I think your earlier example of using geopriv in conjunction with
inanimate carriers of targets is an example of where the split between
carry and assert matters. The entity (say a shipping container)
doesn't care about its location privacy, but its owner may.
Adam
On Wed, Dec 12, 2001 at 10:27:40AM -0500, Rosen, Brian wrote:
> So now we have 3 entities:
> The entity "carrying" the target
> The entity that legally/contractually owns the location information
> The entity that asserts the policy.
>
> I don't have a real philosophical problem with 3 entities,
> but I wonder if there really are cases where "carry" and "assert"
> are actually two different entities?
>
> Brian
>
> > -----Original Message-----
> > From: Ajith Narayanan [mailto:ajithn@sg.ibm.com]
> > Sent: Wednesday, December 12, 2001 3:59 AM
> > To: Rosen, Brian
> > Cc: 'John Morris '; 'geopriv'
> > Subject: RE: Terminology
> >
> > 1. "owner" and "policy proponent" (new), "policy decision point"
> >
> > The word "owner" is probably good, but I'd hope for a better word. The
> > problem I see is this -- by calling this entity the "owner" we suggest
> > that he/she has some rightful ownership of the location sighting (where
> > location sighting = the information that a certain target is sighted at a
> > certain location at a certain time). When the "user" has the rightful
> > ownership of that information (i.e., owner == user) he/she is likely to
> > have the best possible control of their privacy. However, in some settings
> > -- e.g., the cases where the "carrier" (e.g., a Voluntary Location
> > Processor) legally owns the location sighting information -- the user will
> > not have claim to such ownership, strictly speaking. However, privacy may
> > still exist because of a contract between the "user" and the "owner" (the
> > VLP carrier, in this case). The carrier owns the information, but may
> > allow the "user" to exercise control over its disclosure. Thus the user
> > exercises policy control over how the location sighting is used, without
> > having to be the owner of the information per se. This is not the best
> > scenario for privacy, but I think we need to be able to talk about such
> > scenarios, and refer to such a user who exercises control over location
> > disclosure policy.
> >
> > So I would like to propose the term "policy proponent" to refer to an
> > entity that proposes a policy which should govern the disclosure of
> > location sightings. An entity who wants to protect their privacy would do
> > so by becoming a policy proponent. I visualize multiple policy proponents,
> > one of whom is possibly the user, who may or may not be the owner.
> >
> > The reason I say "a policy" in the above paragraph, as opposed to "the
> > policy" is that there may be multiple policy proponents and their policies
> > may potentially conflict with each other. For example, take the situation
> > in which the State (a policy proponent) mandates full disclosure for E-911
> > or for cases covered by a judicial court order. The "policy decision
> > point" is an entity that processes multiple policies applicable to a
> > location sighting, resolves policy conflicts according to a resolution
> > algorithm, and outputs a go/no-go disclosure decision.
> >
> > If we are talking about ownership of information, I think the terms we use
> > should preferably be close to the terms used by laws that address ownership
> > of information (I am not sure what those terms are). If we don't have a
> > better term, then I'm happy with "owner" for the most part, though I
> > would prefer the term "owner of the sighting" to make it even clearer. The
> > term "sighting" itself is well defined in literature in location-aware
> > computing, as a 3-tuple consisting of <target-identity, location, time>.
> > 2. "user"
> >
> > For the "user carrying the target"... I propose "co-located user" or
> > "co-sighted user". Sometimes the co-located (co-sighted) user does not
> > exist or has no meaning (e.g., in asset tracking). Also, we may even get
> > by without ever referring to the co-located (co-sighted) user in cases
> > where he/she is neither the owner nor a policy proponent.
> >
> > 3. "server", "client"
> >
> > How about "location server" and "location client"? I think these terms
> > avoid the confusion that arises with client/server roles at the protocol
> > level (e.g. HTTP). Commenting on John Morris's proposed "ultimate
> > location recipient", I agree that we may need to distinguish between
> > "direct" and "indirect" recipients of location information. The
> > information is passed from a "location server" to a "direct location
> > recipient" ("direct location client") who in turn serves as a "location
> > server" and passes it (possibly translated, obfuscated...etc) to an
> > indirect location client. Direct and indirect are relative to the first
> > location server. If a certain location client guarantees to not
> > propagate location information further (e.g., it may be technically
> > incapable of doing so, or be contractually bound), then we may call it an
> > "ultimate location recipient". In my view this qualification is a strong
> > privacy statement, so the distinction is important to make.
> >
> > In item (1), I realize that I used the term "Policy Decision Point" which
> > is probably not a term used by policy folks. Please correct me!
> >
> > Cheers
> > -- Ajith
> >
> > | Ajith Narayanan
> > | IBM Emerging Technology Centre
> > | ajithn@sg.ibm.com Tel: (65) 320-1939 Fax: (65) 224-5260
> > | IBM Singapore Pte Ltd, IBM Towers, 80 Anson Rd, Singapore 079907
> > --
> >
> >
> > "Rosen, Brian" <Brian.Rosen@marconi.com> on 12/12/2001 08:47:44 AM
> >
> > To: "'John Morris '" <jmorris@cdt.org>,
> > "'geopriv@mail.apps.ietf.org '" <geopriv@mail.apps.ietf.org>
> > cc:
> > Subject: RE: Terminology
> >
> >
> >
> > Henning suggested "owner" for the policy determining entity, so
> > why don't we agree to that.
> >
> > I'd actually like a more descriptive term for the entity "carrying"
> > the target than "user". Anyone got suggestions?
> >
> > Henning, like you, did not like "client" or "server". He suggested
> > "location provider" and "location seeker". I have no problem with
> > those choices.
> >
> > I don't yet appreciate the difference between an involuntary
> > and a voluntary provider. Please give me some hint of why
> > differentiating might affect the design of the object, the protocol
> > or the privacy considerations. It seems to me that voluntary
> > or involuntary, you treat the data the same way.
> >
> >
> >
> > -----Original Message-----
> > From: John Morris
> > To: geopriv@mail.apps.ietf.org
> > Sent: 12/11/01 6:54 PM
> > Subject: Re: Terminology
> >
> > Brian,
> >
> > I strongly agree that we should start with definitions and terminology, and
> > I include some comments and suggestions in line below. But first, three
> > preliminary comments:
> >
> > 1. There are at least two places below where I suggest that we create two
> > definitions where you suggest only single definitions. I expect that your
> > reaction to at least one of my two suggestions is that my distinction is
> > irrelevant. But I ask you to at least concede that the distinctions I am
> > drawing are factually accurate. It may well be that two different
> > categories of actors will in the final analysis be treated exactly the same
> > (which is a conclusion that you suggested yesterday), but I think in our
> > definitions we should still identify the different categories of actors and
> > then later decide, if appropriate, to group two categories together.
> >
> > 2. I suggest a couple of new terms below. I do not care about the precise
> > words I have suggested, only about the conceptual categories. So if anyone
> > has better words to describe the relevant categories, please offer them up.
> >
> > 3. My comments below focus on your suggested definitions, without
> > addressing whether the WG wants or needs to have a definition of "location"
> > or types of location. We can discuss that in a later e-mail.
> >
> > On to my comments:
> >
> > At 12:43 PM 12/11/01 -0500, Rosen, Brian wrote:
> > >I'd like to start a discussion of terminology.
> > >
> > >I think we all agree on the term "target"; it's the device
> > >that has a location.
> >
> > Fine.
> >
> > >We usually use the term "user", in two contexts. One is that
> > >the target is usually described as associated with the user.
> > >We really want the location of the user, but until we get
> > >implanted with GPS receivers and radios, we have targets
> > >that are separate from the user. The other context we
> > >use "user" is that the user is the source of the privacy
> > >concern. Ultimately, it is the user that grants rights to
> > >some other entity to learn the location of the target.
> >
> > I would split this into two, along the lines of:
> > "user" is the person (if any) who is directly associated with the target
> > device (by carrying the device, or driving it, etc.)
> > "owner" is the person or entity (if different from the user) who is the
> > appropriate person/entity to set privacy rules
> > To be clear, in some cases there may be no user at all -- an owner simply
> > wants to locate the target device, and the device is not a proxy for a
> > person.
> > Also to be clear, in many cases the user and owner may be one and the
> > same. But clearly there will be scenarios in which the user and owner are
> > not the same. In the final analysis, it is possible that this distinction
> > may not be all that relevant, but I for one cannot prejudge that at this
> > point.
> >
> > >From there, we tend to fall apart on generally accepted
> > >terminology. I'd like to propose that we use the policy
> > >terms like 'Policy Determination Point' and 'Policy
> > >Enforcement Point' which have accepted meanings when we
> > >discuss the application of the users policy on the
> > >location dissemination. Is that acceptable?
> >
> > Personally, I do not yet clearly understand how you would define those two
> > terms. I can imagine their definition, and I think that I could get on
> > board with some definition, but can you spell out two separate
> > definitions?
> >
> > >Finally, I'd like to take a stab at convincing you that
> > >there are only two other entities (nouns) in this process.
> > >I think many have in mind that there are several other entities,
> > >but in my mind, there are only two.
> > >
> > >A Server is an entity that knows the location of a target.
> > >A Client is an entity that wants to find out the location
> > >of a target.
> > >
> > >See, wasn't that easy?
> >
> > Too easy, in my view!
> >
> > First, I agree with you that we may be able to conflate many potential
> > categories of actor into a single term like "server." So I accept your
> > effort to simplify. I am not happy with "server" or "client" because they
> > mean too many things already, but this concern is fairly minor.
> >
> > More importantly, let's come back to the debate you and I had yesterday in
> > the WG about whether my use of the term "carrier" was accurate and/or
> > relevant. You quickly convinced me that the word "carrier" is wrong, but I
> > persist in thinking that there is a potentially relevant distinction
> > here. Let me reformulate my distinction as follows (and please, I hope
> > someone comes up with better words than I have here):
> >
> > an "involuntary location processor" is an entity (like, e.g., a wireless
> > carrier or a dial-up ISP) that unavoidably learns or can learn the location
> > of the target, simply as a function of the role the entity plays in the
> > target's communications capability. Thus, unless a cell phone user simply
> > decided never to turn on the device, there is likely nothing the user or
> > owner can do to stop the wireless carrier from learning the
> > location. (Indeed, U.S. E911 laws may make this situation obligatory for
> > the U.S.).
> >
> > a "voluntary location processor" is an entity that (a) receives the
> > target's location with the consent of the owner and (b) in most cases takes
> > some action with the information (e.g., serves it, translates it, stores
> > it, obfuscates it, returns other info to the target based on it).
> >
> > Now, I admit that ILPs and VLPs may well in the end be treated exactly
> > alike, and so you may be correct in suggesting that the distinction is
> > irrelevant. But again, I for one doubt that the distinction will be
> > irrelevant, and I certainly cannot at this point in the analysis say that
> > the ILP should not receive special attention. Let's identify two
> > definitions and decide to conflate them later, if appropriate.
> >
> > Now, to round out my suggested terminology, I probably would substitute
> > something like "ultimate location recipient" instead of "client," but I do
> > not think this is critical. The key, in my mind, is that the recipient is
> > the last entity to receive the location information, and this recipient may
> > well not need to know the full details of the owner's privacy rules.
> >
> > >Now, let's look at scenarios. Please remember that these
> > >are logical functions, and a physical device can have
> > >multiple functions implemented in it.
> >
> > I agree that we should look at scenarios very soon, but I do not want to
> > delay my thoughts above until I can get more time to comment on your
> > scenarios. Also, reaching tentative consensus on the terminology is
> > probably a good first step.
> >
> > John
> >
> >
> > ----------------------------------------
> > John B. Morris, Jr.
> > Director, Internet Standards, Technology
> > & Policy Project
> > Center for Democracy and Technology
> > 1634 I Street NW, Suite 1100
> > Washington, DC 20006
> > (202) 637-9800
> > (202) 637-0968 fax
> > jmorris@cdt.org
> > http://www.cdt.org
> > ----------------------------------------
> >
-- "It is seldom that liberty of any kind is lost all at once." -Hume

Received on Thu Dec 13 14:09:06 2001
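The "policy decision point" Ajith sketches above (several policy proponents whose policies may conflict, a resolution algorithm, a go/no-go output) worked through as an added example that is not from this thread or from any geopriv draft; the proponents, recipient names, sighting values and the resolution order are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, NamedTuple

class Sighting(NamedTuple):          # the thread's 3-tuple <target-identity, location, time>
    target: str
    location: str                    # constructed placeholder format, e.g. "cell:31415"
    time: datetime

@dataclass
class Policy:
    proponent: str                             # who proposes it: "user", "owner", "state"
    decision: str                              # "permit" or "deny"
    applies: Callable[[Sighting, str], bool]   # (sighting, recipient) -> is this policy applicable?
    mandate: bool = False                      # legal mandate (E-911, court order) beats contracts

@dataclass
class Decision:
    disclose: bool
    reason: str

def decide(sighting: Sighting, recipient: str, policies: List[Policy]) -> Decision:
    """Go/no-go decision for disclosing `sighting` to `recipient`. Resolution order is an
    assumption of this example: mandate wins > any deny blocks > any permit allows > default deny."""
    applicable = [p for p in policies if p.applies(sighting, recipient)]
    for p in applicable:                       # 1. a legal mandate decides regardless of the rest
        if p.mandate:
            return Decision(p.decision == "permit", f"mandate from {p.proponent}")
    for p in applicable:                       # 2. deny-overrides: one proponent's deny suffices
        if p.decision == "deny":
            return Decision(False, f"denied by {p.proponent}")
    for p in applicable:                       # 3. an explicit permit from some proponent
        if p.decision == "permit":
            return Decision(True, f"permitted by {p.proponent}")
    return Decision(False, "no applicable policy: default deny")   # 4. fail closed

def sample_policies() -> List[Policy]:
    """Constructed proponents: the co-located user, the owner (a VLP carrier under
    contract with the user) and the State with an E-911 disclosure mandate."""
    return [
        Policy("user", "deny", lambda s, r: r in ("advertiser", "psap")),
        Policy("owner", "permit", lambda s, r: r == "fleet-dispatch"),
        Policy("state", "permit", lambda s, r: r == "psap", mandate=True),
    ]

def run_scenarios() -> Dict[str, Decision]:   # one constructed sighting, four would-be recipients
    s = Sighting("truck-17", "cell:31415", datetime(2001, 12, 12, 15, 27, tzinfo=timezone.utc))
    return {r: decide(s, r, sample_policies())
            for r in ("advertiser", "fleet-dispatch", "psap", "researcher")}
```

The "psap" case is the conflict Ajith describes: the user's deny applies, but the State's mandate takes precedence, so the sighting is disclosed anyway.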