Re: [paws] Alissa Cooper's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)

Vincent Chen <vchen@google.com> Mon, 22 September 2014 07:17 UTC

Return-Path: <vchen@google.com>
X-Original-To: paws@ietfa.amsl.com
Delivered-To: paws@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4041A1A4E for <paws@ietfa.amsl.com>; Mon, 22 Sep 2014 00:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.536
X-Spam-Level:
X-Spam-Status: No, score=0.536 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0W4rRIdHkBg for <paws@ietfa.amsl.com>; Mon, 22 Sep 2014 00:16:57 -0700 (PDT)
Received: from mail-vc0-x234.google.com (mail-vc0-x234.google.com [IPv6:2607:f8b0:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 519211A1A40 for <paws@ietf.org>; Mon, 22 Sep 2014 00:16:57 -0700 (PDT)
Received: by mail-vc0-f180.google.com with SMTP id hq11so3748200vcb.39 for <paws@ietf.org>; Mon, 22 Sep 2014 00:16:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NEiYcABNz2xPX56GVmHUaBzGhVp/troI/fn2fP6iI48=; b=lZU22bqg4vZg5knetTSPbz2CfiwMdGFx9gVvy/KB9ZYL+wxZGTcu+GzhGVwWgwv3Q7 sP8vpkZJerPxbyB++pCVhXVMur14VSBtr4ff3cKa/eV4WxvFFdLi8407bf+LEJfqZV6O Erq7AObELxglOgUyh+1iB5Te/TkatG582ffT4iRu1eAFUKZ7UgNPgpTPq5rLJun6bHXl PLz6H3BV7eeGUf/+M/6pUriCskErf3cV2O66ZmM1re7tbQFyO8WcwqeZy+WTTjDtRZj+ +5vc24AzViSXA+SCEtOOkZKP5JYjTqGC+ydCU8wk7WoqA2v3eMueyWwyQQXVDfSmnwrt F09g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NEiYcABNz2xPX56GVmHUaBzGhVp/troI/fn2fP6iI48=; b=QsIwX6BN923tBE9xrc1at8vEW2U/5UErL0AqNjUlrtzDlp8a62/+IIX7MXapdLcRN0 tP4NQ7InMCAljryFoU8yLN5L853/dsZt5vBPhGuELR8FbpXY7moDRH8d0aEfp5Q5w6kT ZzptUON6EHoyT4mH5HfjsFWykNv3GxTYbULZJbjsrZY4S3FuCfwo0hXHLHD7HSqM51th 6w4S8Fn7sgVi8OohxSpbd0dZmWThlYbZp7Kjcn9r2evP+I/+tkPVIb+RSIhmaVRSxb0S c+8WtJplsZg2hEntJp6fS+PZQC6v5xDrmBtZb/znT+mqEamAqIL7aGqH3iPCgMsSoR12 LMSg==
X-Gm-Message-State: ALoCoQmmsNlOSKUgeZSyvmNB1UPhdyVUq1Vho8xtdahiHCmYhjBIor9orlhG8g6eQDKgeQFueWlc
MIME-Version: 1.0
X-Received: by 10.220.74.10 with SMTP id s10mr5558596vcj.61.1411370216422; Mon, 22 Sep 2014 00:16:56 -0700 (PDT)
Received: by 10.52.236.232 with HTTP; Mon, 22 Sep 2014 00:16:56 -0700 (PDT)
In-Reply-To: <D0388B73.57841%alissa@cooperw.in>
References: <20140820165236.31862.86067.idtracker@ietfa.amsl.com> <CABEV9ROW=KhQDCU5=X+SrtPAAOwd0QgvKJh_-owQ4b1CvdNvog@mail.gmail.com> <D0388B73.57841%alissa@cooperw.in>
Date: Mon, 22 Sep 2014 00:16:56 -0700
Message-ID: <CABEV9ROcLstZ1gpFrYpeAo07o+pp6QPeF4ovm_GXDB8DdWCiGw@mail.gmail.com>
From: Vincent Chen <vchen@google.com>
To: Alissa Cooper <alissa@cooperw.in>
Content-Type: multipart/alternative; boundary=e89a8f64719365946c0503a23c26
Archived-At: http://mailarchive.ietf.org/arch/msg/paws/lu1kddbAebuerQFEwHgh_X6Rxaw
Cc: "paws@ietf.org" <paws@ietf.org>, "paws-chairs@tools.ietf.org" <paws-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-paws-protocol@tools.ietf.org
Subject: Re: [paws] Alissa Cooper's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)
X-BeenThere: paws@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Protocol to Access White Space database \(PAWS\)" <paws.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/paws>, <mailto:paws-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/paws/>
List-Post: <mailto:paws@ietf.org>
List-Help: <mailto:paws-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/paws>, <mailto:paws-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2014 07:17:01 -0000

Hi Alissa,

Sorry for the delayed response. I've uploaded draft 18, incorporating your
suggestions. I've simplified the text a bit, but, hopefully, it addresses
your concerns. Please let me know what you think.

http://www.ietf.org/rfcdiff?url2=draft-ietf-paws-protocol-18

Thanks.

-vince

On Fri, Sep 12, 2014 at 9:03 AM, Alissa Cooper <alissa@cooperw.in>; wrote:

> Hi Vincent,
>
> I’ve taken a look at the –17. Thanks for accommodating many of my DISCUSS
> points. I have a one response below on a couple of remaining issues.
>
> On 8/21/14, 12:59 AM, "Vincent Chen" <vchen@google.com>; wrote:
>
>
>
>> = Section 5.1 =
>> I'd like to discuss why the single point location format needs to be
>> supported here. Is it really the case that a portion of whitespace
>> spectrum will ever be available only at a single point, as opposed to a
>> region? If not, it seems like sending a point (and, moreover, allowing
>> region to be unsupported but not point) divulges more precise information
>> about the requesting device than is ever actually necessary to fulfill
>> the goals of this protocol. Do regulators require a single point? Why?
>>
>
> The resulting spectrum is valid for 100m (typically) radius around that
> point.
>
> Computation of available spectrum for a region is actually complex and not
> well defined...
>
>
>>
>> = Section 5.2 =
>> I'd like to discuss why the device serial number needs to be included in
>> the device descriptor, rather than some (perhaps persistent) randomly
>> generated device identifier that is used only in the context of this
>> protocol (which would better protect the privacy of the user of the
>> device, since the whitespaces database administrator wouldn't be able to
>> correlate the device's spectrum requests with other activities linked to
>> the serial number). It's not really clear why serial number is collected
>> since both this document and RFC 6953 note the protocol does not defend
>> against abuse or mis-use of spectrum.
>>
>
> The regulator want to have the ability to black list ranges of serial
> numbers, if it
> determines that a series was defective. The Databases must use the serial
> number
> to determine it can return available spectrum.
>
>
>>
>> I'm asking the above two questions in light of requirement P.7 from RFC
>> 6953, "The PAWS protocol SHOULD support privacy-sensitive handling of
>> device-provided data where such protection is feasible, allowed, and
>> desired."
>>
>> A separate interesting question that does not seem to be addressed
>> anywhere in the draft is whether a device can be fingerprinted by the
>> database operator by virtue of the collection of elements it sends
>> (rulesetIds, manufacturer, model, antenna characteristics, device
>> capabilities, etc.) even if it doesn't send a serial number or device
>> owner information that uniquely identify it. That seems worth discussion
>> in Section 10.
>>
>
> What should the discussion say? Just that it is possible? or does it need
> to have a solution?
>
>
> Now that the document is clear that Slave device location and serial
> number are optional (unless required by a ruleset), I think the remaining
> task on the above three points is to add a bit of text to Section 10 to
> explain the potential privacy threats from authorized databases, perhaps as
> a short paragraph or two at the end of Section 10. Something along these
> lines (just a suggestion, feel free to reject this entirely or use bits
> that you like):
>
> "In addition to the privacy risks described above, in some cases, users of
> Master or Slave devices may open themselves up to privacy risks related to
> the secondary use of PAWS-related information by a database administrator.
> For example, in situations where rulesets require that Master or Slave
> devices uniquely identify themselves (via the DeviceDescriptor or
> DeviceOwner parameters), database administrators may be able to use that
> information to track connectivity activity over time, or they may share
> such tracking information with third parties. Where Master or Slave devices
> choose to provide or are required to provide geolocation information in
> conjunction with unique device identifiers, this capability may further
> extent to location tracking. Even where a device does not provide a
> specific unique identifier, a database administrator may be able to
> uniquely fingerprint a device based on the combination of other information
> provided in DeviceDescriptor or DeviceCapabilities parameters.
>
> In cases where devices have a choice to not send device-identifying
> information or geolocation, or to send less granular geolocation (i.e., a
> region rather than a point), PAWS implementations can reduce the risks
> associated with secondary use by not sending that information. Where
> rulesets require this information to be sent, these risks require
> out-of-band mitigation (e.g., public statements or contractual terms
> preventing secondary use).”
>
> Thanks,
> Alissa
>
>
>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> = Shepherd write-up=
>> "An in-depth review by a JSON expert might be useful."
>>
>> Did that happen?
>>
>
> Tim Bray had looked at it before final call.
>
>
>>
>> = Section 1 =
>> "It opens the door for innovations in spectrum
>>    management that can incorporate a variety of parameters, including
>>    user location and time.  In the future, it also can include other
>>    parameters, such as user priority, time, signal type and power,
>>    spectrum supply and demand, payment or micro-auction bidding, and
>>    more."
>>
>> Time seems to be listed both as a current parameter and a future one,
>> which is confusing.
>>
>
> Agreed. The second "time" should be removed.
>
>
>>
>> = Section 4.4 =
>> "FCC rules, for example, require that a 'Fixed Device'
>>    register its owner and operator contact information, its device
>>    identifier, its location, and its antenna height."
>>
>> It would be nice to have a citation for the rules referenced here.
>>
>
> OK.
>
>
>>
>> = Section 5.1 =
>> Feel free to ignore this if it's completely misguided, but does altitude
>> really not matter? Are we sure this protocol won't be re-used for devices
>> on airplanes trying to find available spectrum? (I note that in RFC 6953,
>> requirement D.1 specifies that the data model must support "the height
>> and its uncertainty" -- I have no idea what "the height" means or if it
>> is related to altitude.)
>>
>
> See Section 5.3 on "height" of the antenna. It's separated out, from the
> "latitude, longitude" specification
> of GeoLocation. It allows specification with respect to ground level or
> mean sea level, and is intended
> for Fixed devices, rather than mobile devices.
>
> From the current regulator's perspective, the allowed power for mobile
> devices is low enough that
> height does not matter.
>
>
>
>>
>> = Section 10 =
>> I agree with Stephen that the database operator should be considered as a
>> potential adversary from the standpoint of potentially being able to
>> create a fine-grained database that tracks the locations and spectrum use
>> patterns of individual devices. That data could certainly be abused.
>>
>>
> So just listing that as a potential threat and declare that fixing this as
> out of scope is sufficient?
>
> Or do we need to state that Databases MUST not track? I can see how
> anonymized tracking
> can be useful for spectrum management in the future, much like anonymized
> tracking of car locations
> provide valuable traffic information for navigation systems.
>
> --
> -vince
>
>


-- 
-vince