On Wed, Aug 22, 2001 at 05:24:06PM -0700, John W Noerenberg II wrote:
> In general, I think your classifications are on the right track.
>
> At 3:18 PM -0500 8/20/01, Chris M. Lonvick wrote:
> >At 3:16 PM -0400 8/22/01, Adam Shostack wrote:
> >>Mandated-disclosure: There is a policy requirement from the
> >>provider of the service to reveal information. This may be from
> >>their adherence to local laws.
> >
> >I think it may be useful to distinguish between the contractual and
> >legal obligations, because I may be willing to disregard one and not
> >the other.
> >
> >>Needed-disclosure: There is a requirement to reveal the
> >>information in order to make the service work. For example, if I call
> >>1-800-find-gas to get the nearest gas station, I may expect that my
> >>location will be transmitted.
>
> These two are nasty. Chris is right to be careful about introducing
> something representing a legal decision into the classification. But
> Adam is right, there's no inherent harm marking the disclosure as
> legally required, as that can be set according to governing law. The
> problem is determining governing law. Let's say I acquired my device
> in a place where there is no mandated-disclosure requirement. Then I
> attempt to use it in a place where mandated disclosure is required.
> What's the precedence?

An excellent question.

In practice, I expect that the mandated disclosure wins, because the
service provider is going to do it, not caring about your contract or
law where you bought the phone, sim, etc. If we work from this
assumption, then I'd say it is a mandated-disclosure, because the
information is being disclosed because a party thinks it's mandated.

Note that I did say that a mandated disclosure is imposed by the
service provider, not someone else. That raises a set of questions if
the service provider offers other location-based services, which I
don't know how to answer or finesse. For example, if the service
provider (OnStar) provides roadside assistance, would that be
mandated- or needed-? My goal was to have it needed-, but I'm hard
pressed to find a definition set that respects 2804.

> Needed-disclosure and mandated-disclosure overlap in meaning. Both
> imply an obligation. After all, the police need to know where you
> are to respond to your 911 call. Is that a mandated-disclosure or a
> needed-disclosure? If my agreement with AAA says that every time I
> call for roadside assistance my location is transmitted to their
> dispatcher is that mandated or needed?

Firstly, I agree that my definitions are imperfect, and can use some
work.

I don't agree that the police need to know where you are to respond to
a 911 call; they are able to respond today. It is a mandated
disclosure because the SP is going to give out the information, and
nothing we say here, or build into protocols, is going to change
that. I think that AAA is a needed-disclosure; it may be possible to
convince the SP that they may not arbitrarily hand out data, whatever
their contract says.

> It's probably more important that the location that is transmitted by
> the sender is encoded in such a way that it can only be used for the
> purpose the sender allows. If I call 1-800-find-gas, I may not want
> to receive a list of fast-food joints along with the list of nearby
> gas stations -- or maybe I do.

I've been playing with the idea that we should encourage location to
be encoded in tuples of (location, privacy-info), where privacy-info
includes ways to talk about the various fip requirements.

Adam

> But a taxonomy of disclosure is a real good idea.
> --
>
> john noerenberg
> jwn2@qualcomm.com
> --------------------------------------------------------------------------
> Peace of mind isn't at all superficial, really. It's the whole thing.
> That which produces it is good maintenance; that which disturbs it
> is poor maintenance.
> -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974
> --------------------------------------------------------------------------

-- "It is seldom that liberty of any kind is lost all at once." -Hume

Received on Thu Aug 23 10:36:51 2001