BTW, one of the uses for the object is tracking - location reports
are sent periodically. Can't deal with consent-per-report; you
have to allow one consent then a lot of reports. All the ways you
can get consent are still valid, but you also can't tolerate a
null message exchange for each report.
Yes, of course your consent has to include whether you allow
tracking, how frequently, with what accuracy,...
Brian
> -----Original Message-----
> From: Adam Shostack [mailto:adam@zeroknowledge.com]
> Sent: Wednesday, August 22, 2001 2:58 PM
> To: James M. Polk
> Cc: geopriv@mail.apps.ietf.org
> Subject: Re: Consent
>
>
> On Mon, Aug 20, 2001 at 02:07:56PM -0500, James M. Polk wrote:
> >
> > Adam
> >
> > I'm glad someone brought this up as a starting point for discussion....
> > comments below
> >
> > At 02:46 PM 8/20/2001 -0400, Adam Shostack wrote:
> > >I'm finding myself asking a lot of questions about what people mean by
> > >phrases they use including the word "consent."
> > >
> > >May I suggest that we use the following terminology:
> > >
> > >Consentual-disclosure: The end-user has chosen to reveal
> > >information. This choice is freely given, not mandated or required.
> >
> > But is this given explicitly or implicitly (and yes I've read below)? Is
> > everyone defaulted to be allowed or not-allowed to discover location of
> > another. What about in letting others discover my location?
>
> I think there are two issues, one of which is how we reach a consent
> decision, and then second, what we do with it. This set of ideas was
> (implicitly) designed for signalling what form of consent is being
> asked for or assumed.
>
> My location is personally identifiable information in which I have a
> strong privacy interest. Under the Fair Information Practices, I need
> to have notice and consent if that information is given to others.
> There are exceptions, such as for law enforcement or 911, which is why
> there's the mandated-disclosure category.
>
> If we can agree that these are useful categories, we can start to
> decide how to put things into categories and use them.
>
> I think that in Europe, Canada, Australia, and other places where data
> protection laws apply to private firms, the default would need to be
> that your consent is required before the disclosure of information to
> friends, family, or companies that want to see it.
>
> > >Mandated-disclosure: There is a legal requirement to reveal
> > >information.
> >
> > again, explicitly or implicitly?
>
> I'm not sure I understand your question. How can a law imply that you
> must do something? Don't laws need to be explicit?
>
> If you're asking in the context of a protocol, then I think that a
> disclosure is mandated by law should accompany
> - the demand for data (if the end user device is involved in the
> request, the user preference software can't ignore it. There are also
> authorization requirements, otherwise I'll just tag all my packets
> with a mandatory bit)
>
> - the data as it goes elsewhere. The fact that it was demanded
> probably places limits on how it can be used and revealed onwards.
> For example, while there are a set of uses for E911 data that have
> been listed, the fact that I dialed 911 should not mean that the
> service provider can now reveal my location to Starbucks.
>
> Adam
>
>
> > >Needed-disclosure: There is a requirement to reveal the
> > >information in order to make the service work. For example, if I call
> > >1-800-find-gas to get the nearest gas station, I may expect that my
> > >location will be transmitted.
> > >
> > >Explicit-consent-action: The user performs a GUI action to reveal or
> > >conceal information at the time of the request
> > >
> > >Default-consent-action: The user has set a preference for some
> > >recipient, class of recipient, etc.
> > >
> > >Adam
> >
> > *************************************
> > "People generally demand more respect for their own rights than they are
> > willing to allow for others"
> >
> > James M. Polk
> > Consulting Engineer
> > Office of the CTO
> >
> > Cisco Systems
> > 18581 N. Dallas Parkway
> > Dallas, Texas 75287
> > w) 972.813.5208
> > f) 972.813.5280
> > www.cisco.com
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>
Received on Wed Aug 22 17:16:24 2001
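
Added example (not part of the original messages): a sketch of the one-consent, many-reports model raised at the top of this message, where the stored consent records whether tracking is allowed, how frequently and with what accuracy, and each periodic report is checked locally with no per-report exchange. All class and field names, the recipient name and the coordinates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrackingConsent:
    """One consent decision covering a stream of reports (hypothetical fields)."""
    recipient: str
    tracking_allowed: bool
    min_interval_s: int   # at most one report per this many seconds
    grid_deg: float       # consented accuracy: coordinates are snapped to this grid
    expires_at: int       # epoch seconds; consent must be obtained again afterwards


def coarsen(value: float, grid: float) -> float:
    """Snap a coordinate to the consented grid so no finer position is released."""
    return round(round(value / grid) * grid, 6)


class Reporter:
    """Checks every periodic report against the stored consent, locally."""

    def __init__(self, consent: TrackingConsent) -> None:
        self.consent = consent
        self.last_sent: Optional[int] = None

    def report(self, recipient: str, lat: float, lon: float,
               now: int) -> Optional[Tuple[float, float]]:
        c = self.consent
        # No consent for this recipient, or tracking not allowed: send nothing.
        if recipient != c.recipient or not c.tracking_allowed:
            return None
        # Consent has lapsed: the consent step must be repeated, not assumed.
        if now >= c.expires_at:
            return None
        # Enforce the consented frequency without asking the user again.
        if self.last_sent is not None and now - self.last_sent < c.min_interval_s:
            return None
        self.last_sent = now
        return (coarsen(lat, c.grid_deg), coarsen(lon, c.grid_deg))


def demo():
    # Constructed sample: one grant, then a series of report attempts.
    consent = TrackingConsent("fleet.example", True, 300, 0.01, 10_000)
    r = Reporter(consent)
    attempts = [("fleet.example", 1000), ("fleet.example", 1100),
                ("other.example", 1200), ("fleet.example", 1300),
                ("fleet.example", 10_000)]
    return [r.report(who, 32.98765, -96.82912, t) for who, t in attempts]
```
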