Re: [Geopriv] Questions on pidf-lo

From: John Morris <jmorris@cdt.org>
Date: Tue Nov 11 2003 - 13:34:32 EST

Henning, you won't be happy with how I would answer these questions.
See inline. John

At 11:01 AM -0500 11/11/03, Henning Schulzrinne wrote:
>After another reading and some hallway discussions, a few questions
>on PIDF-LO:
>
>1) What's a party?
>
>In the 'retransmission allowed' item, it says "share ... with other
>parties". It is unclear what this means. It probably can't mean
>'transmit on any network link beyond the LR', since the LR may well
>consist of multiple boxes and I don't think we want to rule out that
>the database is on a different server than the proxy or HTTP server.
>
>On the other hand, does 'party' refer to a legal entity? Thus, if I
>send it to the local Pizza Hut, can that branch send it to HQ?

If it is the same corporate entity, then I doubt we can do anything
about this. But we do not want to suggest that sharing with
"affiliated" entities is in any way okay.

>A reasonable notion may be that this refers to the legal entity that
>owns the domain name where I sent the LO, as that's a matter of
>public (whois) record.

If I let joe@aol.com have my location, that would mean that Time
Warner could also have it (and presumably use it). How about
joe@usdoj.gov? I do not think we want to get into defining as
"acceptable to disclose to" any entity larger than "joe@usdoj.gov."
Local laws will then govern what joe can do with it vis-a-vis his
employer.

>If we want people to respect the rules, we can't have vague
>definitions that leave ample room for creative interpretations or
>class action lawsuits.

True, but the answer is not to build into geopriv a broad
interpretation -- if we need to define an interpretation to avoid
vagueness, then we should define it narrowly.

>
>2) External rules
>
>As far as I can tell, the draft is silent on what should happen if
>the ruleset cannot be resolved. I assume the two flags apply,
>keeping to the model of additive permissions.

Although I fully support the model of additive permissions, here I
think the whole transaction should fail.

>3) Retention
>
>Normal operating procedure is that databases are backed up. Am I
>liable if a location object accidentally makes it onto the backup
>tape? (Example: retention is 24 hours; LO arrives at 8 pm; backup is
>run at midnight. I can't tell the backup routine to not backup that
>entry.)
>
>Worded in its current vagueness, I'm afraid that any large entity
>who has any exposure at all would be foolish to accept any object
>that in any way restricts retention and distribution.

My answer is that big entities will have to cope. In the U.S. at
least, we have not yet resolved the train wreck that occurs between
privacy and routine backup tapes. If the info is in a backup tape,
it can be obtained through subpoena, law enforcement request, etc.

And yes, I do think that companies are moving toward a more
considered backup strategy that takes privacy and other legal
obligations into account. It will be a slow transition, but I think
it will happen.

So any entity concerned about this type of exposure should decide
that certain information should simply not be retained in databases
that are routinely backed up. I strongly do not think we should
allow geopriv to say "do not retain the info longer than the rule
permits (except routine backups don't count)."

>Henning

John
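An added example, not part of the thread: a Python check of a PIDF-LO's usage rules that takes the position argued above for point 2 (an external ruleset that cannot be resolved fails the whole transaction rather than falling back to the two flags) and walks through the backup-tape timing from point 3. Element names follow the geopriv10 schema as later published in RFC 4119; the 2003 draft may have differed, and the resolver stub and sample object are constructed for this example.

```python
"""Fail-closed evaluation of PIDF-LO usage rules (example code, not the draft's)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and element names as in RFC 4119's geopriv10 schema (assumption for
# the 2003 draft discussed in the thread).
GP = "{urn:ietf:params:xml:ns:pidf:geopriv10}"

def resolve_external_ruleset(uri):
    """Stand-in resolver: this example runs offline, so nothing resolves."""
    return None

def evaluate_usage_rules(pidf_lo_xml, now, purpose):
    """Return (allowed, reason) for purpose 'retransmit' or 'retain' at time `now`.

    Deny by default; an unresolvable external ruleset fails the decision outright
    instead of letting the inline flags apply (the position taken in point 2).
    """
    root = ET.fromstring(pidf_lo_xml)
    rules = root.find(f".//{GP}usage-rules")
    if rules is None:
        return False, "no usage-rules element"
    ext = rules.find(f"{GP}external-ruleset")
    if ext is not None and resolve_external_ruleset(ext.text) is None:
        return False, f"external ruleset {ext.text} unresolvable; fail closed"
    if purpose == "retransmit":
        flag = (rules.findtext(f"{GP}retransmission-allowed") or "no").strip()
        return flag == "yes", f"retransmission-allowed={flag}"
    if purpose == "retain":
        expiry = rules.findtext(f"{GP}retention-expiry")
        if expiry is None:
            return True, "no retention-expiry"
        exp = datetime.fromisoformat(expiry.strip().replace("Z", "+00:00"))
        return now < exp, f"retention-expiry={expiry.strip()}"
    return False, f"unknown purpose {purpose}"

# Constructed sample: LO arrives 8 pm EST on 11 Nov 2003 with a 24 h retention
# (expiry 01:00 UTC on 13 Nov); the nightly backup runs at midnight EST (05:00 UTC).
SAMPLE_LO = f"""<presence xmlns="urn:ietf:params:xml:ns:pidf">
 <tuple id="t1"><status><geopriv xmlns="{GP[1:-1]}"><usage-rules>
  <retransmission-allowed>no</retransmission-allowed>
  <retention-expiry>2003-11-13T01:00:00Z</retention-expiry>
 </usage-rules></geopriv></status></tuple></presence>"""
EXTERNAL_LO = SAMPLE_LO.replace("</usage-rules>",
    "<external-ruleset>https://example.invalid/rules</external-ruleset></usage-rules>")

def demo():
    """Run the thread's scenario; returns a dict of (allowed, reason) results."""
    backup1 = datetime(2003, 11, 12, 5, 0, tzinfo=timezone.utc)  # first midnight backup
    backup2 = datetime(2003, 11, 13, 5, 0, tzinfo=timezone.utc)  # next night's backup
    return {"retransmit": evaluate_usage_rules(SAMPLE_LO, backup1, "retransmit"),
            "backup1": evaluate_usage_rules(SAMPLE_LO, backup1, "retain"),
            "backup2": evaluate_usage_rules(SAMPLE_LO, backup2, "retain"),
            "external": evaluate_usage_rules(EXTERNAL_LO, backup1, "retain")}
```

The first backup may still hold the object, the second may not, and the object carrying an unresolvable external ruleset is refused for every purpose.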

Received on Tue Nov 11 13:34:22 2003