Re: Geolocation compliance (ACTION-165)

On Wednesday 25 April 2012 08:36:05 Ian Fette wrote:
> > do you see an issue if we only talk about postal code? Is there another
> > measure instead?
> I'm not sure what you mean by "is there another measure". Sites can
> attempt to do finer grained geolocation for sure. Also, "postal code" is
> not well defined in terms of privacy impact, FWIW. In the US, if you have
> a postal code of 10002 I know you're in the lower east side of Manhattan.
> (Basically, the area bounded by Houston to the north and Bowery to the
> west). A fairly small area, but I guess probably still at least tens of
> thousands of people living there. On the other hand, if you have a zip
> code of 99684, I basically know you're in the area surrounding Unalakleet
> AK, which is a very large geographic area (somewhere around 2,000 km^2)
> but a very small population (around 760). Or, a more extreme example,
> 99832 is Pelican, AK which is narrowing it down to 125 people.

See, this is what I meant. We have geo-coordinates and things. Must it be 
the postal code only because marketing in certain western countries works 
with the postal code? I have my doubts and I expressed those doubts. 
> Maybe this is fine and intended, but I think a lot of us are used to
> thinking about postal codes in large US cities.
> Another interesting example is Canada. Go to Google Maps and search for
> H2M 2M4. That's basically a subsection of a single block in Montréal (it
> seems to identify somewhere around 5 apartment buildings that look like
> they have about 4 units each from google maps satellite view).

Yes, this matches exactly my concerns, but I also have concerns that the 
geolocation folks use geo-coordinates and the others use postal code. There 
is a friction ahead. This is my main concern. 

As geolocation is highly sensitive I wonder how we can come up with 
something sensible. EU needs consent anyway by law (very explicit in 
Directive 2002/58EC). As the geolocation API requires consent anyway, the 
only question remaining may be whether we accept DNT:0 as consent as 
required by the geolocation API
> So, I'm not really sure what guidance we're actually giving people.

Agree, we can do better IMHO. But at the same time try to reduce implementer 

> > And I agree that we have some logical break if the geolocation wants
> > consent
> > and the DNT specification says tracking at postal code level is fine.
> > But
> > IMHO this is a tricky issue. So leaving the break where it is is an
> > option IMHO.
> I don't understand what the current state is. The spec seems to imply you
> can't use fine grained geolocation if user sends DNT:1, but the Geo API
> has express user consent. I don't think leaving the ambiguity is a good
> idea.

True, so let's fix that. One phrase needed IMHO. Geolocation API consent 
tops DNT. But what about DNT;1 received a long time after the Geolocation 


Received on Wednesday, 25 April 2012 19:58:34 UTC