Liaison statement
IETF RAI and APP concerns about location privacy

Submission date 2008-11-21
From IETF RAI AREA (Cullen Jennings)
To W3C Geolocation Working Group (Angel Machin, Lars Erik Bolstad)
Cc Richard Barnes, Robert Sparks, Matt Womer
Response contact Jon Peterson
Purpose For action
Deadline 2008-12-16 Action Taken
Attachments (None)
Dear Mr. Bolstad and Mr. Machin,

The IETF RAI and APP areas were recently advised by some of our
participants of the work of the W3C Geolocation working group. We feel
that the current direction of this work presents risks to the privacy
of location information on the Internet. The experience of the IETF,
and its GEOPRIV working group, in dealing with location and location
privacy may be helpful to the Geolocation WG in finding a solution that
better respects the privacy of location information on the Web.

The IETF is committed to protecting the privacy of Internet users and
acknowledges the W3C's commitment to privacy on the Web. Both groups
recognize that the increasing availability of location information on
the Internet raises unique privacy concerns. In many contexts location
information is highly sensitive, as it can reveal intimate details
about a user's whereabouts, and can be of particular interest to
corporations and government authorities. Standards for communicating
location - over the Internet or within a browser - have an important
role to play in providing a technical basis for privacy protection.
The protocols and data formats produced by the IETF GEOPRIV WG help to
protect location information by ensuring that whenever location is
transmitted, privacy policy information is transmitted alongside it.
GEOPRIV standards provide tools that allow users to express their
preferences about how their location information is used. These tools
include a standard format for conveying these preferences together with
location information (the Presence Information Data Format-Location
Object described in RFC 4119) and a lightweight policy language for
expressing privacy preferences.

The critical value of binding policy to location information is that no
recipient of the location information can disavow knowledge of users'
preferences for how their location may be used.  By creating a
structure to convey the user's preferences along with location
information, the likelihood that those preferences will be honored
necessarily increases.

This model differs from the paradigm for privacy protection that has
long prevailed on the Web. The main privacy mechanisms used in the Web
today are site-specific privacy policies.  Users typically have only a
binary choice: To grant access to location (and accept all the terms of
the policy), or to withhold location. The GEOPRIV model extends this
model by empowering users to express their own privacy preferences to
sites with whom they share their location.

The IETF APP and RAI areas would like to express their concern that the
current W3C Geolocation API draft does not include privacy protections
for location information. The current API specification requires
conforming implementations to provide a mechanism to protect user
privacy, but it leaves it up to each implementation to invent its own
privacy mechanism. This approach could result in weak or non-existent
protections, or inconsistent user expectations and experiences.  By
contrast, if the W3C Geolocation API specified a standard format for
privacy rules, then users could have a consistent location privacy
experience across the Web, no matter how they access it.

Normally, the first public working draft of a W3C specification would
not raise as much concern as this draft API. In this case, however,
multiple implementations already exist, and it seems very likely that
the specification will be widely deployed even before it is published
as a W3C Recommendation. It is thus essential to include privacy
features even in early drafts, in order to prevent proliferation of UA
implementations and Web sites that fail to protect users' location

More generally, the IETF APP and RAI areas are interested in working
with the W3C on ensuring that their location standards are compatible.
The IETF has developed a suite of privacy-preserving protocols to
configure hosts with their location and to convey location between
hosts.  Alignment between these protocols and the Geolocation API would
allow UAs to use network-based location to provide location-based
applications in a much wider variety of scenarios than is currently
possible.  Harmonizing the privacy concepts between protocols and the
API will be an important first step toward this alignment.

The IETF APP and RAI areas request that the W3C delay publication of
the draft API specification until the W3C Geolocation WG has concluded
its current discussion about addressing privacy more concretely in the
API. APP and RAI believe that concluding the discussion about privacy
that has already begun within the W3C Geolocation WG before the draft
specification is published will ultimately benefit the W3C and, more
importantly, location-based applications on the Internet and the Web.

Jon Peterson & Cullen Jennings (Directors, RAI Area of the IETF)
Lisa Dusseault & Chris Newman (Directors, APP Area of the IETF)