Re: [Geopriv] Privacy of Location Information: The Intended Recipient

From: Alissa Cooper <acooper@cdt.org>
Date: Fri Nov 14 2008 - 11:42:47 EST

It seems to me that in a commercial context there are three categories
of recipients that are relevant from a user perspective: the recipient
(an individual or an organization), the recipient's business
affiliates, and third parties with no relationship to the recipient.
Any further granularity is likely to be overkill for most people. Even
the middle category (affiliates) might be unnecessary, although
privacy lawyers will argue that the existence of a contract between
the recipient and an affiliate is material because it allows the
recipient to impose constraints on how the affiliate can use the
location information it receives. So the fact that AAA has a contract
with Bob's Towing means that I as a user who trusts AAA should be more
willing to trust my location information to Bob's Towing.

Some of the examples below go beyond the notion of expressing to whom
location information should be retransmitted to also include why the
information is retransmitted (I think this is also Hannes' idea of
"context"). The destination AOR, destination domain, and public
examples only speak to the "who" question. The other two incorporate
the notion of the purpose of the retransmission -- service-related or
business partnership.

While the ability to formalize and limit the purpose or context of the
disclosure in rules is attractive, it seems somewhat impossible given
that the reasons for a retransmission are limitless, and the user has
minimal ability to know the options in advance. For example, AAA's
services might require retransmission to BBB Insurance for billing,
retransmission to BBB Insurance for future marketing purposes,
retransmission to the local DMV for statistics-gathering, and multiple
other purpose/recipient combinations. While it would be useful for
some users to be able to express their preferences about each of
these, I'm skeptical that enough people would find this valuable to
make it worth the effort of augmenting the "who" with the "why." The
[recipient | affiliates | others] choice probably suffices. Plus, for
commercial LRs at least, merely adhering to the user's preferences
about who can receive location information is probably going to be a
big step in itself, without even getting to the question of allowing
users to designate which retransmission purposes are allowed.

Lately I have been thinking about this from an advertiser's
perspective, where the choices for users are even coarser (e.g., a
blanket yes/no on whether any user data can be collected to target
ads), so perhaps I'm jaded. But I think introducing the notion of
context might be more trouble than it's worth.

Alissa
Center for Democracy & Technology

On Nov 12, 2008, at 8:42 AM, Henning Schulzrinne wrote:

> Right now, there is little (to put it charitably...) deployment of
> GEOPRIV, and even less outside the ECRIT realm. Thus, we have to
> speculate. My general hunch would be to replace "retransmission"
> with something like
>
> - destination AOR only (alice@example.com)
>
> - disclose to destination domain only (@aaa.com)
>
> - service-related disclosure (AAA may disclose to Bob's Towing and
> Salvage)
>
> - any business partner of the destination AOR (AAA may disclose to
> AAA Auto Insurance)
>
> - public (recipient can post this on a public web page or display
> this on a Jumbotron on Times Square)
>
> I suspect that CDT or privacy-focused organizations can help us
> define this better. The goal should be to align this to common
> privacy practices elsewhere, since lawyers and software developers
> understand those. Making up whole new systems for niche applications
> is unlikely to get us far.
>
> Henning
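As an added illustration (not code from either message, nor from any GEOPRIV draft), the following Python sketch enforces the five disclosure levels Henning lists and maps Alissa's coarser [recipient | affiliates | others] choice onto them at the location recipient's side. The AORs, partner lists and the assumption that "recipient" means the recipient's whole domain are constructed for the example.

```python
"""Recipient-side retransmission check for the disclosure scopes discussed above.
Added example; all names and partner lists are constructed, not from the thread."""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    # Henning's five levels, ordered from narrowest to broadest.
    DESTINATION_AOR = 1     # only the AOR the location object was sent to
    DESTINATION_DOMAIN = 2  # anyone at the recipient's domain
    SERVICE_RELATED = 3     # plus parties the recipient needs to deliver the service
    BUSINESS_PARTNER = 4    # plus any contracted affiliate of the recipient
    PUBLIC = 5              # no restriction on further disclosure


@dataclass
class Recipient:
    aor: str                                             # e.g. "dispatch@aaa.example" (constructed)
    service_partners: set = field(default_factory=set)   # subcontractors such as a towing firm
    business_partners: set = field(default_factory=set)  # insurers, marketing affiliates, etc.


def domain_of(aor: str) -> str:
    return aor.rsplit("@", 1)[-1].lower()


def may_retransmit(scope: Scope, original: Recipient, target_aor: str) -> bool:
    """Return True if `original` may forward the location to `target_aor` under `scope`.
    Each broader scope includes everything the narrower ones allow."""
    target = target_aor.lower()
    if target == original.aor.lower():
        return True                      # delivering to the named AOR is not a retransmission
    if scope is Scope.PUBLIC:
        return True
    if scope is Scope.DESTINATION_AOR:
        return False
    if domain_of(target) == domain_of(original.aor):
        return True                      # same domain: allowed by DESTINATION_DOMAIN and above
    if scope is Scope.DESTINATION_DOMAIN:
        return False
    if target in {p.lower() for p in original.service_partners}:
        return True                      # allowed by SERVICE_RELATED and above
    if scope is Scope.SERVICE_RELATED:
        return False
    return target in {p.lower() for p in original.business_partners}


def coarse_scope(choice: str) -> Scope:
    """Assumed mapping of Alissa's three-way choice onto the finer levels."""
    return {"recipient": Scope.DESTINATION_DOMAIN,
            "affiliates": Scope.BUSINESS_PARTNER,
            "others": Scope.PUBLIC}[choice]
```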

Received on Fri, 14 Nov 2008 11:42:47 -0500