RE: combination of location and identity

Hello all,

I agree with Mr. Hauser's theses and I'm also glad that I have found this
WG.

About the proposal to distinguish between the location and its
"representations", I suggest to consider the following representations:

    - geographical coordinates (with or without altitude), maybe plus time
coordinate
    - postal address
    - telephone number's country/city prefix etc.
    - access network specific identifier
      e.g. CGI/SAI (cell global identifier/Service Area Identifier of a
GSM/UMTS network)

I also agree with Mr.Takahashi, who wrote on July, 2nd: "I think, in first
place, we need a common understanding on what are location-based services to
discuss security and privacy."

I suggest the following preliminary list of procedures using location
information:

1.) Location information associated with a common resource
Some Internet Resource (HTML document) is indexed by geographic coordinates
(or another representation of location). This case is considered in
draft-daviel-html-geo-tag-05.txt.
Such a document could for instance, be a contract, which is associated with
time and space coordinates (WHERE and WHEN did the contractors sign it) and
which is made available for the public.
It could also be a restaurant guide or something similar, which has only
significance in a distinct region, but is of public interest.

2.) Request location information associated with a static interface/node.
This case is considered in rfc1876, where is described, how to incorporate
geographic information into the DNS.
This information is useful for the network operator, but it should be
accessible in a very restricted manner, because serious damage of network
infrastructure could result from a wrong person getting this information.

3.) Request location information associated with a mobile interface
(notebook, mobile phone, router in an airplane...)
This may result in a lot of nice applications, but there has to be the
permission of the owner of the interface to reveal this location
information.

4.) Request "geographic infrastructure information" based on a given
location.
A user requests a map (2D or 3D-map) with a given resolution about a given
region.
(Could also be indexed by time coordinate, if it is a political map with
borders - you know, borders change by time, as in Yugoslavia)
The region given in the request should not be traceable by anyone, because
most likely this will be the location of the requestor, or at least a
region, the requestor is interested in.

5.) Request location dependent information from a given provider (server).
This is similar to case 1., but a trustet relationship between the provider
and the requestor is assumed. On the one hand the provider guarantees, that
nobody else gets the information about which place the requestor is
interested in, on the other hand the requestor is authenticated and
authorized to get this information (and he will pay for it - accounting).

6.) Anonymous push services
Depending on the change of the current location (of the terminal equipment),
a user gets publicly available information in an anonymous manner.

7.) Authorized push services
Depending on the change of the current location (of the terminal equipment),
a user gets information which is provided to a specific group.

Best Regards
Christoph Valentin
SIEMENS Austria
Program and System Engineering

> -----Original Message-----
> From: Christian Hauser [mailto:lobase@gmx.net]
> Sent: Thursday, July 12, 2001 9:53 AM
> To: geopriv@mail.apps.ietf.org
> Subject: combination of location and identity
>
>
> Hello,
>
> I'm very glad to find this group, which covers one of the
> most interesting
> and important topics of today. Currently, I'm doing some
> research on privacy
> issues of location-based services. I would like to
> participate in this group
> and to contribute to a common understanding of this topic.
> Actually, I have
> two contributions:
>
> 1) Reading the literature, I was wondering, if it could help
> to clarify,
> what we exactly think of when talking about "location". My
> proposal would be
> that "location" is a certain place (on earth?), which has several
> "representations", e.g. a coordinate or a symbolic
> representation like "The White House".
>
> Within certain user groups, these representations are well
> known and thus
> equivalent to a location (meaning of a WGS84 coordinate is
> nearly globally
> known, the exact place of "The White House" is known by a
> certain group of
> people, too), whereas some groups do not know (exactly) the
> according place (some
> people only know the rough area, "The White House" is situated in).
>
> Moreover, thinking of user identifiers including location
> representations
> (like "president@whitehouse.gov" or an IP address), these can
> be linked to a
> more or less exact place dependent on the attacker's
> knowledge (e.g. knowledge
> of the IP address topology). Apart from that, some
> identifiers reveal just
> the location of the user with regard to network topology
> (e.g. the home network
> "whitehouse.gov") but not the geographic location of the user.
>
> 2) From our point of view, the degree of danger risen by disclosure of
> location information primarily depends on two parameters,
> regarding user privacy.
> The first and most obvious one is the granularity (precision,
> resolution) of
> the location information, which is a kind of entropy of this
> information.
>
> The second parameter, which we rate of at least same importance is the
> information, which can be linked to the disclosed location
> information. Regarding
> tracking of a user ("target"), this can be seen as the
> identity information
> bound to the revealed location information, e.g. the user's
> real name, a
> pseudonym, a role (pedestrian, member of a certain group).
> Moreover, it can also
> be any other information, known about the target. E.g., if
> the tracked target
> is my cell phone or PDA it is usually located where I am,
> thus disclosing my
> location, too. Thinking of my car being tracked, then I am
> likely to be, too
> (at least if it is moving) but inference of my location is much more
> imprecise than regarding my cell phone.
>
> Thus, in my opinion we do not only need to consider the location
> information, but also other information about the target
> linked to this location
> information. These are two parameters to adjust the overall
> entropy of the
> information. For example, somebody knowing my exact location
> may not be allowed to
> know my exact identity (just perhaps a pseudonym) and
> somebody knowing my exact
> identity may not be allowed to know my exact location
> (neither that of my
> cell phone). Therefore, we need to control the accuracy of
> location information
> as well as the amount of identity information that can be
> linked to the
> location information.
>
> Does anybody agree with my theses?
>
> Best regards
>
> Christian Hauser
> Institute of Communication Networks and Computer Engineering
> University of Stuttgart, Pfaffenwaldring 47, 70569 Stuttgart, Germany
>
> --
> Sent through GMX FreeMail - http://www.gmx.net
>
Received on Thu Jul 12 09:02:19 2001