On Mon, Aug 20, 2001 at 03:18:26PM -0500, Chris M. Lonvick wrote:
> Hi Adam,
>
> At 02:46 PM 8/20/2001 -0400, Adam Shostack wrote:
> >I'm finding myself asking a lot of questions about what people mean by
> >phrases they use including the word "consent."
> >
> >Mandated-disclosure: There is a legal requirement to reveal
> >information.
>
> I'm not sure that I'd go along with the word "legal". What may be
> a legal requirement in country ABC may not be a legal requirement
> in country XYZ. In either case, the law may, or may not, be the
> requirement for "mandated-disclosure".

These are excellent points, and they make adding authorization to a
mandated-disclosure request difficult.

> I believe that what you are trying to say is something like: If you
> are in the US, and you have a cell phone, then you should know (by
> reading the contract?) that your location will be revealed if you
> dial an emergency number. However, in country DEF there may be no
> laws governing the location disclosure when a subscriber dials an
> emergency number, yet the service provider mandates it anyway (and
> should note that in their contract).

That's not quite it. If you are in the US and you have a cell phone,
then it does not matter if you know your location will be revealed if
you dial an emergency number. The E911 regulations require that your
location be revealed, and you don't get a choice, and you might not
even be entitled to notification.

Let's take the EU and Mexico as two examples of how the latter (DEF case)
might work. The EU has data protection laws which apply to the
private sector. As far as I know, Mexico does not.

In DEF-EU, I think it would be tricky (absent E911-like rules) to
claim that a disclosure is mandatory, because I have a privacy right
to notice and choice that the company can not arbitrarily override.

In Mexico, without data protection law, then you might be able to use
the mandatory bit. I think that using needed-disclosure would be
better, because it would reduce the likelihood that someone would hack
their software to override the mandated bit.

> It may just avoid some confusion if any documents produced from this
> group were to not base anything upon "legal requirements". Perhaps
> a better definition may be:
>
> Mandated-disclosure: There is a policy requirement from the
> provider of the service to reveal information. This may be from
> their adherence to local laws.

I think it may be useful to distinguish between the contractual and
legal obligations, because I may be willing to disregard one and not
the other.

> Somewhat related, the IAB and IESG have already said this on the
> subject:
> " The IETF, an international standards body, believes itself to be
> the wrong forum for designing protocol or equipment features that
> address needs arising from the laws of individual countries,
> because these laws vary widely across the areas that IETF standards
> are deployed in."
> -RFC 2804

Thanks for pointing that out. I feel somewhat odd, because I'm basing
some of my arguments on national laws, knowing full well what 2804
says, and having participated (marginally) in the raven discussions
that led to it. However, the laws I'm working from are laws which do
not vary widely in those places where they are. That is, countries
will either have a privacy law, which is based on the fair information
practices, or they don't have a privacy law at all. So, if there is a
privacy law, it will tend to be harmonious, and we can address a large
number of countries' laws with a few broad strokes. Those broad
strokes will also represent good privacy practices.

> I think your definitions are on track.

Thanks!

Adam

-- "It is seldom that liberty of any kind is lost all at once." -Hume

Received on Wed Aug 22 15:16:37 2001