Hi Randy,

Thanks for engaging, and I know I presented an "interesting" challenge.

8805 was, of course, an Independent Stream production. So I carry as much responsibility as anyone else for the lack of privacy discussion. But, more significantly, I am entirely responsible for not having noted section 4 of RFC 8805 when I wrote my email - oops.

So perhaps modifying your paragraph to...

   RFC8805 geofeed data may reveal the approximate location of an IP
   address, which might in turn reveal the approximate location of an
   individual user. As noted in section 4 of RFC8805, publishers of
   geolocation feeds are advised to have fully considered any and all
   privacy implications of the disclosure. Further, operators who
   publish geolocation information are strongly encouraged to inform
   affected users/customers of this fact and of the potential
   privacy-related consequences and trade-offs. In publishing pointers
   to geofeed files as described in this document the operator should
   be aware of these privacy concerns and be cautious.

That would just leave me asking whether everyone was happy with the normative reference to a non-IETF RFC. It seems a little odd that the IETF didn't want to publish 8805, but is chipper about publishing this document. But, I'm not bothered by this.

Cheers,
Adrian

-----Original Message-----
From: Randy Bush <ra...@psg.com>
Sent: 01 February 2021 19:28
To: Adrian Farrel <adr...@olddog.co.uk>
Cc: opsawg@ietf.org; opsawg-cha...@ietf.org; draft-ietf-opsawg-finding-geofe...@ietf.org
Subject: Re: WG LC: draft-ietf-opsawg-finding-geofeeds

hey adrian,

> Is it too late to ask for some privacy considerations to be added to
> this document?

it is never too late to ask for privacy. as usual, the problem is how to provide it :)

> My initial thought was that the authors would point me to 8805, but a
> quick look there doesn't show any mention of privacy.

which is unfortunate. the authors have sworn under oath that they considered it. e.g. they told me that this is why postal codes are not in 8805 geofeed files. they described places such as those isles to the west of europe (on which i think you live) postal codes can locate an individual or extremely small group.

> My concern here is that the end-user's geographic locale is being
> exposed to the service provider without the agreement of the end-user,
> and without the end-user even knowing that it is happening.

i think we all share the concern that an end-user's locale might be revealed. and i suspect at least you and i pretty much agree on the core issues. but ...

tl;dr: that is an 8805 problem, water under someone else's bridge

unnecessary and pedantic details:

  o in pretty much all cases i know, the user's locale is known by their service provider. the issue would seem to be the provider's revealing the user's locale to the public, which includes other providers.

  o my understanding is that 8805 was developed specifically to provide a mechanism for the user's provider to publish the user's locale to other providers, with the major goal being content customization.

  o whether we believe that content should be customized by locale, while an interesting discussion, is probably best held in another locale.

  o luckily, the folk who want to customize content by locale seem happy with fairly low resolution.

  o though clearly agencies such as law enforcement and my mother, would love one's precise locale at all times; i do not think they were the intended customer for 8805, and they are definitely not the intended customer for this draft.

> I know that this information has great value for a number of aspects
> of service provision (not least geographic licensing), and I am not
> opposed to its availability. I do object, however, to the concept that
> a user's locale is generally available. A user should have the option
> of not revealing their locale (in the knowledge that this may exclude
> them from accessing some services).

let's remember that even 8805 does not directly reveal the location of users. it reveals low resolution location of ip address spaces. but of course we know ip addresses can be attributed to users.

> Now, I doubt that this document is the right place to fix these
> privacy concerns. But it might be a good place to add a short
> paragraph on the privacy issues raised by using geo feeds.

to paraphrase the immortal words of vince perriello, send text :)

but, as a first idea, how about something such as this in the Geofeed Files section?

   RFC8805 geofeed data may reveal the approximate location of an IP
   address, which might in turn reveal the approximate location of an
   individual user. Unfortunately, RFC8805 provides no privacy
   guidance on avoiding or ameliorating possible damage due to this
   exposure of the user. In publishing pointers to geofeed files as
   described in this document the operator should be aware of this
   exposure in geofeed data and be cautious.

sad to say, i can not think of more useful guidance than caution.

randy