- From: Alissa Cooper <acooper@cdt.org>
- Date: Fri, 24 Oct 2008 15:20:12 -0400
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-geolocation@w3.org
(John is traveling and offline until Monday, but I will weigh in with a few thoughts in the meantime.)

On Oct 23, 2008, at 4:23 PM, Ian Hickson wrote:

> Could you elaborate on the exact scenario through which a user's privacy
> can be violated?
>
> As I understand it, the user has full control over whether a site has
> access to this information or not, and would thus only give the
> information to a site that the user trusts to not abuse the information.
> If the user doesn't trust the site not to abuse the information, then it
> doesn't matter what privacy theory is passed along with the location, the
> site can't be trusted to not abuse it (by definition).

This seems to assume that the only scenario in which this API will be used is when a user manually enters his location information on a site or manually authorizes that site to obtain his location. I imagine that the use cases for the spec are actually much broader, and may well encompass scenarios where the user is not involved in providing his location information or authorizing its use.

Consider a slight variation on the existing Geode add-on as an example. Right now, when you visit a site that requests your location, Geode prompts you to decide whether and with what specificity your location information can be shared with the site. But what if this prompt didn't exist? Then the site would request location information, and it would be delivered without the user being involved (this is exactly what happens already with IP address-based geolocation lookups). Although existing implementations may obtain permission, it seems plausible (and likely) for user agents to implement the API such that sites can directly obtain location information without interacting with the user. This could be an attractive avenue for, say, third-party advertisers who want to serve location-based ads but don't want to (or aren't allowed by the site to) interject a request for permission from the user.

The spec does not appear to be limited in any way to the case where users have full control. If that is the intention, we should discuss how to make it explicit (although even in that case there would still be value in crafting the spec such that sites will be more likely to take privacy considerations into account).

> This seems equivalent to all other private information a user gives a site
> access to, such as credit card details, social security numbers,
> preferences, etc. The information is held under the terms of the site's
> privacy policy, and the user makes a decision as to whether to provide the
> information based on whether they trust the site operator or not.

Relying on a site's privacy policy for enforcement of privacy rules strikes me as a much riskier approach than, at a minimum, forcing sites to consider privacy rules that are always automatically conveyed together with location information. Take the example of a pizza place. You provide your location information to a pizza place's web site, and it returns to you the nearest chain location. An average user probably expects the pizza place to get rid of his location information relatively soon afterward. But what if the pizza place keeps it, or sells it? What if law enforcement then comes and asks for all of the pizza place's location info? It is far preferable from a privacy perspective for the pizza place to be forced to confront these issues when it receives location data accompanied by rules explaining the user's preference not to have his location data stored. The rules can still be ignored. But without them, the pizza place can much more easily absolve itself of all responsibility for the data it collects merely by stating its practice of retaining location information indefinitely in a privacy policy which no average user is likely to read. With rules attached, the pizza place must at the very least develop a rationale for ignoring the rules.

If you decouple the conveyance of location information from the rules associated with that information, it's an invitation for sites to ignore privacy altogether. Given that location information may be extremely sensitive, forcing sites to at least think through an approach to privacy, rather than skirting it entirely, seems sensible.

It is certainly true that much of the data shared on the web today is governed by privacy policies. If we decided today to develop a standard for the conveyance of social security numbers on the web, I think it would be a good idea to consider how such a standard could have rules or user preferences about the onward transfer of the numbers built into it. That's not the standard we're focused on, but we are focused on conveying location information, which can be just as sensitive if not more sensitive in certain contexts than the kinds of data you list above. So I think it makes sense for those involved in this effort to consider how we can improve over the status quo for conveying user data on the web.

Alissa

-- 
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
202 637 9800
fax 202 637 0968
acooper@cdt.org
http://www.cdt.org
Received on Sunday, 26 October 2008 15:27:02 UTC
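The message above argues for conveying the user's handling rules together with the location fix, so that a recipient such as the pizza place has to confront retention and onward-transfer questions at the moment it receives the data. The following is an added JavaScript illustration of that pattern; it is not code from the W3C Geolocation API draft, from the Geode add-on, or from the author. Every field and function name (`makeLocationObject`, `rules.retentionSeconds`, `rules.retransmissionAllowed`, `LocationRecipient`, `nearestStore`) and the sample coordinates are hypothetical and constructed for the example.

```javascript
// Added illustration (not from the Geolocation API spec or Geode): a location
// object that carries the user's handling rules with it, and a recipient that
// chooses to honor them. All names below are hypothetical.

// The rules travel with the fix. retentionSeconds: how long the recipient may
// keep the fix (0 = use once and discard, null = no limit stated).
// retransmissionAllowed: whether the fix may be passed on to third parties.
function makeLocationObject(coords, rules, timestamp) {
  return {
    coords: {
      latitude: coords.latitude,
      longitude: coords.longitude,
      accuracy: coords.accuracy,
    },
    timestamp,
    rules: {
      retentionSeconds: rules.retentionSeconds,
      retransmissionAllowed: Boolean(rules.retransmissionAllowed),
    },
  };
}

// Recipient side (the "pizza place"): stores fixes together with the time at
// which each one must be discarded, derived from the attached rules.
class LocationRecipient {
  constructor() {
    this.records = [];
  }

  // Accept a fix. A fix whose rules say retentionSeconds 0 is used for the
  // request and never written to the store at all.
  accept(loc, now) {
    const ttl = loc.rules.retentionSeconds;
    if (ttl === 0) {
      return { stored: false, reason: "retention not permitted by user rules" };
    }
    const expiresAt = ttl === null || ttl === undefined ? null : now + ttl * 1000;
    this.records.push({ loc, expiresAt });
    return { stored: true, expiresAt };
  }

  // Drop every stored fix whose retention period has elapsed; returns how
  // many were removed. Run this on a schedule, not only on request.
  purge(now) {
    const before = this.records.length;
    this.records = this.records.filter(
      (r) => r.expiresAt === null || r.expiresAt > now,
    );
    return before - this.records.length;
  }

  // Onward transfer (advertiser, partner, data broker) is refused when the
  // attached rules forbid it. When it is allowed, the rules are copied along
  // so the next recipient faces the same decision.
  forward(loc) {
    if (!loc.rules.retransmissionAllowed) {
      return { forwarded: false, reason: "retransmission not permitted by user rules" };
    }
    return {
      forwarded: true,
      payload: makeLocationObject(loc.coords, loc.rules, loc.timestamp),
    };
  }
}

// The actual service: nearest outlet by a flat-earth distance, which needs the
// fix only for the duration of the request and gives no reason to retain it.
function nearestStore(loc, stores) {
  let best = null;
  for (const s of stores) {
    const d = Math.hypot(
      s.latitude - loc.coords.latitude,
      s.longitude - loc.coords.longitude,
    );
    if (best === null || d < best.d) best = { name: s.name, d };
  }
  return best ? best.name : null;
}

// Constructed sample data: one fix in Washington, DC with "do not keep, do
// not pass on" rules, and two hypothetical outlets.
const SAMPLE_FIX = makeLocationObject(
  { latitude: 38.9007, longitude: -77.0384, accuracy: 50 },
  { retentionSeconds: 0, retransmissionAllowed: false },
  1224875000000,
);
const SAMPLE_STORES = [
  { name: "Dupont Circle", latitude: 38.9096, longitude: -77.0434 },
  { name: "Capitol Hill", latitude: 38.8899, longitude: -76.995 },
];
```

As the message notes, nothing here stops a recipient from ignoring the rules; the point of the pattern is that the rules arrive with the data, so a recipient that stores or resells the fix does so against an explicit, machine-readable statement of the user's preference rather than in the silence of a privacy policy nobody reads.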