Brian,
I strongly agree that we should start with definitions and terminology, and
I include some comments and suggestions in line below. But first, three
preliminary comments:
1. There are at least two places below where I suggest that we create two
definitions where you suggest only single definitions. I expect that your
reaction to at least one of my two suggestions is that my distinction is
irrelevant. But I ask you to at least concede that the distinctions I am
drawing are factually accurate. It may well be that two different
categories of actors will in the final analysis be treated exactly the same
(which is a conclusion that you suggested yesterday), but I think in our
definitions we should still identify the different categories of actors and
then later decide, if appropriate, to group two categories together.
2. I suggest a couple of new terms below. I do not care about the precise
words I have suggested, only about the conceptual categories. So if anyone
has better words to describe the relevant categories, please offer them up.
3. My comments below focus on your suggested definitions, without
addressing whether the WG wants or needs to have a definition of "location"
or types of location. We can discuss that in a later e-mail.
On to my comments:
At 12:43 PM 12/11/01 -0500, Rosen, Brian wrote:
>I'd like to start a discussion of terminology.
>
>I think we all agree on the term "target"; it's the device
>that has a location.
Fine.
>We usually use the term "user", in two contexts. One is that
>the target is usually described as associated with the user.
>We really want the location of the user, but until we get
>implanted with GPS receivers and radios, we have targets
>that are separate from the user. The other context we
>use "user" is that the user is the source of the privacy
>concern. Ultimately, it is the user that grants rights to
>some other entity to learn the location of the target.
I would split this into two, along the lines of:
"user" is the person (if any) who is directly associated with the target
device (by carrying the device, or driving it, etc.)
"owner" is the person or entity (if different from the user) who is the
appropriate person/entity to set privacy rules
To be clear, in some cases there may be no user at all -- an owner simply
wants to locate the target device, and the device is not a proxy for a person.
Also to be clear, in many cases the user and owner may be one and the
same. But clearly there will be scenarios in which the user and owner are
not the same. In the final analysis, it is possible that this distinction
may not be all that relevant, but I for one cannot prejudge that at this point.
>From there, we tend to fall apart on generally accepted
>terminology. I'd like to propose that we use the policy
>terms like 'Policy Determination Point' and 'Policy
>Enforcement Point' which have accepted meanings when we
>discuss the application of the user's policy on the
>location dissemination. Is that acceptable?
Personally, I do not yet clearly understand how you would define those two
terms. I can imagine their definition, and I think that I could get on
board with some definition, but can you spell out two separate definitions?
>Finally, I'd like to take a stab at convincing you that
>there are only two other entities (nouns) in this process.
>I think many have in mind that there are several other entities,
>but in my mind, there are only two.
>
>A Server is an entity that knows the location of a target.
>A Client is an entity that wants to find out the location
>of a target.
>
>See, wasn't that easy?
Too easy, in my view!
First, I agree with you that we may be able to conflate many potential
categories of actor into a single term like "server." So I accept your
effort to simplify. I am not happy with "server" or "client" because they
mean too many things already, but this concern is fairly minor.
More importantly, let's come back to the debate you and I had yesterday in
the WG about whether my use of the term "carrier" was accurate and/or
relevant. You quickly convinced me that the word "carrier" is wrong, but I
persist in thinking that there is a potentially relevant distinction
here. Let me reformulate my distinction as follows (and please, I hope
someone comes up with better words than I have here):
an "involuntary location processor" is an entity (like, e.g., a wireless
carrier or a dial-up ISP) that unavoidably learns or can learn the location
of the target, simply as a function of the role the entity plays in the
target's communications capability. Thus, unless a cell phone user simply
decided never to turn on the device, there is likely nothing the user or
owner can do to stop the wireless carrier from learning the
location. (Indeed, U.S. E911 laws may make this situation obligatory for
the U.S.).
a "voluntary location processor" is an entity that (a) receives the
target's location with the consent of the owner and (b) in most cases takes
some action with the information (e.g., serves it, translates it, stores
it, obfuscates it, returns other info to the target based on it).
Now, I admit that ILPs and VLPs may well in the end be treated exactly
alike, and so you may be correct in suggesting that the distinction is
irrelevant. But again, I for one doubt that the distinction will be
irrelevant, and I certainly cannot at this point in the analysis say that
the ILP should not receive special attention. Let's identify two
definitions and decide to conflate them later, if appropriate.
Now, to round out my suggested terminology, I probably would substitute
something like "ultimate location recipient" instead of "client," but I do
not think this is critical. The key, in my mind, is that the recipient is
the last entity to receive the location information, and this recipient may
well not need to know the full details of the owner's privacy rules.
>Now, let's look at scenarios. Please remember that these
>are logical functions, and a physical device can have
>multiple functions implemented in it.
I agree that we should look at scenarios very soon, but I do not want to
delay my thoughts above until I can get more time to comment on your
scenarios. Also, reaching tentative consensus on the terminology is
probably a good first step.
John
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
& Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris@cdt.org
http://www.cdt.org
----------------------------------------
Received on Tue Dec 11 18:55:42 2001