Last call comments from GEOPRIV

In response to a request from the chairs of the W3C Geolocation WG to  
provide last call comments, we have reviewed the Geolocation API  
specification in our roles as co-chairs of the IETF GEOPRIV working  
group. Overall, we find that the API specification itself is  
reasonably technically sound, but we have deep concerns that it lacks  
strong privacy controls for geolocation information.

By way of background, the GEOPRIV working group has developed a "tool  
chain" for geolocation and privacy on the Internet.  This tool chain  
includes a suite of protocols for configuring Internet hosts with  
geolocation information (and transmitting it to other hosts) combined  
with mechanisms for managing the privacy of that information.  In  
principle, the Geolocation API should fit naturally into this tool  
chain: A host that receives location information via GEOPRIV protocols  
should be able to provide it to web sites via the Geolocation API, and  
web sites that obtain geolocation via the API should be able to use it  
in GEOPRIV protocols.

It is in the interest of the Web (and the Internet more broadly) to  
maintain consistency between the existing tool chain and the  
Geolocation API, both technically and in terms of user experience.   
There are two main gaps between the current draft Geolocation API and  
the GEOPRIV tool chain: (1) the expressiveness of the API's location  
semantics, and more critically, (2) the privacy protections that the  
API makes available to users.  We believe the former has been  
addressed to our satisfaction through discussions with the Geolocation  
WG, but the current document is still deficient with respect to the  
latter.

With respect to location semantics, in developing protocols to carry  
geolocation, GEOPRIV has been careful to maintain equal support for  
three forms of location that are commonly used:
1. Location as a geometric object (geodetic location)
2. Location as an address (civic location)
3. Location as a URI (location by reference)

Essentially all GEOPRIV protocols are able to convey location in all  
three of these forms, making it likely that an HTTP UA will have  
access to each form at some point.  On the other hand, the current  
Geolocation API includes only geodetic location, in a very limited  
form, so UAs will not be able to provide civic location or location by  
reference via the API.  The Geolocation WG has agreed to explore the  
inclusion of other forms of location in the second version of its API,  
and we encourage the group to maintain that goal.  While we would have  
liked to have seen support for these forms of location in the current  
version of the API, we do not believe that at this stage of the  
process, the lack of these extensions should delay the current API  
specification.

The issue that should not be delayed until the next version is the  
need for the API to include privacy protections for the geolocation  
information it provides.  Information about users' geolocation is  
critically sensitive: its disclosure to unauthorized parties can  
expose users to risks ranging from embarrassment to physical danger.   
Geolocation information shared through the Geolocation API is at even  
higher risk than other forms of personal information on the Web (e.g.,  
credit card numbers), because it is provided automatically to web  
pages by the UA, and may not even require user intervention.  This  
fact motivates the use of machine-readable privacy rules, and makes it  
critical that the API explicitly incorporate user preferences.

The IETF has for several years taken the approach of making privacy  
policies a central part of geolocation standards. The protocols and  
data formats produced by GEOPRIV help to protect location information  
by ensuring that whenever location is transmitted, privacy policy  
information is transmitted too. GEOPRIV standards allow users to  
express their preferences about how their location information is  
handled -- both in terms of which entities can receive it and in terms  
of how those entities are permitted to use it. The framework includes  
a standard format for conveying these preferences together with  
location information (the Presence Information Data Format-Location  
Object described in RFC 4119) and a lightweight policy language for  
expressing privacy preferences.  The common framework allows for  
interoperability along a chain of tools involved in geolocation  
conveyance.

This model differs from the paradigm for privacy protection that has  
long prevailed on the Web -- mostly site-specific privacy warnings,  
where users can either grant access to location (and accept all the  
site's terms), or withhold location entirely. In contrast, the GEOPRIV  
model empowers users to express their own privacy preferences to sites  
with which they share their location.

In order to provide sufficient privacy protections in this API, we  
propose two changes to the current document:

1. To enable users to provide their privacy preferences to web sites,  
a 'rules' object should be added as an attribute of the Position  
object, in which the user can provide information about how the  
recipient should use the location information in the Position object.   
These rules should correspond to the PIDF-LO rules in RFC 4119,  
including at a minimum constraints on retention and retransmission of  
geolocation information.

2. At a minimum, UAs that receive privacy rules should be obligated to  
apply those rules to location requests they receive in order to  
determine whether the requests are authorized. For authorized  
requests, UAs should use the 'rules' object to transmit rules to  
location recipients. Ideally, UAs should also allow users to set rules  
directly to control access to location from within the UA.
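The 'rules' attribute proposed in item 1, and the recipient-side handling of retention and retransmission constraints that item 2 expects, sketched below as an added JavaScript illustration. This is not code from these comments or from either of the linked drafts: the property names (retransmissionAllowed, retentionExpiry, rulesetReference, noteWell) are a hypothetical JavaScript rendering of the PIDF-LO usage-rules element in RFC 4119, and the sample Position object is constructed.

```javascript
// Added illustration of a hypothetical 'rules' attribute on the Geolocation
// Position object, modelled on the RFC 4119 PIDF-LO usage-rules element
// (retransmission-allowed, retention-expiry, ruleset-reference, note-well).
// Property names are assumptions; nothing here is part of the W3C API.

// Constructed sample: what a UA might hand to a page, with the user's rules attached.
const samplePosition = {
  coords: { latitude: 38.8977, longitude: -77.0365, accuracy: 50 },
  timestamp: Date.UTC(2009, 7, 7, 17, 38, 56),
  rules: {
    retransmissionAllowed: false,
    retentionExpiry: "2009-08-08T17:38:56Z",
    rulesetReference: null,
    noteWell: "Use only to show nearby results; do not store."
  }
};

// RFC 4119 defaults apply when a rule is absent: retransmission is NOT
// allowed, and no expiry means "retain no longer than needed".
function normalizeRules(rules) {
  const r = rules || {};
  return {
    retransmissionAllowed: r.retransmissionAllowed === true,
    retentionExpiry: r.retentionExpiry ? Date.parse(r.retentionExpiry) : null,
    rulesetReference: r.rulesetReference || null,
    noteWell: r.noteWell || null
  };
}

// Recipient-side decision at time nowMs: may the location still be held,
// and may it be passed on to a third party?
function evaluateUsage(position, nowMs) {
  const rules = normalizeRules(position.rules);
  const expired = rules.retentionExpiry !== null && nowMs >= rules.retentionExpiry;
  return {
    mayRetain: !expired,
    mayRetransmit: rules.retransmissionAllowed && !expired,
    retentionExpiry: rules.retentionExpiry,
    noteWell: rules.noteWell
  };
}

// A store that enforces the rules rather than merely recording them:
// already-expired data is refused, expired entries are purged on read,
// and forwarding is denied unless the user explicitly allowed it.
class LocationStore {
  constructor() { this.entries = []; }
  add(position, nowMs) {
    if (!evaluateUsage(position, nowMs).mayRetain) return false;
    this.entries.push(position);
    return true;
  }
  live(nowMs) {
    this.entries = this.entries.filter(p => evaluateUsage(p, nowMs).mayRetain);
    return this.entries.length;
  }
  forward(position, nowMs) {
    return evaluateUsage(position, nowMs).mayRetransmit;
  }
}
```

The point of the store is that the rules travel with the Position and are checked at every use (storage, read, forwarding), which is what lets a site honour the user's preferences without a separate out-of-band agreement.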

GEOPRIV participants have submitted to the Geolocation WG two  
documents that specify changes to the API that would accomplish these  
goals:
http://www.w3.org/2008/geolocation/drafts/API/spec-source-CDT.html
http://geopriv.dreamhosters.com/w3c/spec-source-priv.html

In conclusion, we support the Geolocation WG's efforts to enable the  
Web to be location-aware, but we have strong reservations about the  
current approach to privacy.  We hope that the group will follow  
through on the goal of maintaining compatibility between location  
formats within the geolocation tool chain, and we urge the group to  
enable the API to provide strong privacy protections for geolocation  
information. The GEOPRIV WG will be glad to provide any help we can in  
harmonizing the W3C Geolocation API with the broader Internet tool  
chain for geolocation information.

Richard Barnes and Alissa Cooper
GEOPRIV Co-Chairs

Received on Friday, 7 August 2009 17:38:56 UTC