Re: combination of location and identity

From: Dominic Pinto <dominic.pinto@ieee.org>
Date: Tue Jul 17 2001 - 07:05:20 EDT

I have also read it, and found it useful to develop further on.

Societal issues are clearly important - if not essential - to be thought
fully through. The ISTF WG will be copied in on this for further
consideration.

I posted to the list about our white paper (proposed title is "Social
and technical privacy issues and best practice, the new "soft
regulations") a short while back.

Areas we are looking to (or have suggested for consideration) cover
include topics such as cookies and tracking, privacy statements, audits
of privacy practices, Intrusion detection, ISP monitoring, Social
engineering, Encryption and secure transmissions.

Whatever information is needed and stored, clearly security of the
combinations passively held (and steps to prevent unauthorised access,
corruption, 'false' associations being set up) and actively acted upon,
if legitimate and authorised, is essential.

Some comments and consideration:

> > About the proposal to distinguish between the location and its
> > "representations", I suggest to consider the following
> > representations:
> >
> > - geographical coordinates (with or without altitude),
> > maybe plus time
> > coordinate
> > - postal address
> > - telephone number's country/city prefix etc.
> > - access network specific identifier
> > e.g. CGI/SAI (cell global identifier/Service Area
> > Identifier of a
> > GSM/UMTS network)

I've commented separately on this, but there seems to be an assumption that
any mobile phone, computer, etc., is linked directly to an individual. I
don't recall the precise breakdown, but traditionally the majority of
fixed network phone connections were residential. Increasingly with
home-based working (and employee benefit packages), home phone
connections will be paid for by employers, and indeed may be billed to
corporate accounts.

That also appears to be increasingly the case with the wireless/mobile
environment, in that employees have devices for corporate purposes, and
these are consolidated/billed to a centralised billing point (which may
have access to link individual employee data to individual handset etc.
usage, via cost codes/centres and departments).
My experience is a little dated, but in many years of mobile (and global
roaming) use in a corporation, I never saw usage details or billing for
the team, let alone individuals or the department. And it would be wise
not to overlook the significance (and disposability) of pre-paid service
and devices, where there is no need for or link between the service and the
individual user identity.

So postal address may not relate to the user. As to prefixes, country
codes are standardized, but number schemes may not be. As far as I know,
U.S. mobile numbering reflects local area codes. Is that the case
elsewhere? I think I'm right in saying that UK national number groups
for mobile identify down to the network operator (and possibly the
virtual operator), but does not relate to geographic area other than the
whole of the UK.

Individual cell or service area location identifiers (assuming these do
not equate to just network operator) help locate any individual handset
- I believe as part of the data linked to the UK National Grid
reference system and passed to the UK emergency services.

>
> We also have to differentiate between local vs global significance.
> Postal code 95345 in USA probably has several counterparts all over
> the world.

We would need to confirm for sure with the International Postal Union,
but my recollection in this area is that like international number
groups (phone service), or ISO and internet country codes, postal codes
are co-ordinated world wide.

Hence UK practice is Alpha Alpha Numeric Numeric Alpha Alpha (my home
coding is OX25 6LS); Canada is Alpha Numeric Alpha Numeric Alpha Numeric
(e.g. V5N 4C7). The US of course uses state + numeric-numeric (e.g. NY
10010-3945). An example from Germany: D-53227; France: Paris 75020
(department plus arrondissement).
 
> > I also agree with Mr.Takahashi, who wrote on July, 2nd: "I
> > think, in first
> > place, we need a common understanding on what are
> > location-based services to
> > discuss security and privacy."
> >

Ummm - many fixed and wireless services are related to location, anyway,
even if not transparently. Where for example phone service was
traditionally delivered to (and contracted to an individual at) a fixed
geographic location (dwelling house, etc), the delivery and
communications channel can become more and more generic, with an
individual and handset (or whatever) device linking to any available near
access point (wireless LAN, fixed network base station, GSM, UMTS, etc).
With wireless PBXs, DECT cordless devices, we are moving slowly to an
environment where most means of accessing voice and non-voice
applications over networks are no longer (or have no longer any need to
be) physically connected.

At a very low level then, 'my' associated pieces of equipment (PDA(s),
notebook, phone, fax, entertainment (TV etc.)) need a degree of identity
vis-a-vis the network(s), which will range from fairly fixed (I may only
watch TV regularly at home). Do my user preferences need to travel with
me when I go on vacation, away for business, such that I only need to
identify myself to the network as a discrete individual? The 'networks'
have my profile stored, so that once my unique identity is made known
and authorised/verified, the information is streamed to wherever I am to
set up those preferences on any available TV or other device. More
sensibly, perhaps, the network doesn't need to know or have this stored.
Instead, my user profile is contained on a smartcard (or within a
smartcard device), and all I need is to insert it in a (standardised)
reader, or be within (for a contactless device) a certain radius. And
validated/authorised, say, by a thumbprint or other biometric.

And any service enabled to any device, whether 'mine' or in a hotel
room, or my friend's, or a public service, is chargeable and billed to
'me' rather than to the owner or operator.

The critical issue then here is that my user identity and profile is
stored securely (and off-net), and only becomes available to (and
enables) the network(s) to provide what service I want when I 'jack in'.
If the minimum information is held on the net (it requiring my profile
and validation + any on-net information to 'unlock' use), my essential
'privacy' is safeguarded until that happens. The security of my active
use is another matter. I may want for example to be alerted where and
whenever I am if someone is calling me, or has left a message, or
e-mailed me. But I want to choose when I do this - or reveal where I
am. I may want to screen first. I may be happy to be monitored in
certain jurisdictions, but not others. If I'm ordering goods and
services, I want to be confident that this is indeed secure as is my
mail. Equally, my suppliers want assurance that I either am who I say I
am or, at the very least, that they are paid for the goods and services, whatever my
'real' identity or home location.

> >
> > 1.) Location information associated with a common resource
> > Some Internet Resource (HTML document) is indexed by
> > geographic coordinates
> > (or another representation of location). This case is considered in
> > draft-daviel-html-geo-tag-05.txt.
> > Such a document could for instance, be a contract, which is
> > associated with
> > time and space coordinates (WHERE and WHEN did the
> > contractors sign it) and
> > which is made available for the public.
> > It could also be a restaurant guide or something similar,
> > which has only
> > significance in a distinct region, but is of public interest.
>
> I read your draft, very interesting. What we should also be aware is
> that if a document is cached, the cache should update the geo tags.
>
> >
> > 2.) Request location information associated with a static
> > interface/node.
> > This case is considered in rfc1876, where is described, how
> > to incorporate
> > geographic information into the DNS.
> > This information is useful for the network operator, but it should
> be
> > accessible in a very restricted manner, because serious
> > damage of network
> > infrastructure could result from a wrong person getting this
> > information.
>
> This has been around for a while. Of course is some form of geo
> location service, but this information is considered very risky. I do
> not think people will actually implement it.
>
> >
> > 3.) Request location information associated with a mobile interface
> > (notebook, mobile phone, router in an airplane...)
> > This may result in a lot of nice applications, but there has to be
> the
> > permission of the owner of the interface to reveal this location
> > information.
>
> Permission from the owner is a must. If we think about car and
> airplane bombs, kidnapping, etc. we begin to grasp how a geo service
> can really do damage. Do you remember some years ago during the
> internal Russian war that separatist who was killed based on his
> cellular location?
>
> >
> >
> > 5.) Request location dependent information from a given
> > provider (server).
> > This is similar to case 1., but a trusted relationship
> > between the provider
> > and the requestor is assumed. On the one hand the provider
> > guarantees, that
> > nobody else gets the information about which place the requestor is
> > interested in, on the other hand the requestor is authenticated and
> > authorized to get this information (and he will pay for it -
> > accounting).
> >
> > 6.) Anonymous push services
> > Depending on the change of the current location (of the
> > terminal equipment),
> > a user gets publicly available information in an anonymous manner.
> >
> > 7.) Authorized push services
> > Depending on the change of the current location (of the
> > terminal equipment),
> > a user gets information which is provided to a specific group.
>
> 6 and 7 have great potential.
>

And have the potential for at least annoyance because of their
intrusiveness. Anonymous services may in any case fall foul of EU law
(distance selling directive, for example) - and perhaps other
jurisdictions also.

'Authorised' services may be acceptable. Is authorisation by a user
sufficient (or the owner of the equipment, and payer of the service,
with whom an operator would have the contract to provide service)? If
chargeable directly to the user, perhaps there is no problem. If
chargeable by way of connect time and/or data volumes transported by the
billing entity to the ultimate 'customer', and not part of an overall
corporate or group agreement, there is a problem, of valid
authorisation.

I think I'll stop there. I haven't addressed all the issues raised, but
think there's enough to consider further.

Dominic

-- 
Dominic Pinto
-------------
Associate Director @ TCUK		| Barn Cottage, Hill House
Senior Associate Telesphere Limited	| Somerton Road, Souldern
http://www.telespherelimited.com	| Bicester, Oxon, OX25 6LS, UK	
----------------------------------------------------------------------
Ph/Fax: +44 1869 346375 Cellphone/GSM Mobile: +44 780 302 8268
----------------------------------------------------------------------
Were you a student at the University of Newcastle upon Tyne?
Register now on 'NUgrad'  - YOUR interactive on-line
database - at  http://www.ncl.ac.uk/alumni/NUgrad
----------------------------------------------------------------------
Check out the 40th European Telecommunications Conference Barcelona 
Spain August 21st - 25th 2001 '2001 European Odyssey - 
Telecommunications in the e-society' at http://www.fitce.org
----------------------------------------------------------------------
The Internet should be for Everyone - help make it so by joining the 
Internet Society ISOC - http://www.england.isoc.org
----------------------------------------------------------------------
"This e-mail, and the information it contains or is attached to it, is
private and confidential and is intended for the addressee only.  The
unauthorised use, modification, disclosure, copying or distribution of
this e-mail or any of the information it contains or is attached to it
is prohibited and may be unlawful. If you are not the intended
recipient, please notify the sender immediately."
Received on Tue Jul 17 08:39:42 2001
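The message above argues three technical points that are easy to get wrong in practice: a location has several representations of differing precision (coordinates, cell/service-area identifier, postal address); locally significant identifiers such as a postal code only become globally unambiguous once qualified by country; and the owner of the interface must authorise disclosure, possibly per requester and per jurisdiction. The following is an added example, not code from the original message or from any party in the thread, modelling a consent-gated location disclosure that enforces those points. All class and function names (`Precision`, `Location`, `ConsentRule`, `OwnerPolicy`, `disclose`, `postal_key`), the cell-identifier string format and the sample policy and locations are constructed assumptions for illustration.

```python
"""Consent-gated location disclosure (added example, not from the original message).

Models: (1) several representations of one location at differing precision;
(2) country qualification so locally significant identifiers are globally
unambiguous; (3) default-deny disclosure, authorised by the owner per
requester and per jurisdiction. Names and sample data are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Precision(IntEnum):
    NONE = 0      # nothing disclosed
    COUNTRY = 1   # country code only
    POSTAL = 2    # postal address (country-qualified postal code)
    CELL = 3      # access-network identifier (cell / service area)
    COORDS = 4    # geographic coordinates


@dataclass(frozen=True)
class Location:
    country: str      # ISO 3166-1 alpha-2 code; qualifies the locally significant fields
    postal_code: str  # only unique within `country`
    cell_id: str      # placeholder "MCC-MNC-LAC-CI" style string (constructed format)
    lat: float
    lon: float


@dataclass(frozen=True)
class ConsentRule:
    requester: str
    max_precision: Precision
    countries: Optional[frozenset] = None  # None = any jurisdiction


@dataclass(frozen=True)
class OwnerPolicy:
    rules: tuple

    def precision_for(self, requester: str, country: str) -> Precision:
        """Most precise representation the owner allows this requester here.
        Default deny: with no matching rule nothing is disclosed."""
        allowed = Precision.NONE
        for rule in self.rules:
            if rule.requester != requester:
                continue
            if rule.countries is not None and country not in rule.countries:
                continue
            allowed = max(allowed, rule.max_precision)
        return allowed


def represent(loc: Location, precision: Precision) -> dict:
    """Build the representation at the granted precision and nothing finer.
    The country is always included so local identifiers are unambiguous."""
    out = {}
    if precision >= Precision.COUNTRY:
        out["country"] = loc.country
    if precision >= Precision.POSTAL:
        out["postal_code"] = loc.postal_code
    if precision >= Precision.CELL:
        out["cell_id"] = loc.cell_id
    if precision >= Precision.COORDS:
        out["lat"], out["lon"] = loc.lat, loc.lon
    return out


def disclose(loc: Location, policy: OwnerPolicy, requester: str) -> dict:
    """Release only what the owner's policy permits for this requester,
    evaluated against the jurisdiction the terminal is currently in."""
    return represent(loc, policy.precision_for(requester, loc.country))


def postal_key(country: str, code: str) -> tuple:
    """Globally significant key for a postal code: (country, normalised code)."""
    return (country.upper(), code.replace(" ", "").upper())


# Constructed sample data: one owner policy and two positions of the terminal.
POLICY = OwnerPolicy(rules=(
    ConsentRule("emergency-services", Precision.COORDS),                      # anywhere
    ConsentRule("restaurant-guide", Precision.POSTAL, frozenset({"GB"})),     # UK only
))
HOME = Location("GB", "SW1A 1AA", "234-15-0001-00001", 51.50, -0.14)
ABROAD = Location("US", "95345", "310-260-0002-00002", 37.55, -119.97)

if __name__ == "__main__":
    print(disclose(HOME, POLICY, "restaurant-guide"))    # country + postal code only
    print(disclose(ABROAD, POLICY, "restaurant-guide"))  # {} outside the authorised jurisdiction
    print(disclose(ABROAD, POLICY, "emergency-services"))
```

The design choice worth noting is that the policy is evaluated on every request against the terminal's current country, so a consent given for one jurisdiction does not silently carry over when the user roams, and an unknown requester receives nothing rather than a coarse default.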
