Re: Requirements Document

From: Adam Shostack <adam@zeroknowledge.com>
Date: Mon Aug 20 2001 - 13:22:30 EDT

On Fri, Aug 17, 2001 at 01:15:13PM -0700, Henning Schulzrinne wrote:
> Adam Shostack wrote:
> >
> > On Thu, Aug 16, 2001 at 10:46:50PM -0700, Henning Schulzrinne wrote:
> >
> > > - In PSTN emergency call services, callers know (or should know) that
> > > dialing 911 or 112 or whatever means that they agree and consent to have
> > > their calling number and possibly their location revealed to the public
> > > safety answering point (or the equivalent in other countries).
[...]
> As far as I know, no state has asked customers whether they'd like this
> location information to be kept private. This is simply not an option.

Thanks for the pointers. I think we have a fundamental difference in
the way we're using the term "consent." For me, I don't consent to
things that are mandatory, I accept them. The term consent is usually
used this way in the privacy field; if you don't agree to the full
data transfer, you should still be able to get service.

Then I would avoid the use of the term consent, and say simply that
callers should know that their calling number and location will be
revealed to the public safety answering point. Generally, this will
require some form of notice in those countries which have privacy
laws, although there may be exceptions already granted.

> > For example, does your implied consent extend to implied consent to a
> > statistical study of from where 911 calls are made? Does it imply
> > consent to my name being in the court records as the one who made the
> > call?
>
> Yes, all 911 calls are recorded and routinely used in court proceedings.
> This does require a subpoena from a judge, so presumably normal witness
> protection mechanisms are applied (one would hope). This recording
> certainly applies to the audio portion and time stamp and probably also
> to the other data (location and such). There have also been cases where
> people making prank 911 calls from cell phones were booked based on this
> information, so this information can and will be used "against" you. I
> don't know how long this information is kept on file.

> > I don't understand the term "implied voluntary disclosure." It is
> > either voluntary, in which case I should have a chance to make a
> > different decision, or it is not, in which case I can't. I think in
> > the US, it is not voluntary, but it would be a serious mistake to
> > build US law into code that runs in other countries.
>
> I'm not a lawyer, so don't take this as legal advice. Implied consent
> means that by calling 911, you agree to the laws and regulations
> governing 911, including disclosure of personal information. Same thing
> as when you call an 800#, your number will be disclosed, regardless of
> whether you suppress caller id or not.
>
> Again, I would be really curious where regulations differ substantially.

The law enforcement use of the data (false calls) is different from
other secondary uses of the data. It's not clear to me if other uses
(such as a statistical study of the data) would be allowed on the
fully identifiable data. See section 7 of the EU Data Protection
Directive. (I have a hardcopy here, so I don't have a URL handy.)

> Finally, it doesn't matter whether other countries or jurisdictions
> handle this differently. I'm not arguing against privacy control for
> location information - that's clearly a good thing. However, there are
> circumstances where there's implied consent. Like I said earlier, the
> use of intelligent end systems allows far greater freedom for that end
> system to determine its information disclosure policy. Thus, we should
> look at a range of environments, including:
>
> - end-system (and user) initiated disclosure of location information; no
> protocol is needed here. This is strictly a user interface issue,
> probably governed by local regulations and laws. The IETF only needs to
> get involved here to the extent of defining appropriate data structures,
> so that we get global interoperability.
>
> This is the case I'm concerned about, as it is the simpler case
> technically, but immediately useful to address the legitimate needs of
> the public expecting efficient delivery of emergency services. (I find
> it rather peculiar that privacy is treated as a single, overriding goal
> for everyone and under all circumstances. One may at least consider
> cases where people prefer to be found when they're in distress, and who
> may not want to risk pressing the wrong button sending the ambulance
> chasing through the whole county.)

I don't see any problem with members of a society having different
priorities, or asking engineers to cope with them. I do have a
concern about a technology (cell phones) which is very useful today being
changed so that it can be used as a tool of mass surveillance, and I
think that that concern is widely shared, by many engineers.

> - third-party-initiated disclosure of such information, where protocol
> support is definitely needed. I believe this should be the focus of the
> working group, as it raises the most difficult issues. We can provide
> mechanism to authorize the release of different types of information;
> whether local laws respect these choices is beyond our control. There
> are two sub-cases here:
>
> (1) The network knows my precise location. In that case, I can advise
> the network to "fudge" the data to a lower precision, but local laws
> won't necessarily honor those choices. Such is life. The place to
> address this is via the local legislative body, not the IETF.
>
> (2) I tell the network my precise location (and the network doesn't know
> on its own). In that case, I have a choice as to what I reveal to the
> network.
>
> Read "the network" as meaning a server not under my control, e.g.,
> operated by a carrier.
>
> I'm arguing that in emergency communications, control and privacy has
> potential costs, as you illustrate by the example.
>
> >
> > > As far as the working group is concerned, my primary issue is that there
> > > are circumstances where voluntary disclosure of location information is
> > > common, either explicitly (e.g., by configuring some piece of software
> > > to send a header or include an email signature) or implicitly (by
> > > calling a certain number). I would be curious what kind of 'privacy
> > > management' people have in mind for these cases. Clearly, it is useful
> >
> > I think that the privacy requirements here are that either the
> > information is used only for the immediate purpose (what the EU DPD
> > calls "necessary for the performance of a contract...protect the vital
> > interests of the data subject" (article 7), or that there are ways in
> > which the fair information practices are respected as the data flows.
> >
>
> I agree, but that's a political or legal issue, not a technical one. I
> see no technical means to keep the police department from using data
> that it has acquired legitimately for one purpose for another. The IETF
> can't keep police departments honest.

I think it's possible to make design choices that make these things
easier or harder. For example, we could suggest that the right way to
deal with all requests for data is via strongly authenticated http
requests to the network (as you defined it above). We could also
suggest that the right way to handle such requests is via streaming
mbone to the various police agencies that might have an interest. It
is clearly easier to audit and manage the use of data in the first case.
We could go a step further and define a protocol which, unless there
is a specific reason not to, will notify the user device that the
network has answered a request on its behalf. While neither of these
would keep a police department honest, I think it helps to illustrate
that there are choices we're making, and I think that it's appropriate
for a group whose charter involves privacy to make those choices
consciously.

Adam
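The design sketched in this thread (a network-side location server that answers only authenticated requests, applies the user's own precision "fudge" policy before release, keeps an audit record of every request, and notifies the user device that a request was answered on its behalf) can be shown in a few dozen lines. The following is an added illustration written for this archive page, not code from either correspondent or from any IETF working group; all names (`LocationServer`, `UserPolicy`, `REQUESTER_KEYS`, `demo_server`), the shared-secret scheme and the sample coordinates are constructed assumptions.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed requester credentials: requester id -> SHA-256 of its shared
# secret. A real deployment would use a proper authentication protocol; this
# stands in for the "strongly authenticated request" in the thread.
REQUESTER_KEYS = {
    "psap-county": hashlib.sha256(b"psap-secret-example").hexdigest(),
}


@dataclass
class UserPolicy:
    """What the user told the network, and how precisely it may be released."""
    precise: Tuple[float, float]  # (lat, lon) as reported by the user's device
    grid_deg: float               # snap released location to this grid; 0 = precise
    notify: bool = True           # send the device a notice when data is released


@dataclass
class LocationServer:
    policies: dict                                   # user id -> UserPolicy
    audit_log: list = field(default_factory=list)    # one record per request
    notifications: list = field(default_factory=list)  # queued device notices

    def _authenticate(self, requester: str, secret: str) -> bool:
        """Constant-time check of the requester's shared secret."""
        expected = REQUESTER_KEYS.get(requester)
        if expected is None:
            return False
        presented = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(expected, presented)

    @staticmethod
    def coarsen(point: Tuple[float, float], grid_deg: float) -> Tuple[float, float]:
        """Reduce precision by snapping both coordinates down to a grid cell."""
        if grid_deg <= 0:
            return point
        lat, lon = point
        return (round(math.floor(lat / grid_deg) * grid_deg, 6),
                round(math.floor(lon / grid_deg) * grid_deg, 6))

    def handle_request(self, requester: str, secret: str, user_id: str,
                       purpose: str) -> Optional[Tuple[float, float]]:
        """Answer a third-party location request under the user's policy.

        Every request, granted or not, leaves an audit record; every grant
        produces a notification for the user's device unless the user opted out.
        """
        record = {"requester": requester, "user": user_id, "purpose": purpose}
        if not self._authenticate(requester, secret):
            record["outcome"] = "denied: authentication failed"
            self.audit_log.append(record)
            return None
        policy = self.policies.get(user_id)
        if policy is None:
            record["outcome"] = "denied: no location on file"
            self.audit_log.append(record)
            return None
        released = self.coarsen(policy.precise, policy.grid_deg)
        record["outcome"] = "released"
        record["grid_deg"] = policy.grid_deg
        self.audit_log.append(record)
        if policy.notify:
            self.notifications.append(
                f"{user_id}: location released to {requester} for '{purpose}' "
                f"at {policy.grid_deg or 'full'} degree precision")
        return released


def demo_server() -> LocationServer:
    """Build a server with constructed users: one coarsens, one releases precisely."""
    return LocationServer(policies={
        "alice": UserPolicy(precise=(40.7589, -73.9851), grid_deg=0.01),
        "bob": UserPolicy(precise=(51.5074, -0.1278), grid_deg=0, notify=False),
    })


if __name__ == "__main__":
    srv = demo_server()
    print(srv.handle_request("psap-county", "psap-secret-example", "alice", "emergency"))
    print(srv.handle_request("psap-county", "wrong-secret", "alice", "emergency"))
    for line in srv.audit_log:
        print(line)
    for note in srv.notifications:
        print(note)
```

The point of the structure is the one Adam makes: the audit log and the notification queue exist because every release passes through a single authenticated request path, so a later review of who asked for what is a matter of reading one list. Sending the data out on a broadcast channel would leave nothing comparable to inspect.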
Received on Mon Aug 20 13:23:52 2001