Title: Geolocation Privacy
1Geolocation Privacy
International Working Group on Data Protection
in Telecommunications Rome, March 2008
2Acknowledgements
- Thanks to Henning Schulzrinne, Jon Peterson, and
Richard Barnes for their help with this slide
set.
3The IETF
- 110 working groups in 8 areas security
privacy relevant topics in all these groups - Statistics about ongoing work http//www.arkko.co
m/tools/docstats.html
General Area
Internet Area
RAI Area
O M Area
Applications Area
Routing Area
RAI
Transport Area
SIP
SIPPING
AVT
GEOPRIV
SIMPLE
MMUSIC
Security Area
4The GEOPRIV Working Group
- First BoF on Spatial Location held at 48th IETF
(July 2000) - IETF community had concerns that privacy was not
sufficiently addressed - GEOPRIV WG formed, met for the first time at 50th
IETF (August 2001) - Strong user privacy mandate in WG charter
- Location determination methods are out of scope
- Scope is on protecting the transmission of
location information over the public Internet - 2008 A number of RFCs associated already
available. - Participation from vendors, operators, standards
professionals, policy experts, and academia - Challenging group with interesting individuals
that produces a lot of mails. - More informationhttp//www.ietf.org/html.charter
s/geopriv-charter.html
5Privacy Concerns
- Location
- Many entities know your location today
- In many cases, YOU do not control the systems
that determines and stores your location - Example NetGeo database (see RFC 1876)
- In many cases, location is only one data element
in the larger presence context. Distribution of
these other attributes also deserves privacy
protection. - To understand the work in GEOPRIV the presence
work has to be considered.
6 Overview of Presence
- Presence emerged as a component of instant
messaging applications - Foremost, provides binary availability data
- Online or offline?
- Closely tied to the concept of a friends list
- Based on subscription, a persistent relationship
- Modern presence systems also provide a
disposition towards communication - Not just am I online, but am I busy, away, etc
- Capability information
- What kinds of communication can I accommodate
with my endpoint? - Customized responses context dependent
- Give different answers to different subscribers
7Presence in the IETF
- Instant Messaging and Presence Protocol (IMPP)
Working Group founded in 1999 - Originally, hoped to arrive at a single, standard
instant messaging and presence protocol - Instead, became a massive religious war
- Surviving proposals today are SIMPLE and XMPP
- Eventually, created a toolset for
interoperability of instant messaging and
presence protocols - Assumes an pluralistic environment
- Among those tools, defined the pres URI scheme
and an XML-based format for presence - Presence Information Data Format (PIDF)
8Basic Presence Model
Notification
(3) SUBSCRIBE
(4) PUBLISH
Publication
Presence Server
(5) NOTIFY
Watcher
Presentity
(2) XCAP
Policy
Simplified SIP exchanges
Rule Maker
9Geolocation and Presence
- Presence
- Ditto
- Ditto
- Ditto
- Ditto
- Ditto
- Ditto
- Geopriv
- Real-time information, changing frequently
- Requires subscription model
- Use servers to enforce policy
- Need to be able to share information selectively
- Strong authentication confidentiality model
- Extensibility (XML) required
10Basic GEOPRIV Architecture
Publication
Notification
Location Server
Location Recipient
Location Generator
Policy Rules
Rule Maker
Shows only the network agents, not the human
actors
11GEOPRIV WG Objectives
- Pick location information XML language
- Identify protocols conveying location information
- Allow push model and subscription model
- Select document format for location information
- Provide strong security measures to protect
location information in transit - Insert policy directives along with location
information - Develop authorization policy language for
restricting the distribution of location
information - Third parties enforce policies on behalf of rule
maker - Motivated by a concern that many producers of
geolocation information will not be controlled by
end users - Rule Maker may be the owner of the target device,
or may not
12GEOPRIV WG Objectives
- Pick location information XML language
13XML Language for Location Information
- The IETF did not want to define location
information formats - Experts on these matters are largely elsewhere
- (Ignoring the work on DHCP geodetic location
information) - Instead, the IETF is focusing on architectures
and tools for the secure distribution of location
information documents - Defining an envelope to carry any XML-based
location information format - Popular choice is Geographic Markup Language
(GML) (from OCG) - http//www.opengeospatial.org/
- No suitable standardized format for civic
location was available - Developed in Geopriv working group
14GEOPRIV WG Objectives
- Identify protocols conveying location information
- Allow push model and subscription model
15Conveyance Protocols
- Once you have a geolocation document, you need a
protocol to carry it - Traditional protocols are applicable (like HTTP,
etc) - Anything that can carry MIME types works
- But a subscription model is ideal
- Ability to track the location of a resource over
time - Could use a polling model, but a
subscription/notification model was deemed
superior - Also, one-time fetch is desirable
- Most of the work on location conveyance using
SIPhttp//tools.ietf.org/html/draft-ietf-sip-loc
ation-conveyance-10
A tiny tutorial can be found at
http//www.shingou.info/twiki/pub/EmergencyServic
es/EswAgenda2007/IETF-Emergency-Services-Tutorial.
ppt
16Example Vehicle Tracking
http//transport.wspgroup.fi/hklkartta/
17GEOPRIV WG Objectives
- Select document format for location information
- Provide strong security measures to protect
location information in transit - Insert policy directives along with location
information
18PIDF-LO RFC 4119
- Presence Information Data Format (PIDF) is an
XML-based format for presence (RFC 3863) - Extends PIDF to accommodate two new elements
- Location-Info
- Encapsulates location information
- GML 3.0 ltfeature.xsdgt schema (mandatory-to-impleme
nt) - Clarified by draft-ietf-geopriv-pdif-lo-profile
- Supports civic location format (optional-to-implem
ent) - Clarified by RFC 5139
- Usage-rules
- Used to indicate privacy preferences
19PIDF-LO RFC 4119Basic Ruleset Usage
Restriction
- MUST always be attached to a PIDF-LO document
- Retention expires (how long are you allowed to
keep the object) - Policy for retransmission of location information
(Yes/No) - Reference to an external ruleset (optional)
- A note well of free text, human readable
privacy policy - Specified in RFC 4119
20Whats in an Location Object (LO)?
- LO encodes bindings between data elements
- Sighting bindings (ID, Location, Time)An
entity with this identifier was at this location
at this time - Rule bindings (Tuple, Rule)These are the rules
for how this sighting should be handled
21Sighting Binding
- lt?xml version"1.0" encoding"UTF-8"?gt
- ltpresence xmlns"urnietfparamsxmlnspidf"
- xmlnsgp"urnietfparamsxmlnspidfgeopriv
10" - xmlnsgml"urnopengisspecificationgmlsche
ma-xsdfeaturev3.0" - entity"presmeaningless-F32AC8D_at_example.com"
gt - lttuple id"sg89ae"gt
- ltstatusgt
- ltgpgeoprivgt
- ltgplocation-infogt
- ltgmllocationgt
- ltgmlPoint gmlid"point1"
srsName"epsg4326"gt - ltgmlcoordinatesgt374630N
1222510Wlt/gmlcoordinatesgt - lt/gmlPointgt
- lt/gmllocationgt
- lt/gplocation-infogt
- ltgpusage-rulesgt
- ltgpretransmission-allowedgtnolt/gpretrans
mission-allowedgt - ltgpretention-expirygt2003-06-23T045729Z
lt/gpretention-expirygt - lt/gpusage-rulesgt
22Rule Binding
- lt?xml version"1.0" encoding"UTF-8"?gt
- ltpresence xmlns"urnietfparamsxmlnspidf"
- xmlnsgp"urnietfparamsxmlnspidfgeopriv
10" - xmlnsgml"urnopengisspecificationgmlsche
ma-xsdfeaturev3.0" - entity"presmeaningless-F32AC8D_at_example.com"
gt - lttuple id"sg89ae"gt
- ltstatusgt
- ltgpgeoprivgt
- ltgplocation-infogt
- ltgmllocationgt
- ltgmlPoint gmlid"point1"
srsName"epsg4326"gt - ltgmlcoordinatesgt374630N
1222510Wlt/gmlcoordinatesgt - lt/gmlPointgt
- lt/gmllocationgt
- lt/gplocation-infogt
- ltgpusage-rulesgt
- ltgpretransmission-allowedgtnolt/gpretrans
mission-allowedgt - ltgpretention-expirygt2003-06-23T045729Z
lt/gpretention-expirygt - lt/gpusage-rulesgt
23Integrity and authenticity
- High-level Threat Corruption / falsification of
bindings - Sighting bindings
- Location and time Replay
- Location and identity Spoofing / swapping
- Levels of identity Swapping between layers
- Rule bindings Removal of rules
24Confidentiality
- Unauthorized disclosure of a location object or
parts of a location object - Rules can express policy, but not enforce
- Eavesdropping
- Whole LO or parts of it
- Anonymity is selective availability
- Location, time authorized, but not identity
- Identity, time, but only rough location
25GEOPRIV WG Objectives
- Develop authorization policy language for
restricting the distribution of location
information - Third parties enforce policies on behalf of rule
maker - Motivated by a concern that many producers of
geolocation information will not be controlled by
end users - Rule Maker may be the owner of the target device,
or may not
26Authorization for Presence and Location
Information
Authorization Framework
Basic Ruleset
Extended Ruleset
Common Policy
PIDF-LO
Geopriv Policy
Presence Policy
RFC 4745 Common Policy
RFC 5020 -- Presence Authorization Policy
draft-ietf-geopriv-policy-14.txt Geolocation
Policy
27Extended RulesetCommon Policy
- Design Goals
- Permit only
- Additive permissions (Minimal Disclosure)
- Upgradeable/Extensibility
- Capability/Versioning support
- No false assurance
- Efficient implementation (no regular expressions)
- Protocol-independent
- Supports pluralism of contexts
- Two Usage Models
- Attached (per-value or per-reference) to PIDF-LO
document - Available at the Location/Presence Server
- Identity information needs to be instantiated
based on the specific conveyance protocol
28Extended Ruleset Common Policy
- Rule consists of
- conditions part
- actions parts
- transformations part
- Conditions
- Identity Conditions
- Matching One Entity
- Matching Multiple Entities
- Matching Any Authenticated Identity
- Matching Any Authenticated Identity Excepting
Enumerated Domains/Identities - Sphere
- Validity
- No actions no transformations specified
29Common PolicyExample
- lt?xml version"1.0" encoding"UTF-8"?gt
- ltruleset xmlns"urnietfparamsxmlnscommon-p
olicy"gt - ltrule id"f3g44r1"gt
- ltconditionsgt
- ltidentitygt
- ltone id"sipalice_at_example.com"
/gt - ltone id"tel1-212-555-1234"
/gt - ltone id"mailtobob_at_example.net
" /gt - ltmany domain"example.com"/gt
- lt/identitygt
- ltsphere value"work"/gt
- ltvaliditygt
- ltfromgt2003-12-24T1700000100
lt/fromgt - ltuntilgt2003-12-24T190000010
0lt/untilgt - lt/validitygt
- lt/conditionsgt
- ltactions/gt
- lttransformations/gt
- lt/rulegt
30Identity Handling
- Identity information depends on the selected
conveyance protocol. - Specification needs to indicate how the identity
fields of Common Policy are populated. - Functionality about identity management and
privacy inherited from conveyance protocol (e.g.,
SIP) - Examples in the SIP context
- P-Asserted ID (RFC 3325)
- SIP Identity (RFC 4474) / Authenticated Identity
Body (RFC 3893) - SIP SAML (draft-ietf-sip-saml-03.txt)
- SIP CERTS (draft-ietf-sip-certs-05.txt)
- Privacy in SIP RFC 3323
31Geopriv Policy
- Adds location-based authorization policies to the
Common Policy framework - Conditions
- IF I am in the following area THEN
- Transformations
- SET usage policies
- REDUCE granularity of provided location
information
32PolicyExample (1/2)
ltrule id"BB56A19"gt ltconditionsgt
ltgplocation-conditiongt ltgplocation
profile"geodetic-condition"gt
ltgsCircle
srsName"urnogcdefcrsEPSG4326"gt
ltgmlposgt
-34.410649 150.87651
lt/gmlposgt ltgsradius
uom"urnogcdefuomEPSG9001"gt
1500
lt/gsradiusgt lt/gsCirclegt
lt/gplocationgt lt/gplocation-conditio
ngt lt/conditionsgt lttransformations/gt lt/rule
gt
- ltcprule id"AA56i09"gt
- ltcpconditionsgt
- ltgpcivic-loc-conditiongt
- ltcountrygtDElt/countrygt
- ltA1gtBavarialt/A1gt
- ltA3gtMunichlt/A3gt
- ltA4gtPerlachlt/A4gt
- ltA6gtOtto-Hahn-Ringlt/A6gt
- ltHNOgt6lt/HNOgt
- lt/gpcivic-loc-conditiongt
- lt/cpconditionsgt
33PolicyExample (/2)
- ltrule id"AA56i09"gt
- ltconditions/gt
- ltactions/gt
- lttransformationsgt
- ltgpset-retransmission-allowedgt
- false
- lt/gpset-retransmission-allowedgt
- ltgpset-retention-expirygt
- 86400
- lt/gpset-retention-expirygt
- ltgpset-note-well xmllang"en"gt
- My privacy policy goes in here.
- lt/gpset-note-wellgt
- ltgpkeep-rule-referencegt
- false
- lt/gpkeep-rule-referencegt
- ltgpprovide-location
- profile"civic-transformation"gt
34Presence Policy
- Attributes mostly taken from Rich Presence
Extensions to the Presence Information Data
Format (RPID) - Conditions
- Details identity usage for SIP
- Actions
- Subscription Handling (block, confirm, allow,
polite block) - Transformations
- Providing Access to Data Component Elements
(device, person, service) - Providing Access to Presence Attributes
- Provide Activities (e.g., appointmentgt,
ltbreakfastgt, ltdinnergt, ltholidaygt, ltlunchgt,
ltmealgt, ltmeetinggt, ltperformancegt, lttravelgt, or
ltvacationgt) - Provide Class
- Provide DeviceID
- Provide Mood (e.g., happy, angry, etc.)
- Provide Place-is (e.g., noisy, quiet)
- Provide Place-type (e.g., bus, ship, ..... RFC
4589) - Provide Privacy (e.g., audio, text, video)
- Provide Relationship (e.g., family, friend)
- Provide Sphere
- Provide Status-Icon
- Provide Time-Offset
35Presence PolicyExample
- lt?xml version"1.0" encoding"UTF-8"?gt
- ltcrruleset xmlns"urnietfparamsxmlnspres-
rules" - xmlnspr"urnietfparmasxmlnspres-rules"
- xmlnscr"urnietfparamsxmlnscommon-policy
"gt - ltcrrule id"a"gt
- ltcrconditionsgt
- ltcridentitygt
- ltcrone id"sipuser_at_example.com"/gt
- lt/cridentitygt
- lt/crconditionsgt
- ltcractionsgt
- ltprsub-handlinggtallowlt/prsub-handlinggt
- lt/cractionsgt
- ltcrtransformationsgt
- ltprprovide-servicesgt
- ltprservice-uri-schemegtsiplt/prservice-uri
-schemegt - ltprservice-uri-schemegtmailtolt/prservice-
uri-schemegt - lt/prprovide-servicesgt
- ltprprovide-personsgt
36The E2E StoryRecall the Basic Triangle
- Principals
- Location Server LS
- Location Recipient LR
- Rule Holder RH
- Location Generator (LG) is a special role of a
LS. Entity that initially injects LO into the
system. - Viewer is the final consumer of location
information.
Dissemination Channel
Request
LS
LR
LO
Rules
RH
37The E2E Story Connecting Triangles
LG
Viewer
LR
LH
LR
LH
LR
LH
LR
LH
LS
LR
LS
LR
LS
LR
LS
LR
RH
RH
RH
RH
- Triangles can be combined to store and forward
LOs - Logically forms a distribution tree
- Branches when one LS provides same LO to multiple
LRs - RootLG, the entity that first determines the
location of the target - LeavesLRs, entities that consume location
objects - Potentially many rule holders along this path
- Target will usually be one of the rule holders
- LG will usually be one of the rule holders
38The E2E Story Assurances about the tree
LG
Viewer
LR
LH
LR
LH
LR
LH
LR
LH
LS
LR
LS
LR
LS
LR
LS
LR
RH
RH
RH
RH
- Critical parts of LO are unchanged
- End-to-end privacy policy communication and
enforcement - Rules are communicated down the tree by RH adding
them to LO
39Example Scenario (1)
- Endpoint discovers LIS
- Endpoint acquires LO reference (referred as
ID(LO)) - LIS Discovery Dissemination Channel
- LIS instance of LG
- Endpoint LR
LIS Discovery
(1)
ID(LIS)
LIS
(2)
End Point
ID(LO)
ID(LIS), ID(LO)
Rules
LR
40Example Scenario (2)
- Endpoint sends reference to LR
- Endpoint sends rules to LIS
- LR dereferences reference
- Endpoint RM
- LIS LS
- LR LR
LIS Discovery
(1)
ID(LIS)
(2)
LIS
End Point
ID(LO)
(4)
(3)
ID(LIS), ID(LO)
Rules
(5)
LR
LO
41Relevant IETF Work
- Creating, Modifying and Deleting XML Documents
- XCAP / WebDavhttp//www.jdrosen.net/papers/xcap-t
utorial.ppt - Presence Server Performance
- Partial Notifications / Event Throttling / Event
Filters - Session (dependent/independent) policies
- Mechanisms to obtain location information
- Discovering features of a Presence/Location
Server - Refinement and extensions of location formats
42Not Accomplished in GEOPRIV
- Policy indication/negotiation in the style of P3P
- Usage restriction policy usage beyond location
information. - Make other SDOs to re-use usage restriction
policies. - Extensions beyond presence (such as generic web
services)
Please give me access to your information. Here
is my privacy policy!
Presence Server
OK. Based on your privacy policy you get access
to X.
Watcher
43Challenge User Interface
- More work is necessary to develop user-friendly
interfaces. - Particularly important since authorization
policies are an integral part of the solution - A lot of todays communication is still done
without any policy handling. - Paradigm change since we see user in the role of
changing the privacy policies (user control and
consent).
44Outlook
- Increased usage of PUB/SUB usage and richer
presence usage expected - As deployment increases the problems with data
retention and privacy will increase too - GEOPRIV architecture unique among the
standardization solutions. - More implementation work is needed to determine
better and extended policy handling - Advertisement Related area of interest is
prevention of unwanted traffic. Identity
management and authorization policies play an
important role in this work as well. Will borrow
a lot from the GEOPRIV concept. See
http//www.shingou.info/bof-rucus.html