Brian,
Your suggestions and those of Ajith Narayanan and others are heading in a
good direction. Let me focus on your comment:
>I don't yet appreciate the difference between an involuntary
>and a voluntary provider. Please give me some hint of why
>differentiating might affect the design of the object, the protocol
>or the privacy considerations. It seems to me that voluntary
>or involuntary, you treat the data the same way.
I persist with my view that there is a non-trivial factual distinction
between the two types of provider, and for that reason alone it seems safer
to distinguish between them now and conflate them (if appropriate)
later. [For readers who do not recall my prior suggestion, see the end of
this e-mail.] But let me offer two arguments why the distinction might
prove to be significant on down the line:
1. A technical consideration: At least some instances of communications
with an "involuntary location processor" (ILP) will be in situations where
the target device is severely constrained in bandwidth and/or computing
power. Might we possibly consider a two-pronged technical solution, one
that works for constrained devices and a broader or more robust version for
less constrained devices? This distinction is of course different from the
involuntary/voluntary distinction, but there is some congruence, and if we
are going to consider a simple form of geopriv instruction to address the
constrained device situation, I would want (for the reasons suggested in
the next paragraph) to consider applying that same simple form to all ILPs,
even in non-constrained situations.
2. A privacy consideration: At the risk of creating yet another category,
there are at least two types of ILP, a known and trusted ILP, and an
unknown and/or untrusted ILP. Let me assume a simple case -- I know and
(in theory) trust my own wireless provider, and I can negotiate with that
carrier to ensure that it honors my privacy rules. So my carrier may well,
from a privacy perspective, appropriately be treated like a "voluntary
location processor" (which only includes entities that the
user/target/owner agrees can receive location information). But, when I
roam out of my carrier's service area, I may not know or trust the ILP that
handles my cell call, and the fact that my carrier and the remote ILP have
a contractual relationship does not give me much confidence that the remote
ILP will honor my privacy rules. And so, from a privacy perspective I
would much prefer to give the remote ILP an extremely simple instruction,
something like "send my location only to x." It is far easier to verify
that that simple instruction was honored than that my full privacy rules
were. Now, it is true that if I send my full privacy rules to an untrusted
ILP I could still send the simple instruction suggested above. But I do not
want this entity that I do not trust to be tempted to try to implement my
full rules. If the untrusted ILP learns that I am willing to accept wireless
advertisements from coffee shops, that entity may be tempted to ignore my
simple instruction and go ahead and tell my location to the coffee shops
that the untrusted ILP chooses. Indeed, I may not even want the untrusted
entity to see my full privacy rules, because those rules may well give away
confidential information about me or the locations I frequent. For these
reasons, I persist in thinking we should at least keep open the possibility
of treating an ILP differently than a trusted VLP (and in the cases where I
_do_ trust the ILP, my simple instruction can be "send my location only to
x" where x is the trusted ILP).
Again, you may be right that in the end they will be treated the same, but
it is not obvious to me.
John
At 07:47 PM 12/11/01 -0500, Rosen, Brian wrote:
>Henning suggested "owner" for the policy determining entity, so
>why don't we agree to that.
>
>I'd actually like a more descriptive term for the entity "carrying"
>the target than "user". Anyone got suggestions?
>
>Henning, like you, did not like "client" or "server". He suggested
>"location provider" and "location seeker". I have no problem with
>those choices.
>
>I don't yet appreciate the difference between an involuntary
>and a voluntary provider. Please give me some hint of why
>differentiating might affect the design of the object, the protocol
>or the privacy considerations. It seems to me that voluntary
>or involuntary, you treat the data the same way.
>
>
>
>-----Original Message-----
>From: John Morris
>To: geopriv@mail.apps.ietf.org
>Sent: 12/11/01 6:54 PM
>Subject: Re: Terminology
>
>Brian,
>
>I strongly agree that we should start with definitions and terminology, and
>I include some comments and suggestions in line below. But first, three
>preliminary comments:
>
>1. There are at least two places below where I suggest that we create two
>definitions where you suggest only single definitions. I expect that your
>reaction to at least one of my two suggestions is that my distinction is
>irrelevant. But I ask you to at least concede that the distinctions I am
>drawing are factually accurate. It may well be that two different
>categories of actors will in the final analysis be treated exactly the same
>(which is a conclusion that you suggested yesterday), but I think in our
>definitions we should still identify the different categories of actors and
>then later decide, if appropriate, to group two categories together.
>
>2. I suggest a couple of new terms below. I do not care about the precise
>words I have suggested, only about the conceptual categories. So if anyone
>has better words to describe the relevant categories, please offer them up.
>
>3. My comments below focus on your suggested definitions, without
>addressing whether the WG wants or needs to have a definition of "location"
>or types of location. We can discuss that in a later e-mail.
>
>On to my comments:
>
>At 12:43 PM 12/11/01 -0500, Rosen, Brian wrote:
> >I'd like to start a discussion of terminology.
> >
> >I think we all agree on the term "target"; it's the device
> >that has a location.
>
>Fine.
>
> >We usually use the term "user", in two contexts. One is that
> >the target is usually described as associated with the user.
> >We really want the location of the user, but until we get
> >implanted with GPS receivers and radios, we have targets
> >that are separate from the user. The other context we
> >use "user" is that the user is the source of the privacy
> >concern. Ultimately, it is the user that grants rights to
> >some other entity to learn the location of the target.
>
>I would split this into two, along the lines of:
> "user" is the person (if any) who is directly associated with the target
>device (by carrying the device, or driving it, etc.)
> "owner" is the person or entity (if different from the user) who is the
>appropriate person/entity to set privacy rules
>To be clear, in some cases there may be no user at all -- an owner simply
>wants to locate the target device, and the device is not a proxy for a
>person.
>Also to be clear, in many cases the user and owner may be one and the
>same. But clearly there will be scenarios in which the user and owner are
>not the same. In the final analysis, it is possible that this distinction
>may not be all that relevant, but I for one cannot prejudge that at this
>point.
>
> >From there, we tend to fall apart on generally accepted
> >terminology. I'd like to propose that we use the policy
> >terms like 'Policy Determination Point' and 'Policy
> >Enforcement Point' which have accepted meanings when we
> >discuss the application of the users policy on the
> >location dissemination. Is that acceptable?
>
>Personally, I do not yet clearly understand how you would define those two
>terms. I can imagine their definition, and I think that I could get on
>board with some definition, but can you spell out two separate definitions?
>
> >Finally, I'd like to take a stab at convincing you that
> >there are only two other entities (nouns) in this process.
> >I think many have in mind that there are several other entities,
> >but in my mind, there are only two.
> >
> >A Server is an entity that knows the location of a target.
> >A Client is an entity that wants to find out the location
> >of a target.
> >
> >See, wasn't that easy?
>
>Too easy, in my view!
>
>First, I agree with you that we may be able to conflate many potential
>categories of actor into a single term like "server." So I accept your
>effort to simplify. I am not happy with "server" or "client" because they
>mean too many things already, but this concern is fairly minor.
>
>More importantly, let's come back to the debate you and I had yesterday in
>the WG about whether my use of the term "carrier" was accurate and/or
>relevant. You quickly convinced me that the word "carrier" is wrong, but I
>persist in thinking that there is a potentially relevant distinction
>here. Let me reformulate my distinction as follows (and please, I hope
>someone comes up with better words than I have here):
>
>an "involuntary location processor" is an entity (like, e.g., a wireless
>carrier or a dial-up ISP) that unavoidably learns or can learn the location
>of the target, simply as a function of the role the entity plays in the
>target's communications capability. Thus, unless a cell phone user simply
>decided never to turn on the device, there is likely nothing the user or
>owner can do to stop the wireless carrier from learning the
>location. (Indeed, U.S. E911 laws may make this situation obligatory for
>the U.S.).
>
>a "voluntary location processor" is an entity that (a) receives the
>target's location with the consent of the owner and (b) in most cases takes
>some action with the information (e.g., serves it, translates it, stores
>it, obfuscates it, returns other info to the target based on it).
>
>Now, I admit that ILPs and VLPs may well in the end be treated exactly
>alike, and so you may be correct in suggesting that the distinction is
>irrelevant. But again, I for one doubt that the distinction will be
>irrelevant, and I certainly cannot at this point in the analysis say that
>the ILP should not receive special attention. Let's identify two
>definitions and decide to conflate them later, if appropriate.
>
>Now, to round out my suggested terminology, I probably would substitute
>something like "ultimate location recipient" instead of "client," but I do
>not think this is critical. The key, in my mind, is that the recipient is
>the last entity to receive the location information, and this recipient may
>well not need to know the full details of the owner's privacy rules.
>
> >Now, let's look at scenarios. Please remember that these
> >are logical functions, and a physical device can have
> >multiple functions implemented in it.
>
>I agree that we should look at scenarios very soon, but I do not want to
>delay my thoughts above until I can get more time to comment on your
>scenarios. Also, reaching tentative consensus on the terminology is
>probably a good first step.
>
>John
>
>
>----------------------------------------
>John B. Morris, Jr.
>Director, Internet Standards, Technology
> & Policy Project
>Center for Democracy and Technology
>1634 I Street NW, Suite 1100
>Washington, DC 20006
>(202) 637-9800
>(202) 637-0968 fax
>jmorris@cdt.org
>http://www.cdt.org
>----------------------------------------
Received on Wed Dec 12 13:00:55 2001