Elements of privacy

From: John Morris <jmorris@cdt.org>
Date: Fri Dec 07 2001 - 12:11:40 EST

As the WG moves forward with defining requirements, and beyond, we
will need to consider the different elements that are part of a
typical privacy analysis, based on accepted ideas of fair information
practices. These elements include notice, minimization, consent,
security, enforcement, retention, and access. Adam Shostack and
others on the list have discussed these elements, and we plan to
discuss these elements in an internet-draft to be submitted after
IETF 52. Nevertheless, we thought it would be helpful to set the
elements out briefly prior to the meeting next week in SLC.

Below we've laid out two simple scenarios that help to illustrate the
different elements of privacy and fair information practices. We
then list and describe the elements individually. Whether or not all
of the elements become a part of a geopriv protocol, it is useful to
identify and consider the range of elements.

We look forward to a discussion of the relevant drafts and other issues.

John Morris
Deirdre Mulligan
Sabra-Anne Kelin
Alan Davidson

=================
SCENARIO #1: In the first scenario, the target knows his location
and requests a location-based service. For example, a target with a
GPS-enabled device wants to find out how to get somewhere. He could
send his location to a service provider, which could then calculate
how to get from the target's current location to the desired
location; the provider could then send this information to the target.

The first phase of this scenario is transmission of the target's
location information to the service provider. The privacy issue here
is whether the information is secure while it's in transit. For
example, is it encrypted? (see element 4 - security).

The next phase of this scenario happens after the service provider
has received the location information. The first privacy issue is
what the provider is allowed to do with the information. Can it use
the information in-house in a manner that goes beyond the
location-based service? Can it give or sell the information to a
third party? (see element 3 - consent). Also, how long can the
provider retain the information? Indefinitely? Only as long as
necessary in order to provide the location-based service? (see
element 6 - retention). Also, what must the provider do while it
stores the information? Store it on a secure server? Encrypt it?
(see element 4 - security). Lastly, does the provider have to give
the target access to the information in order to correct or delete
it? (see element 7 - access).

=================
SCENARIO #2: The second scenario is more complicated. Here, a
client wants to learn a target's location and then use that location
to provide a location-based service. For example, a business wants to
send advertisements to a target when he is at a specific location.

The first phase of this scenario is comprised of the client
requesting location information and the target (or the target's
proxy) deciding whether to send the information. The first privacy
issue is whether the client's request must state for what purposes
the client intends to use the information. For example, the client
might want to use the information solely to provide the
location-based service, or it might also want to give or sell the
information to third parties. (see element 1 - notice). Also, are
there any restrictions on what information the client can
request? For example, can the client request information that is not
necessary to provide the location-based service? (see element 2 -
minimization). The next issue is what the target's default setting is
for responding to requests. Do the target's privacy rules generally
send location information _except_ for certain situations? Or do they
generally _not_ send location information except for certain
situations? If the default is not sending location information, what
actions must the target perform to authorize the information's
release? (see element 3 - consent).

The second phase of this scenario is when the location information is
sent to the client. The privacy issue here is whether the information
is secure while it's in transit. (see element 4 - security).

The third phase of this scenario happens after the client has
received the location information. The first privacy issue is what
the client is allowed to do with the information. Can it use the
information in-house in a manner that goes beyond the location-based
service? Can it give or sell the information to a third party? (see
element 3 - consent). Another privacy issue is related to the client
obeying the contents of its original request. What happens if the
client's request stated certain intended uses of the information and
the client later used the information in other ways? (see element 5 -
enforcement). Also, how long can the client retain the information?
Indefinitely? Only as long as necessary in order to provide the
location-based service? (see element 6 - retention). Lastly, what
must the client do while it stores the information? Store it on a
secure server? Encrypt it? (see element 4 - security). Does the
client have to give the target access to the information in order to
correct or delete it? (see element 7 - access).

=================
These two scenarios raise privacy issues that are addressed by fair
information practices. These practices are drawn from a variety of
widely available documents. For example, see the OECD (Organisation
for Economic Co-operation and Development) Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data at
http://www1.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM. The
following elements describe, for each privacy issue, what rules are
suggested by fair information practices.

1. Notice
A business must provide a consumer with full, clear, and conspicuous
notice of its information practices. This includes what information
it collects, how it collects it (e.g., directly or through
non-obvious means), and why it collects it. It also includes how it
uses the information, including whether it discloses the information
collected to other entities and whether other entities are collecting
information through it. A business must also tell a consumer how it
meets the other principles of fair information practices.

2. Minimization
A business may collect only information that it needs. Need is
defined with respect to what the consumer expects from a transaction.

3. Consent
Consent is required before information can be collected or used in
any way. This consent must come from the individual whose information
is being sought. Any secondary use of the information (i.e., use
beyond that to which the individual initially consented) requires
additional consent by the individual. An individual's access to a
service cannot be conditioned upon her consent to secondary uses of
her information. In order to be valid, consent must be explicit
(opt-in), not implicit (opt-out).

4. Security
Businesses must take reasonable steps to protect the security of the
information they collect from consumers.

5. Enforcement
Reliable mechanisms must exist in order to provide sanctions for
noncompliance. In general, it's easier to enforce rules if businesses
are explicit about their information practices.

6. Retention
Even if a business protects an individual's information and handles
it correctly, the mere presence of that information means that third
parties could access the information and use it incorrectly. Thus,
once information is no longer needed, a business must get rid of it
or strip off any identifiers so that the information is less
susceptible to abuse by others.

7. Access
If decisions are being made about an individual based on her
information, then she has a right to access, correct, or delete that
information. Thus, a business must give a consumer reasonable access
to the information that has been collected about her, including a
reasonable opportunity to review, correct, or delete that information.

----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
    & Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris@cdt.org
http://www.cdt.org
----------------------------------------
Received on Fri Dec 7 12:13:24 2001
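The request-and-response flow of scenario #2 and elements 1, 2, 3, 5 and 6, as an added example that is not part of the original e-mail and not geopriv protocol code: a small Python policy check in which the target's rules default to deny, consent is granted per stated purpose, requested fields beyond what the consented purpose needs are stripped, and later uses by the client are audited against the grant and the retention deadline. All class and function names and the sample values are hypothetical.

```python
# Added example (not from the original e-mail): a toy evaluator for the
# request/response in scenario #2, covering notice (1), minimization (2),
# consent (3), enforcement (5) and retention (6). Names are hypothetical;
# times are plain integers (seconds) to keep the example self-contained.
from dataclasses import dataclass

@dataclass(frozen=True)
class LocationRequest:
    client: str
    purposes: frozenset   # intended uses the client states up front (notice)
    fields: frozenset     # location fields it asks for (minimization)

@dataclass(frozen=True)
class PrivacyRules:
    # Opt-in default: nothing is released unless a rule explicitly allows it.
    allowed: dict         # client -> purposes the target has consented to
    needed: dict          # purpose -> fields actually needed for that purpose
    retention_s: int      # how long the client may keep what it receives

@dataclass(frozen=True)
class Release:
    client: str
    purposes: frozenset   # uses the target consented to
    fields: frozenset     # fields actually sent (minimized)
    delete_by: int        # retention deadline (seconds)

def decide(req, rules, now):
    """Return (Release or None, reasons) for one request at time `now`."""
    reasons = []
    if not req.purposes:
        return None, ["request states no purpose (element 1)"]
    granted = req.purposes & rules.allowed.get(req.client, frozenset())
    if granted != req.purposes:   # consent is per purpose, never implied
        reasons.append(f"no consent for: {sorted(req.purposes - granted)}")
    if not granted:
        return None, reasons + ["default is deny (opt-in, element 3)"]
    # Minimization: send only the fields the consented purposes need.
    needed = frozenset().union(*(rules.needed.get(p, frozenset()) for p in granted))
    if req.fields - needed:
        reasons.append(f"stripped unneeded fields: {sorted(req.fields - needed)}")
    rel = Release(req.client, granted, req.fields & needed, now + rules.retention_s)
    return rel, reasons

def audit_use(rel, purpose, at):
    """Enforcement: flag uses beyond the granted purposes or the retention deadline."""
    problems = []
    if purpose not in rel.purposes:
        problems.append(f"secondary use '{purpose}' without consent (element 5)")
    if at > rel.delete_by:
        problems.append("used after the retention deadline (element 6)")
    return problems
```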