wrote:
> 
> Many thanks Greg and Charles.
> 
> Colleagues, 
> 
> The earlier that we can provide our guidance in the development process the better.
> 
> Please take a look at the draft in the next week and share your views on this list. Let’s aim to send some consolidated PING feedback by mid July.
> 
> Ideally, please be specific about what could/should be changed (if anything) and why. Also, please suggest language for the privacy and considerations section.
> 
> Christine (co-chair)
> 
>> On 25 Jun 2015, at 5:13 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>> 
>> Those are some great points.
>> 
>> I think that it would be useful for the standard to focus on notice and choice.
>> 
>> Specifically, it would be great if rather than being presented with latitude and longitude coordinates, any consent dialog was required to display a map showing the area being fenced.
>> 
>> Another way to enhance notice would be to set up "levels" of Geofences.
>> 
>> For example:
>> 
>> • Level 1: Down to the meter sensitivity (rooms in a house)
>> • Level 2: Building level sensitivity (user is at home)
>> • Level 3: Neighborhood level sensitivity (user is in the Mission)
>> • Level 4: City level (user is in San Francisco)
>> • Level 5: Metro level (user is in the San Francisco Bay Area - SF, Oakland, South Bay, etc.)
>> • Level 6: State level (user is in California)
>> • Level 7: User is in the United States of America
>> 
>> (Also, I know this is a pretty North America centric model since in Europe et al what would be a state would be another country, so I'm totally open to suggestions on how to tweak the language)
>> 
>> Levels with higher privacy implications could show more dire warnings and/or require more explicit, opt in consent.
>> 
>> IMHO users need to have continuous feedback about geofences - whenever entering/exiting there should be some sort of feedback about who is monitoring them, the granularity of the geofence, and an opportunity to revoke consent.
>> 
>> 
>> 
>> 
>> On Wed, Jun 24, 2015 at 4:45 AM, <chaals@yandex-team.ru> wrote:
>> 
>> 
>> 24.06.2015, 07:37, "Christine Runnegar" <runnegar@isoc.org>:
>>> Hi all.
>>> 
>>> The First Public Working Draft of Geofencing API has been published by the Geolocation WG:
>>> 
>>> http://www.w3.org/TR/2015/WD-geofencing-20150604/
>>> 
>>> You will see that there is still work to be done on the privacy and security considerations section.
>> 
>> I raised an issue [1] on the precision of circles - what happens if a user's geolocation is expressed as [51,0] - a rough location for "London" and a geofence is set up around 50.234567,-.31415927 - say, some GCHQ coffee point…?
>> 
>> A lot of what happens with geoinformation depends on understanding the resolution - are you allowing the system to discover that you are in a given city, on a given street, or whether you are sitting or standing at the tram stop? (Actually the current spec is pretty daft and can't tell if you're in a given street, only if you're within a certain ellipse defined by wgs84?)
>> 
>> What if someone sets up a private geofence for you, say "around your house". Browsers should probably provide a way to independently verify the area that is being described... but will people use it? Not that many people can actually read a map - hence the popularity of turn-by-turn navigation.
>> 
>> cheers
>> 
>> Chaals
>> 
>> --
>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>> chaals@yandex-team.ru - - - Find more at http://yandex.com
>> 
>> 
>> 
>> 
>> -- 
>> /***********************************/
>> Greg Norcie (norcie@cdt.org)
>> Staff Technologist
>> Center for Democracy & Technology
>> 1634 Eye St NW Suite 1100
>> Washington DC 20006
>> (p) 202-637-9800
>> PGP: http://norcie.com/pgp.txt
>> 
>> Fingerprint:  
>> 73DF-6710-520F-83FE-03B5
>> 8407-2D0E-ABC3-E1AE-21F1
>> 
>> /***********************************/
> 

David Singer
Manager, Software Standards, Apple Inc.
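The three mechanical points raised in this thread (the resolution of the user's fix versus the size of the fence, hysteresis when travelling along the circumference, and how much a set of barely overlapping fences reveals) can be sketched as checks a user agent could run on its side. The Python below is an added example written for this archive page; it is not code from the thread, from Apple, from CDT, or from the Geofencing API draft. It models a fence as a plain circle (centre and radius), treats a position fix as a disc of uncertainty rather than a point, and uses constructed fence names and coordinates. The "effective resolution" heuristic is an assumption of this example, not something the specification defines.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; fine for fence-scale distances


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Fence:
    """A circular geofence. Hypothetical model for this example; names and coordinates are constructed."""
    name: str
    lat: float
    lon: float
    radius_m: float


def classify(fence: Fence, lat: float, lon: float, accuracy_m: float, margin_m: float = 0.0) -> str:
    """Compare the fence against the whole uncertainty disc of a fix, not just its centre.

    'inside'    : the entire disc (radius accuracy_m) lies within the fence, minus a hysteresis margin
    'outside'   : the entire disc lies beyond the fence edge, plus the margin
    'ambiguous' : the disc straddles the edge, or the fix is too coarse to decide; fire nothing
    A city-level fix (accuracy of kilometres) against a 200 m fence therefore never produces an event.
    """
    d = haversine_m(fence.lat, fence.lon, lat, lon)
    if d + accuracy_m <= fence.radius_m - margin_m:
        return "inside"
    if d - accuracy_m >= fence.radius_m + margin_m:
        return "outside"
    return "ambiguous"


class FenceMonitor:
    """Keeps per-fence state and emits (event, fence name) only on a definite transition."""

    def __init__(self, fences: List[Fence], margin_m: float = 0.0) -> None:
        self.fences = list(fences)
        self.margin_m = margin_m
        self.state: Dict[str, str] = {f.name: "outside" for f in fences}

    def update(self, lat: float, lon: float, accuracy_m: float) -> List[Tuple[str, str]]:
        events: List[Tuple[str, str]] = []
        for f in self.fences:
            verdict = classify(f, lat, lon, accuracy_m, self.margin_m)
            if verdict == "ambiguous":
                continue  # hold the previous state: no enter/leave flapping along the circumference
            if verdict != self.state[f.name]:
                self.state[f.name] = verdict
                events.append(("enter" if verdict == "inside" else "leave", f.name))
        return events


def effective_resolution_m(fences: List[Fence]) -> float:
    """Crude lower bound on the finest detail a fence set can reveal (heuristic of this example).

    Considers each fence's diameter and, for every pair of overlapping circles, the width of the
    lens where they intersect (r1 + r2 - d): if both fences report 'inside' at once, the site has
    learned a strip that narrow, however large the individual fences look.
    """
    if not fences:
        return math.inf
    best = min(2 * f.radius_m for f in fences)
    for i, a in enumerate(fences):
        for b in fences[i + 1:]:
            d = haversine_m(a.lat, a.lon, b.lat, b.lon)
            overlap = a.radius_m + b.radius_m - d
            if 0 < overlap < best:
                best = overlap
    return best


def fence_set_is_too_fine(fences: List[Fence], threshold_m: float = 50.0) -> bool:
    """Policy hook: a user agent could warn or refuse when the set resolves below threshold_m."""
    return effective_resolution_m(fences) < threshold_m


if __name__ == "__main__":
    cafe = Fence("cafe", 51.5, -0.1, 200.0)  # constructed fence
    mon = FenceMonitor([cafe])
    for fix in [(51.5, -0.1, 5000.0), (51.5, -0.1, 10.0), (51.5018, -0.1, 10.0), (51.51, -0.1, 10.0)]:
        print(fix, "->", mon.update(*fix))
    pair = [Fence("a", 51.5, -0.1, 500.0), Fence("b", 51.5089, -0.1, 500.0)]
    print("pair too fine:", fence_set_is_too_fine(pair), "resolution m:", round(effective_resolution_m(pair), 1))
```

The first fix in the demo has a 5 km accuracy radius sitting on top of a 200 m fence, so no event fires; the third fix sits on the circumference and is held as ambiguous rather than toggling leave/enter; the last one is clearly outside and produces a single leave. The two 500 m fences in the second demo look coarse individually but overlap in a strip about 10 m wide, which is the kind of thing a gross check on radii alone would miss.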
Received on Thursday, 2 July 2015 15:59:30 UTC
