- From: IETF Chair <chair@ietf.org>
- Date: Mon, 10 Aug 2009 13:09:26 -0700 (PDT)
- To: public-geolocation@w3.org
- To: W3C Geolocation WG
- Cc: rbarnes@bbn.com, acooper@cdt.org, mdw@w3.org, statements@ietf.org
Response Contact: Mark Nottingham <mnot@mnot.net>
Technical Contacts: Richard Barnes <rbarnes@bbn.com>, Alissa Cooper <acooper@cdt.org>
Purpose: For Action

The IETF has been following the progress of the W3C Geolocation working group. We appreciate the request for feedback as part of last call. We believe that the specification should support more robust privacy features than it currently does. We request that the W3C Geolocation WG re-examine its approach to privacy in the API to incorporate GEOPRIV-style privacy preferences and ensure interoperability with other parts of the geolocation toolchain. The IETF would like to offer its help to harmonize the current specification with the GEOPRIV model.

The security and privacy considerations section of the W3C Geolocation API has been significantly fleshed out over the course of the API's development. However, the W3C Geolocation working group has pursued an approach of setting general requirements and providing suggestions to implementors about privacy, rather than incorporating privacy mechanisms into the API itself. As the W3C Geolocation WG has pointed out, most applications and UIs currently do not use a granular privacy framework, but it is still possible to put a framework into place to be ready when it is required.

Geolocation information shared through the Geolocation API differs from other forms of personal information on the Web (e.g., credit card numbers), in that it is provided automatically to web pages by the UA, and may not even require user intervention. This fact motivates the use of machine-readable privacy rules, and makes it critical that the API explicitly incorporate user preferences. The critical value of binding policy to location information is that no recipient of the location information can claim to not have knowledge of users' preferences for how their location may be used. Sharing privacy rules incentivizes privacy-preserving behavior. Privacy-respecting entities gain the ability to interact more richly with users' location information, while privacy-violating entities can be shown to have explicitly violated the user's preferences. A structure to convey the user's preferences along with location information increases the likelihood that those preferences will be honored.

The IETF has for years taken the approach of building privacy policies into geolocation standards. The protocols and data formats produced by GEOPRIV help to protect location information by ensuring that whenever location is transmitted, privacy policy information is transmitted too. GEOPRIV standards allow users to express their preferences about how their location information is handled -- both in terms of which entities can receive it and in terms of how those entities are permitted to use it. The framework includes a standard format for conveying these preferences together with location information (the Presence Information Data Format-Location Object described in RFC 4119) and a lightweight policy language for expressing privacy preferences. The common framework allows for interoperability along a chain of tools involved in geolocation conveyance.

This model differs from the paradigm for privacy protection that has long prevailed on the Web -- mostly site-specific privacy warnings, where users can either grant access to location (and accept all the site's terms), or withhold location entirely. In contrast, the GEOPRIV model empowers users to express their own privacy preferences to sites with whom they share their location.

To help preserve user control throughout the toolchain, members of GEOPRIV submitted two different proposed versions of the W3C API that included support for GEOPRIV-style privacy preferences in the specification. The initial proposal would have added several fields to the Position object data structure, and would require the user agent to obtain privacy instructions from users. The revised proposal made certain elements optional, thereby allowing browser makers that had already deployed products implementing the draft API to be in compliance without having to alter their products. The W3C Geolocation WG did not pursue either approach.

We believe the W3C Geolocation API could be a valuable vehicle in empowering users to specify their preferences for how their location information is used, furthering a paradigm shift in Web privacy. By choosing not to build privacy directly into the specification, the W3C would miss an opportunity to benefit the Internet community and to address a widely acknowledged privacy challenge facing location-based services on the Web. We urge the W3C to reconsider its approach to privacy in the Geolocation API, and in particular to explicitly incorporate privacy preferences in the API. Further, interoperability with the rest of the geolocation toolchain would be a valuable feature. We would be happy to work with W3C Geolocation WG members to find the most appropriate way to harmonize the current specification with the GEOPRIV model.
Received on Tuesday, 11 August 2009 20:40:08 UTC