Billing and OSS World

Protecting Wireless Consumers’ Privacy

Susana Schwartz
08/01/2004
Through GPS or cell tower triangulation, carriers have access to subscriber location on a continuous basis.

Imagine having a car accident and feeling secure in the knowledge that an emergency unit will find you thanks to GPS technology in your cell phone. Then imagine that, while you are waiting for emergency services, your phone rings and it is a retail store manager calling to tell you that you are just down the road from a clearance sale. It is a scenario such as this that is raising public concern. People are also concerned about how much private information could be opened up to law enforcement or government agencies, and under whose control such decisions are made.

“In the rush to get providers to adhere to E911 regulations, provisions were made so that carriers could take advantage of commercial opportunities around location information,” says Bell Labs’ Allison Mankin, transport area director for the Internet Engineering Task Force (IETF). She notes that data protection regulations in Europe are somewhat more stringent about the dissemination of an individual’s information. “We thought U.S. subscribers should have similar controls as their European peers over what carriers reveal about their customers,” says Mankin, citing lawsuits in Europe, which are burgeoning as VoIP and wireless applications pick up momentum.

Privacy Policy

Because emerging “friend-finder” services, navigation, emergency, and equipment management applications could lead to exploitation of personal information, the IETF is working closely with the Center for Democracy and Technology (CDT) and the National Emergency Number Association (NENA) to publish a set of core requirements that will enable subscribers to control access. Those requirements have been published by the Geographic Location/Privacy (GEOPRIV) Working Group under the IETF. The aim is to devise privacy requirements analogous to, but more stringent than, those applying to the Internet. “Internet privacy standards are voluntary; we would like to see location data protection become mandatory,” says Mankin.

The GEOPRIV Working Group has devised authorization, integrity and privacy requirements for transferring geographic location data in a secure manner. In the final approval stages, the requirements would be adopted by the 3rd Generation Partnership Project (3GPP) and 3GPP2.

The regulatory environment will play an important role as CDT and NENA work to balance support for E911 with that of the interests of GEOPRIV. “GEOPRIV could become more effective if government agencies mandate that carriers protect information in emergency services,” says Mankin.

As nascent VoIP services face hurdles because of lack of support for E911, NENA and other government agencies are devising VoIP task forces to balance the need for personal information for emergency services as well as that for carriers to generate new revenue.

“GEOPRIV is a strong candidate for next-generation iterations of E911 because of the tremendous work done by NENA members on GEOPRIV and because of the number of IETF members involved with NENA,” says Neustar’s Jon Peterson, an IETF transport area director.

Commonality does exist between NENA and GEOPRIV, as SIP is at the core of 3GPP and 3GPP2 networks. “Because push-to-talk and presence technologies are enabled through SIP, GEOPRIV components will work on any device using SIP,” adds Peterson.

Because the location of an object is identified either through geospatial coordinates (longitude, latitude and altitude) or through civic addresses (street addresses), GEOPRIV is determining how end systems could obtain location information via either mechanism, and how they can use other protocol mechanisms to communicate that data to emergency call centers or to convey it as part of presence information.

Civic information provides additional, usable information—particularly within buildings—and is readily obtained and interpreted, even if incomplete. However, the format for civic information differs from country to country.

The GEOPRIV Working Group has developed a draft that establishes an Internet Assigned Numbers Authority (IANA) registry for civic location data fields—derived from standards published by NENA. The IETF anticipates that other countries can reuse many of the data elements in the IANA registry, as new Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) options provide option codes for civic addresses, so that country, community and street locations can be shared and controlled.

“If geospatial and civic information are both used simultaneously, the chance to deliver accurate and timely location information to emergency responders increases,” according to Qualcomm’s Randall Gellens, one of GEOPRIV’s co-chairs. He explains that end systems that obtain location information via these mechanisms can use other protocol mechanisms to communicate data to emergency call centers or to convey data as part of presence information.

“We did not invent any format for location information itself,” says Gellens, noting the existence of numerous formats based on civil location and geographic coordinates. “Those have been developed by other forums, so we are just defining an object that is suitable for both identifying and encapsulating pre-existing location information formats and for providing adequate security and policy controls to regulate the distribution of location information over the Internet.”

How It Works

A combination of elements is being worked out to provide a service capable of transferring (or denying transfer) geographic location information in a private and secure fashion. GEOPRIV started by separating the transmission of location information from the specification and enforcement of policy and preferences: “The group realized early on that one’s policy is also sensitive and confidential. Revealing whom I have authorized to know my location potentially could be as serious as revealing exactly where I am,” says Gellens.

For that reason, GEOPRIV is working to authorize requestors and responders, as well as proxies. “That would mean the ability to authorize a carrier to reveal to one requestor someone’s time zone, but not what city, while another requestor may be permitted to know one’s precise location, and a third can only learn the ZIP code,” says Gellens.

The group also recognized that there were a small number of rules that absolutely needed to be carried along with the location. Specifically, the group determined that two flags, or rules, be part of the location object: a “do not retain” flag and a “do not distribute” flag, explains Gellens. A subscriber’s policy or preference would include rules that would set or not set either or both of these flags, allowing a clear, unambiguous directive to accompany the location. “That way, a recipient can’t claim to have been unaware of such a rule,” adds Gellens.

In other words, it is recognized that subscribers want to allow specific people to know when they are on line for instant messaging—a concept that extends naturally to location information, according to Gellens. “If you haven’t authorized me to know where you are, then I don’t get to know.”

The full set of rules (which specify which persons or entities are authorized to know one’s location, and to what degree of precision) is kept separate from the location, since it is not to be disclosed. The core rules (the do-not-retain and do-not-distribute flags) are carried along with the location, since the recipient is required to obey them.

The usage of the GEOPRIV location object format would not be limited to presence-using protocols; rather, the object format could be used by any protocol that carries XML. The IETF has proposed that the existing XML-based PIDF (Presence Information Data Format) used for securing presence data on the Internet be extended to allow the encapsulation of location information within a presence document. “Because all the presence formats in IETF are XML based, the data drops into larger programs for distributing presence information,” notes Gellens.
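
The separation described in the preceding paragraphs (a full rule set that stays with the location server, a location object that carries only the two core flags, and precision that varies per requestor) can be sketched as a small Python model. The following is an added example and is not code from the article or from the GEOPRIV working group. The element and namespace names (`usage-rules`, `retransmission-allowed`, `retention-expiry`, the `geopriv10` and `civicAddr` namespaces) are those the IETF later standardised in RFC 4119 for the PIDF location object; the `tz` element, the rule table, the requestor identities and the subscriber record are constructed for this example.

```python
# Added example (not from the article or the GEOPRIV working group): a toy
# model of the GEOPRIV split, with the full rule set held by the location
# server and only the two core flags travelling inside the location object.
# Element/namespace names follow RFC 4119; the "tz" element, rule table,
# requestor names and subscriber record are constructed for this example.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

PIDF_NS = "urn:ietf:params:xml:ns:pidf"
GP_NS = "urn:ietf:params:xml:ns:pidf:geopriv10"
CIVIC_NS = "urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr"
GML_NS = "http://www.opengis.net/gml"
for prefix, uri in (("pidf", PIDF_NS), ("gp", GP_NS), ("cl", CIVIC_NS), ("gml", GML_NS)):
    ET.register_namespace(prefix, uri)

# Fixed clock for reproducible demos and tests (constructed).
DEMO_NOW = datetime(2004, 8, 1, 12, 0, tzinfo=timezone.utc)

# Constructed subscriber record: the precise position plus coarser views of it.
SUBSCRIBER = {
    "precise": ("37.4225", "-122.0840"),
    "city": "Mountain View",
    "zip": "94043",
    "timezone": "America/Los_Angeles",
}

# Full rule set: stays on the location server and is never put in the object.
# requestor -> (granularity released, may retransmit, retention in hours;
#               None = may retain indefinitely, 0 = "do not retain")
RULES = {
    "sip:psap@emergency.example": ("precise", False, None),
    "sip:alice@friends.example": ("city", False, 1),
    "sip:calendar@work.example": ("timezone", False, 0),
    "sip:ads@retail.example": ("none", False, 0),
}


def authorize(requestor):
    """Default deny: a requestor not named in the rule set learns nothing."""
    return RULES.get(requestor, ("none", False, 0))


def build_location_object(requestor, now=None, subscriber=SUBSCRIBER):
    """Return the PIDF document (str) for one requestor, carrying only the
    authorised precision and the two core flags, or None if not authorised."""
    granularity, may_retransmit, retention_hours = authorize(requestor)
    if granularity == "none":
        return None
    now = now or datetime.now(timezone.utc)
    presence = ET.Element(f"{{{PIDF_NS}}}presence", {"entity": "pres:subscriber@example"})
    tup = ET.SubElement(presence, f"{{{PIDF_NS}}}tuple", {"id": "loc1"})
    status = ET.SubElement(tup, f"{{{PIDF_NS}}}status")
    geopriv = ET.SubElement(status, f"{{{GP_NS}}}geopriv")
    info = ET.SubElement(geopriv, f"{{{GP_NS}}}location-info")
    if granularity == "precise":
        point = ET.SubElement(info, f"{{{GML_NS}}}Point", {"srsName": "urn:ogc:def:crs:EPSG::4326"})
        ET.SubElement(point, f"{{{GML_NS}}}pos").text = " ".join(subscriber["precise"])
    elif granularity in ("city", "zip"):
        civic = ET.SubElement(info, f"{{{CIVIC_NS}}}civicAddress")
        ET.SubElement(civic, f"{{{CIVIC_NS}}}country").text = "US"
        field = "A3" if granularity == "city" else "PC"   # A3 = city, PC = postal code
        ET.SubElement(civic, f"{{{CIVIC_NS}}}{field}").text = subscriber[granularity]
    else:
        # No standard civic field for a time zone; constructed element for the demo.
        ET.SubElement(info, f"{{{GP_NS}}}tz").text = subscriber["timezone"]
    # The two core rules travel with the location so the recipient cannot claim
    # to have been unaware of them.
    usage = ET.SubElement(geopriv, f"{{{GP_NS}}}usage-rules")
    ET.SubElement(usage, f"{{{GP_NS}}}retransmission-allowed").text = "yes" if may_retransmit else "no"
    if retention_hours is not None:
        expiry = now + timedelta(hours=retention_hours)
        ET.SubElement(usage, f"{{{GP_NS}}}retention-expiry").text = expiry.isoformat()
    return ET.tostring(presence, encoding="unicode")


def recipient_decisions(xml_text, now=None):
    """Recipient side: read the two flags carried in the object and turn them
    into concrete store/forward decisions."""
    now = now or datetime.now(timezone.utc)
    rules = ET.fromstring(xml_text).find(f".//{{{GP_NS}}}usage-rules")
    retrans = rules.findtext(f"{{{GP_NS}}}retransmission-allowed", default="no")
    expiry = rules.findtext(f"{{{GP_NS}}}retention-expiry")
    return {
        "may_forward": retrans.strip().lower() == "yes",
        "may_store": expiry is None or datetime.fromisoformat(expiry) > now,
    }


def revealed(xml_text):
    """Local names of the elements inside location-info: what the requestor learned."""
    info = ET.fromstring(xml_text).find(f".//{{{GP_NS}}}location-info")
    return sorted(el.tag.split("}")[1] for el in info.iter() if el is not info)


if __name__ == "__main__":
    for who in RULES:
        obj = build_location_object(who, now=DEMO_NOW)
        print(who, "->", None if obj is None else (revealed(obj), recipient_decisions(obj, now=DEMO_NOW)))
```

Note that the object built for one requestor never mentions any other requestor or its granularity: the rule set itself stays private, which is the point Gellens makes about policy being as sensitive as location. A real deployment would also sign and encrypt the object so that the flags cannot be stripped in transit, which this model does not attempt.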

In order to convey geographical location information within an object that includes a user’s privacy and disclosure preferences, the data would also have to be protected by strong cryptographic security. “Carriers don’t necessarily like it when people use encryption, as it makes it harder for them to see what is in their traffic, but subscribers should have the ability to scramble their location data so unauthorized people can’t see it,” says Mankin. She believes the onus is on organizations like the CDT to inform the public about the ability to have personal data encrypted. “Often, there are capabilities that exist in the devices and services that sit latent because people are not aware of their existence.”

It is a goal of the GEOPRIV WG that the specification is simple enough that it can be readily understood and implemented in many protocols while providing sufficient security and extensibility.

In order to ensure interoperability of GEOPRIV implementations, Geography Markup Language (GML) 3.0 is cited as a “mandatory format” for all PIDF implementations supporting GEOPRIV elements. GML is used for modeling all manner of geographic object types, topologies, metadata, coordinate reference systems and units of measurement. “It was developed by experts in the field to meet diverse needs. What we’re doing is specifying how it can be used within an object carried by various protocols, in a secure and safe way,” says Gellens.

The GEOPRIV group also coordinates with other working groups developing general privacy and location-aware functions such as the SIP Working Group.

“All of this work we hope fosters an environment of mandatory user-controlled privacy requirements,” says Mankin. “Then, it would be possible that cell phone subscribers would not have to endure egregious levels of intrusion.”
