1. "owner" and "policy proponent" (new), "policy decision point"
The word "owner" is probably good, but I'd hope for a better word. The
problem I see is this -- by calling this entity the "owner" we suggest
that he/she has some rightful ownership of the location sighting (where
location sighting = the information that a certain target is sighted at a
certain location at a certain time). When the "user" has the rightful
ownership of that information (i.e., owner == user) he/she is likely to
have the best possible control of their privacy. However, in some settings
-- e.g., the cases where the "carrier" (e.g., a Voluntary Location
Processor) legally owns the location sighting information -- the user will
not have claim to such ownership, strictly speaking. However, privacy may
still exist because of a contract between the "user" and the "owner" (the
VLP carrier, in this case). The carrier owns the information, but may
allow the "user" to exercise control over its disclosure. Thus the user
exercises policy control over how the location sighting is used, without
having to be the owner of the information per se. This is not the best
scenario for privacy, but I think we need to be able to talk about such
scenarios, and refer to such a user who exercises control over location
disclosure policy.
So I would like to propose the term "policy proponent" to refer to an
entity that proposes a policy which should govern the disclosure of
location sightings. An entity who wants to protect their privacy would do
so by becoming a policy proponent. I visualize multiple policy proponents,
one of whom is possibly the user, who may or may not be the owner.
The reason I say "a policy" in the above paragraph, as opposed to "the
policy" is that there may be multiple policy proponents and their policies
may potentially conflict with each other. For example, take the situation
in which the State (a policy proponent) mandates full disclosure for E-911
or for cases covered by a judicial court order. The "policy decision
point" is an entity that processes multiple policies applicable to a
location sighting, resolves policy conflicts according to a resolution
algorithm, and outputs a go/no-go disclosure decision.
If we are talking about ownership of information, I think the terms we use
should preferably be close to the terms used by laws that address ownership
of information (I am not sure what those terms are). If we don't have a
better term, then I'm happy with "owner" for the most part, though I
would prefer the term "owner of the sighting" to make it even clearer. The
term "sighting" itself is well defined in literature in location-aware
computing, as a 3-tuple consisting of <target-identity, location, time>.
2. "user"
For the "user carrying the target"... I propose "co-located user" or
"co-sighted user". Sometimes the co-located (co-sighted) user does not
exist or has no meaning (e.g., in asset tracking). Also, we may even get
by without ever referring to the co-located (co-sighted) user in cases
where he/she is neither the owner nor a policy proponent.
3. "server", "client"
How about "location server" and "location client"? I think these terms
avoid the confusion that arises with client/server roles at the protocol
level (e.g. HTTP). Commenting on John Morris's proposed "ultimate
location recipient", I agree that we may need to distinguish between
"direct" and "indirect" recipients of location information. The
information is passed from a "location server" to a "direct location
recipient" ("direct location client") who in turn serves as a "location
server" and passes it (possibly translated, obfuscated, etc.) to an
indirect location client. Direct and indirect are relative to the first
location server. If a certain location client guarantees to not
propagate location information further (e.g., it may be technically
incapable of doing so, or be contractually bound), then we may call it an
"ultimate location recipient". In my view this qualification is a strong
privacy statement, so the distinction is important to make.
In item (1), I realize that I used the term "Policy Decision Point" which
is probably not a term used by policy folks. Please correct me!
Cheers
-- Ajith
| Ajith Narayanan
| IBM Emerging Technology Centre
| ajithn@sg.ibm.com Tel: (65) 320-1939 Fax: (65) 224-5260
| IBM Singapore Pte Ltd, IBM Towers, 80 Anson Rd, Singapore 079907
--
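The "policy decision point" sketched in item (1) above, several policy proponents whose policies may conflict and a resolver that outputs a go/no-go decision, as an added Python illustration; this is not code from the thread or from the geopriv work. The sighting values, the three sample policies and the resolution algorithm (a mandate that speaks to the request wins, otherwise any deny wins, otherwise at least one permit is required) are all assumptions made for the example.

```python
from typing import Callable, NamedTuple

# A location sighting: the 3-tuple <target-identity, location, time>.
class Sighting(NamedTuple):
    target: str
    location: str
    time: str

SIGHTING = Sighting("alice-handset", "1.2903N,103.8519E", "2001-12-12T09:27Z")  # constructed

# A disclosure request from a location client, with its stated purpose.
class Request(NamedTuple):
    client: str
    purpose: str

# One proponent's policy: decide() returns "permit", "deny" or "abstain" (says
# nothing about this request); mandate marks a legally binding rule like E-911.
class Policy(NamedTuple):
    proponent: str
    decide: Callable[[Sighting, Request], str]
    mandate: bool = False

def user_policy(s, r):
    # The co-located user (a proponent, not the owner) shares only with friends.
    return "permit" if r.client == "friend-finder" else "deny"

def carrier_policy(s, r):
    # The VLP carrier owns the sighting and by contract defers to the user,
    # except that it never releases sightings for advertising.
    return "deny" if r.purpose == "advertising" else "abstain"

def state_policy(s, r):
    # The State mandates full disclosure for E-911 calls.
    return "permit" if r.purpose == "E-911" else "abstain"

POLICIES = [
    Policy("co-located user", user_policy),
    Policy("VLP carrier (owner)", carrier_policy),
    Policy("State", state_policy, mandate=True),
]

def policy_decision_point(s, r, policies):
    # Go/no-go decision. Assumed resolution algorithm (not from the thread):
    # a mandate that speaks to the request wins; else any deny wins; else
    # at least one permit is required (default deny).
    votes = [(p.mandate, p.decide(s, r)) for p in policies]
    for mandate, vote in votes:
        if mandate and vote != "abstain":
            return vote == "permit"
    if any(vote == "deny" for _, vote in votes):
        return False
    return any(vote == "permit" for _, vote in votes)
```

The E-911 case shows the conflict the thread worries about: the user's policy says deny, yet the State's mandate forces disclosure, so the user exercises control only where no mandate applies.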
"Rosen, Brian" <Brian.Rosen@marconi.com> on 12/12/2001 08:47:44 AM
To: "'John Morris '" <jmorris@cdt.org>, "'geopriv@mail.apps.ietf.org '"
<geopriv@mail.apps.ietf.org>
cc:
Subject: RE: Terminology
Henning suggested "owner" for the policy determining entity, so
why don't we agree to that.
I'd actually like a more descriptive term for the entity "carrying"
the target than "user". Anyone got suggestions?
Henning, like you, did not like "client" or "server". He suggested
"location provider" and "location seeker". I have no problem with
those choices.
I don't yet appreciate the difference between an involuntary
and a voluntary provider. Please give me some hint of why
differentiating might affect the design of the object, the protocol
or the privacy considerations. It seems to me that voluntary
or involuntary, you treat the data the same way.
-----Original Message-----
From: John Morris
To: geopriv@mail.apps.ietf.org
Sent: 12/11/01 6:54 PM
Subject: Re: Terminology
Brian,
I strongly agree that we should start with definitions and terminology, and
I include some comments and suggestions in line below. But first, three
preliminary comments:
1. There are at least two places below where I suggest that we create two
definitions where you suggest only single definitions. I expect that your
reaction to at least one of my two suggestions is that my distinction is
irrelevant. But I ask you to at least concede that the distinctions I am
drawing are factually accurate. It may well be that two different
categories of actors will in the final analysis be treated exactly the same
(which is a conclusion that you suggested yesterday), but I think in our
definitions we should still identify the different categories of actors and
then later decide, if appropriate, to group two categories together.
2. I suggest a couple of new terms below. I do not care about the precise
words I have suggested, only about the conceptual categories. So if anyone
has better words to describe the relevant categories, please offer them up.
3. My comments below focus on your suggested definitions, without
addressing whether the WG wants or needs to have a definition of "location"
or types of location. We can discuss that in a later e-mail.
On to my comments:
At 12:43 PM 12/11/01 -0500, Rosen, Brian wrote:
>I'd like to start a discussion of terminology.
>
>I think we all agree on the term "target"; it's the device
>that has a location.
Fine.
>We usually use the term "user", in two contexts. One is that
>the target is usually described as associated with the user.
>We really want the location of the user, but until we get
>implanted with GPS receivers and radios, we have targets
>that are separate from the user. The other context we
>use "user" is that the user is the source of the privacy
>concern. Ultimately, it is the user that grants rights to
>some other entity to learn the location of the target.
I would split this into two, along the lines of:
"user" is the person (if any) who is directly associated with the target
device (by carrying the device, or driving it, etc.)
"owner" is the person or entity (if different from the user) who is the
appropriate person/entity to set privacy rules
To be clear, in some cases there may be no user at all -- an owner simply
wants to locate the target device, and the device is not a proxy for a
person.
Also to be clear, in many cases the user and owner may be one and the
same. But clearly there will be scenarios in which the user and owner are
not the same. In the final analysis, it is possible that this distinction
may not be all that relevant, but I for one cannot prejudge that at this
point.
>From there, we tend to fall apart on generally accepted
>terminology. I'd like to propose that we use the policy
>terms like 'Policy Determination Point' and 'Policy
>Enforcement Point' which have accepted meanings when we
>discuss the application of the users policy on the
>location dissemination. Is that acceptable?
Personally, I do not yet clearly understand how you would define those two
terms. I can imagine their definition, and I think that I could get on
board with some definition, but can you spell out two separate
definitions?
>Finally, I'd like to take a stab at convincing you that
>there are only two other entities (nouns) in this process.
>I think many have in mind that there are several other entities,
>but in my mind, there are only two.
>
>A Server is an entity that knows the location of a target.
>A Client is an entity that wants to find out the location
>of a target.
>
>See, wasn't that easy?
Too easy, in my view!
First, I agree with you that we may be able to conflate many potential
categories of actor into a single term like "server." So I accept your
effort to simplify. I am not happy with "server" or "client" because they
mean too many things already, but this concern is fairly minor.
More importantly, let's come back to the debate you and I had yesterday in
the WG about whether my use of the term "carrier" was accurate and/or
relevant. You quickly convinced me that the word "carrier" is wrong, but I
persist in thinking that there is a potentially relevant distinction
here. Let me reformulate my distinction as follows (and please, I hope
someone comes up with better words than I have here):
an "involuntary location processor" is an entity (like, e.g., a wireless
carrier or a dial-up ISP) that unavoidably learns or can learn the location
of the target, simply as a function of the role the entity plays in the
target's communications capability. Thus, unless a cell phone user simply
decided never to turn on the device, there is likely nothing the user or
owner can do to stop the wireless carrier from learning the
location. (Indeed, U.S. E911 laws may make this situation obligatory for
the U.S.).
a "voluntary location processor" is an entity that (a) receives the
target's location with the consent of the owner and (b) in most cases takes
some action with the information (e.g., serves it, translates it, stores
it, obfuscates it, returns other info to the target based on it).
Now, I admit that ILPs and VLPs may well in the end be treated exactly
alike, and so you may be correct in suggesting that the distinction is
irrelevant. But again, I for one doubt that the distinction will be
irrelevant, and I certainly cannot at this point in the analysis say that
the ILP should not receive special attention. Let's identify two
definitions and decide to conflate them later, if appropriate.
Now, to round out my suggested terminology, I probably would substitute
something like "ultimate location recipient" instead of "client," but I do
not think this is critical. The key, in my mind, is that the recipient is
the last entity to receive the location information, and this recipient may
well not need to know the full details of the owner's privacy rules.
>Now, let's look at scenarios. Please remember that these
>are logical functions, and a physical device can have
>multiple functions implemented in it.
I agree that we should look at scenarios very soon, but I do not want to
delay my thoughts above until I can get more time to comment on your
scenarios. Also, reaching tentative consensus on the terminology is
probably a good first step.
John
----------------------------------------
John B. Morris, Jr.
Director, Internet Standards, Technology
& Policy Project
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
(202) 637-0968 fax
jmorris@cdt.org
http://www.cdt.org
----------------------------------------
Received on Wed Dec 12 09:27:43 2001