Continuing concerns about Geolocation privacy

Response Contact: Mark Nottingham <mnot@mnot.net>
Technical Contacts: Richard Barnes <rbarnes@bbn.com>, Alissa Cooper
<acooper@cdt.org>
Purpose: For Action


The IETF has been following the progress of the W3C Geolocation working
group. We appreciate the request for feedback as part of last call. We
believe that the specification should support more robust privacy
features than it currently does.  We request that the W3C Geolocation WG
re-examine its approach to privacy in the API to incorporate GEOPRIV-
style privacy preferences and ensure interoperability with other parts of
the geolocation toolchain. The IETF would like to offer its help to
harmonize the current specification with the GEOPRIV model.

The security and privacy considerations section of the W3C Geolocation
API has been significantly fleshed out over the course of the API's
development. However, the W3C Geolocation working group has pursued an
approach of setting general requirements and providing suggestions to
implementors about privacy, rather than incorporating privacy mechanisms
into the API itself. As the W3C Geolocation WG has pointed out, most
applications and UIs currently do not use a granular privacy framework,
but it is still possible to put a framework into place to be ready when
it is required.

Geolocation information shared through the Geolocation API differs from
other forms of personal information on the Web (e.g., credit card
numbers) in that it is provided to web pages automatically by the user
agent (UA), and may not require any user intervention at all.  This
motivates the use of machine-readable privacy rules, and makes it
critical that the API explicitly incorporate user preferences.

The critical value of binding policy to location information is that no
recipient of the location information can claim to not have knowledge of
users' preferences for how their location may be used. Sharing privacy
rules incentivizes privacy-preserving behavior.  Privacy-respecting
entities gain the ability to interact more richly with users' location
information, while privacy-violating entities can be shown to have
explicitly violated the user's preferences.  A structure to convey the
user's preferences along with location information increases the
likelihood that those preferences will be honored.

The IETF has for years taken the approach of building privacy policies
into geolocation standards. The protocols and data formats produced by
GEOPRIV help to protect location information by ensuring that whenever
location is transmitted, privacy policy information is transmitted too.
GEOPRIV standards allow users to express their preferences about how
their location information is handled -- both in terms of which entities
can receive it and in terms of how those entities are permitted to use
it. The framework includes a standard format for conveying these
preferences together with location information (the Presence Information
Data Format Location Object, PIDF-LO, described in RFC 4119) and a
lightweight policy language for expressing privacy preferences (the
Common Policy format of RFC 4745, which GEOPRIV extends with
location-specific rules).  The common framework allows for
interoperability along the whole chain of tools involved in geolocation
conveyance.
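As an added illustration of the binding described above (example code
written for this page, not part of the IETF's statement and not GEOPRIV
reference code), the following Python script builds a PIDF-LO document
in which the RFC 4119 usage-rules travel inside the same XML object as
the coordinates, and then evaluates, from the Location Recipient's side,
what those rules permit at a given moment.  The entity URI, coordinates,
timestamps, note-well text and the helper names (build_pidf_lo,
parse_usage_rules, recipient_obligations, check_at) are assumptions
chosen for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from RFC 3863 (PIDF), RFC 4119 (PIDF-LO) and GML.
NS = {
    "pidf": "urn:ietf:params:xml:ns:pidf",
    "gp": "urn:ietf:params:xml:ns:pidf:geopriv10",
    "gml": "http://www.opengis.net/gml",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def _q(prefix, tag):
    """Tag name in ElementTree's {namespace}local form."""
    return "{%s}%s" % (NS[prefix], tag)

def build_pidf_lo(entity, lat, lon, timestamp, retransmission_allowed=None,
                  retention_expiry=None, external_ruleset=None, note_well=None):
    """One PIDF tuple whose status carries gp:geopriv with location-info and
    usage-rules, so the policy travels in the same object as the coordinates."""
    presence = ET.Element(_q("pidf", "presence"), {"entity": entity})
    tup = ET.SubElement(presence, _q("pidf", "tuple"), {"id": "geo1"})
    geopriv = ET.SubElement(ET.SubElement(tup, _q("pidf", "status")), _q("gp", "geopriv"))
    loc = ET.SubElement(geopriv, _q("gp", "location-info"))
    point = ET.SubElement(loc, _q("gml", "Point"), {"srsName": "urn:ogc:def:crs:EPSG::4326"})
    ET.SubElement(point, _q("gml", "pos")).text = "%.6f %.6f" % (lat, lon)  # WGS 84 lat lon
    rules = ET.SubElement(geopriv, _q("gp", "usage-rules"))
    if retransmission_allowed is not None:
        # RFC 4119's example spells this yes/no although its schema types it
        # xs:boolean; parse_usage_rules() below accepts both spellings.
        ET.SubElement(rules, _q("gp", "retransmission-allowed")).text = "yes" if retransmission_allowed else "no"
    if retention_expiry is not None:
        ET.SubElement(rules, _q("gp", "retention-expiry")).text = retention_expiry.isoformat()
    if external_ruleset is not None:
        ET.SubElement(rules, _q("gp", "external-ruleset")).text = external_ruleset
    if note_well is not None:
        ET.SubElement(rules, _q("gp", "note-well")).text = note_well
    ET.SubElement(tup, _q("pidf", "timestamp")).text = timestamp.isoformat()
    return ET.tostring(presence, encoding="unicode")

def _parse_dt(text):
    """xs:dateTime -> aware datetime; tolerate a trailing 'Z', which
    datetime.fromisoformat() only accepts from Python 3.11 on."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_usage_rules(xml_text):
    """Rules binding the Location Recipient.  Absent elements take the RFC 4119
    defaults: no retransmission, retain at most 24 hours past the timestamp."""
    root = ET.fromstring(xml_text)
    rules = root.find(".//gp:usage-rules", NS)
    ts = root.find(".//pidf:timestamp", NS)
    timestamp = _parse_dt(ts.text) if ts is not None else datetime.now(timezone.utc)

    def text_of(tag):
        el = rules.find("gp:" + tag, NS) if rules is not None else None
        return el.text.strip() if el is not None and el.text else None

    allowed = text_of("retransmission-allowed")
    expiry = text_of("retention-expiry")
    return {
        "retransmission_allowed": allowed is not None and allowed.lower() in ("yes", "true", "1"),
        "retention_expiry": _parse_dt(expiry) if expiry else timestamp + timedelta(hours=24),
        "external_ruleset": text_of("external-ruleset"),
        "note_well": text_of("note-well"),
    }

def recipient_obligations(xml_text, now):
    """What a recipient may still do with the object at time `now`: forwarding
    needs retransmission-allowed, and a passed retention-expiry means discard."""
    rules = parse_usage_rules(xml_text)
    expired = now >= rules["retention_expiry"]
    return {"may_retransmit": rules["retransmission_allowed"] and not expired,
            "must_discard": expired,
            "external_ruleset": rules["external_ruleset"],
            "note_well": rules["note_well"]}

# Constructed sample documents (entity, coordinates and times are made up).
ISSUED = datetime(2009, 8, 11, 20, 40, 8, tzinfo=timezone.utc)
SAMPLE_DOC = build_pidf_lo("pres:user@example.com", 45.5, -122.6, ISSUED, False,
                           ISSUED + timedelta(hours=1), note_well="Do not use for advertising.")
SAMPLE_DOC_FORWARDABLE = build_pidf_lo("pres:user@example.com", 45.5, -122.6, ISSUED, True)
SAMPLE_DOC_NO_RULES = build_pidf_lo("pres:user@example.com", 45.5, -122.6, ISSUED)

def check_at(minutes_after_issue, doc=SAMPLE_DOC):
    """Recipient's obligations for `doc` the given number of minutes after issue."""
    return recipient_obligations(doc, ISSUED + timedelta(minutes=minutes_after_issue))

if __name__ == "__main__":
    print(SAMPLE_DOC)
    for minutes in (10, 120):
        print(minutes, "min after issue:", check_at(minutes))
```

Because the rules sit inside the same presence document as the
coordinates, a recipient that forwards SAMPLE_DOC or keeps it past the
hour cannot plausibly claim not to have known the user's preferences;
and a document with no explicit rules still yields the conservative
defaults rather than unrestricted use.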

This model differs from the paradigm for privacy protection that has long
prevailed on the Web -- mostly site-specific privacy warnings, where
users can either grant access to location (and accept all the site's
terms), or withhold location entirely. In contrast, the GEOPRIV model
empowers users to express their own privacy preferences to sites with
whom they share their location.

To help preserve user control throughout the toolchain, members of
GEOPRIV submitted two different proposed versions of the W3C API that
included support for GEOPRIV-style privacy preferences in the
specification.  The initial proposal would have added several fields to
the Position object data structure, and would have required the user
agent to obtain privacy instructions from users.  The revised proposal
made certain elements optional, so that browser makers that had already
shipped products implementing the draft API could remain compliant
without altering those products. The W3C Geolocation WG did not pursue
either approach.

We believe the W3C Geolocation API could be a valuable vehicle in
empowering users to specify their preferences for how their location
information is used, furthering a paradigm shift in Web privacy. By
choosing not to build privacy directly into the specification, the W3C
would miss an opportunity to benefit the Internet community and to
address a widely acknowledged privacy challenge facing location-based
services on the Web.

We urge the W3C to reconsider its approach to privacy in the Geolocation
API, and in particular to explicitly incorporate privacy preferences in
the API.  Further, interoperability with the rest of the geolocation
toolchain would be a valuable feature.  We would be happy to work with
W3C Geolocation WG members to find the most appropriate way to harmonize
the current specification with the GEOPRIV model.

Received on Tuesday, 11 August 2009 20:40:08 UTC