Geolocation Privacy

Embed Size (px)

DESCRIPTION

Geolocation Privacy. Hannes Tschofenig. International Working Group on Data Protection in Telecommunications Rome, March 2008. Acknowledgements. Thanks to Henning Schulzrinne, Jon Peterson, and Richard Barnes for their help with this slide set. The IETF. - PowerPoint PPT Presentation

Text of Geolocation Privacy

  • Geolocation Privacy

    Hannes TschofenigInternational Working Group on Data Protection in TelecommunicationsRome, March 2008

  • AcknowledgementsThanks to Henning Schulzrinne, Jon Peterson, and Richard Barnes for their help with this slide set.

  • The IETF110+ working groups in 8 areas; security & privacy relevant topics in all these groupsStatistics about ongoing work: http://www.arkko.com/tools/docstats.html

    Applications AreaGeneral AreaRAI AreaInternetAreaRoutingAreaSecurityAreaTransportAreaSIPSIPPINGAVTGEOPRIVRAISIMPLEMMUSICO & M Area

  • The GEOPRIV Working GroupFirst BoF on Spatial Location held at 48th IETF (July 2000)IETF community had concerns that privacy was not sufficiently addressedGEOPRIV WG formed, met for the first time at 50th IETF (August 2001)Strong user privacy mandate in WG charterLocation determination methods are out of scopeScope is on protecting the transmission of location information over the public Internet2008: A number of RFCs associated already available.Participation from vendors, operators, standards professionals, policy experts, and academiaChallenging group with interesting individuals that produces a lot of mails.More information: http://www.ietf.org/html.charters/geopriv-charter.html

  • Privacy ConcernsLocationMany entities know your location todayIn many cases, YOU do not control the systems that determines and stores your locationExample: NetGeo database (see RFC 1876) In many cases, location is only one data element in the larger presence context. Distribution of these other attributes also deserves privacy protection.To understand the work in GEOPRIV the presence work has to be considered.

  • Overview of PresencePresence emerged as a component of instant messaging applicationsForemost, provides binary availability dataOnline or offline?Closely tied to the concept of a friends listBased on subscription, a persistent relationshipModern presence systems also provide a disposition towards communicationNot just am I online, but am I busy, away, etcCapability informationWhat kinds of communication can I accommodate with my endpoint?Customized responses context dependentGive different answers to different subscribers

  • Presence in the IETFInstant Messaging and Presence Protocol (IMPP) Working Group founded in 1999Originally, hoped to arrive at a single, standard instant messaging and presence protocolInstead, became a massive religious warSurviving proposals today are SIMPLE and XMPPEventually, created a toolset for interoperability of instant messaging and presence protocolsAssumes an pluralistic environmentAmong those tools, defined the pres: URI scheme and an XML-based format for presencePresence Information Data Format (PIDF)

  • Basic Presence Model PresenceServerRule MakerWatcher(4) PUBLISH(5) NOTIFY(2) XCAPSimplified SIPexchanges(3) SUBSCRIBEPublicationNotificationPolicyPresentity

  • Geolocation and PresenceGeoprivReal-time information, changing frequently

    Requires subscription model

    Use servers to enforce policy

    Need to be able to share information selectively

    Strong authentication & confidentiality model

    Extensibility (XML) requiredPresenceDitto

    Ditto

    Ditto

    Ditto

    Ditto

    Ditto

  • Basic GEOPRIV ArchitectureLocationServerLocationGeneratorRuleMakerLocationRecipientPublicationNotificationShows only the networkagents, not the human actorsPolicyRules

  • GEOPRIV WG: ObjectivesPick location information XML languageIdentify protocols conveying location informationAllow push model and subscription modelSelect document format for location informationProvide strong security measures to protect location information in transitInsert policy directives along with location informationDevelop authorization policy language for restricting the distribution of location informationThird parties enforce policies on behalf of rule makerMotivated by a concern that many producers of geolocation information will not be controlled by end usersRule Maker may be the owner of the target device, or may not

  • GEOPRIV WG: ObjectivesPick location information XML language

  • XML Language for Location InformationThe IETF did not want to define location information formatsExperts on these matters are largely elsewhere(Ignoring the work on DHCP geodetic location information)Instead, the IETF is focusing on architectures and tools for the secure distribution of location information documentsDefining an envelope to carry any XML-based location information formatPopular choice is Geographic Markup Language (GML) (from OCG)http://www.opengeospatial.org/No suitable standardized format for civic location was availableDeveloped in Geopriv working group

  • GEOPRIV WG: Objectives

    Identify protocols conveying location informationAllow push model and subscription model

  • Conveyance ProtocolsOnce you have a geolocation document, you need a protocol to carry itTraditional protocols are applicable (like HTTP, etc)Anything that can carry MIME types worksBut a subscription model is idealAbility to track the location of a resource over timeCould use a polling model, but a subscription/notification model was deemed superiorAlso, one-time fetch is desirableMost of the work on location conveyance using SIP: http://tools.ietf.org/html/draft-ietf-sip-location-conveyance-10A tiny tutorial can be found at: http://www.shingou.info/twiki/pub/EmergencyServices/EswAgenda2007/IETF-Emergency-Services-Tutorial.ppt

  • Example: Vehicle Trackinghttp://transport.wspgroup.fi/hklkartta/

  • GEOPRIV WG: Objectives

    Select document format for location informationProvide strong security measures to protect location information in transitInsert policy directives along with location information

  • PIDF-LO: RFC 4119Presence Information Data Format (PIDF) is an XML-based format for presence (RFC 3863)

    Extends PIDF to accommodate two new elements:Location-InfoEncapsulates location informationGML 3.0 schema (mandatory-to-implement)Clarified by draft-ietf-geopriv-pdif-lo-profileSupports civic location format (optional-to-implement)Clarified by RFC 5139Usage-rulesUsed to indicate privacy preferences

  • PIDF-LO: RFC 4119Basic Ruleset = Usage RestrictionMUST always be attached to a PIDF-LO documentRetention expires (how long are you allowed to keep the object)Policy for retransmission of location information (Yes/No)Reference to an external ruleset (optional) A note well of free text, human readable privacy policySpecified in RFC 4119

  • Whats in an Location Object (LO)?LO encodes bindings between data elementsSighting bindings: (ID, Location, Time) An entity with this identifier was at this location at this timeRule bindings: (Tuple, Rule) These are the rules for how this sighting should be handled

  • Sighting Binding 37:46:30N 122:25:10W no 2003-06-23T04:57:29Z sip:geotarget@example.com 2003-06-22T20:57:29Z

  • Rule Binding 37:46:30N 122:25:10W no 2003-06-23T04:57:29Z sip:geotarget@example.com 2003-06-22T20:57:29Z

  • Integrity and authenticityHigh-level Threat: Corruption / falsification of bindings Sighting bindingsLocation and time: ReplayLocation and identity: Spoofing / swappingLevels of identity: Swapping between layersRule bindings: Removal of rules

  • ConfidentialityUnauthorized disclosure of a location object or parts of a location objectRules can express policy, but not enforceEavesdroppingWhole LO or parts of itAnonymity is selective availabilityLocation, time authorized, but not identityIdentity, time, but only rough location

  • GEOPRIV WG: ObjectivesDevelop authorization policy language for restricting the distribution of location informationThird parties enforce policies on behalf of rule makerMotivated by a concern that many producers of geolocation information will not be controlled by end usersRule Maker may be the owner of the target device, or may not

  • Authorization for Presence and Location InformationRFC 4745 Common PolicyRFC 5020 -- Presence Authorization Policydraft-ietf-geopriv-policy-14.txt Geolocation PolicyAuthorization FrameworkBasic RulesetExtended RulesetCommon PolicyGeopriv PolicyPIDF-LOPresence Policy

  • Extended RulesetCommon PolicyDesign Goals:Permit onlyAdditive permissions (Minimal Disclosure)Upgradeable/ExtensibilityCapability/Versioning supportNo false assuranceEfficient implementation (no regular expressions)Protocol-independentSupports pluralism of contextsTwo Usage Models: Attached (per-value or per-reference) to PIDF-LO documentAvailable at the Location/Presence ServerIdentity information needs to be instantiated based on the specific conveyance protocol

  • Extended Ruleset Common PolicyRule consists of: conditions partactions partstransformations partConditions:Identity ConditionsMatching One EntityMatching Multiple Entities Matching Any Authenticated Identity Matching Any Authenticated Identity Excepting Enumerated Domains/Identities SphereValidityNo actions & no transformations specified

  • Common PolicyExample 2003-12-24T17:00:00+01:00 2003-12-24T19:00:00+01:00

  • Identity HandlingIdentity information depends on the selected conveyance proto