Location-based services: an IETF perspective

1
Location-based services: an IETF perspective
  • Henning Schulzrinne
  • (Xiaotao Wu, Ron Shacham)
  • Dept. of Computer Science
  • Columbia University

2
Overview
  • Taxonomy of location-based services
  • transition: custom → Internet-based
  • Privacy concerns
  • Privacy mechanisms
  • location object rules
  • privacy rules and filters

3
Context
  • context: the interrelated conditions in which
    something exists or occurs
  • anything known about the participants in the
    (potential) communication relationship
  • both at caller and callee

4
Location information
  • geospatial
  • longitude, latitude, altitude
  • civic
  • time zone, country, city, street, room,
  • descriptive
  • type of location
  • hotel, airport
  • properties of location
  • privacy (no audio privacy)
  • suitability for different communication media

5
Who or what is being tracked?
  • Objects
  • containers, hospital equipment
  • Vehicles
  • flight tracker, bus & subway
  • → aggregate person tracking
  • Persons
  • as individual: "Nurse Jane is in room 356"
  • as function: "some officer is on 5th & Main"

6
Location information in protocols
  • Call routing based on location
  • emergency calls
  • AAA tow truck
  • pizza delivery
  • 311 (local government)
  • Presence (buddy lists) and event notification
  • control incoming calls ("don't ring phone if in
    movie theater or giving lecture")
  • fleet management
  • family management
  • mom stuck in traffic

7
Semi-voluntary location tracking
  • Indoor
  • medical equipment, nurses & doctors in hospital
  • nursing home patients
  • Outdoor
  • 911 callers
  • parolees
  • children (in malls & amusement parks)
  • cell phones with location-specific advertisement

8
Location determination
  • End-system based → end system measures and
    conveys location
  • GPS (outdoors)
  • A-GPS (indoors & outdoors)
  • Bluetooth or 802.11 beacon
  • Network-based
  • limited user control
  • disable only by turning off device
  • NE measures location (e.g., TOA)
  • Ethernet switch knows port user is connected to
  • 802.11 access point

9
Location recipients
  • Personally known to target
  • family, company
  • Known as function
  • AAA, PizzaHut, 911 PSAP,
  • Unknown to target
  • cell phone company
  • surveillance
  • tracking by car rental company
  • LoJack

10
Privacy concerns
  • Location only
  • no identification of individual
  • location correlator
  • MAC address 01-02-03-04-05-06 has visited these
    hotspots today
  • may be able to correlate to identity (hotel room)
  • location + personal identity

11
Granular privacy controls
  • Mechanically enforceable vs. indications
  • "show Bob only the country I'm in" vs.
  • "dear recipient, do not distribute this
    information"
  • Typically need to trust third party (service
    provider, server)
  • Make it easy for target to determine who gets
    what type of information
  • but limit rule complexity
  • make rules portable across providers
  • automatically derive rules from other information
  • allow those in my address book to see my time
    zone

12
Challenges
  • May be willing to divulge single location object,
    but not trajectory
  • "I'll be at your location in 30 minutes"
  • set of points → traveling 10 mph above speed
    limit
  • May be willing to divulge reduced-accuracy
    location
  • "I'm in the PDT time zone" (so don't call me
    before 10 am EDT)

13
GEOPRIV and SIMPLE architectures
[Diagram labels. GEOPRIV: rule maker, target, location server, location recipient, publication interface, notification interface, DHCP, XCAP (rules). SIP presence: presentity, presence agent, watcher, PUBLISH, SUBSCRIBE, NOTIFY. SIP call: caller, callee, INVITE.]

14
Privacy
  • All presence data, particularly location, is
    highly sensitive
  • Basic location object (PIDF-LO) describes
  • distribution (binary)
  • retention duration
  • Policy rules for more detailed access control
  • who can subscribe to my presence
  • who can see what when




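[PIDF-LO example; XML markup lost in extraction. Surviving values: epsg:4326, coordinates 37:46:30N 122:25:10W; retransmission-allowed: no; 2003-06-23T04:57:29Z; 2003-06-22T20:57:29Z]
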
15
Privacy policy relationships
[Diagram labels: common policy; geopriv-specific; presence-specific; future; RPID; CIPID]

16
Privacy rules
  • Conditions
  • identity, sphere
  • time of day
  • current location
  • identity as or
  • Actions
  • watcher confirmation
  • Transformations
  • include information
  • reduced accuracy
  • User gets maximum of permissions across all
    matching rules
  • privacy-safe composition: removal of a rule can
    only reduce privileges
  • Extendable to new presence data
  • rich presence
  • biological sensors
  • mood sensors
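
The combining behaviour listed on this slide (maximum of permissions across all matching rules, so removing a rule can only reduce privileges), as an added Python sketch that is not part of the presentation. The action and accuracy scales, the `Rule` fields and the example.com watchers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed scales (not from the slides): larger value = more disclosed.
ACTION = {"block": 0, "confirm": 1, "allow": 2}   # confirm = watcher confirmation
ACCURACY = {"none": 0, "timezone": 1, "country": 2, "city": 3, "full": 4}

@dataclass(frozen=True)
class Rule:
    watchers: frozenset                 # identity condition (watcher URIs)
    sphere: Optional[str] = None        # target's sphere; None matches any
    hours: Optional[tuple] = None       # (start, end) time of day; None = always
    action: str = "block"
    accuracy: str = "none"              # transformation: reduced accuracy
    provide: frozenset = frozenset()    # transformation: information to include

    def matches(self, watcher, sphere, now):
        in_hours = self.hours is None or self.hours[0] <= now < self.hours[1]
        return watcher in self.watchers and self.sphere in (None, sphere) and in_hours

def evaluate(rules, watcher, sphere, now):
    """Default deny; every matching rule can only add to the result."""
    action, accuracy, provide = "block", "none", frozenset()
    for r in rules:
        if r.matches(watcher, sphere, now):
            action = max(action, r.action, key=ACTION.get)
            accuracy = max(accuracy, r.accuracy, key=ACCURACY.get)
            provide |= r.provide
    return action, accuracy, provide

def removal_only_reduces(rules, watcher, sphere, now):
    """Check the composition property: dropping any one rule never grants more."""
    a, acc, p = evaluate(rules, watcher, sphere, now)
    for i in range(len(rules)):
        a2, acc2, p2 = evaluate(rules[:i] + rules[i + 1:], watcher, sphere, now)
        if ACTION[a2] > ACTION[a] or ACCURACY[acc2] > ACCURACY[acc] or not p2 <= p:
            return False
    return True

# Constructed rule set for a hypothetical target.
BOB, ALICE = "sip:bob@example.com", "sip:alice@example.com"
RULES = [
    Rule(frozenset({BOB}), action="allow", accuracy="country"),
    Rule(frozenset({BOB}), sphere="work", hours=(time(9), time(17)),
         action="allow", accuracy="city", provide=frozenset({"activities"})),
    Rule(frozenset({BOB, ALICE}), action="confirm", accuracy="timezone"),
]
```

Because rules only grant, "no city-level location outside work" is expressed by attaching the sphere condition to the rule that grants city accuracy, not by a separate deny rule.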

17
Example rules document

[Example rules document; XML markup lost in extraction. Surviving values: user_at_example.com; allow; service-uri-scheme: sip, mailto; true; true; provide-user-input: bare]


18
Creating and manipulating rules
  • Uploaded in whole or part via XCAP
  • XML not user-visible
  • Web or application UI, similar to mail filtering
  • Can also be location-dependent
  • if at home, colleagues don't get presence
    information
  • Possibly implementation-defined privacy levels

19
Conclusion
  • Wide variety of location-based services emerging
  • Both closed (long-term) user groups, incidental
    and public
  • Need user-understandable rule sets as well as
    legal clarity