Internet Draft J. Cuellar Document: draft-cuellar-geopriv-scenarios-03.txt Siemens AG J. Morris Center for Democracy & Technology T. Kanai Fujitsu Laboratories Expires in six months Mar 2003 Geopriv Scenarios and Use Cases Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This document describes location-based service scenarios for Geopriv. It complements the Geopriv Requirements document by providing a set of examples in which the Geopriv Location Object (LO) may be used. Thus this documents serves as a basis to discuss and analyze the security (authentication, authorization, integrity and confidentiality) and privacy issues and requirements associated with location-based services. To be useful, these scenarios include details of location computation, which helps to identify the entities involved on an abstract level and where privacy issues like control, consent, access, and security arise. Cuellar, Morris, Kanai Geopriv Scenarios 1 Expires in six months Mar 2003 Table of Contents 1. Overview........................................................3 2. Conventions used in this document...............................4 3. Terminology.....................................................4 3.1. Foundational Definitions...................................4 3.1.1. Location Information (LI) and Sighting................4 3.1.2. The Location Object...................................5 3.1.3. Location Object vs. Using Protocol....................6 3.1.4. Trusted vs. Non-trusted Data Flows....................6 3.2. Geopriv Entities and Functions.............................7 3.2.1. Primary Geopriv Entities..............................7 3.2.2. Secondary Geopriv Entities............................8 3.2.3. Geopriv Data Storage Functions........................9 3.3. Privacy Rules..............................................9 3.4. Identifiers, Authentication and Authorization.............10 3.4.1. Identifiers..........................................11 3.4.2. Authentication.......................................11 3.4.3. Authorization........................................12 4. Three Frameworks to Classify Use Cases and Scenarios...........12 4.1. Classifications "Push", "Pull", and "Translate/Query".....13 4.1.1. Push Model...........................................13 4.1.2. Pull Model...........................................13 4.1.3. Translate/Query Model................................14 4.2. Overlap of Geopriv Roles (Classif. A-1 through A-9).......15 4.3. Initial Location Computation (Classif. B-1 through B-12)..15 5. Services From a User Point of View.............................17 5.1. Network Management and Computer Services..................18 5.1.1. Location Based Charging or Billing...................18 5.1.2. Enhanced Call Routing................................18 5.1.3. Ubiquitous computing applications....................19 5.2. Emergency and Security Services...........................19 5.2.1. Emergency Call Services..............................19 5.2.2. Emergency Alert and other Public Safety Services.....19 5.2.3. Evacuation navigation service........................19 5.2.4. Location-based services to drivers...................19 5.2.5. Tracking services for Security.......................20 5.3. Resource Management Services..............................20 5.3.1. Tracking services for Resource Management............20 5.3.2. Package Tracking.....................................20 5.3.3. Taxi dispatch system - location of the customer......20 5.3.4. Taxi dispatch system - location of the taxi..........21 5.4. Geographic Based Content Services.........................21 5.4.1. Navigation...........................................21 5.4.2. City Sightseeing.....................................22 5.4.3. Mobile Yellow Pages..................................22 Cuellar, Morris, Kanai Geopriv Scenarios 2 Expires in six months Mar 2003 5.4.4. Traffic Monitoring...................................22 5.4.5. Traffic jam information..............................22 5.5. Content Provider-Initiated Information Services...........23 5.5.1. Location Dependent Content Broadcast.................23 5.6. Entertainment and Community Services......................23 The services in this subsection could arise with either the Push, Pull, or Translate/Query Models, and conceivably in almost any of the classifications A-1 through A-9...........23 5.6.1. Mobile Communities or Locate a Person................23 5.6.2. Gaming...............................................23 5.6.3. Rendezvous service...................................23 6. Scenarios......................................................23 6.1. Scenario 1................................................24 6.2. Scenario 2................................................24 6.3. Scenario 3................................................25 6.4. Scenario 4................................................26 6.5. Scenario 5................................................27 6.6. Scenario 6................................................28 6.7. Scenario 7................................................29 6.8. Scenario 8................................................31 7. Implications and Conclusions...................................32 8. Security Considerations........................................32 9. Acknowledgements...............................................32 10. References....................................................32 11. Author's Addresses............................................33 12. Full Copyright Statement......................................33 1. Overview Location based systems are an emerging field, and all possible services or relationships cannot be identified or even imagined today. Over the next few years, location based services and applications are likely to come in a huge array of shapes, sizes, structures, paradigms, and approaches. This document attempts to articulate the range and types of applications that are possible using location services, although the use cases and scenarios below are unavoidably incomplete. This document includes 4 main sections below. Section 3 contains terminology and definitions, largely drawn from the similar section in the Geopriv Requirements draft. Section 4 advances three different and incomplete (individually or collectively) analytical frameworks with which to consider Geopriv uses and scenarios. Section 5 lists, and briefly discusses, a range of possible use cases. Section 6 looks at a subset of these use cases diagrammatically, in an effort to identify the entities and data flows involved. Cuellar, Morris, Kanai Geopriv Scenarios 3 Expires in six months Mar 2003 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC-2119]. 3. Terminology The terminology and definitions detailed below include both (1) primary or essential terms used in the Requirements document, and (2) secondary terms that provide additional detail about the usage model envisioned for the Geopriv Location Object. Most of the definitions below are drawn directly from the Requirements Document. The focus of that document, however, is on the requirements for the Geopriv Location Object. This document, in contrast, looks more broadly at Geopriv scenarios and data flows. It thus uses some additional terms not used in the Requirements Document. These additional terms are indicated by a "Not in Requirements Document" designation. 3.1. Foundational Definitions 3.1.1. Location Information (LI) and Sighting The focus of the Geopriv working group is on information about a Target's location that is NOT based on generally or publicly available sources, but instead on private information provided or created by a Target, a Target's Device, or a Target's network or service provider. Notwithstanding this focus on private location information, the Geopriv Location Object could certainly be used to convey location information from publicly available sources. Location Information (LI): A relatively specific way of describing where a Device is located. In general, Location Information is (a) derived or computed from information generally not available to the general public (such as information mainly available to a network or service provider), (b) determined by a Device that may be not generally publicly addressable or accessible, or (c) input or otherwise provided by a Target. As examples, LI could include (a) information calculated by triangulating on a wireless signal with respect to cell phone towers, (b) longitude and latitude information determined by a Device with GPS (global positioning satellite) capabilities, (c) information manually entered into a cell phone or laptop by a Target in response to a query, or (d) automatically delivered by some other IP protocol, such as at device configuration via DHCP. Cuellar, Morris, Kanai Geopriv Scenarios 4 Expires in six months Mar 2003 Excluded from this definition is the determination of location information wholly without the knowledge or consent of the Target (or the Target's network or access service provider), based on generally available information such as an IP or e-mail address. In some cases information like IP address can enable someone to estimate (at least roughly) a location. Commercial services exist that offer to provide rough location information based on IP address. Currently, this type of location information is typically less precise and has a coarser granularity than the type of location information addressed in this document. Although this type of location computation still raises significant potential privacy and public Policy concerns, such scenarios are generally outside the scope of this document. Within any given location-based transaction, the INITIAL determination of location (and thus the initial creation of Location Information) is termed a Sighting: Sighting: The initial determination of location based on non-public information (as discussed in the definition of Location Information), and the initial creation of Location Information. Some variant of the sighting information is included in the Location Object. Abstractly, it consists of two separate data fields: (Identifier, Location) where Identifier is the identifier assigned to a Target being sighted, and Location is the current position of that Target being sighted. Not all entities may have access to exactly the same piece of sighting information. A sighting may be transformed to a new sighting pair: (Identifier-1, Location-1) before it is provided by a Location Generator or Location Server to another Location Recipient (for instance, another Location Server). In this case, Identifier-1 may be Pseudonym, and Location-1 may have less accuracy or granularity than the original value. 3.1.2. The Location Object A main goal of the Geopriv working group is to define a Location Object (LO), to be used to convey both Location Information and basic privacy-protecting instructions: Location Object (LO): This data contains the Location Information of the Target, and other fields including an identity or pseudonym of the Target, time information, core Privacy Rules, authenticators, etc. Most of the fields are optional, including the Location Information itself. Cuellar, Morris, Kanai Geopriv Scenarios 5 Expires in six months Mar 2003 Nothing is said about the semantics of a missing field. For instance, a partially filled object MAY be understood implicitly as the request to complete it. Or, if no time information is included, this MAY implicitly mean "at the current time" or "at a very recent time", but it could be interpreted in a different way, depending on the context. 3.1.3. Location Object vs. Using Protocol The security and privacy enhancing mechanisms used to protect the LO are of two types: First, the Location Object definition MUST include (optional) fields or mechanisms used to secure the LO as such. The LO MAY be secured, for example, using cryptographic checksums or encryption as part of the LO itself. Second, the "using protocol" (that is, the protocol that uses the Location Object) may also provide security mechanisms to securely transport the Location Object. The "using protocol" is the protocol that uses (creates, reads or modifies) the Location Object. A protocol that just transports the LO as a string of bits, without looking at them (like an IP storage protocol could do), is not a using protocol, but only a transport protocol. Nevertheless, the entity or protocol that caused the transport protocol to move the LO is responsible of the appropriate distribution, protection, usage, retention, and storage of the LO based on the rules that apply to that LO. The security mechanisms of the Location Object itself are to be preferred. The using protocol has to obey the privacy and security instructions coded in the Location Object and in the corresponding Privacy Rules regarding the transmission and storage of the LO in order to ensure that the rules established by the Rule-Maker are observed. Other requirements on the using protocol are out of the scope of this document. . 3.1.4. Trusted vs. Non-trusted Data Flows Location information can be used in very different environments. In some cases the participants will have longstanding relationships, while in others participants may have discrete interactions with no prior contractual or other contact. The different relationships raise different concerns for the implementation of Privacy Rules, including the need to communicate Privacy Rules. A public Rule Holder, for example, may be unnecessary in a trusted environment where more efficient methods of addressing privacy issues exist. The following terms distinguish between the two basic types of data flows: Cuellar, Morris, Kanai Geopriv Scenarios 6 Expires in six months Mar 2003 Trusted Data Flow: A data flow that is governed by a pre-existing contractual relationship that addresses location privacy. Non-trusted Data Flow: The data flow is not governed by a pre-existing contractual relationship that addresses location privacy. 3.2. Geopriv Entities and Functions The entities of a Geopriv application or transaction may be given explicit roles: 3.2.1. Primary Geopriv Entities Certain entities and roles are involved in most (and in some cases all) Geopriv transactions: Target: The entity whose location is desired by the Location Recipient. In many cases the Target will be the human "user" of a Device or an object such as a vehicle or shipping container to which the Device is attached. In some instances the Target will be the Device itself. Device: The technical device the location of which is tracked as a proxy for the location of a Target. A Device might, for example, be a cell phone, a Global Positioning Satellite (GPS) receiver, a laptop equipped with a wireless access Device, or a transmitter that emits a signal that can be tracked or located. In some situations, such as when a Target manually inputs location information (perhaps with a web browser), the Target is effectively performing the function of a Device. Rule Maker (RM): The individual or entity that has the authorization to set the applicable Privacy Rules for a potential Geopriv Target. In many cases this will be the owner of the Device, and in other cases this may be the user who is in possession of the Device. For example, parents may control what happens to the location information derived from a child's cell phone. A company, in contrast, may own and provide a cell phone to an employee but permit the employee to set the Privacy Rules. Location Recipient (LR): An individual or entity who seeks to receive location data about a Target. Cuellar, Morris, Kanai Geopriv Scenarios 7 Expires in six months Mar 2003 A Location Recipient may act in one or more of the following more specialized roles: as the Location Generator, a Location Server, or as a Viewer: Location Generator (LG): The LG is an element responsible for creating the Location Object for a specific Target. LGs publish Location Objects to Location Servers. The manner in which the Location Generator learns of Location Information is outside the scope of the Geopriv protocol. Location Server (LS): The LS is an element that receives publications of Location Objects from Location Generators and may receive subscriptions from Location Recipients. The LS applies the rules (which it learns from the Rule Holder) to LOs it receives from LGs, and then notifies LRs of resulting LOs as necessary. Some location tracking scenarios may involve a Target, Device, or Device user performing the function of a Location Server. Viewer (Viewer): An individual or entity who receives location data about a Target and does not transmit the location information or information based on the Target's location (such as driving directions to or from the Target) to any party OTHER than the Target or the Rule Maker. 3.2.2. Secondary Geopriv Entities Certain entities and functions are present or involved in only a subset of Geopriv transactions: Unintended Target [Not in Requirements Document]: A person or object tracked by proximity to the Target. This special case most frequently occurs if the Target is not a person. For example, the Target may be a rental car equipped with a GPS Device, used to track car inventory. The rental company may not care about the driver's location, but the driver's privacy is implicitly affected. Geopriv may or may not protect or affect the privacy of Unintended Targets, but the impact on Unintended Targets should be acknowledged. Data Transporter: An entity or network that receives and forwards data without processing or altering it. A Data Transporter could theoretically be involved in almost any transmission between a Device and a Location Server, a Location Server and a second Location Server, or a Location Server and a Viewer. Some location tracking scenarios may not involve a Data Transporter. Access Provider (AP): The domain that provides the initial network access or other Cuellar, Morris, Kanai Geopriv Scenarios 8 Expires in six months Mar 2003 data communications services essential for the operation of communications functions of the Device or computer equipment in which the Device operates. Often, the AP -- which will be a wireless carrier, an Internet Service Provider, or an internal corporate network -- contains the LG. Sometimes the AP has a "dumb" LG, one that transmits Geopriv LOs but does not use any part of the Geopriv Location Object. Other cases may not involve any AP, or the AP may only act as a Data Transporter. Service Initiator [Not in Requirements Document]: Entity that initiates the service and submits a request to disclose the Location Information to the Location Recipient. In most cases, this entity will overlap with one of the other Geopriv entities, such as the Target, the Rule Maker, or the Location Recipient. 3.2.3. Geopriv Data Storage Functions Within the Geopriv framework, certain data may be stored in various functional entities: Rule Holder (RH): The RH is an element that houses Privacy Rules for receiving, filtering and distributing Location Objects for specific Targets. A LS may query an RH for a set of rules, or rules may be pushed from the RH to an LS. The rules in the Rule Holder are populated by the Rule Maker. Private Rule Holder [Not in Requirements Document]: A non-public Rule Holder used to store private (authenticated, but not signed) or public (signed) Rules, identifiers, keys, and perhaps also requests. A Private Rule Holder could be operated by a Device, a Location Server, or a third party service provider. Public Rule Holder [Not in Requirements Document]: A public repository where signed Rules are stored. Location Storage: A Device or entity that stores raw or processed Location Information, such as a database, for any period of time longer than the duration necessary to complete an immediate transaction regarding the LI. The existence and data storage practices of Location Storage is crucial to privacy considerations, because this may influence what Location Information could eventually be revealed (through later distribution, technical breach, or legal processes). 3.3. Privacy Rules Cuellar, Morris, Kanai Geopriv Scenarios 9 Expires in six months Mar 2003 Privacy Rules are rules that regulate an entity's activities with respect to location and other information, including, but not limited to, the collection, use, disclosure, and retention of location information. Such rules are generally based on fair information practices, as detailed in (for example) the OECD Guidelines on the Protection of Privacy and Transporter Flows of Personal Data [OECD]. Privacy Rule: A rule or set of rules that regulate an entity's activities with respect to location information, including the collection, use, disclosure, and retention of location information. In particular, the Rule describes how location information may be used by an entity and which transformed location information may be released to which entities under which conditions. Rules must be obeyed; they are not advisory. A full set of Privacy Rules will likely include both rules that have only one possible technical meaning, and rules that will be affected by a locality's prevailing laws and customs. For example, a distribution rule of the form "my location can only be disclosed to the owner of such credentials and in such accuracy" has clear-cut implications for the protocol that uses the LO. But other rules, like retention or usage Rules, may have unclear technical consequences for the protocol or for the involved entities. For example, the precise scope of a retention rule stating "you may not store my location for more than 2 days" may in part turn on local laws or customs. The Privacy Rules of the Rule Maker regarding the location of the Target may be accessible to a Location Server in Private or Public Rules Repositories, or they may be carried by the Location Object, or they may be presented by the Location Recipient as capabilities or tokens: Public Rule [Not in Requirements Document]: A Rule, digitally signed by the Rule Maker, and stored in a Rule Holder for the use of one or several Location Servers. Private Rule [Not in Requirements Document]: An authenticated Rule, consented by the Rule Maker, and stored in Private Rule Storage for the private use of a limited set of Location Servers. Geopriv Token [Not in Requirements Document]: A token or ticket issued and secured (authenticated or signed) by the Rule Maker to a Location Recipient, expressing the explicit consent of the Rule Maker to access his location information. This Geopriv Token is thus, logically, a rule of the Rule Maker. 3.4. Identifiers, Authentication and Authorization Cuellar, Morris, Kanai Geopriv Scenarios 10 Expires in six months Mar 2003 This subsection introduces terms and concepts used in the Requirements Section. 3.4.1. Identifiers Anonymity is the property of being not identifiable (within a set of subjects). Anonymity serves as the base case for privacy: without the ability to remain anonymous, individuals may be unable to control their own privacy. Unlinkability ensures that a user may make multiple uses of resources or services without others being able to link these uses together. Unlinkability requires that entities are unable to determine whether the same user caused certain specific operations in the system. [ISO99]: A pseudonym is simply a bit string which is unique as ID and is suitable to be used for end-point authentication. Unlinked Pseudonym: A pseudonym where the linking between the pseudonym and its holder is, at least initially, not known to anybody with the possible exception of the holder himself or a trusted server of the user. See [Pfi01] (there the term is called Initially Unlinked Pseudonym) The use of Unlinked Pseudonyms is necessary to obtain anonymity. But also it is necessary to change the used pseudonyms regularly, because identifying the user behind an unlinked pseudonym can be very simple. In order to remain anonymous, an entity may use private identifiers. Private identifiers convey less information than public identities, because they are meaningful to a smaller number of entities and in use for a shorter duration. Thus if A discloses a private identifier to B, B is less likely to associate this information with a known individual or entity than if a public identifier was disclosed. Short-lived Identifier [Not in Requirements Document]: An identifier that is used only for one or a limited number of "sessions". Using protocols should be able to handle LOs with identifiers, LOs without identifiers, and LOs with pseudonyms. The identity of the requester may be irrelevant in some cases, whereas the identity of the Target may be irrelevant in others. Entity-Identifier [Not in Requirements Document]: The names used by the Geopriv entities to identify, authenticate or authorize themselves to other entities. Rules also use entity-identifiers to express which Location Recipients may receive which transformed sighting information. 3.4.2. Authentication Cuellar, Morris, Kanai Geopriv Scenarios 11 Expires in six months Mar 2003 The word authentication is used in different meanings. Some assert that authentication associates an entity with a more or less well- known identity. This basically means that if A authenticates another entity B as being "id-B", then the label "id-B" is not a pseudonym, but a persistent or at least linkable identity of the entity. In this case, the label "id-B" is called a publicly known identifier, and the authentication is "explicit": Explicit Authentication: The act of verifying a claimed identity as the sole originator of a message (message authentication) or as the end-point of a channel (entity authentication). Moreover, this identity is easily linked back to the real identity of the entity in question, for instance being a pre-existing static label from a predefined name space (telephone number, name, etc.). 3.4.3. Authorization Authorization The act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential. Depending on the type of credential, authorization may imply Explicit Authentication or not. 4. Three Frameworks to Classify Use Cases and Scenarios There are many different ways to conceptualize or classify the possible Geopriv scenarios. Among the possible approaches can be: A. How is the location information transaction being triggered: is it a "push" or a "pull" model, or a "query" to translate a location or find a location in a context? B. What are the relevant entities, devices, and roles, and how do they interrelate and (often) overlap? C. What entity first has control over the initial sighted data, and over the initial computation and distribution of the location information? These three classifications are discussed briefly in this section. A fourth approach to considering the full range of possible Geopriv scenarios is to analyze the use cases from the user's perspective, looking at what service is bring provided from the point of view of the user. A range of these use cases are described in Section 5, with references back to the three classification schemes discussed in this section. Cuellar, Morris, Kanai Geopriv Scenarios 12 Expires in six months Mar 2003 None of these classifications alone is fully sufficient to identify the full range of possible location services. Other ways to consider the possible uses and scenarios are discussed in Section 7. 4.1. Classifications "Push", "Pull", and "Translate/Query" One classification of scenarios is according to who is the Service Initiator and whether the service triggering is done on demand or on subscription mode, and if the Rule Maker is granted positioning consent or not. A Target, Rule Maker, Location Recipient, or another party may trigger the actions, depending on the service being provided. They may be triggered on demand or as a periodical subscription (periodical updates). Also it is possible for location services to support conditional positioning. Under these conditions, an application that is granted conditional positioning authorization must notify and obtain positioning authorization from the Rule Maker of the Target prior to performing the positioning process. The Rule Maker is able to accept or reject the positioning attempt. In Japan for instance, all major mobile carriers provide the following types of well-known commercial services: 1. "Here I am!" (Subscribers may send their location information to other subscribers or to Internet users via e-mail or other means.) 2. "Where is he/she?" (Carriers tell users where someone is located.) 3. "Where am I?" service (Carriers tell subscribers where they are located on a map.) Those three correspond roughly to 3 query modes described below: Push Model, Pull Model, and Translate/Query Model. Note than many scenarios will involve both Push and Translate, or both Pull and Translate. 4.1.1. Push Model In the Push Model, the Target typically acts as the Location Initiator (instead of responding to a request). For example, after locating himself, the Target may send his location to the Viewer or another Location Recipient. Similarly, the Target may ask a Location Generator to locate the Target and transmit the location to a Viewer or other Location Recipient. 4.1.2. Pull Model In the Pull Model, a Viewer or other Location Recipient wants to know where a given Target is, and thus is the Service Initiator. As one example of the Pull Model, a Location Server: Cuellar, Morris, Kanai Geopriv Scenarios 13 Expires in six months Mar 2003 1. receives Location Information from the Location Generator or from another Location Server, 2. receives, directly or through a repository or a trusted third party, the Privacy Rules associated with the Target, 3. accepts services requests from Location Recipients (including other Location Servers), 4. matches the location request to the Rules for the Target and processes the Location Information accordingly, and 5. returns Location Information (sometimes filtered) of the Target. 4.1.3. Translate/Query Model Those are services where some entity (such as a Target or other Location Recipient) provides Location Information and obtains a function of that information as response. For instance, he may want to translate a location from one format to another (say from coordinates to civil), or to see in a map where certain coordinates are, or given the distance from a point to 2 or more fixed locations, to find the possible locations of the point. This service may be invoked by a mobile Target that knows where he is, or where he plans to be this afternoon, but needs additional information about the location or needs the location in a different format. In one example, a Target knows his location (say, using a GPS chip), but not in the form that he needs it (say, as a street address). In this case, the Target asks an external Location Server to translate the information to a street address or position on a map. The Location Server obtains the location from the Location Generator (which is the Target itself), converts the Location Information to the requested form, and sends it back to the Location Recipient (also the Target). Cuellar, Morris, Kanai Geopriv Scenarios 14 Expires in six months Mar 2003 4.2. Overlap of Geopriv Roles (Classif. A-1 through A-9). In many Geopriv scenarios the different entities can overlap. Sometimes a Device is a proxy for a Target, and sometimes the Device is the Target. In some cases, the Rule Maker and the Target are the same individual or entity; in other cases, they are different. If the Target/Device knows his location (through GPS, for example), the Target/Device may also be the Location Generator. If the Target's Device has the capabilities and bandwidth, that Device may serve as the Location Server, or may rely on an external Location Server. The following is an admittedly incomplete breakdown of different overlaps among the Geopriv roles (where LS stands for Location Server, LG for Location Generator, and Sinitiator for Service Initiator): A-1: LS = RM = Target = LG / Viewer = SInitiator A-2: LS = RM = Target / LG / Viewer = Sinitiator A-3: LS / RM = Target = LG = Viewer = SInitiator A-4: LS / RM = Target = LG / Viewer = SInitiator A-5: LS / RM = Target / LG / Viewer = SInitiator A-6: LS / RM / Target / LG / Viewer / SInitiator A-7: LS / RM = Viewer = SInitiator / Target = LG A-8: LS = RM = Target = SInitiator / LG / Viewer A-9: LS = LG / RM = SInitiator / Target = Viewer For instance in group A-1 there are 2 physical entities (one entity is the Location Server, Rule Maker, Target and Location Generator, while the other entity has the roles of Viewer and Service Initiator). In A-5 there are 4 different physical entities (only the Rule Maker and the Target are the same). The A-6 group has different entities playing the 6 roles. Where possible in the use cases and scenarios in Sections 5 and 6 below, the classifications A-1 through A-9 will be given for each use case or scenario. 4.3. Initial Location Computation (Classif. B-1 through B-12) The location computation process contains two steps: 1) obtaining raw data about the Target's location, and 2) deriving or computing the Target's location using this raw data. One example of such a location computation process is signal triangulation. The raw data (Step 1) includes the direction a cell phone is from certain cell towers and where those cell towers are located. Given this information, one can compute the cell phone's location (Step 2). Thus two important questions raised by the initial location computation scenarios are (a) which entity has control over the raw data, and (b) the site of the location computation. On the first question (who has control over the raw data), there are two main Cuellar, Morris, Kanai Geopriv Scenarios 15 Expires in six months Mar 2003 likely answers: the Target's Device or the Target's (wired or wireless) Access Provider (AP). In this framework, if the Target cannot control the dissemination of the raw data (such as with a cell phone that transmits information from a GPS chip to the wireless carrier without regard to the user's preferences), then the correct value would be the AP. For the second question (the site of the initial location computation), there are three main likely answers: the Target's Device, the AP of the Target's Device, or a third party who is neither the Target nor the AP. In considering the use cases and scenarios set out later in this document, it is important to consider which entities have access to the raw data, to ensure that those entities comply with the relevant Privacy Rules. In addition to the two questions raised in this classification, there is value in noting a third question: whether the scenario involves a a Device (and Target) that are mobile or fixed. Although in many (perhaps most) the functioning of the Geopriv Location Object will not depend on whether a scenario if fixed or mobile, in considering the scenarios it is instructive to acknowledge the existence of the fixed scenarios. The three questions and their possible values yield a total of 12 basic scenarios, as illustrated below: mobility - mobility of the Device raw data - who controls or has access to raw location data computation - who performs the location computation AP - Access Provider for the Target's Device Target - the Target or the Target's Device > - direction of raw data flow >> - direction of processed location data flow Cuellar, Morris, Kanai Geopriv Scenarios 16 Expires in six months Mar 2003 [Class] [mobility] [raw data] [computation] B-1 fixed target -->-+-- target ------->> | B-2 fixed +-- AP ----------->> | B-3 fixed +-- third party -->> B-4 fixed AP ------>-+-- target ------->> | B-5 fixed +-- AP ----------->> | B-6 fixed +-- third party -->> B-7 mobile target -->-+-- target ------->> | B-8 mobile +-- AP ----------->> | B-9 mobile +-- third party -->> B-10 mobile AP ------>-+-- target ------->> | B-11 mobile +-- AP ----------->> | B-12 mobile +-- third party -->> In general, classifications B-1 through B-6 could apply in any use case or scenario involving a fixed location, and B-7 through B-12 could apply whenever a mobile location is involved. Thus, these classifications are not useful for distinguishing between different use cases and scenarions. Instead, these classifications are important to consider when assessing the security and privacy of the initial stages of any Geopriv transaction. In designing the Geopriv protocol, it is important that it be effective in all of these cases under this classification scheme. 5. Services From a User Point of View There is a huge diversity of possible location based services that may be offered. This section describes a sample of the possible location services, grouping them into rough and somewhat arbitrary categories. Many of the services listed below will be commercial services offered by network access providers or third parties. Where possible, the most appropriate classification designations from Section 4 above are offered for each use case. In some cases, the classifications offered are not the only possible classification for Cuellar, Morris, Kanai Geopriv Scenarios 17 Expires in six months Mar 2003 the service. 5.1. Network Management and Computer Services Most wireless service providers (which act as the Access Providers in the Geopriv context) already use extensive location based services for internal operations, such as location assisted handover, traffic and coverage measurement, O&M related tasks, network planning, network QoS improvements, improved radio resource management, etc. Assuming that the information is entirely internal within a single network, privacy implications are likely governed by laws or contract, and many of the location services would be outside of the scope of Geopriv. 5.1.1. Location Based Charging or Billing This location based service can be used to charge users (for example, for wireless access) depending on the their location. Different rates may be applied at country clubs, golf courses, or shopping malls. This service may apply also for instance to business groups, which obtain preferential rates within corporate campuses. In many cases, subscribers should be notified of the zone or billing rate currently applicable, and be notified when the rate changes. Depending on implementation, this type of service may or may not come within the scope of Geopriv. This service could arise with either the Push or Pull Models, and most likely in classifications A-1, 2, 4, 5, or 8. 5.1.2. Enhanced Call Routing This service allows user calls to be routed to the closest service client based on the location of the originating and terminating point of the call. The user may for instance dial a feature or service code to invoke the service (*GAS for closest gas station, etc). ECR services may be offered, for example, through menu driven access that allows users to interactively select from a variety of services. If the implementation of the location based aspects of this service is entirely within a single wireless network provider, then this service may not utilize Geopriv. Even within one network, however, Geopriv may offer an effective way to implement this type of service. Similar forms of this service offered by third parties are discussed below. This service could arise with either the Push or Pull Models, and most likely in classification A-8. Cuellar, Morris, Kanai Geopriv Scenarios 18 Expires in six months Mar 2003 5.1.3. Ubiquitous computing applications The determination of access to bandwidth, devices and information sources and sinks can utilize location information. The location can provide information about the devices that are available to the user, which allows determination of what will be an effective means of communicating with him/her. This service could arise with either the Push or Pull Models, and most likely in classification A-8. 5.2. Emergency and Security Services 5.2.1. Emergency Call Services This location based service supplies location information to an emergency service provider to assist them in their response. This service is mandatory in some jurisdictions, for instance in the United States for mobile voice providers (E911 service). This service could arise with either the Push or Pull Models, and conceivably in almost any of the classifications A-1 through A-9. 5.2.2. Emergency Alert and other Public Safety Services Emergency Alert Services are used to notify subscribers within a specific geographic location of emergency alerts, including tornado or flooding warnings, evacuation instructions, police information broadcast, etc. This service could arise with either the Push or Pull Models, and conceivably in almost any of the classifications A-1 through A-9. 5.2.3. Evacuation navigation service In case of an emergency in a hotel, such as fire, the hotel initiates a navigation service to tell its customers about the evacuation routes. Each room has a mobile Device, similar to a PDA, with positioning functionality. A customer leaves his room along with the PDA. The system obtains customer's current location through the PDA and displays the safest evacuation route on it. The hotel is the Service Initiator, and both the Target and Viewer are the Device. This service could arise with either the Push or Pull Models, and most likely in classification A-9. 5.2.4. Location-based services to drivers Assistance for vehicle breakdown (Emergency Roadside Service) and personalized information on traffic conditions. This service may be Cuellar, Morris, Kanai Geopriv Scenarios 19 Expires in six months Mar 2003 used in complement to an enhanced call routing service, which calls the nearest Emergency Roadside Service of a certain type and delivers the location information of the Target to the Roadside Service. This could be used for the purpose of dispatching service agents. This service could arise with either the Push or Pull Models, and most likely in classification A-8. 5.2.5. Tracking services for Security The Rule Maker wants to protect his car with a location provider anti-theft device or to track the position of his children (or a pet). The network may provide the last known location and timestamp. If information is unavailable in real-time, a reason may be provided. This service could arise most likely under the Pull Model, but most probably under scenarios other than classifications A-1 through A-9. 5.3. Resource Management Services 5.3.1. Tracking services for Resource Management This service allows the tracking of location and status of specific service group users. One example is a supervisor in the role of Rule Maker and main Location Recipient who manages a delivery service and needs to know the location and status of employees. The supervisor may also be able to relay messages to the employees or other people involved in the service (for instance, customers). Another example is an enterprise tracking the location of vehicles (cars, trucks, etc.) and use location information to optimize services (Fleet Management). This service could arise most likely under the Pull Model, and most likely in classification A-6. 5.3.2. Package Tracking A delivery company (Rule Maker) launches a service to notify a customer 'C' (Viewer) about a package 'B' (Target) that it is now at the closest hub. The sighting might be triggered by an employee of the delivery company, or by the sender or the receiver of the package. This service could arise with either the Push or Pull Models, and most likely in classification A-6. 5.3.3. Taxi dispatch system - location of the customer Cuellar, Morris, Kanai Geopriv Scenarios 20 Expires in six months Mar 2003 A customer calls a taxi company for a taxi by his cellular. A dispatch operator initiates their taxi dispatch system to find the most appropriate taxi. First, the system obtains customer's current location from a Location Generator (maybe a cellular carrier). Then it searches the closest and available taxi based on location information that he has. When it finds one, it displays a map around the customer to the taxi driver. This service could arise most likely under the Pull Model, and most likely in classifications A-1, 2, 4, or 5. 5.3.4. Taxi dispatch system - location of the taxi After a customer calls a taxi company for a taxi and the dispatch operator already knows his location, it searches the closest and available taxi based on location information. This is an particular example of a Target Information Disclosure Service. This kind of service inputs Location Information and outputs a Target ID (or processed information). In our case the Location Server should have a functionality to obtain a Target ID (a taxi) by using the Location Information of the customer. When it finds a taxi, it displays a map around the customer to the taxi driver Note: the location of the customer is sent or the taxi, but the location of the taxi is sent (by LG) to the Operator, the taxi knows his own location. This service could arise most likely under the Pull Model, and most likely in classifications A-1, 2, 4, 5, or 7. 5.4. Geographic Based Content Services Location based information services allow subscribers to access information for which the information is filtered and tailored based on the location of the requesting user. Subscribers will likely initiate service requests on demand, but such services may be triggered automatically when certain user-set conditions are met. 5.4.1. Navigation The purpose of the navigation application is to provide directions to guide the target to his/her destination. Depending on the context this could be driving or walking directions, traffic update, public transport services, or others. The information may be in the form of plain text, SMS messages, symbols with text information (e.g. distances and turns), voice, or symbols on a map display. For example, a user is driving a car with a navigation Device which can access to the Internet. He initiates an online navigation service from the Device to get the fastest route to his destination. Cuellar, Morris, Kanai Geopriv Scenarios 21 Expires in six months Mar 2003 The online system obtains his location with the Device. Then searches traffic information around him and finds the fastest route. And it shows a direction on his Device. This service could arise most likely under the Translate/Query Model, and most likely in classification A-3. 5.4.2. City Sightseeing City Sightseeing would enable the delivery of location specific information to a tourist. Such information might describe historical sites, providing navigation directions between sites, facilitate finding the nearest museum, bank, airport, bus terminal, restroom facility, etc. This service could arise most likely under the Translate/Query Model, and most likely in classification A-3. 5.4.3. Mobile Yellow Pages Mobile Yellow Pages services provide the user with the address and phone number of the nearest location of a certain type or all locations within a chosen area (e.g. all Chinese restaurants within three kilometers). The information can be provided to the users in text format (e.g. name of the restaurant, address and telephone number) or in graphical format (map showing the location of the user and the restaurants). This service could arise most likely under the Translate/Query Model, and most likely in classification A-3. 5.4.4. Traffic Monitoring Mobiles in automobiles on freeways may be sampled to determine average velocity of vehicles. This service could arise most likely under the Pull Model, and most likely in classifications A-1, 2, 4, or 5. 5.4.5. Traffic jam information This is a particular case of an Area Information Disclosure Service. This service type, a variant of the Target Information Disclosure Services, comprehends services which input Area information, instead of Location, and output a Target ID (or processed information). A traffic information system inputs area information (e.g. location with range) to a Location Server. Then the Location Server returns number of targets which are within the area right now. This service could arise most likely under the Pull Model, but most probably under scenarios other than classifications A-1 through A-9. Cuellar, Morris, Kanai Geopriv Scenarios 22 Expires in six months Mar 2003 5.5. Content Provider-Initiated Information Services Another form of location based information services can transmit information to users based on their location, but at the request or initiation of entities other than the user. Users will likely need to subscribe or opt in to the services (and thus the services are in some ways user initiated). The delivery of such services may be triggered automatically when certain user-set conditions are met. 5.5.1. Location Dependent Content Broadcast The main characteristic of this service category is that the network automatically broadcasts information to terminals in a certain geographical area. The information may be broadcast to all terminals in a given area, or only to members of specific group (perhaps only to members of a specific organization). The user may disable the functionality totally from the terminal or select only the information categories that the user is interested in. An example of such a service may be localized advertising; merchants could broadcast coupons and advertisements to people passing by. This service could arise most likely under the Push Model, but most probably under scenarios other than classifications A-1 through A-9. 5.6. Entertainment and Community Services The services in this subsection could arise with either the Push, Pull, or Translate/Query Models, and conceivably in almost any of the classifications A-1 through A-9. 5.6.1. Mobile Communities or Locate a Person Find friends or share my position with my friends and interact 5.6.2. Gaming Play games based on playersÆ location. 5.6.3. Rendezvous service A user initiates a rendezvous service from his cellular. The system obtains his current location from a Location Generator, maybe a cellular carrier. The system sends his friend an e-mail to describe how to reach him. 6. Scenarios Cuellar, Morris, Kanai Geopriv Scenarios 23 Expires in six months Mar 2003 6.1. Scenario 1 Target Seeks Own Location with GPS Device with Computing Power In this very simple example, the Target wishes to know his/her location using GPS, and has a device that is capable of processing the raw data to determine a useful location. The location is derived as follows: the device receives transmissions from GPS satellites, and internally computes and displays the location. This is a wholly closed system. One Way GPS Satellites | V +---------------------------------------------+ | GPS Device with processing power: | | | | Rule Maker = Target = Location Recipient | | = Viewer | | | +---------------------------------------------+ In this closed system no external entity is granted access to location information. This minimizes the privacy concerns. But, because the device can be lost, stolen or accessed through legal process, questions about data retention and data security remain. What information is stored on the device? For how long? What security protects it? This scenario could arise most likely under the Translate/Query Model, but most probably under scenarios other than classifications A-1 through A-9. 6.2. Scenario 2 Target Seeks Own Location with GPS Device with No Computing Power In this example (an instance of B-8 or B-9), usable Location Information is computed by an outside entity based on GPS data. In this example, the outside entity is NOT the wireless carrier providing network access, but is instead a third party. The location is derived as follows: the Device receives GPS transmissions, and sends (using the wireless carriers network, which acts as a simple Data Transporter) the raw data to a third party Location Server. That server processes the data and sends it back to the Device. The third party Location Server may or may not store the Location Information for later use in accordance with the Privacy Rules set by the Rule Maker. Cuellar, Morris, Kanai Geopriv Scenarios 24 Expires in six months Mar 2003 One Way GPS Satellites | V +--------------------------+ +-----------+ | GPS Device: | 1. Raw GPS Data | Wireless | | | ---------------------> | Carrier: | | Rule Maker = Target = | | | | Location Recipient | | Data | | = Viewer | <--------------------- | Trans- | | | 4. Location Inform. | porter | +--------------------------+ +-----------+ 2. Raw | ^ 3. Data | | Loc. | | Inf. V | +-------------------------------+ | Third Party Service Provider: | | | | Location Server | | | +-------------------------------+ The same concerns raised in Scenario 6.1 (about the security of information contained in the Device) remain. A host of additional concerns are raised, including about the security of information as it passes through the Data Transporter. The most significant additional concerns are about the third party Location Server, including the length of data retention, the ability to reuse and disclose, and the security of any data storage. This scenario could arise most likely under the Translate/Query Model, but most probably under scenarios other than classifications A-1 through A-9. 6.3. Scenario 3 Fleet Owner Seeks Location of Rental Cars with GPS Device In this example (an instance of classification B-9), a rental car company wants to track its vehicles using GPS, solely for purposes of fleet management (and not as a service to the rental customer). The Target is the rental car and the Unintended Target is the driver. The location of the Target (and the Unintended Target as well) is derived as follows: the rental car receives GPS transmissions, and on a regular basis transmits the raw GPS data via a wireless network to a third party Location Server, which in turn determines the Location Information in a useful format and forwards that LI to the car rental company. Cuellar, Morris, Kanai Geopriv Scenarios 25 Expires in six months Mar 2003 One Way GPS Satellites | V +--------------------------+ +-----------+ | GPS Device: | 1. Raw GPS Data | Wireless | | | ---------------------> | Carrier: | | Rental Car = Target | | | | | | Data | | Driver = Unintended | | Trans- | | Target | | porter | +--------------------------+ +-----------+ 2. Raw | Data | | V +-----------------------+ +-----------------------+ | Rental Car Company | 3. Location | Third Party | | | Information | Service Provider: | | Rule Maker = Viewer |<--------------| | | | | Location Server | +-----------------------+ +-----------------------+ All of the same concerns raised in Scenario 6.2 are raised here, plus additional concerns (in particular concerning the threat to the privacy of the Unintended Target, the car rental customer driving the rental car). That threat is reduced (but far from eliminated) if the information transmitted to the third party Location Server does not carry any identifier related to the customer/driver. In general, the threats to the Unintended Target are outside the scope of Geopriv, but the risk to the Unintended Target nevertheless warrants note. This scenario could arise most likely under the Pull Model, and most likely in classification A-6. 6.4. Scenario 4 Target in Fixed Location Purchases Regionally Restricted Content In this example (an instance of classification B-5), the Target has in his or her home a desktop computer continuously connected to the Internet over a wire-line DSL connection. The Target seeks to purchase certain audio or video content from a World Wide Web based content provider. For contractual or legal reasons, the content provider will only sell the content to users located in a particular country or region. The content provider (as the Location Recipient) requests that the Target's Access Provider (the Target's DSL ISP) provide the Target's Location to the content provider. Cuellar, Morris, Kanai Geopriv Scenarios 26 Expires in six months Mar 2003 +------------------------+ +-----------+ | Home Computer: | 1. Content Request | DSL | | | ------------------>| Provider | | Rule Maker = Target | | | | | | Location | | | <----------------- | Server | | | 6. Content | | +------------------------+ +-----------+ | ^ | ^ | | | | | | | | +---------------------+ 2. Content Request | | | | | Content Provider: | <-----------------------/ | | | | | 3. Location Request | | | | Location Recipient | ---------------------------/ | | | Location | 4. Location Information | | | Recipient | <-----------------------------/ | | | 5. Content | | | ---------------------------------/ +---------------------+ This scenario could arise with either the Push or Pull Models, and most likely in classifications A-1, 2, 4, 5, or 8. 6.5. Scenario 5 Third Party Seeks Location of Target with Device with Computing Power and Location Awareness In this case, a mobile node (laptop or handheld) is at the same time is the Target, Rule Maker, Location Server, and Location Generator. The mobile node knows or discovers its own position using a GPS mechanism, a manual input from the user, or a co-located sensor that recognizes the relative position of some active badges or other reference points. An application running in the mobile node delivers its location to some Viewers. A Viewer that wants to know the position of the mobile node sends a Location Requests to the application running on the mobile node. After authenticating the Location Recipient, the application checks which Rule rule matches, translates the location information to the appropriate form and sends back this Filtered Location Information to the Viewer. Cuellar, Morris, Kanai Geopriv Scenarios 27 Expires in six months Mar 2003 +--------------------------+ +-----------+ | Smart Mobile Device: | 2. Location Request | Wireless | | | <--------------------- | Carrier: | | Rule Maker = Target = | | | | Location Generator = | | Data | | Location Server | ---------------------> | Trans- | | | 3. Location Inform. | porter | +--------------------------+ +-----------+ 4. Loc. | ^ 1. Inf. | | Loc. | | Req. V | +-------------------------------+ | Requesting entity: | | | | Location Recipient = | | Viewer | | | +-------------------------------+ Notice that in this case the Rules are only for internal use of the mobile node and as such do not have to be standardized. Only the interface to the Viewers has to be standardized. The Location Recipient, however, must obey the Rule Maker's Privacy Rules, which are either conveyed or referenced in the Location Object This scenario could arise most likely under the Pull Model, and most likely in classifications A-1 or 4. 6.6. Scenario 6 Third Party Seeks Location of Target with Device with Computing Power But No Location Awareness This scenario is very similar to the prior one, but instead of the mobile node discovering his position by himself, it requests its wireless carrier (its Access Provider) to determine the location of the mobile note (the Device), and send it back to the mobile node for service to the Viewer. Cuellar, Morris, Kanai Geopriv Scenarios 28 Expires in six months Mar 2003 +------------------+ +---------------------+ | Mobile Device: | 2. Location Request | Wireless Carrier | | | <--------------------- | | | | 3. Location Request | Data Transporter | | Rule Maker = | ---------------------> | for 1-2, 5-6 | | Target = | 4. Location Inform. | | | Location | <--------------------- | Location Gen. & | | Server | 5. Location Inform. | Server for 3-4 | | | ---------------------> | | +------------------+ +---------------------+ 6. Loc. | ^ 1. Inf. | | Loc. | | Req. V | +-------------------------------+ | Requesting entity: | | | | Location Recipient = | | Viewer | | | +-------------------------------+ Notice that in this scenario no Location Recipient exists, besides the Rule Maker and the Viewers served by the Rule Maker. Thus, the Rule Maker is in full control of its private information. There is a significant privacy concern raised by the uncertainty of how the Rule Maker makes sure that the Location Generator (here, the Access Provider) does not provide location information to other location recipients. Either the AP is aware of the full Rules of the owner, or a default (set by law, contract, or protocol design) prohibits disclosure. A precise requirement should be formulated to guarantee this privacy protection. Another concern is that, depending on the sensing infrastructure and its trusts relationships to the user, authenticating the supplied location information is difficult for the following reasons: o some sensor systems only detect active badges that can be removed from the mobile object they represent. o sensor systems are not equipped with proper keys or key distribution software. This scenario could arise most likely under the Pull Model, and most likely in classifications A-2 or 5. 6.7. Scenario 7 Target with Location Aware Device Using Third Party Location Server to Obtain Location Based Service From a Fourth Party Service Provider Cuellar, Morris, Kanai Geopriv Scenarios 29 Expires in six months Mar 2003 In this case, a mobile node (laptop or handheld) is at the same time is the Target, Rule Maker, Location Server, and Location Generator. The mobile node knows or discovers its own position using a GPS mechanism, a manual input from the user, etc., and periodically sends that location to a third party Location Server with which the Rule Maker has a prior contractual arrangement. The Target sends the Location Server its Privacy Rules in advance. When the Target then seeks a location service, it requests the service from the service provider. The service provider requests the Target's location from the Location Server, and then fills the Target's request for a service. +----------------------+ Periodically Sent +-----------------+ | Mobile Device: | b. Location Inform. | Wireless | | | ---------------------> | Carrier: | | Rule Maker = Target | | | | | 1. Service Request | Data | | | ---------------------> | Transporter | | | 6. Location Service | | | | <--------------------- | | +----------------------+ +-----------------+ | | | | | a. Privacy Rules | | | | (sent external to | | | | and in advance of | | | | location service | | | | transaction) Periodically | | | V Sent Location| | | +--------------------------+ c. Information | | | | Third Party Location | <---------------/ | | | Server: | | | | | | | | Location Server | | | | | | | +--------------------------+ | | ^ | | | 3. Location | | 4. Location | | Request | | Information | | | V | | +---------------------+ | | | Location Service | 2. Service Request | | | Provider | <-----------------------/ | | | | | Location Recipient | 5. Location Service | | = Viewer | ---------------------------/ +---------------------+ This scenario could arise most likely under the Pull Model, but most probably under scenarios other than classifications A-1 through A-9. Cuellar, Morris, Kanai Geopriv Scenarios 30 Expires in six months Mar 2003 6.8. Scenario 8 Target with Non-Aware Device Using Third Party Location Server to Obtain Location Based Service From a Fourth Party Service Provider This final scenario is the same as the prior scenario except that the Target's Device does NOT know its location and must instead have its Location Server ask for its location from the Target's Access Provider: +----------------------+ +-----------------+ | Mobile Device: | | Wireless | | | | Carrier: | | Rule Maker = Target | | Data Transport | | | 1. Service Request | for 1-2,7-8 | | | ---------------------> | Location Gen. | | | 8. Location Service | Server for 4-5 | | | <--------------------- | | +----------------------+ +-----------------+ | ^ | | ^ | a. Privacy Rules | | | | | (sent external to | | | | | and in advance of | | | | | location service | | | | | transaction) | | | | V | | | | +--------------------------+ 4. Loc. Request | | | | | Third Party Location | ----------------/ | | | | Server: | | | | | | 5. Location | | | | Location Server | Information | | | | | <------------------/ | | +--------------------------+ | | ^ | | | 3. Location | | 6. Location | | Request | | Information | | | V | | +---------------------+ | | | Location Service | 2. Service Request | | | Provider | <--------------------------/ | | | | | Location Recipient | 7. Location Service | | = Viewer | ------------------------------/ +---------------------+ Note that the Access Provider also acts as a Location Server to provide the initial Location Sighting to the third party Location Server, which then in turn fills the request for location. This scenario could arise most likely under the Pull Model, but most probably under scenarios other than classifications A-1 through A-9. Cuellar, Morris, Kanai Geopriv Scenarios 31 Expires in six months Mar 2003 7. Implications and Conclusions Critical privacy issues illustrated by the location computation scenarios are who controls the data and how, who computes or derives the location information, and who stores uses and discloses the data. All examples apart from the closed system represented by Scenario 1 present many privacy issues. The more entities involved, the more difficult it is to make sure the Privacy Rules of the Rule Maker are implemented. In cases where there is a pre-existing relationship, technology may not be necessary to transmit Privacy Rules. Instead, the Rule Maker and AP might reach a contractual agreement about privacy. But, the Rule Maker will not always have a contractual relationship with the AP or all involved entities. In some instances the Target will have no choice but to use a single AP. Sometimes "a chain" from the AP to other entities to enforce the Privacy Rules may work. Therefore, technologies that address these issues must be developed. Entities may be constrained by national or local laws regarding how they handle information. For example, in some relevant situations within some countries, "Customer Proprietary Network Information" (CPNI) rules require that telecommunications carriers obtain customer approval before using, disclosing, or permitting access to individually identifiable CPNI. 8. Security Considerations The purpose of the Geopriv Location Object is to allow a Rule- controlled disclosure of location information for location services. The information carried within the Location Object is secured in a way compliant with the privacy and security Rules of the Rule Maker, but other information, carried in other objects or headers are in general not secured in the same way. The scenarios included in this draft can serve to illustrate security concerns that must be addressed by Geopriv. 9. Acknowledgements Important elements of this draft were inspired by a prior scenarios draft by Kenji Takahashi and his colleagues. 10. References [ISO99] ISO99: ISO IS 15408, 1999, http://www.commoncriteria.org/. [OECD] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org. Cuellar, Morris, Kanai Geopriv Scenarios 32 Expires in six months Mar 2003 [Pfi01] Pfitzmann, Andreas; K÷hntopp, Marit: Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology; in: H Federrath (Ed.): Designing Privacy Enhancing Technologies; Proc. Workshop on Design Issues in Anonymity and Unobservability; LNCS 2009; 2001; 1-9. Newer versions available at http://www.koehntopp.de/marit/pub/anon [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997 11. Author's Addresses Jorge R. Cuellar Siemens AG Otto-Hahn Ring 6 81730 Munich Email: jorge.cuellar@mchp.siemens.de Germany John B. Morris, Jr. Director, Internet Standards, Technology & Policy Project Center for Democracy and Technology 1634 I Street NW, Suite 1100 Washington, DC 20006 Email: jmorris@cdt.org USA Tsuyoshi Go Kanai Fujitsu Laboratories, Ltd. 64 Nishiwaki, Okubo-cho, Akashi 674-8555 Email: kanai.go@jp.fujitsu.com Japan 12. Full Copyright Statement Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. Cuellar, Morris, Kanai Geopriv Scenarios 33 Expires in six months Mar 2003 The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Cuellar, Morris, Kanai Geopriv Scenarios 34