Geolocation Privacy Hannes Tschofenig International Working Group on Data Protection in Telecommunications Rome, March 2008.


2 Acknowledgements Thanks to Henning Schulzrinne, Jon Peterson, and Richard Barnes for their help with this slide set.

3 The IETF
110+ working groups in 8 areas; security & privacy relevant topics in all these groups
Statistics about ongoing work:
[Figure: the IETF areas (Applications, General, RAI, Internet, Routing, Security, Transport, O & M), with the RAI working groups SIP, SIPPING, AVT, GEOPRIV, SIMPLE, MMUSIC, …]

4 The GEOPRIV Working Group
First BoF on Spatial Location held at 48th IETF (July 2000)
  – IETF community had concerns that privacy was not sufficiently addressed
GEOPRIV WG formed, met for the first time at 50th IETF (August 2001)
  – Strong user privacy mandate in WG charter
  – Location determination methods are out of scope
  – Scope is on protecting the transmission of location information over the public Internet
2008: A number of associated RFCs are already available.
Participation from vendors, operators, standards professionals, policy experts, and academia
Challenging group with interesting individuals that produces a lot of mail.
More information:

5 Privacy Concerns
Location
  – Many entities know your location today
  – In many cases, YOU do not control the systems that determine and store your location
  – Example: NetGeo database (see RFC 1876)
In many cases, location is only one data element in the larger presence context. Distribution of these other attributes also deserves privacy protection.
To understand the work in GEOPRIV, the presence work has to be considered.

6 Overview of Presence
Presence emerged as a component of instant messaging applications
Foremost, provides binary availability data
  – Online or offline?
Closely tied to the concept of a friends list
  – Based on subscription, a persistent relationship
Modern presence systems also provide a disposition towards communication
  – Not just am I online, but am I busy, away, etc.
Capability information
  – What kinds of communication can I accommodate with my endpoint?
Customized responses – context dependent
  – Give different answers to different subscribers

7 Presence in the IETF
Instant Messaging and Presence Protocol (IMPP) Working Group founded in 1999
Originally, hoped to arrive at a single, standard instant messaging and presence protocol
  – Instead, became a massive religious war
  – Surviving proposals today are SIMPLE and XMPP
Eventually, created a toolset for interoperability of instant messaging and presence protocols
  – Assumes a pluralistic environment
Among those tools, defined the “pres:” URI scheme and an XML-based format for presence
  – Presence Information Data Format (PIDF)

8 Basic Presence Model
[Figure: Presentity, Presence Server, Rule Maker and Watcher, with the simplified SIP exchanges (2) XCAP (policy), (3) SUBSCRIBE, (4) PUBLISH (publication), (5) NOTIFY (notification)]

9 Geolocation and Presence
Geopriv
  – Real-time information, changing frequently
  – Requires subscription model
  – Use servers to enforce policy
  – Need to be able to share information selectively
  – Strong authentication & confidentiality model
  – Extensibility (XML) required
Presence
  – Ditto

10 Basic GEOPRIV Architecture
[Figure: Location Generator, Location Server and Location Recipient, connected by publication and notification; the Rule Maker supplies the policy rules to the Location Server]
Shows only the network agents, not the human actors

11 GEOPRIV WG: Objectives
Pick location information XML language
Identify protocols conveying location information
  – Allow push model and subscription model
Select document format for location information
  – Provide strong security measures to protect location information in transit
  – Insert policy directives along with location information
Develop authorization policy language for restricting the distribution of location information
  – Third parties enforce policies on behalf of “rule maker”
  – Motivated by a concern that many producers of geolocation information will not be controlled by end users
  – Rule Maker may be the owner of the target device, or may not

12 GEOPRIV WG: Objectives Pick location information XML language

13 XML Language for Location Information
The IETF did not want to define location information formats
  – Experts on these matters are largely elsewhere (ignoring the work on DHCP geodetic location information…)
Instead, the IETF is focusing on architectures and tools for the secure distribution of location information documents
Defining an envelope to carry any XML-based location information format
  – Popular choice is Geography Markup Language (GML) (from OGC)
  – No suitable standardized format for civic location was available
  – Developed in the Geopriv working group

14 GEOPRIV WG: Objectives
Identify protocols conveying location information
  – Allow push model and subscription model

15 Conveyance Protocols
Once you have a geolocation document, you need a protocol to carry it
Traditional protocols are applicable (like HTTP, etc.)
  – Anything that can carry MIME types works
But a subscription model is ideal
  – Ability to track the location of a resource over time
  – Could use a polling model, but a subscription/notification model was deemed superior
  – Also, one-time fetch is desirable
Most of the work on location conveyance uses SIP. A tiny tutorial can be found at:

16 Example: Vehicle Tracking

17 GEOPRIV WG: Objectives
Select document format for location information
  – Provide strong security measures to protect location information in transit
  – Insert policy directives along with location information

18 PIDF-LO: RFC 4119
Presence Information Data Format (PIDF) is an XML-based format for presence (RFC 3863)
Extends PIDF to accommodate two new elements:
  – Location-Info
    Encapsulates location information
    GML 3.0 schema (mandatory-to-implement)
      – Clarified by draft-ietf-geopriv-pdif-lo-profile
    Supports civic location format (optional-to-implement)
      – Clarified by RFC 5139
  – Usage-rules
    Used to indicate privacy preferences

19 PIDF-LO: RFC 4119
Basic Ruleset = Usage Restriction
MUST always be attached to a PIDF-LO document
Retention expiry (how long are you allowed to keep the object)
Policy for retransmission of location information (Yes/No)
Reference to an external ruleset (optional)
A “note well” of free text, human readable privacy policy
Specified in RFC 4119

20 What’s in a Location Object (LO)?
LO encodes bindings between data elements
Sighting bindings: (ID, Location, Time)
  “An entity with this identifier was at this location at this time”
Rule bindings: (Tuple, Rule)
  “These are the rules for how this sighting should be handled”

21 Sighting Binding
<presence xmlns="urn:ietf:params:xml:ns:pidf" xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10" xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0" 37:46:30N 122:25:10W no T04:57:29Z T20:57:29Z

22 Rule Binding
<presence xmlns="urn:ietf:params:xml:ns:pidf" xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10" xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0" 37:46:30N 122:25:10W no T04:57:29Z T20:57:29Z
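The basic ruleset of slides 19 to 22 in executable form, added here as an example (not code from the slides or from RFC 4119): a Location Server parses the usage-rules of a PIDF-LO and decides whether it may keep or forward the object. The PIDF-LO is constructed for this illustration; its entity, coordinates and dates are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"gp": "urn:ietf:params:xml:ns:pidf:geopriv10"}

# Constructed PIDF-LO laid out like the RFC 4119 example; entity, coordinates
# and dates are invented for this example.
SAMPLE_LO = """<presence xmlns="urn:ietf:params:xml:ns:pidf"
    xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
    xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0"
    entity="pres:target@example.com">
  <tuple id="sg89ae">
    <status>
      <gp:geopriv>
        <gp:location-info>
          <gml:location><gml:Point gml:id="point1" srsName="epsg:4326">
            <gml:coordinates>37:46:30N 122:25:10W</gml:coordinates>
          </gml:Point></gml:location>
        </gp:location-info>
        <gp:usage-rules>
          <gp:retransmission-allowed>no</gp:retransmission-allowed>
          <gp:retention-expiry>2008-03-23T04:57:29Z</gp:retention-expiry>
          <gp:note-well>Use only to complete this session.</gp:note-well>
        </gp:usage-rules>
      </gp:geopriv>
    </status>
    <timestamp>2008-03-22T20:57:29Z</timestamp>
  </tuple>
</presence>"""


def _iso(text):
    # RFC 3339 "Z" suffix spelled out so datetime.fromisoformat accepts it
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_usage_rules(lo_xml):
    """Return the basic ruleset (usage restrictions) carried in a PIDF-LO."""
    rules = ET.fromstring(lo_xml).find(".//gp:usage-rules", NS)
    if rules is None:
        # RFC 4119 requires usage-rules in every LO; treat absence as malformed.
        raise ValueError("PIDF-LO without usage-rules")

    def text(tag):
        el = rules.find("gp:" + tag, NS)
        return el.text.strip() if el is not None and el.text else None
    expiry = text("retention-expiry")
    return {
        "retransmission_allowed": text("retransmission-allowed") == "yes",
        "retention_expiry": _iso(expiry) if expiry else None,
        "ruleset_reference": text("ruleset-reference"),
        "note_well": text("note-well"),
    }


def may_retransmit(lo_xml, now_iso):
    """Permit-only decision: forward the LO at time now_iso only if allowed."""
    rules = parse_usage_rules(lo_xml)
    expiry = rules["retention_expiry"]
    # Conservative choice of this example: no expiry means do not retain.
    if expiry is None or _iso(now_iso) >= expiry:
        return False, "retention period expired; discard the object"
    if not rules["retransmission_allowed"]:
        return False, "retransmission-allowed is no"
    return True, "permitted by usage-rules"
```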

23 Integrity and Authenticity
High-level threat: corruption / falsification of bindings
Sighting bindings
  – Location and time: replay
  – Location and identity: spoofing / swapping
  – Levels of identity: swapping between layers
Rule bindings: removal of rules

24 Confidentiality
Unauthorized disclosure of a location object or parts of a location object
  – Rules can express policy, but not enforce it
Eavesdropping
  – Whole LO or parts of it
Anonymity is selective availability
  – Location, time authorized, but not identity
  – Identity, time, but only rough location

25 GEOPRIV WG: Objectives
Develop authorization policy language for restricting the distribution of location information
  – Third parties enforce policies on behalf of “rule maker”
  – Motivated by a concern that many producers of geolocation information will not be controlled by end users
  – Rule Maker may be the owner of the target device, or may not

26 Authorization for Presence and Location Information
RFC 4745 – Common Policy
RFC – Presence Authorization Policy
draft-ietf-geopriv-policy-14.txt – Geolocation Policy
[Figure: Authorization Framework. Basic Ruleset (carried in the PIDF-LO) and Extended Ruleset (Common Policy, with Geopriv Policy and Presence Policy built on it)]

27 Extended Ruleset: Common Policy
Design goals:
  – Permit only
  – Additive permissions (“Minimal Disclosure”)
  – Upgradeable / extensibility
  – Capability / versioning support
  – No false assurance
  – Efficient implementation (no regular expressions)
  – Protocol-independent
Supports pluralism of contexts
Two usage models:
  – Attached (per value or per reference) to PIDF-LO document
  – Available at the Location/Presence Server
Identity information needs to be instantiated based on the specific conveyance protocol

28 Extended Ruleset: Common Policy
Rule consists of:
  – conditions part
  – actions part
  – transformations part
Conditions:
  – Identity conditions
    Matching one entity
    Matching multiple entities
    Matching any authenticated identity
    Matching any authenticated identity excepting enumerated domains/identities
  – Sphere
  – Validity
No actions & no transformations specified

29 Common Policy Example
T17:00:00+01: T19:00:00+01:00
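An evaluator for the Common Policy rules of slides 27 to 29, added here as an example (not code from the slides or RFC 4745): it applies the identity conditions (one entity; a domain with exceptions) and the validity window, then combines the transformations of every matching rule additively, as the "permit only" design goal requires. The ruleset is constructed, and the ex:precision and ex:note transformations are hypothetical application elements, since Common Policy itself defines none; the sphere condition is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

CP = "{urn:ietf:params:xml:ns:common-policy}"

# Constructed ruleset; ex:precision / ex:note are invented transformations.
RULESET = """<cp:ruleset xmlns:cp="urn:ietf:params:xml:ns:common-policy"
            xmlns:ex="urn:example:permissions">
  <cp:rule id="r1">
    <cp:conditions>
      <cp:identity><cp:one id="sip:alice@example.com"/></cp:identity>
      <cp:validity><cp:from>2008-03-17T17:00:00+01:00</cp:from>
                   <cp:until>2008-03-17T19:00:00+01:00</cp:until></cp:validity>
    </cp:conditions>
    <cp:actions/><cp:transformations><ex:precision>3</ex:precision></cp:transformations>
  </cp:rule>
  <cp:rule id="r2">
    <cp:conditions><cp:identity><cp:many domain="example.com">
      <cp:except id="sip:mallory@example.com"/></cp:many></cp:identity></cp:conditions>
    <cp:actions/><cp:transformations><ex:precision>1</ex:precision>
      <ex:note>true</ex:note></cp:transformations>
  </cp:rule>
</cp:ruleset>"""


def identity_matches(cond, who):
    """RFC 4745 identity condition: <one id>, <many [domain]> with <except>."""
    if cond is None:
        return True        # no identity condition: the rule applies to anyone
    if who is None:
        return False       # only an authenticated identity can match
    dom = who.rsplit("@", 1)[-1]
    if any(one.get("id") == who for one in cond.findall(CP + "one")):
        return True
    for many in cond.findall(CP + "many"):
        if many.get("domain") and many.get("domain") != dom:
            continue
        if any(ex.get("id") == who or ex.get("domain") == dom
               for ex in many.findall(CP + "except")):
            continue       # explicitly excepted identity or domain
        return True
    return False


def validity_matches(cond, now):
    # First <from>/<until> pair only; RFC 4745 allows several per condition.
    if cond is None:
        return True
    return (datetime.fromisoformat(cond.find(CP + "from").text)
            <= now <= datetime.fromisoformat(cond.find(CP + "until").text))


def evaluate(ruleset_xml, who, now_iso):
    """Union of the transformations of all matching rules: booleans OR'd,
    integers maximised, so an extra rule can only grant more (RFC 4745)."""
    now = datetime.fromisoformat(now_iso)
    granted = {}
    for rule in ET.fromstring(ruleset_xml).findall(CP + "rule"):
        conds = rule.find(CP + "conditions")   # assumed present in this example
        if not (identity_matches(conds.find(CP + "identity"), who)
                and validity_matches(conds.find(CP + "validity"), now)):
            continue
        for t in rule.iterfind(CP + "transformations/*"):
            name = t.tag.split("}")[-1]
            value = t.text == "true" if t.text in ("true", "false") else int(t.text)
            granted[name] = max(granted.get(name, value), value)
    return granted
```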

30 Identity Handling
Identity information depends on the selected conveyance protocol.
Specification needs to indicate how the identity fields of Common Policy are populated.
Functionality for identity management and privacy is inherited from the conveyance protocol (e.g., SIP)
Examples in the SIP context:
  – P-Asserted-Identity (RFC 3325)
  – SIP Identity (RFC 4474) / Authenticated Identity Body (RFC 3893)
  – SIP SAML (draft-ietf-sip-saml-03.txt)
  – SIP CERTS (draft-ietf-sip-certs-05.txt)
  – Privacy in SIP: RFC 3323

31 Geopriv Policy
Adds location-based authorization policies to the Common Policy framework
Conditions:
  – IF **I am in the following area** THEN
Transformations:
  – SET usage policies
  – REDUCE granularity of provided location information

32 Policy Example (1/2)
DE Bavaria Munich Perlach Otto-Hahn-Ring 6 <gp:location profile="geodetic-condition"> <gs:Circle srsName="urn:ogc:def:crs:EPSG::4326"> <gs:radius uom="urn:ogc:def:uom:EPSG::9001"> 1500

33 Policy Example (2/2)
false My privacy policy goes in here. false <gp:provide-location profile="civic-transformation"> building <gp:provide-location profile="geodetic-transformation">
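The two Geopriv Policy building blocks of slides 31 to 33, a geodetic condition ("am I inside this circle?") and the granularity-reducing civic and geodetic transformations, as an added example on plain Python values rather than the XML encoding (not code from the slides or from draft-ietf-geopriv-policy). The coordinates and civic address are constructed; which civic elements each policy level reveals is this example's own assumption, not the draft's normative list.

```python
import math

EARTH_RADIUS_M = 6371000.0


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two EPSG:4326 points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_circle(lat, lon, centre_lat, centre_lon, radius_m):
    """Geodetic condition: the rule applies only while the target is inside
    the circle (slide 32 uses a 1500 m radius around a Munich address)."""
    return distance_m(lat, lon, centre_lat, centre_lon) <= radius_m


def coarsen_geodetic(lat, lon, radius_m):
    """Geodetic transformation: reveal only a circle of radius_m that contains
    the target. The point is snapped to a fixed grid whose cells fit inside
    such a circle and the cell centre is reported. A fixed grid, unlike a
    random offset, returns the same answer on every query, so a recipient
    cannot average repeated answers back to the true position."""
    side_deg = math.degrees(radius_m * math.sqrt(2) / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / side_deg) + 0.5) * side_deg
    lon_side = side_deg / max(math.cos(math.radians(lat_c)), 1e-9)
    lon_c = (math.floor(lon / lon_side) + 0.5) * lon_side
    return round(lat_c, 6), round(lon_c, 6), radius_m


# Civic element names are those of RFC 4119 / RFC 5139; the grouping into
# policy levels is assumed for this example.
CIVIC_LEVELS = {
    "country": ["country"],
    "region": ["country", "A1", "A2"],
    "city": ["country", "A1", "A2", "A3", "A4", "A5", "A6"],
    "building": ["country", "A1", "A2", "A3", "A4", "A5", "A6",
                 "PRD", "POD", "STS", "HNO", "HNS", "LMK", "PC"],
}


def coarsen_civic(civic, level):
    """Civic transformation: keep only the elements the policy level reveals;
    'full' passes the whole address through."""
    if level == "full":
        return dict(civic)
    return {k: v for k, v in civic.items() if k in CIVIC_LEVELS[level]}


# Constructed target address, modelled on the slide's Munich example.
SAMPLE_CIVIC = {"country": "DE", "A1": "Bavaria", "A3": "Munich", "A4": "Perlach",
                "STS": "Otto-Hahn-Ring", "HNO": "6", "FLR": "3", "ROOM": "5.12"}
```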

34 Presence Policy
Attributes mostly taken from Rich Presence Extensions to the Presence Information Data Format (RPID)
Conditions
  – Details identity usage for SIP
Actions
  – Subscription handling (block, confirm, allow, polite block)
Transformations
  – Providing access to data component elements (device, person, service)
  – Providing access to presence attributes:
    Provide Activities (e.g., appointment, …)
    Provide Class
    Provide DeviceID
    Provide Mood (e.g., happy, angry, etc.)
    Provide Place-is (e.g., noisy, quiet)
    Provide Place-type (e.g., bus, ship, …; see RFC 4589)
    Provide Privacy (e.g., audio, text, video)
    Provide Relationship (e.g., family, friend)
    Provide Sphere
    Provide Status-Icon
    Provide Time-Offset
    Provide User-Input (e.g., idle)
    Provide Note
    Provide Unknown Attribute
    Provide All Attributes

35 Presence Policy Example
<cr:ruleset xmlns="urn:ietf:params:xml:ns:pres-rules" xmlns:pr="urn:ietf:parmas:xml:ns:pres-rules" xmlns:cr="urn:ietf:params:xml:ns:common-policy"> allow sip mailto true bare <pr:provide-unknown-attribute ns="urn:vendor-specific:foo-namespace" name="foo">true

36 The E2E Story: Recall the Basic Triangle
Principals
  – Location Server (LS)
  – Location Recipient (LR)
  – Rule Holder (RH)
Location Generator (LG) is a special role of a LS: the entity that initially injects the LO into the system.
Viewer is the final consumer of location information.
[Figure: the triangle LS, LR, RH; the LO flows from LS to LR over the dissemination channel, possibly in response to a request, and the RH supplies the rules]

37 The E2E Story: Connecting Triangles
Triangles can be combined to store and forward LOs
Logically forms a distribution tree
  – Branches when one LS provides the same LO to multiple LRs
  – Root = LG, the entity that first determines the location of the target
  – Leaves = LRs, entities that consume location objects
Potentially many rule holders along this path
  – Target will usually be one of the rule holders
  – LG will usually be one of the rule holders
[Figure: a chain of triangles from the LG to the Viewer; the LR of each triangle acts as the LS of the next, each with its own RH]

38 The E2E Story: Assurances about the Tree
Critical parts of LO are unchanged
End-to-end privacy policy communication and enforcement
  – Rules are communicated down the tree by the RH adding them to the LO
[Figure: the same chain of triangles from the LG to the Viewer]

39 Example Scenario (1)
(1) Endpoint discovers LIS
(2) Endpoint acquires LO reference (referred to as ID(LO))
LIS Discovery = Dissemination Channel
LIS = instance of LG
Endpoint = LR
[Figure: End Point, LIS Discovery, LIS and LR, with ID(LIS), ID(LO) and Rules exchanged; steps (1) and (2)]

40 Example Scenario (2)
(3) Endpoint sends reference to LR
(4) Endpoint sends rules to LIS
(5) LR dereferences reference
Endpoint = RM
LIS = LS
LR = LR
[Figure: End Point, LIS Discovery, LIS and LR, with ID(LIS), ID(LO), Rules and the LO exchanged; steps (1) to (5)]

41 Relevant IETF Work
Creating, modifying and deleting XML documents:
  – XCAP / WebDAV
Presence server performance
  – Partial notifications / event throttling / event filters
Session (dependent/independent) policies
Mechanisms to obtain location information
Discovering features of a Presence/Location Server
Refinement and extensions of location formats

42 Not Accomplished in GEOPRIV
Policy indication/negotiation in the style of P3P
Usage restriction policy usage beyond location information
Getting other SDOs to re-use usage restriction policies
Extensions beyond presence (such as generic web services)
[Figure: a Watcher tells the Presence Server “Please give me access to your information. Here is my privacy policy!” and the Presence Server answers “OK. Based on your privacy policy you get access to X.”]

43 Challenge: User Interface
More work is necessary to develop user-friendly interfaces. Particularly important since authorization policies are an integral part of the solution.
A lot of today’s communication is still done without any policy handling.
Paradigm change, since we now see the user in the role of changing the privacy policies (“user control and consent”).

44 Outlook
Increased usage of PUB/SUB and richer presence usage expected
As deployment increases, the problems with data retention and privacy will increase too
GEOPRIV architecture is unique among the standardization solutions.
More implementation work is needed to determine better and extended policy handling
Advertisement: a related area of interest is the prevention of unwanted traffic. Identity management and authorization policies play an important role in this work as well. It will borrow a lot from the GEOPRIV concept. See