RE: Requirements Document

From: Rosen, Brian <Brian.Rosen@marconi.com>
Date: Mon Aug 20 2001 - 14:23:32 EDT

Adam

Do you object to a requirement that it must be possible to
deploy the geopriv object in a standards based manner
such that authorization to reveal location information is
handled out of band (by contract for example), rather than
by explicit user action at the point of use?

I have no objection to the object having advice to implementers
on how to provide explicit user consent. I strongly object
to requiring its use in all cases.

Brian

> -----Original Message-----
> From: Adam Shostack [mailto:adam@zeroknowledge.com]
> Sent: Monday, August 20, 2001 1:23 PM
> To: Henning Schulzrinne
> Cc: Randy Bush; john.loughney@nokia.com;
> behcet.sarikaya@usa.alcatel.com; geopriv@mail.apps.ietf.org
> Subject: Re: Requirements Document
>
>
>
> On Fri, Aug 17, 2001 at 01:15:13PM -0700, Henning Schulzrinne wrote:
> > Adam Shostack wrote:
> > >
> > > On Thu, Aug 16, 2001 at 10:46:50PM -0700, Henning Schulzrinne wrote:
> > >
> > > > - In PSTN emergency call services, callers know (or should know) that
> > > > dialing 911 or 112 or whatever means that they agree and consent to have
> > > > their calling number and possibly their location revealed to the public
> > > > safety answering point (or the equivalent in other countries).
> [...]
> > As far as I know, no state has asked customers whether they'd like this
> > location information to be kept private. This is simply not an option.
>
> Thanks for the pointers. I think we have a fundamental difference in
> the way we're using the term "consent." For me, I don't consent to
> things that are mandatory, I accept them. The term consent is usually
> used this way in the privacy field; if you don't agree to the full
> data transfer, you should still be able to get service.
>
> Then I would avoid the use of the term consent, and say simply that
> callers should know that their calling number and location will be
> revealed to the public safety answering point. Generally, this will
> require some form of notice in those countries which have privacy
> laws, although there may be exceptions already granted.
>
> > > For example, does your implied consent extend to implied consent to a
> > > statistical study of from where 911 calls are made? Does it imply
> > > consent to my name being in the court records as the one who made the
> > > call?
> >
> > Yes, all 911 calls are recorded and routinely used in court proceedings.
> > This does require a subpoena from a judge, so presumably normal witness
> > protection mechanisms are applied (one would hope). This recording
> > certainly applies to the audio portion and time stamp and probably also
> > to the other data (location and such). There have also been cases where
> > people making prank 911 calls from cell phones were booked based on this
> > information, so this information can and will be used "against" you. I
> > don't know how long this information is kept on file.
>
> > > I don't understand the term "implied voluntary disclosure." It is
> > > either voluntary, in which case I should have a chance to make a
> > > different decision, or it is not, in which case I can't. I think in
> > > the US, it is not voluntary, but it would be a serious mistake to
> > > build US law into code that runs in other countries.
> >
> > I'm not a lawyer, so don't take this as legal advice. Implied consent
> > means that by calling 911, you agree to the laws and regulations
> > governing 911, including disclosure of personal information. Same thing
> > as when you call an 800#, your number will be disclosed, regardless of
> > whether you suppress caller id or not.
> >
> > Again, I would be really curious where regulations differ substantially.
>
> The law enforcement use of the data (false calls) is different from
> other secondary uses of the data. It's not clear to me if other uses
> (such as a statistical study of the data) would be allowed on the
> fully identifiable data. See section 7 of the EU Data Protection
> Directive. (I have a hardcopy here, so I don't have a URL handy.)
>
> > Finally, it doesn't matter whether other countries or jurisdictions
> > handle this differently. I'm not arguing against privacy control for
> > location information - that's clearly a good thing. However, there are
> > circumstances where there's implied consent. Like I said earlier, the
> > use of intelligent end systems allows far greater freedom for that end
> > system to determine its information disclosure policy. Thus, we should
> > look at a range of environments, including:
> >
> > - end-system (and user) initiated disclosure of location information; no
> > protocol is needed here. This is strictly a user interface issue,
> > probably governed by local regulations and laws. The IETF only needs to
> > get involved here to the extent of defining appropriate data structures,
> > so that we get global interoperability.
> >
> > This is the case I'm concerned about, as it is the simpler case
> > technically, but immediately useful to address the legitimate needs of
> > the public expecting efficient delivery of emergency services. (I find
> > it rather peculiar that privacy is treated as a single, overriding goal
> > for everyone and under all circumstances. One may at least consider
> > cases where people prefer to be found when they're in distress, and who
> > may not want to risk pressing the wrong button sending the ambulance
> > chasing through the whole county.)
>
> I don't see any problem with members of a society having different
> priorities, or asking engineers to cope with them. I do have a
> concern about a technology (cell phones) which is very useful today being
> changed so that it can be used as a tool of mass surveillance, and I
> think that that concern is widely shared, by many engineers.
>
> > - third-party-initiated disclosure of such information, where protocol
> > support is definitely needed. I believe this should be the focus of the
> > working group, as it raises the most difficult issues. We can provide
> > mechanism to authorize the release of different types of information;
> > whether local laws respect these choices is beyond our control. There
> > are two sub-cases here:
> >
> > (1) The network knows my precise location. In that case, I can advise
> > the network to "fudge" the data to a lower precision, but local laws
> > won't necessarily honor those choices. Such is life. The place to
> > address this is via the local legislative body, not the IETF.
> >
> > (2) I tell the network my precise location (and the network doesn't know
> > on its own). In that case, I have a choice as to what I reveal to the
> > network.
> >
> > Read "the network" as meaning a server not under my control, e.g.,
> > operated by a carrier.
> >
> > I'm arguing that in emergency communications, control and privacy have
> > potential costs, as you illustrate by the example.
> >
> > >
> > > > As far as the working group is concerned, my primary issue is that there
> > > > are circumstances where voluntary disclosure of location information is
> > > > common, either explicitly (e.g., by configuring some piece of software
> > > > to send a header or include an email signature) or implicitly (by
> > > > calling a certain number). I would be curious what kind of 'privacy
> > > > management' people have in mind for these cases. Clearly, it is useful
> > >
> > > I think that the privacy requirements here are that either the
> > > information is used only for the immediate purpose (what the EU DPD
> > > calls "necessary for the performance of a contract...protect the vital
> > > interests of the data subject" (article 7), or that there are ways in
> > > which the fair information practices are respected as the data flows.
> > >
> >
> > I agree, but that's a political or legal issue, not a technical one. I
> > see no technical means to keep the police department from using data
> > that it has acquired legitimately for one purpose for another. The IETF
> > can't keep police departments honest.
>
> I think it's possible to make design choices that make these things
> easier or harder. For example, we could suggest that the right way to
> deal with all requests for data is via strongly authenticated http
> requests to the network (as you defined it above). We could also
> suggest that the right way to handle such requests is via streaming
> mbone to the various police agencies that might have an interest. It
> is clearly easier to audit and manage the use of data in the first case.
> We could go a step further and define a protocol which, unless there
> is a specific reason not to, will notify the user device that the
> network has answered a request on its behalf. While neither of these
> would keep a police department honest, I think it helps to illustrate
> that there are choices we're making, and I think that it's appropriate
> for a group whose charter involves privacy to make those choices
> consciously.
>
> Adam
>
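The design choices debated above (out-of-band versus explicit point-of-use authorization, coarsening the reported precision, an audit trail, and notifying the user device that the network answered on its behalf) can be sketched as one request handler. This is an added illustration, not code from the thread or from any geopriv specification; the requester names, rules and coordinates are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMode(Enum):
    EXPLICIT = "explicit-user-consent"   # user approves at the point of use
    OUT_OF_BAND = "out-of-band"          # settled by contract or emergency rule


@dataclass
class Rule:
    requester: str      # authenticated identity this rule applies to
    mode: AuthMode
    decimals: int       # coordinate digits kept; fewer digits = coarser fix
    notify: bool = True # False is the "specific reason not to" notify


@dataclass
class LocationServer:
    rules: dict                                   # requester -> Rule
    audit: list = field(default_factory=list)     # every request, any outcome
    notices: list = field(default_factory=list)   # messages to the user device

    def coarsen(self, lat, lon, decimals):
        """Reduce precision ("fudge") before release, per the rule."""
        return (round(lat, decimals), round(lon, decimals))

    def handle(self, requester, authenticated, lat, lon, user_says_yes=None):
        """Evaluate one location request; always writes an audit record."""
        rule = self.rules.get(requester)
        if not authenticated or rule is None:
            decision, result = "deny", None           # unknown or unauthenticated
        elif rule.mode is AuthMode.EXPLICIT and not user_says_yes:
            decision, result = "deny", None           # no point-of-use consent
        else:
            decision = "release"
            result = self.coarsen(lat, lon, rule.decimals)
        self.audit.append((requester, decision))
        if rule is None or rule.notify:
            self.notices.append(f"{requester}: {decision}")
        return decision, result


# Constructed rules: a PSAP authorized out of band, a friend needing consent.
RULES = {
    "psap.example": Rule("psap.example", AuthMode.OUT_OF_BAND, decimals=4),
    "friend.example": Rule("friend.example", AuthMode.EXPLICIT, decimals=2),
}


def demo(lat=40.7128, lon=-74.0060):
    srv = LocationServer(RULES)
    results = [
        srv.handle("psap.example", True, lat, lon),
        srv.handle("friend.example", True, lat, lon, user_says_yes=True),
        srv.handle("friend.example", True, lat, lon, user_says_yes=False),
        srv.handle("unknown.example", False, lat, lon),
    ]
    return results, srv.audit, srv.notices
```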
Received on Mon Aug 20 14:23:07 2001

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:22 EST