Hi Randy,

Thanks for engaging, and I know I presented an "interesting" challenge.

8805 was, of course, an Independent Stream production. So I carry as much
responsibility as anyone else for the lack of privacy discussion. But, more
significantly, I am entirely responsible for not having noted section 4 of
RFC 8805 when I wrote my email - oops.

So perhaps modifying your paragraph to...

    RFC8805 geofeed data may reveal the approximate location of an IP
    address, which might in turn reveal the approximate location of an
    individual user.  As noted in section 4 of RFC8805, publishers of
    geolocation feeds are advised to have fully considered any and all
    privacy implications of the disclosure.  Further, operators who publish
    geolocation information are strongly encouraged to inform affected
    users/customers of this fact and of the potential privacy-related
    consequences and trade-offs.  In publishing pointers to geofeed files
    as described in this document the operator should be aware of these
    privacy concerns and be cautious.


That would just leave me asking whether everyone was happy with the
normative reference to a non-IETF RFC. It seems a little odd that the IETF
didn't want to publish 8805, but is chipper about publishing this document.
But, I'm not bothered by this.

Cheers,
Adrian

-----Original Message-----
From: Randy Bush <ra...@psg.com> 
Sent: 01 February 2021 19:28
To: Adrian Farrel <adr...@olddog.co.uk>
Cc: opsawg@ietf.org; opsawg-cha...@ietf.org;
draft-ietf-opsawg-finding-geofe...@ietf.org
Subject: Re: WG LC: draft-ietf-opsawg-finding-geofeeds

hey adrian,

> Is it too late to ask for some privacy considerations to be added to
> this document?

it is never too late to ask for privacy.  as usual, the problem is how
to provide it :)

> My initial thought was that the authors would point me to 8805, but a
> quick look there doesn't show any mention of privacy.

which is unfortunate.  the authors have sworn under oath that they
considered it.

e.g. they told me that this is why postal codes are not in 8805 geofeed
files.  they described places such as those isles to the west of europe
(on which i think you live) postal codes can locate an individual or
extremely small group.

> My concern here is that the end-user's geographic locale is being
> exposed to the service provider without the agreement of the end-user,
> and without the end-user even knowing that it is happening.

i think we all share the concern that an end-user's locale might be
revealed.  and i suspect at least you and i pretty much agree on the
core issues.  but ...

tl;dr: that is an 8805 problem, water under someone else's bridge

unnecessary and pedantic details:

  o in pretty much all cases i know, the user's locale is known by their
    service provider.  the issue would seem to be the provider's
    revealing the user's locale to the public, which includes other
    providers.

  o my understanding is that 8805 was developed specifically to provide
    a mechanism for the user's provider to publish the user's locale to
    other providers, with the major goal being content customization.

  o whether we believe that content should be customized by locale,
    while an interesting discussion, is probably best held in another
    locale.

  o luckily, the folk who want to customize content by locale seem happy
    with fairly low resolution.

  o though clearly agencies such as law enforcement and my mother, would
    love one's precise locale at all times; i do not think they were the
    intended customer for 8805, and they are definitely not the intended
    customer for this draft.

> I know that this information has great value for a number of aspects
> of service provision (not least geographic licensing), and I am not
> opposed to its availability. I do object, however, to the concept that
> a user's locale is generally available. A user should have the option
> of not revealing their locale (in the knowledge that this may exclude
> them from accessing some services).

let's remember that even 8805 does not directly reveal the location of
users.  it reveals low resolution location of ip address spaces.  but of
course we know ip addresses can be attributed to users.

> Now, I doubt that this document is the right place to fix these
> privacy concerns. But it might be a good place to add a short
> paragraph on the privacy issues raised by using geo feeds.

to paraphrase the immortal words of vince perriello, send text :)
but, as a first idea, how about something such as this in the Geofeed
Files section?

    RFC8805 geofeed data may reveal the approximate location of an IP
    address, which might in turn reveal the approximate location of an
    individual user.  Unfortunately, RFC8805 provides no privacy
    guidance on avoiding or ameliorating possible damage due to this
    exposure of the user.  In publishing pointers to geofeed files as
    described in this document the operator should be aware of this
    exposure in geofeed data and be cautious.

sad to say, i can not think of more useful guidance than caution.

randy

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
