INTERNET-DRAFT J. Morris
Center for Democracy and Technology
D. Mulligan
Samuelson Law, Technology, and Public Policy Clinic
S. Kelin
Samuelson Law, Technology, and Public Policy Clinic
A. Davidson
Center for Democracy and Technology
draft-morris-geopriv-scenarios-00.txt November 2001
Expires May 2002
Framework for Location Computation Scenarios
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026. Internet-Drafts are working documents of
the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document defines a framework for describing location
computation scenarios. The framework is intended to be a starting
point for a discussion of privacy and security issues for
location-based services.
Morris, Mulligan, Kelin & Davidson [Page 1]
Internet-Draft Location Computation Scenarios November 2001
1. Introduction
Location-based services (applications that require geographic
location information as input) are becoming increasingly common.
The collection and transfer of location information about a
particular target can have privacy implications. The ability to
derive or compute a target's location, and access to the derived or
computed location, are key elements of the location-based services
privacy equation. Central to a target's privacy are (a) the
identity of entities that have access to raw location data, derive
or compute location, and/or have access to derived or computed
location information, and (b) whether those entities can be trusted
to know and follow the target's privacy rules. This document seeks
to list location-computation scenarios and identify for each
scenario which entities must be trusted to ensure a target's
privacy.
2. Scope of This Document
The framework set out below assumes that "location information" is
a relatively specific way of describing where a target is located
and that the location information is either (a) derived or computed
from information generally viewed as non-public, or (b) determined
by a device that is not generally publicly addressable or
accessible. For example, location information could include
information calculated by triangulating on a wireless signal with
respect to carriers' cell phone towers, or longitude and latitude
information determined by a device with GPS (global positioning
satellite) capabilities. The framework below also encompasses, for
example, scenarios in which the non-mobile position of a target is
derived from "caller-ID" or ANI (automatic number identification)
information obtained by a service provider offering dial-in network
access.
Excluded from the framework below is location information that is
based on generally available information such as an IP or e-mail
address. It is important to note that information like IP address
can enable someone to roughly estimate a location. Commercial
services exist, for example, that offer to provide rough location
information based on IP address. Currently, this type of location
information is less accurate and has a coarser granularity than the
type of location information addressed in this document. This less
accurate type of location computation still raises significant
potential privacy and public policy concerns, but such scenarios
are outside the scope of this document.
For the purposes of this document, "privacy rules" are rules that
regulate an entity's activities with respect to location
information, including, but not limited to, the collection, use,
disclosure, and retention of location information. These rules must
generally comply with fair information practices. For example, see
the OECD (Organisation for Economic Co-operation and Development)
Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data at http://www1.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM.
Specific parameters of these rules are outside the scope of
this document, but they must be fully articulated in a separate
document prior to creating location privacy technologies.
3. Framework
The framework to describe location computation scenarios has three
attribute categories: mobility of the target, which entity has
control over the raw data, and the site of the location
computation.
The first attribute category, the mobility of the target, has two
possible values: fixed or mobile. Because human beings are not
inherently trackable, location-based services often use location
information based on devices that people use or carry. In other
words, the location of a target's device is often used as a proxy
for the location of the target him/herself. In other scenarios,
the desired location is that of the device itself, for example if a
device is installed in a vehicle or other object to be tracked.
For purposes of this framework, what is relevant is not primarily
the actual portability of a target device, but the method of the
device's data connection. For example, a laptop computer using a
wired data connection (including a dial-up connection through the
public switched telephone network) typically indicates that the
target is in a fixed location at the point of the location inquiry,
while a laptop computer using a wireless data connection should be
viewed as "mobile" even if the laptop is in fact not moving. Thus,
the type of data connection can indicate a target's "mobility."
The other two attribute categories can be thought of as decision
points that are related to steps in the location computation
process. The location computation process contains two steps: 1)
obtaining raw data about the target's location, and 2) deriving or
computing the target's location using this raw data. One example
of such a location computation process is signal triangulation.
The raw data (Step 1) includes the direction a cell phone is from
certain cell towers and where those cell towers are located. Given
this information, one can compute the cell phone's location (Step
2).
It is significant that the raw information from Step 1 and the
computed location from Step 2 both provide information about the
target's position. In Step 2, the raw data from Step 1 is
transformed (and perhaps joined with external geographic or other
data) into a more useful format. Because location information can
be expressed in many formats, it is also possible that the location
computed in Step 2 will be further transformed so that it is more
useful to the requestor. After the target's location has been
computed, the location is available to be used in a location
service or otherwise served to a requestor (as discussed in Section
7 below).
The first decision point is who has control over the raw data (Step
1). There are two possible values: the target or the target's
(wired or wireless) carrier network. In this framework, if the
target cannot control the dissemination of the raw data (such as
with a cell phone that transmits information from a GPS chip to the
wireless carrier without regard to the user's preferences), then
the correct value would be the carrier (even though the user may
have the ability to turn the cell phone, and thus the GPS
reporting, off entirely).
The second decision point is the site of the location computation
(Step 2). There are three possible values: the target's device, the
carrier network of the target's device, or a third party who is
neither the target nor the carrier.
There are two distinct decision points because the entity or device
that controls the raw data may transmit it to a different entity
before the location computation is performed. Although some
initial implementations of location-based services may assume that a
wireless carrier will perform the location computation, any
framework to protect privacy should accommodate a model in which
third parties receive raw locational data, derive or compute a
location, and then serve or otherwise act on the location in
accordance with a target's privacy rules.
4. Significance of Decision Points
To ensure privacy, the target must be able to set and communicate
privacy rules. Furthermore, the privacy rules of the target must be
honored both by entities with access to the raw data and by
entities (if different) that perform the location computation (and
possibly by additional entities that later receive and/or re-serve
the computed location).
The first decision point - who has access to and control over the
raw data - is important because any entity with access to this raw
data can likely determine the location of the target independent of
the desires of the target. If the target has control over the raw
data, the target (if given appropriate tools) can limit
transmission of the raw data according to appropriate privacy
rules. This would include situations in which raw data is
generated by a GPS-enabled device controlled by the target, but
also would include scenarios in which a target manually inputs his
location into a device or location service. In contrast, if a
carrier has access to or control over the location information
(such as when the raw data is drawn from a wireless carrier's
network), the carrier must know or learn - and follow - the
appropriate privacy rules.
The second decision point - who performs the location computation -
is equally important because, by definition, any such entity knows
the target's location. If the target (or target's device) performs
the location computation, the target (if given appropriate tools)
can limit transmission of location information according to
appropriate privacy rules. In contrast, if either a carrier or
third party performs the location computation, the carrier or third
party must know or learn - and follow - the appropriate privacy
rules.
Together, the entities that control the raw data and perform the
location computation determine who knows the target's location.
Thus, these entities must protect the location information
consistent with the privacy rules set by the target during all uses
and disclosures.
5. Basic Scenarios
The three attribute categories and their possible values yield a
total of 12 basic scenarios, as illustrated below. In the diagram,
the following words stand for the following phrases:
mobility - mobility of the target
data - who controls or has access to raw location data
computation - who performs the location computation
carrier - carrier network of the target's device
target - the target or the target's device
Sc n - scenario number
[mobility]   [data]        [computation]

fixed -----+-- target ---+-- target ------- (Sc1)
           |             |
           |             +-- carrier ------ (Sc2)
           |             |
           |             +-- third party -- (Sc3)
           |
           +-- carrier --+-- target ------- (Sc4)
                         |
                         +-- carrier ------ (Sc5)
                         |
                         +-- third party -- (Sc6)

mobile ----+-- target ---+-- target ------- (Sc7)
           |             |
           |             +-- carrier ------ (Sc8)
           |             |
           |             +-- third party -- (Sc9)
           |
           +-- carrier --+-- target ------- (Sc10)
                         |
                         +-- carrier ------ (Sc11)
                         |
                         +-- third party -- (Sc12)
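The following is an added illustration, not part of the draft: a small
Python model that enumerates the 12 basic scenarios in the diagram's order
and, for each, derives the set of entities other than the target that must
know and follow the target's privacy rules (the two decision points of
Section 4, plus any later "location server" in the sense of Section 7) and
which of the three mechanism needs (a), (b), (c) of Section 9 apply. The
attribute values and Sc numbering come from the draft; the names Scenario,
must_honor_rules, needed_mechanisms and the `downstream` parameter are
assumptions of this example.

```python
"""Model of the draft's location-computation framework (added illustration).

Attribute values and Sc1..Sc12 numbering follow Section 5; the trust rules
follow Sections 4 and 7; the needs (a), (b), (c) follow Section 9.  The
function and parameter names below are this example's own, not the draft's.
"""
from dataclasses import dataclass
from itertools import product

# Attribute categories and their values, in the order the diagram lists them.
MOBILITY = ("fixed", "mobile")
DATA_CONTROL = ("target", "carrier")                 # who controls raw data (Step 1)
COMPUTATION = ("target", "carrier", "third party")   # who computes location (Step 2)


@dataclass(frozen=True)
class Scenario:
    number: int
    mobility: str
    data: str
    computation: str


def enumerate_scenarios():
    """Return the 12 basic scenarios in diagram order (fixed first, then mobile)."""
    combos = product(MOBILITY, DATA_CONTROL, COMPUTATION)
    return [Scenario(n, m, d, c) for n, (m, d, c) in enumerate(combos, start=1)]


def scenario(n):
    """Look up scenario Sc<n>."""
    return enumerate_scenarios()[n - 1]


def must_honor_rules(sc, downstream=()):
    """Entities other than the target that must know and follow the target's
    privacy rules: whoever controls the raw data and whoever computes the
    location (Section 4), plus any later location server passed in as
    `downstream`, e.g. ("third party",), per the outcomes in Section 7."""
    entities = []
    for entity in (sc.data, sc.computation, *downstream):
        if entity != "target" and entity not in entities:
            entities.append(entity)
    return tuple(entities)


def needed_mechanisms(sc, downstream=()):
    """Which of the Section 9 needs (a), (b), (c) a scenario gives rise to."""
    needs = []
    if sc.data == "carrier":
        needs.append("a")   # rules must reach the carrier holding raw data
    if sc.computation != "target":
        needs.append("b")   # rules must reach the entity computing location
    if any(e != "target" for e in downstream):
        needs.append("c")   # rules must reach subsequent location servers
    return tuple(needs)


def self_contained_scenarios():
    """Scenario numbers in which the target need trust no other entity."""
    return [sc.number for sc in enumerate_scenarios() if not must_honor_rules(sc)]


if __name__ == "__main__":
    for sc in enumerate_scenarios():
        print(f"Sc{sc.number:<2} {sc.mobility:<6} data={sc.data:<7} "
              f"computation={sc.computation:<11} trust={must_honor_rules(sc)}")
```

Running the block prints one line per scenario; only Sc1 and Sc7 leave the
trust set empty, which matches the draft's point that the target escapes a
relationship with another entity only by both controlling the raw data and
performing the computation.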
6. Examples of Scenarios
Of the 12 scenarios identified, some reflect well-known business
and technical models that currently are being implemented. For
example, Sc11 is where the location of a cellular telephone user is
determined by the user's wireless carrier based on information in
the carrier's network.
Other scenarios reflect plausible if less visible business models,
such as Sc9 in which a target has a cellular telephone or other
device containing a GPS chip, and the target (or target's device)
transmits the raw data to a third party, which returns the target's
current street location.
Among the "fixed" mobility scenarios, for example, Sc3 would
include a situation in which a target manually provides current
location information and a third party returns driving directions to
a particular retail establishment. Sc5 would include a possible
business model in which a carrier provided highly localized
targeted advertisements based on "caller ID" information drawn
from a dial-in modem port.
Finally, certain scenarios, such as Sc4, do not reflect any readily
apparent practical implementations but are included to ensure a
complete analysis of the scenarios.
It is important to acknowledge that particular types or formats of
location data cannot be easily categorized as always "raw data" or
always "computed location information." For example, in Sc9,
longitude and latitude data may be the "raw data" returned by a GPS
device, and a third party may derive a street address from that raw
data. But in Sc12, the raw data may be triangulation data
available to a carrier through its network, and based on that raw
data the carrier may compute longitude and latitude data to be
provided to a law enforcement agency involved in a wilderness
search and rescue. Moreover, as discussed below, computed location
information may be further transformed into additional, perhaps
more useful, location formats.
7. After the Location Computation
After the target's location has initially been computed, there are
at least five possible outcomes:
(a) the transaction is complete (if, for example, the target
wants to know its own location and the target computes the location,
as in Sc10);
(b) the entity that computes the location transmits it back to
the target, or transmits to the target other information (such as
driving directions) that is based on the target's location;
(c) the entity that computes the location transmits it to a third
party that makes immediate use of the information;
(d) the entity that computes the location stores it for later
retrieval by the target or possibly a third party; or
(e) the entity that computes the location transmits it to a third
party that in turn serves or stores the location information.
Once a location has been computed, it is available to be
transmitted or served to a requestor. An entity that serves
location information is known as a "location server." It is
important to note that any entity can be a location server,
including the target's device, the carrier, or a third party. To
protect the privacy of the target, any location server must receive
and follow the target's privacy rules when it stores location
information and/or uses or discloses this information.
8. Implications
As discussed above, two critical elements of location computation
scenarios are who controls the raw data and who computes or derives
the location. If the target does not both control the raw data and
perform the location computation, he or she must form a
relationship (even if, in some cases, a very brief one) with at
least one other entity, and privacy rules must control this
relationship. Who these other entities are must be considered
because different entities have different relationships with the
target, face different technical constraints, and are subject to
different legal considerations.
For example, a target who uses a computer to dial into a network
(and most other wired connections) typically does so through an
Internet Service Provider as the "carrier," and it is likely (but
not certain) that the user has a pre-existing relationship with the
ISP. In cases where there is a pre-existing relationship,
technology may not be necessary to transmit privacy rules to that
carrier. Instead, the target and carrier might reach a contractual
agreement about privacy, and the target may first express privacy
rules in an online or offline form that is stored by the carrier.
For wireless scenarios, a target typically (but not always) has a
pre-existing relationship with a wireless carrier, but there may
not be any direct relationship with the relevant carrier while a
target is "roaming" away from the primary carrier's service area.
As for technical constraints, it is possible that a target's mobile
device will be small, lightweight, and low on computing power.
These characteristics may mean that the device cannot efficiently
perform its own computations. Thus, to protect his or her privacy,
the target would need to form a trusted relationship with his or
her carrier or a third party, obligating them to compute the
location and either provide it back to the target's device for
serving or abide by the target's rules about privacy.
Carriers and others may be constrained by national or local laws
regarding how they handle information. For example, in some
relevant situations within the United States, "Customer Proprietary
Network Information" (CPNI) rules require that telecommunications
carriers obtain customer approval before using, disclosing, or
permitting access to individually identifiable CPNI. See 47 United
States Code Section 222 at
http://www4.law.cornell.edu/uscode/47/222.html.
9. Possible Technologies to be Developed
It is not the purpose of this document to identify the specific
technologies necessary to protect privacy of location information.
But, in considering the framework set out above, the scenarios
suggest a number of possible technological needs to protect a
target's privacy and transmit a target's privacy rules. Those
possible technological needs include:
(a) a method to transmit to a carrier that has access to raw
location data the applicable privacy rules of the target;
(b) a method to transmit a target's privacy rules to an entity
that computes or derives location; and
(c) a method to transmit a target's privacy rules to any
subsequent entity (after the location computation is complete).
A single technology could be created to accomplish all three listed
needs. It is also possible, however, that the first listed need
(to protect privacy of raw data) could be accomplished by the
transmission of a more limited amount of data than might be
required to accomplish the other needs. For example, if a privacy
model permits other entities to receive and follow more complex
privacy rules, then a carrier with access to raw data might need to
receive only one instruction regarding what other entity should
receive the raw data.
10. Conclusion
Scenarios are a good way to begin discussing the privacy issues of
location-based services. To be useful, these scenarios should
include the details of location computation, which can in turn
suggest the specific entities that must receive and honor a
target's privacy rules.
11. Security Considerations
This document does not introduce new security issues. The entire
document, however, does address the need to protect the privacy and
confidentiality of location information.
Authors
John B. Morris, Jr.
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
+1.202.637.9800
jmorris@cdt.org
Deirdre K. Mulligan
Samuelson Law, Technology, and Public Policy Clinic
Center for Clinical Education
Boalt Hall School of Law
Berkeley, CA 94720-7200
dmulligan@law.berkeley.edu
Sabra-Anne R. Kelin
Samuelson Law, Technology, and Public Policy Clinic
Center for Clinical Education
Boalt Hall School of Law
Berkeley, CA 94720-7200
sakelin@boalthall.berkeley.edu
Alan Davidson
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
abd@cdt.org