1. CFP 2005 (Seattle) -- April 2005 Location-based services – an IETF perspective Henning Schulzrinne (+ Xiaotao Wu, Ron Shacham) Dept. of Computer Science Columbia University

2. CFP 2005 (Seattle) -- April 2005 Overview Taxonomy of location-based services transition custom  Internet-based Privacy concerns Privacy mechanisms location object rules privacy rules and filters

3. CFP 2005 (Seattle) -- April 2005 Context context = “the interrelated conditions in which something exists or occurs” anything known about the participants in the (potential) communication relationship both at caller and callee timeCPL capabilitiescaller preferences locationlocation-based call routing location events activity/availabilitypresence sensor data (mood, bio)not yet, but similar in many aspects to location data

4. CFP 2005 (Seattle) -- April 2005 Location information geospatial longitude, latitude, altitude civic time zone, country, city, street, room, … descriptive type of location “hotel”, “airport” properties of location privacy (“no audio privacy”) suitability for different communication media

5. CFP 2005 (Seattle) -- April 2005 Who or what is being tracked? Objects containers, hospital equipment Vehicles flight tracker, bus & subway  aggregate person tracking Persons as individual: “Nurse Jane is in room 356” as function: “some officer is on 5 th & Main”

6. CFP 2005 (Seattle) -- April 2005 Location information in protocols Call routing based on location emergency calls AAA tow truck pizza delivery 311 (local government) Presence (“buddy lists”) and event notification control incoming calls (“don’t ring phone if in movie theater or giving lecture”) fleet management family management “mom stuck in traffic”

7. CFP 2005 (Seattle) -- April 2005 Semi-voluntary location tracking Indoor medical equipment, nurses & doctors in hospital nursing home patients Outdoor 911 callers parolees children (in malls & amusement parks) cell phones with location-specific advertisement

8. CFP 2005 (Seattle) -- April 2005 Location determination End system based  end system measures and conveys location GPS (outdoors) A-GPS (indoors + outdoors) Bluetooth or 802.11 beacon Network-based limited user control disable only by turning off device NE measures location (e.g., TOA) Ethernet switch knows port user is connected to 802.11 access point

9. CFP 2005 (Seattle) -- April 2005 Location recipients Personally known to target family, company Known as function AAA, PizzaHut, 911 PSAP, … Unknown to target cell phone company surveillance tracking by car rental company LoJack

10. CFP 2005 (Seattle) -- April 2005 Privacy concerns Location only no identification of individual location + correlator MAC address 01-02-03-04-05-06 has visited these hotspots today may be able to correlate to identity (hotel room) location + personal identity

11. CFP 2005 (Seattle) -- April 2005 Granular privacy controls Mechanically enforceable vs. indications “show Bob only the country I’m in” vs. “dear recipient, do not distribute this information” Typically need to trust third party (service provider, server) Make it easy for target to determine who gets what type of information but limit rule complexity make rules portable across providers automatically derive rules from other information “allow those in my address book to see my time zone”

12. CFP 2005 (Seattle) -- April 2005 Challenges May be willing to divulge single location object, but not trajectory “I’ll be at your location in 30 minutes” set of points  “traveling 10 mph above speed limit” May be willing to divulge reduced- accuracy location “I’m in the PDT time zone” (so don’t call me before 10 am EDT)

13. CFP 2005 (Seattle) -- April 2005 GEOPRIV and SIMPLE architectures target location server location recipient rule maker presentity caller presence agent watcher callee GEOPRIV SIP presence SIP call PUBLISH NOTIFY SUBSCRIBE INVITE publication interface notification interface XCAP (rules) INVITE DHCP

14. CFP 2005 (Seattle) -- April 2005 Privacy All presence data, particularly location, is highly sensitive Basic location object (PIDF-LO) describes distribution (binary) retention duration Policy rules for more detailed access control who can subscribe to my presence who can see what when <gml:Point gml:id="point1“ srsName="epsg:4326"> 37:46:30N 122:25:10W no 2003-06-23T04:57:29Z 2003-06-22T20:57:29Z

15. CFP 2005 (Seattle) -- April 2005 Privacy policy relationships geopriv-specificpresence-specific common policy RPIDCIPID future

16. CFP 2005 (Seattle) -- April 2005 Privacy rules Conditions identity, sphere time of day current location identity as or + Actions watcher confirmation Transformations include information reduced accuracy User gets maximum of permissions across all matching rules privacy-safe composition: removal of a rule can only reduce privileges Extendable to new presence data rich presence biological sensors mood sensors

17. CFP 2005 (Seattle) -- April 2005 Example rules document user@example.com allow sip mailto true bare

18. CFP 2005 (Seattle) -- April 2005 Creating and manipulating rules Uploaded in whole or part via XCAP XML not user-visible Web or application UI, similar to mail filtering Can also be location-dependent “if at home, colleagues don’t get presence information” Possibly implementation-defined “privacy levels”

19. CFP 2005 (Seattle) -- April 2005 Conclusion Wide variety of location-based services emerging Both closed (long-term) user groups, incidental and “public” Need user-understandable rule sets as well as legal clarity