Location privacy concerns

We would like to raise - for discussion both on the list and at the 
London face-to-face - the critical need to address privacy within the 
context of any specification that this WG generates.  Based on the 
initial spec, it appears that the privacy of the location information 
conveyed in accordance with the spec is being treated separately from 
the conveyance of the information itself.  Some of the list 
discussions suggest that privacy controls associated with the 
location information should be handled independently by the UI.  And, 
as the privacy and security considerations section of the spec is 
blank, we're guessing that privacy controls are assumed to be handled 
elsewhere or at best later.

If we are correctly perceiving the situation, we think that this 
approach - of deferring the bulk of the effort to address the privacy 
issues until some future time or place - is very problematic.  We 
fear that it will increase risk to privacy, and will be inconsistent 
with (and could undermine) the work being done in other standards 
bodies (most notably the Geopriv effort at the IETF).

Before trying to start a substantive discussion of privacy issues, 
let me briefly provide background on where I (John) am coming from, 
and more broadly on the IETF Geopriv effort.  I serve as the director 
of the "Internet Standards, Technology & Policy Project" of the 
Center for Democracy & Technology, a public policy/think tank based 
in Washington, D.C.  I've been active at the IETF and (to a lesser 
extent) at W3C since 2001, working to ensure that public policy 
concerns are not overlooked or harmed in technical standards setting 
processes.  CDT has been a member of the W3C since 1997, working on 
activities ranging from the P3P WG years ago to the newly created 
"open government" effort.  Also joining me on this WG (and I hope at 
the London f2f) is CDT's CTO, Alissa Cooper.

The history of the IETF Geopriv working group is, we think, relevant 
to the question of when and how this WG addresses privacy.  Some 
folks here are active in Geopriv, but we suspect that others may be 
less familiar with the background.

When discussions in the IETF about standardizing location conveyance 
first began nearly a decade ago, there were a number of BOFs and 
proposed WGs (such as the "spatial" effort) that sought to 
standardize location conveyance without fully addressing the privacy 
concerns raised by such conveyance.  After a fair bit of angst and 
debate, the IETF concluded that any standard to convey location MUST 
address privacy as an integral part of the standard.  This decision 
led to the 2001 creation of Geopriv, which has made much progress 
since then (notwithstanding some initial continuing resistance to 
really addressing privacy).  The key Geopriv documents are at 
http://www.ietf.org/html.charters/geopriv-charter.html.  Geopriv 
anticipates that there will be a "using protocol" that will actually 
carry the Geopriv information -- Geopriv carried over XML is shown at 
http://www.ietf.org/rfc/rfc4119.txt among other documents.  A quick 
read giving an overview of Geopriv and discussing its adoption in 
other standards contexts is available at 
http://www.cdt.org/publications/20070100ieee.pdf.

The core decision that underlies the Geopriv effort is that any piece 
of location information MUST be inextricably bound together with the 
privacy rules that apply to the location info.  Thus, for example, 
the same envelope that carries location also carries rules about how 
long the location info can be retained, and whether it can be 
retransmitted.  In addition to basic rules carried within the Geopriv 
envelope, the spec also allows for a pointer to more robust rules 
(some of which are being defined within Geopriv).

Let us raise and confront one issue that prompted a great deal of 
discussion and debate within the Geopriv effort.  Some argued that it 
was pointless to bind location rules to location because there was no 
way - as a technical matter - to ensure that the recipient of the 
rules would honor those rules.  Because Geopriv can be used in 
contexts where encryption is not feasible, one could do nothing to 
"guarantee" that the recipient would play nice.  The answer to this 
concern is that privacy is an area in which technology must look to 
local laws to enforce privacy expectations - in other words, 
technical standards cannot in fact "guarantee" privacy, but by 
inextricably binding privacy rules to location (as Geopriv does), the 
standard can make it much harder for anyone to claim that they did 
not know that they were not meant to pass on the location information.

We are hopeful that Geopriv can provide a starting point for the 
handling of location privacy within this WG.  We think it would be 
very helpful for this group to establish a direct formal liaison with 
Geopriv, and for us to invite one or two folks from that effort to 
the London meeting (in addition to the people who already overlap in 
the two groups).  We look forward to working with everyone on these 
issues.

John Morris & Alissa Cooper

-- 
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
    & Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris@cdt.org
http://www.cdt.org
----------------------------------------

Received on Thursday, 23 October 2008 17:37:27 UTC
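To make concrete what "binding rules to location" looks like in the RFC 4119 envelope the message refers to, here is an added example that is not part of the original message or of the Geopriv documents: a constructed PIDF-LO whose usage-rules carry retention-expiry, retransmission-allowed and an external-ruleset pointer, with recipient-side checks that honor them. The entity, ruleset URL, address and timestamps are invented sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Namespace from RFC 4119 (PIDF-LO); the usage-rules live under it.
NS = {"gp": "urn:ietf:params:xml:ns:pidf:geopriv10"}

# Constructed sample PIDF-LO (not from the page): location and its rules share one envelope.
SAMPLE_PIDF_LO = """<presence xmlns="urn:ietf:params:xml:ns:pidf"
          xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
          xmlns:cl="urn:ietf:params:xml:ns:pidf:geopriv10:civicLoc"
          entity="pres:geotarget@example.com">
  <tuple id="sg89ae"><status><gp:geopriv>
    <gp:location-info>
      <cl:civicAddress><cl:country>US</cl:country><cl:A3>Washington</cl:A3></cl:civicAddress>
    </gp:location-info>
    <gp:usage-rules>
      <gp:retransmission-allowed>no</gp:retransmission-allowed>
      <gp:retention-expiry>2008-10-24T17:37:27Z</gp:retention-expiry>
      <gp:external-ruleset>https://rules.example.net/geotarget</gp:external-ruleset>
    </gp:usage-rules>
  </gp:geopriv></status></tuple>
</presence>"""

def _to_utc(iso_ts):
    # fromisoformat() before Python 3.11 rejects the RFC 3339 "Z" suffix.
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def _rule(rules, name):
    # Text of one usage-rules child, or None when the element (or the whole block) is absent.
    el = rules.find(f"gp:{name}", NS) if rules is not None else None
    return el.text.strip() if el is not None and el.text else None

def parse_usage_rules(xml_text):
    # Returns (retransmission_allowed, retention_expiry, external_ruleset). Absent retransmission-
    # allowed means "no" (RFC 4119 schema default); absent expiry -> None, assumed here to mean no limit.
    rules = ET.fromstring(xml_text).find(".//gp:usage-rules", NS)
    retrans = (_rule(rules, "retransmission-allowed") or "no").lower()
    expiry = _rule(rules, "retention-expiry")
    return (retrans in ("yes", "true", "1"),
            _to_utc(expiry) if expiry else None,
            _rule(rules, "external-ruleset"))

def may_retransmit(xml_text):
    # Recipient-side check before forwarding the location to a third party.
    return parse_usage_rules(xml_text)[0]

def may_retain(xml_text, now_iso):
    # Recipient-side check before keeping the location stored at time now_iso.
    expiry = parse_usage_rules(xml_text)[1]
    return expiry is None or _to_utc(now_iso) < expiry
```

These checks cannot force a recipient to comply, which is the point the message makes; they are the hook a compliant implementation places in front of every forward or store operation so that ignoring the rules becomes a deliberate act rather than an oversight.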