Adam Shostack wrote:
>
> On Thu, Aug 16, 2001 at 10:46:50PM -0700, Henning Schulzrinne wrote:
>
> > - In PSTN emergency call services, callers know (or should know) that
> > dialing 911 or 112 or whatever means that they agree and consent to have
> > their calling number and possibly their location revealed to the public
> > safety answering point (or the equivalent in other countries).
>
> Could you justify this? If I call 911 from a cell phone today, I do
> not expect that my location will be revealed. In fact, I recall a few
> years back a very famous case in Boston where a fellow called 911,
> passed out, and then nearly died because they couldn't locate him in
> time. So, I don't agree that you have informed consent or legitimate
> expectation that my location will be revealed, or that I know what the
> information will be used for.
>
See http://www.cs.columbia.edu/sip/emergency.html for pointers. As of
Oct. 1, 2001, all wireless providers in the US are supposed to have
implemented "Phase II" of the E911 service, which provides accurate
(within about 100m, with measurements depending whether network-based
location or end system-based location is being used) location
information. Many carriers are apparently asking for waivers since they
can't meet the deadline. "Phase I" is in common use today; wireless
carriers provide the PSAP with information about the cell tower and,
where available, antenna sector used. This is then plotted on a map
reflecting propagation characteristics. This gives reasonably good
location information in densely populated areas, but doesn't help much
in rural areas.
As far as I know, no state has asked customers whether they'd like this
location information to be kept private. This is simply not an option.
(Indeed, you're probably paying on your cellular bill to have this
feature implemented, even if you'd rather not have it.)
> For example, does your implied consent extend to implied consent to a
> statistical study of from where 911 calls are made? Does it imply
> consent to my name being in the court records as the one who made the
> call?
Yes, all 911 calls are recorded and routinely used in court proceedings.
This does require a subpoena from a judge, so presumably normal witness
protection mechanisms are applied (one would hope). This recording
certainly applies to the audio portion and time stamp and probably also
to the other data (location and such). There have also been cases where
people making prank 911 calls from cell phones were booked based on this
information, so this information can and will be used "against" you. I
don't know how long this information is kept on file.
No, you don't get a choice in the matter. Nobody forces you to call 911;
if you don't like the policy, you can call the police or fire department
at the number listed in the phone book. You may have to wait in line
behind somebody arguing about their parking ticket, but at least your
location information is safeguarded.
> I don't understand the term "implied voluntary disclosure." It is
> either voluntary, in which case I should have a chance to make a
> different decision, or it is not, in which case I can't. I think in
> the US, it is not voluntary, but it would be a serious mistake to
> build US law into code that runs in other countries.
I'm not a lawyer, so don't take this as legal advice. Implied consent
means that by calling 911, you agree to the laws and regulations
governing 911, including disclosure of personal information. Same thing
as when you call an 800#, your number will be disclosed, regardless of
whether you suppress caller id or not.
Again, I would be really curious where regulations differ substantially.
Finally, it doesn't matter whether other countries or jurisdictions
handle this differently. I'm not arguing against privacy control for
location information - that's clearly a good thing. However, there are
circumstances where there's implied consent. Like I said earlier, the
use of intelligent end systems allows far greater freedom for that end
system to determine its information disclosure policy. Thus, we should
look at a range of environments, including:
- end-system (and user) initiated disclosure of location information; no
protocol is needed here. This is strictly a user interface issue,
probably governed by local regulations and laws. The IETF only needs to
get involved here to the extent of defining appropriate data structures,
so that we get global interoperability.
This is the case I'm concerned about, as it is the simpler case
technically, but immediately useful to address the legitimate needs of
the public expecting efficient delivery of emergency services. (I find
it rather peculiar that privacy is treated as a single, overriding goal
for everyone and under all circumstances. One may at least consider
cases where people prefer to be found when they're in distress, and who
may not want to risk pressing the wrong button sending the ambulance
chasing through the whole county.)
- third-party-initiated disclosure of such information, where protocol
support is definitely needed. I believe this should be the focus of the
working group, as it raises the most difficult issues. We can provide
mechanisms to authorize the release of different types of information;
whether local laws respect these choices is beyond our control. There
are two sub-cases here:
(1) The network knows my precise location. In that case, I can advise
the network to "fudge" the data to a lower precision, but local laws
won't necessarily honor those choices. Such is life. The place to
address this is via the local legislative body, not the IETF.
(2) I tell the network my precise location (and the network doesn't know
on its own). In that case, I have a choice as to what I reveal to the
network.
Read "the network" as meaning a server not under my control, e.g.,
operated by a carrier.
I'm arguing that in emergency communications, control and privacy have
potential costs, as you illustrate with your example.
>
> > As far as the working group is concerned, my primary issue is that there
> > are circumstances where voluntary disclosure of location information is
> > common, either explicitly (e.g., by configuring some piece of software
> > to send a header or include an email signature) or implicitly (by
> > calling a certain number). I would be curious what kind of 'privacy
> > management' people have in mind for these cases. Clearly, it is useful
>
> I think that the privacy requirements here are that either the
> information is used only for the immediate purpose (what the EU DPD
> calls "necessary for the performance of a contract...protect the vital
> interests of the data subject" (article 7), or that there are ways in
> which the fair information practices are respected as the data flows.
>
I agree, but that's a political or legal issue, not a technical one. I
see no technical means to keep the police department from using data
that it has acquired legitimately for one purpose for another. The IETF
can't keep police departments honest.
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
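The two sub-cases above (the end system "fudging" its location to a lower precision before handing it to a server it does not control, while an emergency call gets the exact fix) can be made concrete. The following is an added illustration written for this archive page, not code from the thread or from any IETF work; the requester classes, the precision values and the sample coordinates are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, for the degree/metre conversion

# Constructed disclosure policy: metres of precision per requester class.
# 0 means "release the exact position" (the emergency case in the thread).
POLICY = {"emergency": 0, "friend": 500, "advertiser": 50_000}


def coarsen_location(lat, lon, precision_m):
    """Snap a WGS84 point to the centre of a square grid cell of side
    precision_m metres; return (lat, lon, uncertainty_m). Every point in a
    cell maps to the same output, so repeated queries do not narrow it down."""
    if precision_m <= 0:
        return lat, lon, 0.0
    lat_step = math.degrees(precision_m / EARTH_RADIUS_M)  # constant per metre
    snapped_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    # a degree of longitude shrinks with cos(latitude); guard the poles
    cos_lat = max(math.cos(math.radians(snapped_lat)), 1e-9)
    lon_step = math.degrees(precision_m / (EARTH_RADIUS_M * cos_lat))
    snapped_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    # the cell centre is at most half a diagonal from the true position
    return snapped_lat, snapped_lon, precision_m * math.sqrt(2) / 2


def disclose(lat, lon, requester):
    """End-system side of sub-case (2): decide what the server gets to see.
    Unknown requester classes receive nothing at all."""
    precision_m = POLICY.get(requester)
    if precision_m is None:
        return None
    return coarsen_location(lat, lon, precision_m)


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used to check the uncertainty bound."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


if __name__ == "__main__":
    lat, lon = 40.7128, -74.0060  # constructed sample fix
    for who in ("emergency", "friend", "advertiser", "unknown"):
        print(who, disclose(lat, lon, who))
```

The uncertainty radius travels with the coarsened point so the recipient knows how much to trust it; whether a carrier or a local law honours the reduced precision is, as the message says, outside the protocol's control.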
Received on Sat Aug 18 00:59:11 2001
This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:22 EST