Presentation is loading. Please wait.

Presentation is loading. Please wait.

Geolocation Privacy Hannes Tschofenig International Working Group on Data Protection in Telecommunications Rome, March 2008.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Geolocation Privacy Hannes Tschofenig International Working Group on Data Protection in Telecommunications Rome, March 2008."— Presentation transcript:

1 Geolocation Privacy Hannes Tschofenig International Working Group on Data Protection in Telecommunications Rome, March 2008

2 2 Acknowledgements Thanks to Henning Schulzrinne, Jon Peterson, and Richard Barnes for their help with this slide set.

3 3 The IETF 110+ working groups in 8 areas; security & privacy relevant topics in all these groups Statistics about ongoing work: http://www.arkko.com/tools/docstats.htmlhttp://www.arkko.com/tools/docstats.html Applications Area General Area RAI Area Internet Area Routing Area Security Area Transport Area SIP SIPPING AVTGEOPRIV RAI SIMPLEMMUSIC … O & M Area

4 4 The GEOPRIV Working Group First BoF on Spatial Location held at 48 th IETF (July 2000) –IETF community had concerns that privacy was not sufficiently addressed GEOPRIV WG formed, met for the first time at 50 th IETF (August 2001) –Strong user privacy mandate in WG charter –Location determination methods are out of scope –Scope is on protecting the transmission of location information over the public Internet 2008: A number of RFCs associated already available. Participation from vendors, operators, standards professionals, policy experts, and academia Challenging group with interesting individuals that produces a lot of mails. More information: http://www.ietf.org/html.charters/geopriv-charter.html http://www.ietf.org/html.charters/geopriv-charter.html

5 5 Privacy Concerns Location –Many entities know your location today –In many cases, YOU do not control the systems that determines and stores your location –Example: NetGeo database (see RFC 1876) In many cases, location is only one data element in the larger presence context. Distribution of these other attributes also deserves privacy protection. To understand the work in GEOPRIV the presence work has to be considered.

6 6 Overview of Presence Presence emerged as a component of instant messaging applications Foremost, provides binary availability data –Online or offline? Closely tied to the concept of a friends list –Based on subscription, a persistent relationship Modern presence systems also provide a disposition towards communication –Not just am I online, but am I busy, away, etc Capability information –What kinds of communication can I accommodate with my endpoint? Customized responses – context dependent –Give different answers to different subscribers

7 7 Presence in the IETF Instant Messaging and Presence Protocol (IMPP) Working Group founded in 1999 Originally, hoped to arrive at a single, standard instant messaging and presence protocol –Instead, became a massive religious war –Surviving proposals today are SIMPLE and XMPP Eventually, created a toolset for interoperability of instant messaging and presence protocols –Assumes an pluralistic environment Among those tools, defined the “pres:” URI scheme and an XML-based format for presence –Presence Information Data Format (PIDF)

8 8 Basic Presence Model Presence Server Rule Maker Watcher (4) PUBLISH (5) NOTIFY (2) XCAP Simplified SIP exchanges (3) SUBSCRIBE Publication Notification Policy Presentity

9 9 Geolocation and Presence Geopriv –Real-time information, changing frequently –Requires subscription model –Use servers to enforce policy –Need to be able to share information selectively –Strong authentication & confidentiality model –Extensibility (XML) required Presence –Ditto

10 10 Basic GEOPRIV Architecture Location Server Location Generator Rule Maker Location Recipient PublicationNotification Shows only the network agents, not the human actors Policy Rules

11 11 GEOPRIV WG: Objectives Pick location information XML language Identify protocols conveying location information –Allow push model and subscription model Select document format for location information –Provide strong security measures to protect location information in transit –Insert policy directives along with location information Develop authorization policy language for restricting the distribution of location information –Third parties enforce policies on behalf of “rule maker” –Motivated by a concern that many producers of geolocation information will not be controlled by end users –Rule Maker may be the owner of the target device, or may not

12 12 GEOPRIV WG: Objectives Pick location information XML language

13 13 XML Language for Location Information The IETF did not want to define location information formats –Experts on these matters are largely elsewhere (Ignoring the work on DHCP geodetic location information…) Instead, the IETF is focusing on architectures and tools for the secure distribution of location information documents Defining an envelope to carry any XML-based location information format –Popular choice is Geographic Markup Language (GML) (from OCG) –http://www.opengeospatial.org/http://www.opengeospatial.org/ No suitable standardized format for civic location was available –Developed in Geopriv working group

14 14 GEOPRIV WG: Objectives Identify protocols conveying location information –Allow push model and subscription model

15 15 Conveyance Protocols Once you have a geolocation document, you need a protocol to carry it Traditional protocols are applicable (like HTTP, etc) –Anything that can carry MIME types works But a subscription model is ideal –Ability to track the location of a resource over time –Could use a polling model, but a subscription/notification model was deemed superior –Also, one-time fetch is desirable Most of the work on location conveyance using SIP: http://tools.ietf.org/html/draft-ietf-sip-location-conveyance-10 http://tools.ietf.org/html/draft-ietf-sip-location-conveyance-10 A tiny tutorial can be found at: http://www.shingou.info/twiki/pub/EmergencyServices/EswAgenda2007/IETF-Emergency-Services-Tutorial.ppt

16 16 Example: Vehicle Tracking http://transport.wspgroup.fi/hklkartta/

17 17 GEOPRIV WG: Objectives Select document format for location information –Provide strong security measures to protect location information in transit –Insert policy directives along with location information

18 18 PIDF-LO: RFC 4119 Presence Information Data Format (PIDF) is an XML-based format for presence (RFC 3863) Extends PIDF to accommodate two new elements: –Location-Info Encapsulates location information GML 3.0 schema (mandatory-to-implement) –Clarified by draft-ietf-geopriv-pdif-lo-profile Supports civic location format (optional-to-implement) –Clarified by RFC 5139 –Usage-rules Used to indicate privacy preferences

19 19 PIDF-LO: RFC 4119 Basic Ruleset = Usage Restriction MUST always be attached to a PIDF-LO document Retention expires (how long are you allowed to keep the object) Policy for retransmission of location information (Yes/No) Reference to an external ruleset (optional) A “note well” of free text, human readable privacy policy Specified in RFC 4119

20 20 What’s in an Location Object (LO)? LO encodes bindings between data elements Sighting bindings: (ID, Location, Time) “An entity with this identifier was at this location at this time” Rule bindings: (Tuple, Rule) “These are the rules for how this sighting should be handled”

21 21 Sighting Binding <presence xmlns="urn:ietf:params:xml:ns:pidf" xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10" xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0" entity="pres:meaningless-F32AC8D@example.com"> 37:46:30N 122:25:10W no 2003-06-23T04:57:29Z sip:geotarget@example.com 2003-06-22T20:57:29Z

22 22 Rule Binding <presence xmlns="urn:ietf:params:xml:ns:pidf" xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10" xmlns:gml="urn:opengis:specification:gml:schema-xsd:feature:v3.0" entity="pres:meaningless-F32AC8D@example.com"> 37:46:30N 122:25:10W no 2003-06-23T04:57:29Z sip:geotarget@example.com 2003-06-22T20:57:29Z

23 23 Integrity and authenticity High-level Threat: Corruption / falsification of bindings Sighting bindings –Location and time: Replay –Location and identity: Spoofing / swapping –Levels of identity: Swapping between layers Rule bindings: Removal of rules

24 24 Confidentiality Unauthorized disclosure of a location object or parts of a location object –Rules can express policy, but not enforce Eavesdropping –Whole LO or parts of it Anonymity is selective availability –Location, time authorized, but not identity –Identity, time, but only rough location

25 25 GEOPRIV WG: Objectives Develop authorization policy language for restricting the distribution of location information –Third parties enforce policies on behalf of “rule maker” –Motivated by a concern that many producers of geolocation information will not be controlled by end users –Rule Maker may be the owner of the target device, or may not

26 26 Authorization for Presence and Location Information RFC 4745 – Common Policy RFC 5020 -- Presence Authorization Policy draft-ietf-geopriv-policy-14.txt – Geolocation Policy Authorization Framework Basic Ruleset Extended Ruleset Common Policy Geopriv Policy PIDF-LO Presence Policy

27 27 Extended Ruleset Common Policy Design Goals: –Permit only –Additive permissions (“Minimal Disclosure”) –Upgradeable/Extensibility –Capability/Versioning support –No false assurance –Efficient implementation (no regular expressions) –Protocol-independent Supports pluralism of contexts Two Usage Models: –Attached (per-value or per-reference) to PIDF-LO document –Available at the Location/Presence Server Identity information needs to be instantiated based on the specific conveyance protocol

28 28 Extended Ruleset Common Policy Rule consists of: –conditions part –actions parts –transformations part Conditions: –Identity Conditions Matching One Entity Matching Multiple Entities Matching Any Authenticated Identity Matching Any Authenticated Identity Excepting Enumerated Domains/Identities –Sphere –Validity No actions & no transformations specified

29 29 Common Policy Example 2003-12-24T17:00:00+01:00 2003-12-24T19:00:00+01:00

30 30 Identity Handling Identity information depends on the selected conveyance protocol. Specification needs to indicate how the identity fields of Common Policy are populated. Functionality about identity management and privacy inherited from conveyance protocol (e.g., SIP) Examples in the SIP context: –P-Asserted ID (RFC 3325) –SIP Identity (RFC 4474) / Authenticated Identity Body (RFC 3893) –SIP SAML (draft-ietf-sip-saml-03.txt) –SIP CERTS (draft-ietf-sip-certs-05.txt) –Privacy in SIP: RFC 3323

31 31 Geopriv Policy Adds location-based authorization policies to the Common Policy framework Conditions: –IF **I am in the following area** THEN Transformations: –SET usage policies –REDUCE granularity of provided location information

32 32 Policy Example (1/2) DE Bavaria Munich Perlach Otto-Hahn-Ring 6 <gp:location profile="geodetic-condition"> <gs:Circle srsName="urn:ogc:def:crs:EPSG::4326"> -34.410649 150.87651 <gs:radius uom="urn:ogc:def:uom:EPSG::9001"> 1500

33 33 Policy Example (/2) false 86400 My privacy policy goes in here. false <gp:provide-location profile="civic-transformation"> building <gp:provide-location profile="geodetic-transformation">

34 34 Presence Policy Attributes mostly taken from Rich Presence Extensions to the Presence Information Data Format (RPID) Conditions –Details identity usage for SIP Actions –Subscription Handling (block, confirm, allow, polite block) Transformations –Providing Access to Data Component Elements (device, person, service) –Providing Access to Presence Attributes Provide Activities (e.g., appointment>,,,,,,,,, or ) Provide Class Provide DeviceID Provide Mood (e.g., happy, angry, etc.) Provide Place-is (e.g., noisy, quiet) Provide Place-type (e.g., bus, ship,..... RFC 4589) Provide Privacy (e.g., audio, text, video) Provide Relationship (e.g., family, friend) Provide Sphere Provide Status-Icon Provide Time-Offset Provide User-Input (e.g., idle) Provide Note Provide Unknown Attribute Provide All Attributes

35 35 Presence Policy Example <cr:ruleset xmlns="urn:ietf:params:xml:ns:pres-rules" xmlns:pr="urn:ietf:parmas:xml:ns:pres-rules" xmlns:cr="urn:ietf:params:xml:ns:common-policy"> allow sip mailto true bare <pr:provide-unknown-attribute ns="urn:vendor-specific:foo-namespace" name="foo">true

36 36 The E2E Story Recall the Basic Triangle Principals –Location ServerLS –Location RecipientLR –Rule HolderRH Location Generator (LG) is a special role of a LS. Entity that initially injects LO into the system. Viewer is the final consumer of location information. LSLR RH LO Dissemination Channel Rules [Request]

37 37 The E2E Story Connecting Triangles Triangles can be combined to store and forward LOs Logically forms a distribution tree –Branches when one LS provides same LO to multiple LRs –Root=LG, the entity that first determines the location of the target –Leaves=LRs, entities that consume location objects Potentially many rule holders along this path –Target will usually be one of the rule holders –LG will usually be one of the rule holders LRLH RH LRLH RH LRLH RH `LRLH RH LG Viewer LSLRLSLRLSLRLSLR

38 38 The E2E Story Assurances about the tree Critical parts of LO are unchanged End-to-end privacy policy communication and enforcement –Rules are communicated down the tree by RH adding them to LO LRLH RH LRLH RH LRLH RH `LRLH RH LG Viewer LSLRLSLRLSLRLSLR

39 39 Example Scenario (1) Endpoint discovers LIS Endpoint acquires LO reference (referred as ID(LO)) LIS Discovery = Dissemination Channel LIS = instance of LG Endpoint = LR LIS Discovery LIS End Point ID(LO) ID(LIS) Rules LR ID(LIS), ID(LO) (1) (2)

40 40 Endpoint sends reference to LR Endpoint sends rules to LIS LR dereferences reference Endpoint = RM LIS = LS LR = LR LIS Discovery LIS End Point ID(LO) ID(LIS) Rules LR ID(LIS), ID(LO) Example Scenario (2) (3) (4) (5) LO (1) (2)

41 41 Relevant IETF Work Creating, Modifying and Deleting XML Documents: –XCAP / WebDav http://www.jdrosen.net/papers/xcap-tutorial.ppt http://www.jdrosen.net/papers/xcap-tutorial.ppt Presence Server Performance –Partial Notifications / Event Throttling / Event Filters Session (dependent/independent) policies Mechanisms to obtain location information Discovering features of a Presence/Location Server Refinement and extensions of location formats

42 42 Not Accomplished in GEOPRIV Policy indication/negotiation in the style of P3P Usage restriction policy usage beyond location information. Make other SDOs to re-use usage restriction policies. Extensions beyond presence (such as generic web services) Presence Server Watcher OK. Based on your privacy policy you get access to X. Please give me access to your information. Here is my privacy policy!

43 43 Challenge: User Interface More work is necessary to develop user-friendly interfaces. Particularly important since authorization policies are an integral part of the solution A lot of today’s communication is still done without any policy handling. Paradigm change since we see user in the role of changing the privacy policies (“user control and consent”).

44 44 Outlook Increased usage of PUB/SUB usage and richer presence usage expected As deployment increases the problems with data retention and privacy will increase too GEOPRIV architecture unique among the standardization solutions. More implementation work is needed to determine better and extended policy handling Advertisement: Related area of interest is prevention of unwanted traffic. Identity management and authorization policies play an important role in this work as well. Will borrow a lot from the GEOPRIV concept. See http://www.shingou.info/bof-rucus.htmlhttp://www.shingou.info/bof-rucus.html

Download ppt "Geolocation Privacy Hannes Tschofenig International Working Group on Data Protection in Telecommunications Rome, March 2008."

Similar presentations

SIP, Presence and Instant Messaging

SIP, Presence and Instant Messaging
Presence and IM as SIP Services Jonathan Rosenberg Chief Scientist.

Presence and IM as SIP Services Jonathan Rosenberg Chief Scientist.
SIP and Instant Messaging. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.
www.dynamicsoft.com Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.

Fall IM 2000 Introduction to SIP Jonathan Rosenberg Chief Scientist.
www.dynamicsoft.com VON Europe 2000 -- 06/19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.
www.dynamicsoft.com Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.
XCAP Tutorial Jonathan Rosenberg.

XCAP Tutorial Jonathan Rosenberg.
Yunling Wang VoIP Security COMS 4995 Nov 24, 2008 XCAP The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)

Yunling Wang VoIP Security COMS 4995 Nov 24, 2008 XCAP The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Origins of ECRIT IETF has been working on location since 2000 –Spatial BoF, eventually GEOPRIV chartered in 2001 GEOPRIV provides location information.

Origins of ECRIT IETF has been working on location since 2000 –Spatial BoF, eventually GEOPRIV chartered in 2001 GEOPRIV provides location information.
Using Presence Information to Develop Converged Telecom Services Standards and Challenges Parijat Garg Computer Science, IIT Bombay.

Using Presence Information to Develop Converged Telecom Services Standards and Challenges Parijat Garg Computer Science, IIT Bombay.
Sharmistha Chatterjee 82349D 82349D Helsinki University of Technology Instant Messaging and Presence with SIP.

Sharmistha Chatterjee 82349D 82349D Helsinki University of Technology Instant Messaging and Presence with SIP.
Requirements for Resource Priority Mechanisms for the Session Initiation Protocol draft-ietf-ieprep-sip-reqs-01 Henning Schulzrinne Columbia University.

Requirements for Resource Priority Mechanisms for the Session Initiation Protocol draft-ietf-ieprep-sip-reqs-01 Henning Schulzrinne Columbia University.
Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.

Identity, Spheres and Privacy Rules Henning Schulzrinne (with Hannes Tschofenig and Richard Barnes) Workshop on Identity, Information and Context October.
Presence Vishal Kumar Singh and Henning Schulzrinne Feb 10, 2006.

Presence Vishal Kumar Singh and Henning Schulzrinne Feb 10, 2006.
CFP 2005 (Seattle) -- April 2005 Location-based services – an IETF perspective Henning Schulzrinne (+ Xiaotao Wu, Ron Shacham) Dept. of Computer Science.

CFP 2005 (Seattle) -- April 2005 Location-based services – an IETF perspective Henning Schulzrinne (+ Xiaotao Wu, Ron Shacham) Dept. of Computer Science.
Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
4 August 2005draft-burger-simple-imdn-011 Instant Message Delivery Notification (IMDN) for Presence and Instant Messaging (CPIM) Messages draft-burger-simple-imdn-01.

4 August 2005draft-burger-simple-imdn-011 Instant Message Delivery Notification (IMDN) for Presence and Instant Messaging (CPIM) Messages draft-burger-simple-imdn-01.

Similar presentations

Ads by Google