Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Randy Bush <randy@psg.com> Mon, 01 February 2021 19:28 UTC

Return-Path: <randy@psg.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 101FD3A1403; Mon, 1 Feb 2021 11:28:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7LHJF4zIs9LA; Mon, 1 Feb 2021 11:28:01 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D747C3A1400; Mon, 1 Feb 2021 11:28:00 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1l6erW-0004iL-Ip; Mon, 01 Feb 2021 19:27:50 +0000
Date: Mon, 01 Feb 2021 11:27:50 -0800
Message-ID: <m2h7mvfv0p.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Adrian Farrel" <adrian@olddog.co.uk>
Cc: <opsawg@ietf.org>, <opsawg-chairs@ietf.org>, <draft-ietf-opsawg-finding-geofeeds@ietf.org>
In-Reply-To: <06bf01d6f884$18acfd10$4a06f730$@olddog.co.uk>
References: <06bf01d6f884$18acfd10$4a06f730$@olddog.co.uk>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=ISO-8859-7
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/ApgtBjtQN9CBrz278JYUiQ8ffEM>
Subject: Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2021 19:28:03 -0000

hey adrian,

> Is it too late to ask for some privacy considerations to be added to
> this document?

it is never too late to ask for privacy.  as usual, the problem is how
to provide it :)

> My initial thought was that the authors would point me to 8805, but a
> quick look there doesn’t show any mention of privacy.

which is unfortunate.  the authors have sworn under oath that they
considered it.

e.g. they told me that this is why postal codes are not in 8805 geofeed
files.  they described places such as those isles to the west of europe
(on which i think you live) postal codes can locate an individual or
extremely small group.

> My concern here is that the end-user’s geographic locale is being
> exposed to the service provider without the agreement of the end-user,
> and without the end-user even knowing that it is happening.

i think we all share the concern that an end-user's locale might be
revealed.  and i suspect at least you and i pretty much agree on the
core issues.  but ...

tl;dr: that is an 8805 problem, water under someone else's bridge

unnecessary and pedantic details:

  o in pretty much all cases i know, the user's locale is known by their
    service provider.  the issue would seem to be the provider's
    revealing the user's locale to the public, which includes other
    providers.

  o my understanding is that 8805 was developed specifically to provide
    a mechanism for the user's provider to publish the user's locale to
    other providers, with the major goal being content customization.

  o whether we believe that content should be customized by locale,
    while an interesting discussion, is probably best held in another
    locale.

  o luckily, the folk who want to customize content by locale seem happy
    with fairly low resolution.

  o though clearly agencies such as law enforcement and my mother, would
    love one's precise locale at all times; i do not think they were the
    intended customer for 8805, and they are definitely not the intended
    customer for this draft.

> I know that this information has great value for a number of aspects
> of service provision (not least geographic licensing), and I am not
> opposed to its availability. I do object, however, to the concept that
> a user’s locale is generally available. A user should have the option
> of not revealing their locale (in the knowledge that this may exclude
> them from accessing some services).

let's remember that even 8805 does not directly reveal the location of
users.  it reveals low resolution location of ip address spaces.  but of
course we know ip addresses can be attributed to users.

> Now, I doubt that this document is the right place to fix these
> privacy concerns. But it might be a good place to add a short
> paragraph on the privacy issues raised by using geo feeds.

to paraphrase the immortal words of vince perriello, send text :)
but, as a first idea, how about something such as this in the Geofeed
Files section?

    RFC8805 geofeed data may reveal the approximate location of an IP
    address, which might in turn reveal the approximate location of an
    individual user.  Unfortunately, RFC8805 provides no privacy
    guidance on avoiding or ameliorating possible damage due to this
    exposure of the user.  In publishing pointers to geofeed files as
    described in this document the operator should be aware of this
    exposure in geofeed data and be cautious.

sad to say, i can not think of more useful guidance than caution.

randy