Re: Requirements Document

From: Adam Shostack <adam@zeroknowledge.com>
Date: Mon Aug 20 2001 - 14:36:34 EDT

On Mon, Aug 20, 2001 at 02:23:32PM -0400, Rosen, Brian wrote:
> Adam
>
> Do you object to a requirement that it must be possible to
> deploy the geopriv object in a standards based manner
> such that authorization to reveal location information is
> handled out of band (by contract for example), rather than
> by explicit user action at the point of use?

Are you asking about only out-of-band, or setting up a default
out-of-band with in-band control? I would have no problem with the
latter, I would have a problem with the former, there may well be
times when I'd like to change my setting for a single call.

> I have no objection to the object having advice to implementers
> on how to provide explicit user consent. I strongly object
> to requiring its use in all cases.

There is a set of times (e.g., US e911) where the information must be
revealed in order to comply with local law. Clearly, in that case,
you can't require consent. Are you using the term "explicit user
consent" to mean that the user takes some GUI action per request, or
in some other sense? If you're saying that you object to the user
being required to take action for each location request, then that's ok
by me. I have no problem with setting up consent settings that
usually work. If your objection is to the idea of explicit consent
when I reveal my location, and such revelation is not required by law,
I'd like to understand why you object to that.

Adam

> Brian
>
> > -----Original Message-----
> > From: Adam Shostack [mailto:adam@zeroknowledge.com]
> > Sent: Monday, August 20, 2001 1:23 PM
> > To: Henning Schulzrinne
> > Cc: Randy Bush; john.loughney@nokia.com;
> > behcet.sarikaya@usa.alcatel.com; geopriv@mail.apps.ietf.org
> > Subject: Re: Requirements Document
> >
> >
> >
> > On Fri, Aug 17, 2001 at 01:15:13PM -0700, Henning Schulzrinne wrote:
> > > Adam Shostack wrote:
> > > >
> > > > On Thu, Aug 16, 2001 at 10:46:50PM -0700, Henning Schulzrinne wrote:
> > > >
> > > > > - In PSTN emergency call services, callers know (or should know) that
> > > > > dialing 911 or 112 or whatever means that they agree and consent to have
> > > > > their calling number and possibly their location revealed to the public
> > > > > safety answering point (or the equivalent in other countries).
> > [...]
> > > As far as I know, no state has asked customers whether they'd like this
> > > location information to be kept private. This is simply not an option.
> >
> > Thanks for the pointers. I think we have a fundamental difference in
> > the way we're using the term "consent." For me, I don't consent to
> > things that are mandatory, I accept them. The term consent is usually
> > used this way in the privacy field; if you don't agree to the full
> > data transfer, you should still be able to get service.
> >
> > Then I would avoid the use of the term consent, and say simply that
> > callers should know that their calling number and location will be
> > revealed to the public safety answering point. Generally, this will
> > require some form of notice in those countries which have privacy
> > laws, although there may be exceptions already granted.
> >
> > > > For example, does your implied consent extend to implied consent to a
> > > > statistical study of from where 911 calls are made? Does it imply
> > > > consent to my name being in the court records as the one who made the
> > > > call?
> > >
> > > Yes, all 911 calls are recorded and routinely used in court proceedings.
> > > This does require a subpoena from a judge, so presumably normal witness
> > > protection mechanisms are applied (one would hope). This recording
> > > certainly applies to the audio portion and time stamp and probably also
> > > to the other data (location and such). There have also been cases where
> > > people making prank 911 calls from cell phones were booked based on this
> > > information, so this information can and will be used "against" you. I
> > > don't know how long this information is kept on file.
> >
> > > > I don't understand the term "implied voluntary disclosure." It is
> > > > either voluntary, in which case I should have a chance to make a
> > > > different decision, or it is not, in which case I can't. I think in
> > > > the US, it is not voluntary, but it would be a serious mistake to
> > > > build US law into code that runs in other countries.
> > >
> > > I'm not a lawyer, so don't take this as legal advice. Implied consent
> > > means that by calling 911, you agree to the laws and regulations
> > > governing 911, including disclosure of personal information. Same thing
> > > as when you call an 800#, your number will be disclosed, regardless of
> > > whether you suppress caller id or not.
> > >
> > > Again, I would be really curious where regulations differ substantially.
> >
> > The law enforcement use of the data (false calls) is different from
> > other secondary uses of the data. It's not clear to me if other uses
> > (such as a statistical study of the data) would be allowed on the
> > fully identifiable data. See section 7 of the EU Data Protection
> > Directive. (I have a hardcopy here, so I don't have an URL handy.)
> >
> > > Finally, it doesn't matter whether other countries or jurisdictions
> > > handle this differently. I'm not arguing against privacy control for
> > > location information - that's clearly a good thing. However, there are
> > > circumstances where there's implied consent. Like I said earlier, the
> > > use of intelligent end systems allows far greater freedom for that end
> > > system to determine its information disclosure policy. Thus, we should
> > > look at a range of environments, including:
> > >
> > > - end-system (and user) initiated disclosure of location information; no
> > > protocol is needed here. This is strictly a user interface issue,
> > > probably governed by local regulations and laws. The IETF only needs to
> > > get involved here to the extent of defining appropriate data structures,
> > > so that we get global interoperability.
> > >
> > > This is the case I'm concerned about, as it is the simpler case
> > > technically, but immediately useful to address the legitimate needs of
> > > the public expecting efficient delivery of emergency services. (I find
> > > it rather peculiar that privacy is treated as a single, overriding goal
> > > for everyone and under all circumstances. One may at least consider
> > > cases where people prefer to be found when they're in distress, and who
> > > may not want to risk pressing the wrong button sending the ambulance
> > > chasing through the whole county.)
> >
> > I don't see any problem with members of a society having different
> > priorities, or asking engineers to cope with them. I do have a
> > concern about a technology (cell phones) which is very useful today
> > being changed so that it can be used as a tool of mass surveillance,
> > and I think that that concern is widely shared, by many engineers.
> >
> > > - third-party-initiated disclosure of such information, where protocol
> > > support is definitely needed. I believe this should be the focus of the
> > > working group, as it raises the most difficult issues. We can provide
> > > mechanism to authorize the release of different types of information;
> > > whether local laws respect these choices is beyond our control. There
> > > are two sub-cases here:
> > >
> > > (1) The network knows my precise location. In that case, I can advise
> > > the network to "fudge" the data to a lower precision, but local laws
> > > won't necessarily honor those choices. Such is life. The place to
> > > address this is via the local legislative body, not the IETF.
> > >
> > > (2) I tell the network my precise location (and the network doesn't know
> > > on its own). In that case, I have a choice as to what I reveal to the
> > > network.
> > >
> > > Read "the network" as meaning a server not under my control, e.g.,
> > > operated by a carrier.
> > >
> > > I'm arguing that in emergency communications, control and privacy have
> > > potential costs, as you illustrate by the example.
> > >
> > > >
> > > > > As far as the working group is concerned, my primary issue is that there
> > > > > are circumstances where voluntary disclosure of location information is
> > > > > common, either explicitly (e.g., by configuring some piece of software
> > > > > to send a header or include an email signature) or implicitly (by
> > > > > calling a certain number). I would be curious what kind of 'privacy
> > > > > management' people have in mind for these cases. Clearly, it is useful
> > > >
> > > > I think that the privacy requirements here are that either the
> > > > information is used only for the immediate purpose (what the EU DPD
> > > > calls "necessary for the performance of a contract...protect the vital
> > > > interests of the data subject" (article 7), or that there are ways in
> > > > which the fair information practices are respected as the data flows.
> > > >
> > >
> > > I agree, but that's a political or legal issue, not a technical one. I
> > > see no technical means to keep the police department from using data
> > > that it has acquired legitimately for one purpose for another. The IETF
> > > can't keep police departments honest.
> >
> > I think it's possible to make design choices that make these things
> > easier or harder. For example, we could suggest that the right way to
> > deal with all requests for data is via strongly authenticated http
> > requests to the network (as you defined it above). We could also
> > suggest that the right way to handle such requests is via streaming
> > mbone to the various police agencies that might have an interest. It
> > is clearly easier to audit and manage the use of data in the first case.
> > We could go a step further and define a protocol which, unless there
> > is a specific reason not to, will notify the user device that the
> > network has answered a request on its behalf. While neither of these
> > would keep a police department honest, I think it helps to illustrate
> > that there are choices we're making, and I think that it's appropriate
> > for a group whose charter involves privacy to make those choices
> > consciously.
> >
> > Adam
> >

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
Received on Mon Aug 20 14:37:26 2001
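The design choices sketched at the end of Adam's quoted message (authenticated requests to the network, use of the data that is easy to audit, notification of the user's device when the network answers on its behalf) and the policy shape discussed at the top of this reply (an out-of-band default with an in-band override for a single call, plus disclosure that local law mandates, as for emergency calls) can be made concrete in a few dozen lines. The following Python is an added example written for this archive page; it is not code from the thread, from the geopriv working group, or from any IETF specification. The HMAC-over-shared-key requester authentication, the requester names, the shared keys, the sample coordinates and the one-decimal-degree "city" precision are all assumptions of the example.

```python
"""Toy location-disclosure policy server (added example, not from the thread).

Decision order for a request from a third party ("the network" answers on
the user's behalf):
  1. requester named by local law as mandated  -> exact, no consent involved
  2. in-band override the user set for this call -> that precision
  3. out-of-band (contractual) default          -> that precision, else nothing
Every authenticated decision is written to an audit record and pushed to
the user's device. Requester authentication is an HMAC-SHA256 over the
request fields with a pre-shared key; that is an assumption of this example.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import json
from typing import Optional


class Precision(Enum):
    NONE = 0    # nothing revealed
    CITY = 1    # coordinates rounded to one decimal degree (~11 km), assumed
    EXACT = 2   # full precision


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float


@dataclass
class Policy:
    defaults: dict = field(default_factory=dict)    # requester -> Precision (contract)
    overrides: dict = field(default_factory=dict)   # call_id -> Precision (per call)
    mandated: frozenset = frozenset()               # requesters law requires us to answer


@dataclass(frozen=True)
class LocationRequest:
    requester: str
    call_id: str
    mac: str    # hex HMAC-SHA256 over "requester|call_id" under the requester's key


def sign_request(key: bytes, requester: str, call_id: str) -> LocationRequest:
    msg = f"{requester}|{call_id}".encode()
    return LocationRequest(requester, call_id,
                           hmac.new(key, msg, hashlib.sha256).hexdigest())


def reduce_precision(loc: Location, precision: Precision) -> Optional[Location]:
    """Adam's '(1)': the network fudges data it knows to a lower precision."""
    if precision is Precision.NONE:
        return None
    if precision is Precision.CITY:
        return Location(round(loc.lat, 1), round(loc.lon, 1))
    return loc


class LocationServer:
    """A server not under the user's control, e.g. operated by a carrier."""

    def __init__(self, keys: dict, policy: Policy, location: Location):
        self.keys = keys                # requester -> shared key (assumed provisioning)
        self.policy = policy
        self.location = location
        self.audit = []                 # append-only record of every decision
        self.notifications = []         # messages pushed to the user's device

    def _authentic(self, req: LocationRequest) -> bool:
        key = self.keys.get(req.requester)
        if key is None:
            return False
        expected = sign_request(key, req.requester, req.call_id).mac
        return hmac.compare_digest(expected, req.mac)

    def decide(self, req: LocationRequest) -> tuple:
        if req.requester in self.policy.mandated:
            return Precision.EXACT, "legal-mandate"
        if req.call_id in self.policy.overrides:
            return self.policy.overrides[req.call_id], "in-band-override"
        return self.policy.defaults.get(req.requester, Precision.NONE), "out-of-band-default"

    def handle(self, req: LocationRequest) -> Optional[Location]:
        if not self._authentic(req):
            self.audit.append({"requester": req.requester, "call_id": req.call_id,
                               "result": "rejected", "basis": "bad-auth"})
            return None
        precision, basis = self.decide(req)
        answer = reduce_precision(self.location, precision)
        entry = {"requester": req.requester, "call_id": req.call_id,
                 "precision": precision.name, "basis": basis,
                 "answered": answer is not None}
        self.audit.append(entry)
        # The user device learns of every request the network answered for it,
        # including ones a legal mandate forced; it just cannot veto those.
        self.notifications.append(json.dumps(entry, sort_keys=True))
        return answer


def demo() -> dict:
    """Constructed sample: three requesters, one contract, one per-call override."""
    keys = {"psap": b"k-psap", "taxi.example": b"k-taxi", "ads.example": b"k-ads"}
    policy = Policy(defaults={"taxi.example": Precision.CITY},
                    overrides={"call-42": Precision.EXACT},
                    mandated=frozenset({"psap"}))
    srv = LocationServer(keys, policy, Location(40.74844, -73.98566))
    results = {
        "emergency": srv.handle(sign_request(keys["psap"], "psap", "call-1")),
        "contract_default": srv.handle(sign_request(keys["taxi.example"], "taxi.example", "call-2")),
        "per_call_override": srv.handle(sign_request(keys["taxi.example"], "taxi.example", "call-42")),
        "no_agreement": srv.handle(sign_request(keys["ads.example"], "ads.example", "call-3")),
        "forged": srv.handle(LocationRequest("psap", "call-4", "00" * 32)),
    }
    return {"results": results, "audit": srv.audit, "notifications": srv.notifications}


if __name__ == "__main__":
    print(json.dumps(demo(), default=str, indent=2))
```

The point of the structure is that the three decision bases are separable and each leaves a trace: the audit entry records which basis was used, so a statistical study later run over the log can tell mandated disclosures apart from contractual ones, and the user device sees every answered request, which is what makes the out-of-band default tolerable in practice. Rejected (unauthenticated) requests are logged but not pushed to the device, a choice you may want to invert if you care about detecting probing.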
