- From: John Morris <jmorris@cdt.org>
- Date: Thu, 23 Oct 2008 10:36:45 -0700
- To: public-geolocation@w3.org
- Cc: Alissa Cooper <acooper@cdt.org>
We would like to raise - for discussion both on the list and at the London face-to-face - the critical need to address privacy within the context of any specification that this WG generates. Based on the initial spec, it appears that the privacy of the location information conveyed in accordance with the spec is being treated separately from the conveyance of the information itself. Some of the list discussions suggest that privacy controls associated with the location information should be handled independently by the UI. And, as the privacy and security considerations section of the spec is blank, we're guessing that privacy controls are assumed to be handled elsewhere or at best later. If we are correctly perceiving the situation, we think that this approach - of deferring the bulk of the effort to address the privacy issues until some future time or place - is very problematic. We fear that it will increase risk to privacy, and will be inconsistent with (and could undermine) the work being done in other standards bodies (most notably the Geopriv effort at the IETF).

Before trying to start a substantive discussion of privacy issues, let me briefly provide background on where I (John) am coming from, and more broadly on the IETF Geopriv effort. I serve as the director of the "Internet Standards, Technology & Policy Project" of the Center for Democracy & Technology, a public policy/think tank based in Washington, D.C. I've been active at the IETF and (to a lesser extent) at W3C since 2001, working to ensure that public policy concerns are not overlooked or harmed in technical standards setting processes. CDT has been a member of the W3C since 1997, working on activities ranging from the P3P WG years ago to the newly created "open government" effort. Also joining me on this WG (and I hope at the London f2f) is CDT's CTO, Alissa Cooper.
The history of the IETF Geopriv working group is, we think, relevant to the question of when and how this WG addresses privacy. Some folks here are active in Geopriv, but we suspect that others may be less familiar with the background. When discussions in the IETF about standardizing location conveyance first began nearly a decade ago, there were a number of BOFs and proposed WGs (such as the "spatial" effort) that sought to standardize location conveyance without fully addressing the privacy concerns raised by such conveyance. After a fair bit of angst and debate, the IETF concluded that any standard to convey location MUST address privacy as an integral part of the standard. This decision led to the 2001 creation of Geopriv, which has made much progress since then (notwithstanding some initial continuing resistance to really addressing privacy).

The key Geopriv documents are at http://www.ietf.org/html.charters/geopriv-charter.html. Geopriv anticipates that there will be a "using protocol" that will actually carry the Geopriv information -- Geopriv carried over XML is shown at http://www.ietf.org/rfc/rfc4119.txt among other documents. A quick read giving an overview of Geopriv and discussing its adoption in other standards contexts is available at http://www.cdt.org/publications/20070100ieee.pdf.

The core decision that underlies the Geopriv effort is that any piece of location information MUST be inextricably bound together with the privacy rules that apply to the location info. Thus, for example, the same envelope that carries location also carries rules about how long the location info can be retained, and whether it can be retransmitted. In addition to basic rules carried within the Geopriv envelope, the spec also allows for a pointer to more robust rules (some of which are being defined within Geopriv). Let us raise and confront one issue that prompted a great deal of discussion and debate within the Geopriv effort.
Some argued that it was pointless to bind location rules to location because there was no way - as a technical matter - to ensure that the recipient of the rules would honor those rules. Because Geopriv can be used in contexts where encryption is not feasible, one could do nothing to "guarantee" that the recipient would play nice. The answer to this concern is that privacy is an area in which technology must look to local laws to enforce privacy expectations - in other words, technical standards cannot in fact "guarantee" privacy, but by inextricably binding privacy rules to location (as Geopriv does), the standard can make it much harder for anyone to claim that they did not know that they were not meant to pass on the location information.

We are hopeful that Geopriv can provide a starting point for the handling of location privacy within this WG. We think it would be very helpful for this group to establish a direct formal liaison with Geopriv, and for us to invite one or two folks from that effort to the London meeting (in addition to the people who already overlap in the two groups).

We look forward to working with everyone on these issues.

John Morris & Alissa Cooper

-- 
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology & Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris@cdt.org
http://www.cdt.org
----------------------------------------
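The "envelope" the message describes, as an added example that is not part of the original email, the W3C Geolocation spec or the IETF Geopriv documents: a recipient that reads a location object of the RFC 4119 (PIDF-LO) shape, takes the location and its usage rules from the same gp:geopriv element, refuses location that arrives without rules, and answers the two questions the rules settle (may it be retained now, may it be retransmitted). Element and namespace names follow RFC 4119; the sample document, the refusal policy for rule-less objects and the decision helpers are constructed here.

```python
"""Consume a Geopriv location object (RFC 4119 PIDF-LO shape) and honour
the usage rules bound to it.

Illustrative code written for this discussion; not code from the W3C
Geolocation spec, the Geopriv documents or the email's authors.  Element
and namespace names follow RFC 4119; the sample document, the refusal of
rule-less objects and the decision helpers are constructed here.
"""
from datetime import datetime
import xml.etree.ElementTree as ET  # parse untrusted documents with defusedxml instead

NS = {
    "pidf": "urn:ietf:params:xml:ns:pidf",
    "gp": "urn:ietf:params:xml:ns:pidf:geopriv10",
    "gml": "urn:opengis:specification:gml:schema-xsd:feature:v3.0",
}


def make_document(usage_rules_xml):
    """Build a constructed PIDF-LO document around the given usage-rules XML.

    The rules land inside the same <gp:geopriv> element as the location,
    which is the binding the Geopriv design relies on."""
    return f"""<presence xmlns="urn:ietf:params:xml:ns:pidf"
          xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
          xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0"
          entity="pres:someone@example.com">
  <tuple id="sg89ae">
    <status>
      <gp:geopriv>
        <gp:location-info>
          <gml:location>
            <gml:Point gml:id="point1" srsName="epsg:4326">
              <gml:coordinates>51:30:26N 0:07:39W</gml:coordinates>
            </gml:Point>
          </gml:location>
        </gp:location-info>
        {usage_rules_xml}
      </gp:geopriv>
    </status>
  </tuple>
</presence>"""


# Constructed sample: a point location that may not be retransmitted and
# may be retained only until 2008-10-24T12:00:00Z.
SAMPLE_PIDF_LO = make_document("""<gp:usage-rules>
          <gp:retransmission-allowed>no</gp:retransmission-allowed>
          <gp:retention-expiry>2008-10-24T12:00:00Z</gp:retention-expiry>
        </gp:usage-rules>""")


def parse_location_object(xml_text):
    """Return the location together with the rules bound to it.

    A document that carries location without <gp:usage-rules> is rejected
    outright; that is this example's conservative policy, not a rule
    taken from RFC 4119."""
    root = ET.fromstring(xml_text)
    geopriv = root.find(".//gp:geopriv", NS)
    if geopriv is None:
        raise ValueError("no gp:geopriv element: not a Geopriv location object")
    rules = geopriv.find("gp:usage-rules", NS)
    if rules is None:
        raise ValueError("location arrived without usage rules: refusing to use it")
    coords = geopriv.findtext(
        "gp:location-info/gml:location/gml:Point/gml:coordinates", namespaces=NS)
    # RFC 4119 gives retransmission-allowed the default "no" when absent.
    retrans = rules.findtext("gp:retransmission-allowed", default="no", namespaces=NS)
    expiry_text = rules.findtext("gp:retention-expiry", namespaces=NS)
    expiry = None
    if expiry_text:
        expiry = datetime.fromisoformat(expiry_text.strip().replace("Z", "+00:00"))
    return {
        "coordinates": coords.strip() if coords else None,
        "retransmission_allowed": retrans.strip().lower() == "yes",
        "retention_expiry": expiry,
    }


def decide(xml_text, now_iso):
    """Say what a recipient may do with the object at time `now_iso` (UTC)."""
    record = parse_location_object(xml_text)
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    expiry = record["retention_expiry"]
    # A missing retention-expiry is treated here as "do not retain";
    # this is the example's conservative choice, not the RFC's default.
    return {
        "coordinates": record["coordinates"],
        "retain": expiry is not None and now < expiry,
        "retransmit": record["retransmission_allowed"],
    }


def rejects_without_rules(xml_text):
    """True if the consumer refuses an object carrying no usage rules."""
    try:
        parse_location_object(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decide(SAMPLE_PIDF_LO, "2008-10-23T17:37:00Z"))
```

The point of the shape is that a consumer cannot obtain the coordinates without also reading the rules, so an implementation that stores or forwards against them cannot plausibly say it never saw them; what the rules do not do is stop a non-compliant recipient, which is the enforcement gap the message assigns to local law.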
Received on Thursday, 23 October 2008 17:37:27 UTC