Re: [ietf-privacy] Nits about draft-ietf-geopriv-held-measurements-06.txt

Martin Thomson <martin.thomson@gmail.com> Thu, 11 April 2013 16:55 UTC

From: Martin Thomson <martin.thomson@gmail.com>
To: SM <sm@resistor.net>
Cc: ietf-privacy@ietf.org, GEOPRIV WG <geopriv@ietf.org>, Eliot Lear <lear@cisco.com>

Hey SM,

On 10 April 2013 23:02, SM <sm@resistor.net> wrote:
> As a FYI, there is an article about the privacy bounds of human mobility at
> http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html

Interesting research, but not a particularly surprising finding.
There was research a few years back that found that very coarse
information (again, cellular radio transmitter locations) was
sufficient information to track a precise path for a journey if a
precise path had once been provided.

It's also consistent with our findings on obscuring location.  That
is, it doesn't work as well as you think it does, even if you don't
think it works very well at all.

> Here are some nits (feel free to ignore).  Section 6 mentions that:
>
>   "In order to protect the privacy of the subject of location-related
>    measurement data, this implies that measurement data is protected
>    with the same degree of protection as location information."
>
> Section 6.2 mentions that:
>
>   "By adding measurement data to a request for location information, the
>    Device implicitly grants permission for the LIS to generate the
>    requested location information using the measurement data.
>    Permission to use this data for any other purpose is not implied."
>
> and
>
>   "A LIS MUST discard location-related measurement data after servicing
>    a request, unless the Device grants permission to use that information
>    for other purposes."
>
> How can a device implicitly grant permission?  It is up to the user to grant
> permission.

Ah yes, I'm not sure whether this was made explicit in this draft
(probably not), but we take the view that the Device is a proxy for a
user (Target in geopriv-parlance).  In terms of protocols and location
determination that's the only reasonable assumption to make.  That's a
really important point though, not something we should be taking on
faith.  I'll make sure to add a note.

> The specification also sends information, e.g. for wifi, which might not be
> readily available to the cellular operator.  The privacy model followed can
> be described as the unknowingly informant model.

I don't know where you are going with the "unknowingly informant
model", but it's true that in some cases, measurements that are
provided to a LIS might not be useful. If your LIS is operated by a
cellular operator, then maybe (though it's only a maybe) the cellular
operator won't be able to use the information to improve a location
estimate.  Similarly, they might not know how to deal with GLONASS
pseudoranges.

Implementations have choices on the spectrum between: provide nothing
and see if the LIS asks for more information; and provide everything
and don't worry about the extra stuff.  The latter choice actually has
some implications with respect to performance and time, so most likely
it will go somewhere in between the two.