Re: geolocation privacy statement strawman

I would obviously prefer to have the user's privacy preferences  
expressible through the API itself. But should the text below make its  
way into the spec as an alternative mechanism for addressing privacy,  
I have a few suggestions on how to make it clearer and more consistent.

On Mar 30, 2009, at 6:35 AM, Andrei Popescu wrote:

> Hi,
>
> Here is a new draft wording based on the feedback received so far.
>
>
> Privacy considerations for implementers of the Geolocation API:
>
> User Agents must not send location information to websites without
> express permission of the user. Browsers should acquire permission
> through a user interface which will include the URI of the document
> origin. All permissions should be revocable, and User Agents should
> respect revoked permissions.

FWIW, I agree with Angel that the "shoulds" above should be "musts."  
If the whole section is going to be non-normative anyway, what's the  
harm?

>
>
> Some User Agents will have prearranged trust relationships that do not
> require such user interfaces.

To ensure that the sentence above doesn't swallow the considerations
for implementers entirely, I would say something like, "In limited
circumstances, certain User Agents will have ..." Otherwise every UA
could claim to have "prearranged trust relationships."

> For example, a Web browser will present
> a user interface when a Web site performs a geolocation request.
> However, a voip telephone may not present any user interface when
> using location information to perform an E911 function.
>
> Privacy considerations for recipients of location information:
>
> The two primary concerns regarding recipients of location information
> are retention and retransmission.

I'm not so sure that this is true. A design decision was made within  
Geopriv to include default privacy rules about retention and  
retransmission, but that decision was based on several factors, with  
level of "concern" being only one of them. As the rest of this  
paragraph explains, there are other privacy considerations besides  
retention and retransmission (use, disclosure, etc.), so I'm not sure  
how much value is added by declaring that two of these are "primary."  
I would drop this sentence.

Before getting into use limitation as the next sentence does, it might  
make sense to say something about limiting collection, such as:

Web sites must only request location when necessary.

This might seem really obvious, but a surprising amount of data  
collection goes on "just because" (look at how much data most Facebook  
apps collect compared to what they need to deliver their services).  
This trend has made collection limitation a pretty standard privacy  
principle.

> Recipients must only use the
> location information for the task for which it was provided to them
> and must dispose of it once completed, unless expressly permitted to
> do so.

Nit: It is unclear what the phrase "to do so" refers to in the above  
sentence -- using the information for other tasks, or retaining it  
beyond the completion of a task? Suggestion:

Recipients must only use location information for the task for which  
it was provided to them. Recipients must dispose of location  
information once that task is completed, unless they are expressly  
permitted to retain it by the user.

> Recipients must also take measures to protect this information
> against unauthorized access. If location information is stored, users
> should be allowed to update and delete this information. The recipient
> of location information should not retransmit the location information
> without the user’s consent.

To stay consistent with the rest of this text, the sentence above  
should say "user's express consent." Also, both of the "shoulds" in  
the above should be "musts."

> Care should be taken when retransmitting
> and use of HTTPS is encouraged. Furthermore, a clear and accessible
> privacy policy should be made available to all users that details the
> usage of location data.

This disclosure suggestion is a little limiting if the words "privacy  
policy" are interpreted to mean the usual long privacy statement  
linked at the bottom of a Web site. It might make sense to leave some  
room for disclosure in other places. It could also be more clear about  
what needs to be disclosed -- there is a pretty standard set of items  
that are usually disclosed in notices like this. Suggestion:

Recipients must clearly and conspicuously disclose the fact that they  
are collecting location data, the purpose for the collection, how long  
the data is retained, how the data is secured, how the data is shared  
if it is shared, how users may access, update and delete the data, and  
any other choices that users have with respect to the data. This  
disclosure must include an explanation of any exceptions to the  
guidelines listed above.


Best,
Alissa

>
>
>
> On Wed, Mar 25, 2009 at 3:41 PM, Dirk Segers  
> <dirk.segers@vodafone.com> wrote:
>> Hi all,
>>
>> Looks very good to me, just 2 minor suggestions below.
>>
>> Regarding the example of calling emergency services: as in Europe the
>> passing of the location is mandatory for calls to emergency services,
>> for Europe the wording "may not" would even be "is not allowed to"...
>>
>
> Ok, but I think it's fine to keep as is, since that sentence shows
> just an example of when it is reasonable not to present a user
> interface before acquiring the user's location.
>
>> Regarding the two primary concerns with the recipients of geolocation
>> information, one might add a 3rd one (or alternatively include it in
>> "data retention" more explicitly), being the concern to ensure proper
>> protection of the geolocation data with the recipient (eg against
>> unauthorised access by the staff of the website owner and/or access to
>> these data by unauthorised 3rd parties).
>
> Added the following sentence "Sites must also take measures to protect
> this information against unauthorized access". Do you think we need to
> be more specific than this?
>
>> Also if this aspect is covered
>> by the privacy policy we might want to mention it explicitly here as
>> well.
>>
>
> I'm not sure I fully understand. Should we explicitly mention that the
> privacy policy may say something about how the location information is
> protected against unauthorized access? I've added a sentence that
> explains how the privacy policy relates to these guidelines. Would
> you think that is enough?
>
>
> On Wed, Mar 25, 2009 at 4:45 PM, Angel Machín  
> <angel.machin@gmail.com> wrote:
>> Hi Andrei,
>>
>>
>> IMHO, I think it should be: "permissions *must* be revocable, and
>> applications *must* respect revoked permissions".
>>
>> If User Agents store these permissions internally they have to be revocable
>> by users at any time and the UI must allow it.
>
> As these sections are meant to be guidelines, I think we should be
> using the verb "should" in all cases except where we have a good
> reason not to. We're saying that the location must not be disclosed
> without user consent but, beyond that, I think the verb "should" is
> the appropriate one.
>
> Thanks,
> Andrei
>

--
----------------------------------------------------
Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
202 637 9800 x110
acooper@cdt.org
http://www.cdt.org/

Received on Saturday, 4 April 2009 11:20:06 UTC