The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: June 27, 2003.
News: Cover Stories

Six New Internet Drafts from the IETF Geographic Location/Privacy Working Group.

Geopriv Location Object Markup Language and Geopriv Authorization Policies are two of (at least) six new Internet Drafts published in June 2003 as candidate work by members of the IETF Geographic Location/Privacy (GEOPRIV) Working Group. This IETF WG was chartered to "assess the authorization, integrity, and privacy requirements that must be met in order to transfer such information, or authorize the release or representation of such information through an agent. Its goal is to produce a specification that has broad applicability and will become mandatory to implement for IETF protocols that are location-aware."

The draft Geopriv Location Object Markup Language document "presents a foundational version of a markup language suitable for representing the Geopriv Location Object (LO); this language is defined by means of a W3C XML schema." The Authorization Policies draft proposes the use of the XML-based XACML (Extensible Access Control Markup Language) standard to express policies for access to location information. The GEOPRIV Working Group is beginning a new phase of activity to formally define the Geopriv Location Object.

Overview

A May 2002 article in the CDT Standards Bulletin summarizes the motivation for the IETF's GEOPRIV activity: "Significant privacy and security concerns are raised by [the increasing popularity of] location-based services. Although many location-based services will be optional and fully user-controlled, in some cases users will have little choice but to reveal sensitive location information. Even with user-approved services, there is a significant need to protect and limit the dissemination of location information... In essence, the [IETF] working group will create a specific format for the expression of location privacy and security preferences. The way those preferences are expressed and enforced will likely have a broad impact on user privacy and control. Although this effort has similarities to the P3P protocol of the World Wide Web Consortium, it will be tailored to some unique characteristics of location information. Critically, the new platform is expected to include default privacy requirements to be applied in the absence of any privacy rules created by a user..."

The lead paragraphs of the v03 Geopriv Requirements document also summarize the IETF Geopriv WG problem domain: "Location-based services, navigation applications, emergency services, management of equipment in the field, and other location-dependent services need geographic location information about a Target (such as a user, resource or other entity). There is a need to securely gather and transfer location information for location services, while at the same time protecting the privacy of the individuals involved... This [Geopriv Requirements] document focuses on the authorization, security and privacy requirements for such location-dependent services. Specifically, it describes the requirements for the Geopriv Location Object (LO) and for the protocols that use this Location Object. This LO is envisioned to be the main object defined by the Geopriv WG, used in all Geopriv exchanges and in particular used to securely transfer location data."

From the Geopriv Location Object Markup Language Draft

"This draft aims at providing a foundation for a markup language that is suitable for representing all data fields of the Geopriv Location Object (LO) as required in the Geopriv Requirements document. We present and illustrate an XML schema defining such a markup language. Up to now, [the Geopriv Working Group members] have concentrated on the question of how to represent the required data by means of an XML language, only touching the security and privacy issues concerning the Location Object..."

An outline of the Geopriv Location Object Markup Language is provided in the descriptions of top-level XML elements, presented in the "Overview" (and defined formally in the XML schema):

  • LO: comprises all of the subsequent elements, the only mandatory of which is the Target element while all other elements are optional.
  • Target: contains an identifier for the Target which can be of non-anonymous, anonymous or of undetermined type.
  • Device: contains an identifier for the Device which can be a phone number, an IP address, or of anonymous or undetermined type.
  • RM: contains an identifier for the Rule Maker (RM) which can be of non-anonymous, anonymous or of undetermined type.
  • LR: contains an identifier of the Location Recipient (LR) which can be of non-anonymous, anonymous or of undetermined type; can also provide the information whether this identifier is a single or multi cast identifier.
  • LR Credential: contains a credential of the Location Recipient (LR).
  • LR Proof of Possession of Credential: contains the data that allows for verifying that the Location Recipient (LR) is in fact in possession of a certain credential.
  • Rule: contains an URI of an Applicable Rule, a Limited Rule or both.
  • Location: contains one or more Location Information child elements each of which can be composed of one or more Location Representation child elements and a Sighting Time element. Motion and Direction Vector as well as Precision and Confidence elements are also included here.
  • Time to Live: contains the point of time until when Location Information can be considered current.

"Even at this early stage of developing a suitable Geopriv Location Object data format, it has become very clear that the Geopriv Working Group has to arrive at more explicit descriptions of the content of required data fields in order to allow for precise definitions of appropriate LO data formats. To give just one example, the Geopriv Working Group should explicitly determine which types of Location Recipient (LR) Credentials are to be supported. Therefore, we shall also utilize this draft to compile a list of general open issues that must be solved by the Geopriv Working Group in order to be able to complete its work successfully."

"These general open issues are entirely independent of a particular LO data format (such as XML in case of this draft), but their solution is simply a prerequisite to any sensible definition of such a data format. Additionally, we shall collect open issues that are related to the definition of an XML LO."

"Based on the solutions of the general and XML related open issues, future versions of this draft will make the LO markup language introduced in this draft more precise in terms of representing identity, privacy policy and location information. We will investigate how security and privacy requirements on the LO can be satisfied by means of, for instance, the XML Signature and XML Encryption languages, the Extensible Access Control Markup Language (XACML), and the XML Key Management Specification (XKMS). In addition, we will make proposals how this XML LO can be bound to different 'Using Protocols'."

From the Geopriv Authorization Policies Draft

"Geopriv provides Location Information in a secure and private way. A critical role is played by user-controlled Privacy Rules, which describe the restrictions imposed or permissions given by the Rule Maker. The Privacy Rules specify the necessary conditions that allow a Location Server to forward Location Information to a Location Recipient, and the conditions under which and purposes for which the Location Information can be used."

"One type of Privacy Rules specify in particular how location information should be filtered, depending on who the recipient is. Filtering is the process of reducing the precision or resolution of the data. A typical rule may be of the form: 'my location can only be disclosed to the owner of such credentials in such precision or resolution' (e.g., 'my co-workers can be told the city I am currently in')."

"The Location Object should be able to carry a limited but core set of Privacy Rules."

"The access to location information (as XML objects) can be controlled by XACML policies. The same is true for writing and deleting Geopriv rules themselves. The Geopriv working group can benefit from reusing existing work on access control..."
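The element outline above (LO, Target, LR, LR Credential, Rule, Location with its Precision and Sighting Time children, Time to Live) and the filtering rule described in the Authorization Policies draft ("my co-workers can be told the city I am currently in") can be made concrete with a small script. The following is an added example written for this page; it is not code from either draft and does not use the draft's XML schema. The element nesting, attribute names, the `LRCredential`/`TimeToLive` tag spellings, the precision ladder (country, city, street, room), the sample LO instance and the credential-to-precision policy are all constructed assumptions. The default-deny choice (no matching rule means no disclosure) is likewise an assumption, chosen to reflect the "default privacy requirements" idea quoted in the overview.

```python
"""Constructed illustration of a Geopriv Location Object (LO) instance and
of a recipient-dependent filtering rule (reducing precision before
disclosure).  Element names follow the outline of the draft markup language;
the exact nesting, attribute names and precision ladder are ASSUMED for this
example and are not taken from the draft's XML schema."""

import copy
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample LO instance (assumed structure, not the draft's schema).
SAMPLE_LO = """<LO>
  <Target type="non-anonymous">sip:alice@example.com</Target>
  <LR type="non-anonymous" cast="single">sip:bob@example.com</LR>
  <LRCredential>urn:example:group:coworkers</LRCredential>
  <Rule><ApplicableRule>urn:example:rule:coworkers-city</ApplicableRule></Rule>
  <Location>
    <LocationInformation>
      <LocationRepresentation>
        <Country>DE</Country><City>Munich</City>
        <Street>Otto-Hahn-Ring 6</Street><Room>B3.17</Room>
      </LocationRepresentation>
      <SightingTime>2003-06-27T10:00:00Z</SightingTime>
      <Precision>room</Precision>
    </LocationInformation>
  </Location>
  <TimeToLive>2003-06-27T11:00:00Z</TimeToLive>
</LO>"""

# Assumed precision ladder, coarsest first, and which representation
# fields are visible at each level (constructed for this example).
PRECISION_LEVELS = ["country", "city", "street", "room"]
FIELDS_AT_LEVEL = {
    "country": ["Country"],
    "city": ["Country", "City"],
    "street": ["Country", "City", "Street"],
    "room": ["Country", "City", "Street", "Room"],
}

# Constructed Privacy Rules: LR credential -> finest precision that may be
# disclosed.  Credentials with no entry get nothing (default deny, assumed).
POLICY = {
    "urn:example:group:coworkers": "city",
    "urn:example:group:emergency-responders": "room",
}


def parse_lo(xml_text):
    """Parse an LO and enforce the one structural rule the outline states:
    Target is the only mandatory child element."""
    root = ET.fromstring(xml_text)
    if root.tag != "LO":
        raise ValueError("root element must be LO")
    if root.find("Target") is None:
        raise ValueError("Target is mandatory and is missing")
    return root


def _parse_utc(text):
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def is_current(lo, now):
    """Time to Live: the point in time until which the Location Information
    can be considered current.  A missing TTL is treated as stale (assumed)."""
    ttl = lo.find("TimeToLive")
    if ttl is None or not ttl.text:
        return False
    return now <= _parse_utc(ttl.text)


def allowed_precision(lo, policy):
    """Look up the Rule Maker's policy for the credential the LR presents."""
    cred = lo.find("LRCredential")
    if cred is None or not cred.text:
        return None
    return policy.get(cred.text.strip())  # None -> no rule -> deny


def filter_lo(lo, policy):
    """Return a copy of the LO reduced to the precision the policy allows,
    or None when nothing may be disclosed.  The input LO is left untouched."""
    level = allowed_precision(lo, policy)
    if level is None:
        return None
    keep = set(FIELDS_AT_LEVEL[level])
    filtered = copy.deepcopy(lo)
    for info in filtered.iter("LocationInformation"):
        for rep in info.findall("LocationRepresentation"):
            for child in list(rep):
                if child.tag not in keep:
                    rep.remove(child)  # drop fields finer than allowed
        prec = info.find("Precision")
        if (prec is not None and prec.text in PRECISION_LEVELS
                and PRECISION_LEVELS.index(prec.text) > PRECISION_LEVELS.index(level)):
            prec.text = level  # Precision element must reflect the coarsening
    return filtered


def disclosed_fields(lo):
    """Tags of the representation fields actually present in an LO."""
    rep = lo.find("Location/LocationInformation/LocationRepresentation")
    return [c.tag for c in rep] if rep is not None else []


if __name__ == "__main__":
    lo = parse_lo(SAMPLE_LO)
    now = datetime(2003, 6, 27, 10, 30, tzinfo=timezone.utc)
    print("current:", is_current(lo, now))
    out = filter_lo(lo, POLICY)
    print("disclosed to co-worker:", disclosed_fields(out))
    print(ET.tostring(out, encoding="unicode"))
```

Filtering is applied to a deep copy so the Location Server keeps the full-precision object for recipients whose credentials permit more, and the Precision element is rewritten so that the recipient cannot infer from it that finer data existed.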

IETF GEOPRIV (Geographic Location/Privacy) Working Group Description

[Excerpted from the Charter:] "As more and more resources become available on the Internet, some applications need to acquire geographic location information about certain resources or entities. These applications include navigation, emergency services, management of equipment in the field, and other location-based services.

But while the formatting and transfer of such information is in some sense a straightforward process, the implications of doing it, especially in regards to privacy and security, are anything but.

The primary task of this working group will be to assess the authorization, integrity and privacy requirements that must be met in order to transfer such information, or authorize the release or representation of such information through an agent.

In addition, the working group will select an already standardized format to recommend for use in representing location per se. A key task will be to enhance this format and protocol approaches using the enhanced format, to ensure that the security and privacy methods are available to diverse location-aware applications. Approaches to be considered will include (among others) data formats incorporating fields directing the privacy handling of the location information and possible methods of specifying variable precision of location.

Also to be considered will be: authorization of requestors and responders; authorization of proxies (for instance, the ability to authorize a carrier to reveal what timezone one is in, but not what city). An approach to the taxonomy of requestors, as well as to the resolution or precision of information given them, will be part of this deliverable.

The combination of these elements should provide a service capable of transferring geographic location information in a private and secure fashion (including the option of denying transfer)..." [adapted from the Charter]

IETF GEOPRIV WG (Candidate Work) Internet Drafts: Bibliographic Information

Note: Most of these Internet Drafts represent technology submissions to the IETF Working Group, and are not IETF approved standards. Four I-Ds as of 2003-06-25 are official GEOPRIV WG deliverables, and are identified by the draft-ietf-geopriv- substring in the reference/URL. For each of the thirteen (13) I-D references, a local (permanent) URL is given as the primary locator. The ephemeral IETF source URLs are also noted, but they will break quickly: IETF I-D documents regularly go AWOL because of IETF policy that equates "expiration [date]" with physical document disappearance and URL abandonment, which regularly results in worldwide hypertext link breakage (WHLB).

Geopriv Location Object Markup Language. By Jorge R. Cuellar and Christian Guenther (Siemens AG, Corporate Technology, Munich, Germany). Internet Engineering Task Force Internet Draft. Reference: 'draft-cuellar-geopriv-lo-ml-00.txt'. June 2003, expires December 2003. 23 pages. Section 3 provides the XML Schema Listing; Section 4 supplies a sample XML LO Instance. "This draft presents a foundational version of a markup language suitable for representing the Geopriv Location Object (LO). This language is defined by means of an XML schema." [text version, ephemeral IETF source URL]

Geopriv Authorization Policies. By Hannes Tschofenig and Jorge R Cuellar (Siemens AG, Corporate Technology, Munich, Germany). Internet Engineering Task Force Internet Draft. Reference: 'draft-tschofenig-geopriv-authz-policies-00.txt'. June 2003, expires December 2003. 16 pages. "This document describes authorization policies for usage with Geopriv. It suggests using the eXtensible Access Control Markup Language (XACML). XACML provides functionality required to express policies for access to location information." [ephemeral IETF source URL]

A Presence-based GEOPRIV Location Object Format. By Jon Peterson (NeuStar, Inc). IETF GEOPRIV Working Group. Internet Draft (Last Call Proposed Standard). Reference: 'draft-ietf-geopriv-pidf-lo-02'. May 2004, expires October 30, 2004. 24 pages. "Geographical location information describes a physical position in the world that may correspond to the past, present or future location of a person, event or device. Numerous applications used in the Internet today benefit from sharing location information (including mapping/navigation applications, 'friend finders' on cell phones, and so on). However, such applications may disclose the whereabouts of a person in a manner contrary to the user's preferences. Privacy lapses may result from poor protocol security (which permits eavesdroppers to capture location information), inability to articulate or accommodate user preferences, or similar defects common in existing systems. The privacy concerns surrounding the unwanted disclosure of a person's physical location are among the more serious that confront users on the Internet. This location object extends the XML-based Presence Information Data Format (PIDF), which was designed for communicating privacy-sensitive presence information and which has similar properties. It allows for the encapsulation of location information within a presence document..."

[See updated version, preceding] A Presence-Based GEOPRIV Location Object Format. By Jon Peterson (NeuStar, Inc). IETF GEOPRIV WG Internet Draft. Reference: 'draft-peterson-geopriv-pidf-lo-00'. June 22, 2003, expires: December 21, 2003. 15 pages. "This document describes an object format for carrying geographical information on the Internet. This location object extends the Presence Information Data Format (PIDF), which was designed for communicating privacy-sensitive presence information and has similar properties... A need has been identified to convey geographical location information within an object that includes a user's privacy and disclosure preferences and which is protected by strong cryptographic security. Previous work has observed that this problem bears some resemblance to the general problem of communicating and securing presence information on the Internet. Presence (which is defined in RFC 2778) provides a real-time communications disposition to a user that have similar requirements for selective distribution and security. Therefore, this document extends the XML-based Presence Information Data Format (PIDF) to allow the encapsulation of location information within a presence document..." [ephemeral IETF source URL]

Location Objects and Location Privacy Information for Presence Information. By Henning Schulzrinne (Columbia University, Department of Computer Science). IETF Network Working Group, Internet Draft. Reference: 'draft-schulzrinne-geopriv-presence-lo-00'. June 22, 2003, expires: December 21, 2003. 19 pages. "Location information is a natural extension of presence information. This document describes how the Presence Information Data Format (PIDF) can be extended to deliver geospatial and civil location information, as well as privacy policy information. The privacy policy information can be used both within the presence agent (PA) as well as the presence document..." [ephemeral IETF source URL]

DHC Location Object Within GEOPRIV. By James M. Polk, John Schnizlein, and Marc Linsner (Cisco Systems). Internet Engineering Task Force Internet Draft. Reference: 'draft-ietf-geopriv-dhcp-lo-option-00.txt'. January 17, 2003, expires July 17, 2003. 12 pages. "This document specifies a Dynamic Host Configuration Protocol Option for the geographic location of the client. The location object includes latitude, longitude, and altitude, with resolution indicators for each." [ephemeral IETF source URL]

Geopriv Requirements. By Jorge Cuellar (Siemens AG), John B. Morris, Jr. (Director, Internet Standards, Technology and Privacy Project, Center for Democracy and Technology), Deirdre Mulligan (Samuelson Law, Technology, and Public Privacy Clinic), Jon Peterson (NeuStar), and James Polk (Cisco Systems). IETF Internet Draft. Reference: 'draft-ietf-geopriv-reqs-03.txt'. March 2003, expires September 2003. 27 pages. "Location-based services, navigation applications, emergency services, management of equipment in the field, and other location-dependent services need geographic location information about a Target (such as a user, resource or other entity). There is a need to securely gather and transfer location information for location services, while at the same time protecting the privacy of the individuals involved. This document focuses on the authorization, security and privacy requirements for such location-dependent services. Specifically, it describes the requirements for the Geopriv Location Object (LO) and for the protocols that use this Location Object. This LO is envisioned to be the main object defined by the Geopriv WG, used in all Geopriv exchanges and in particular used to securely transfer location data... Location-based services (applications that require geographic location information as input) are becoming increasingly common. The collection and transfer of location information about a particular Target can have important privacy implications. A key goal of the protocol described in this document is to facilitate the protection of privacy pursuant to Privacy Rules set by the 'user/owner of the Target'... The ability to gather and generate a Target's location, and access to the derived or computed location, are key elements of the location-based services privacy equation. Central to a Target's privacy are (a) the identity of entities that have access to raw location data, derive or compute location, and/or have access to derived or computed location information, and (b) whether those entities can be trusted to know and follow the Privacy Rules of the user..." [ephemeral IETF source URL]

Core Privacy Protections for Geopriv Location Object. By John B. Morris, Jr. (Director, Internet Standards, Technology and Privacy Project, Center for Democracy and Technology), Deirdre Mulligan (Samuelson Law, Technology, and Public Privacy Clinic), and Jorge Cuellar (Siemens AG). IETF Internet Draft. Reference: 'draft-morris-geopriv-core-02.txt'. June 2003, expires December 2003. 10 pages. "The [GEOPRIV] working group has generally agreed that the Geopriv Location Object must be able to contain a limited set of Privacy Rules. This Internet Draft suggests the set of Privacy Rules that the authors believe should be includable in the Location Object..." Author's note: "There are two main revisions from the prior [version 'core-01'] draft: (1) the proposed ability to be able to set privacy rules for specific individuals (instead of specific credential holders) has been eliminated, in response to concerns that Henning and others raised. (2) the distinction between 'machine-to-machine' and 'human readable' rules has been rephrased, to make clear that some rules will only go between Location Servers, but other rules may be distributed more broadly, including possibly to end users. One point that has not changed but raised some concern on the list is the proposal that one can make a privacy rule applicable to a specific or repeating time window. The point was made that this can be very challenging to express, but others suggested ways that it might be accomplished. So this time window issue is still an open question..." See also the following reference. [ephemeral IETF source URL]

[See 2003-07-02 update in preceding entry] Core Privacy Protections for Geopriv Location Object. By John B. Morris, Jr. (Director, Internet Standards, Technology and Privacy Project, Center for Democracy and Technology), Deirdre Mulligan (Samuelson Law, Technology, and Public Privacy Clinic), and Jorge Cuellar (Siemens AG). IETF Internet Draft. Reference: 'draft-morris-geopriv-core-01.txt'. March 2003, expires September 2003. 10 pages. "The working group has generally agreed that the Geopriv Location Object MUST be able to contain a limited set of Privacy Rules. This Internet-Draft suggests the set of Privacy Rules that the authors believe should be includable in the Location Object." Covers Privacy Rules to be Includable in a Geopriv Location Object (both Human- and Machine-Readable Privacy Elements and Rules as well Machine-Readable Privacy Elements and Rules), Additional Discussion of Proposed Privacy Elements and Rules, Reasons to Include Privacy Rules in Location Object. [ephemeral IETF source URL]

Geopriv Scenarios and Use Cases. By Jorge Cuellar (Siemens AG), John B. Morris, Jr. (Director, Internet Standards, Technology and Privacy Project, Center for Democracy and Technology), and Tsuyoshi Go Kanai (Fujitsu Laboratories, Ltd., Japan). IETF Internet Draft. Reference: 'draft-cuellar-geopriv-scenarios-03.txt'. March 2003, expires September 2003. 34 pages. "This document describes location-based service scenarios for Geopriv. It complements the Geopriv Requirements document by providing a set of examples in which the Geopriv Location Object (LO) may be used. Thus this document serves as a basis to discuss and analyze the security (authentication, authorization, integrity and confidentiality) and privacy issues and requirements associated with location-based services. To be useful, these scenarios include details of location computation, which helps to identify the entities involved on an abstract level and where privacy issues like control, consent, access, and security arise..." [ephemeral IETF source URL]

Threat Analysis of the geopriv Protocol. By Michelle Engelhardt Danley (Samuelson Law, Technology and Public Rule Clinic, Boalt Hall School of Law), Deirdre Mulligan (Samuelson Law, Technology, and Public Privacy Clinic), John B. Morris, Jr. (Director, Internet Standards, Technology and Privacy Project, Center for Democracy and Technology), and Jon Peterson (NeuStar). IETF GEOPRIV WG, Internet Draft. Reference: 'draft-ietf-geopriv-threat-analysis-00'. February 20, 2003, expires: August 21, 2003. 18 pages. "This document provides some analysis of threats against the geopriv protocol architecture. It focuses on protocol threats, threats that result from the storage of data by entities in the architecture, and threats posed by the abuse of information yielded by geopriv. Some security properties that meet these threats are enumerated as a reference for geopriv requirements." [ephemeral IETF source URL]

A Presence Architecture for the Distribution of Geopriv Location Objects. By Jon Peterson (NeuStar). IETF GEOPRIV WG, Internet Draft. Reference: 'draft-peterson-geopriv-pres-00'. February 24, 2003, expires: August 25, 2003. 9 pages. "Geopriv defines the concept of a 'using protocol', a protocol that carries geopriv location objects. Geopriv also defines various scenarios for the distribution of location objects that require the concept of subscriptions and asynchronous notifications. This document examines some existing IETF work on the concept of presence, shows how presence architectures map onto geopriv architectures, and presents one pre-existing using presence protocol that might carry location objects... PIDF is an XML format that provides presence information about a presentity - primarily, this consists of status information, but also optionally includes contact addresses (a way of reaching the presentity), timestamps, and textual notes with arbitrary content... Many of the requirements of geopriv objects map well onto the capabilities of PIDF. Today, geopriv has not yet settled on a format for location objects. However, it is likely that a format satisfying the current geopriv requirements (especially the requirement for a rich policy language) will either use XML, or be able to be carried by XML..." [ephemeral IETF source URL]

DHCP Option for Civil Location. By Henning Schulzrinne (Columbia University, Department of Computer Science). IETF Network Working Group, Internet Draft. Reference: 'draft-ietf-geopriv-dhcp-civil-00.txt'. June 27, 2003, expires December 2003. 8 pages. "This document specifies a Dynamic Host Configuration Protocol option for the civil (country, street and community) location of the client... Many end system services can benefit by knowing the approximate location of the end device. In particular, IP telephony devices need to know their location to contact the appropriate emergency response agency and to be found by emergency responders. There are two common ways to identify the location of an object, either through geospatial coordinates or by so-called civil coordinates. Geospatial coordinates indicate longitude, latitude and altitude, while civil coordinates indicate a street address. Civil information is useful since it often provides additional, human-usable information particularly within buildings. Also, compared to geospatial information, it is readily obtained for most occupied structures and can often be interpreted even if incomplete. For example, for many large university or corporate campuses, geocoding information to building and room granularity may not be readily available. Unlike geospatial information, the format for civil information differs from country to country. Thus, this draft establishes an IANA registry for civil location data fields. The initial set of data fields is derived from standards published by the United States National Emergency Numbering Association (NENA)..." [ephemeral IETF source URL]

[See 2003-07-02 update in preceding entry] DHCP Option for Civil Location. By Henning Schulzrinne (Columbia University, Department of Computer Science). IETF Network Working Group, Internet Draft. Reference: 'draft-schulzrinne-geopriv-dhcp-civil-01.txt'. February 19, 2003, expires: August 2003. 8 pages. "This document specifies a Dynamic Host Configuration Protocol option for the civil (country, street and community) location of the client." [ephemeral IETF source URL]

Location Configuration Information for GEOPRIV. By James M. Polk, John Schnizlein, and Marc Linsner (Cisco Systems). Internet Engineering Task Force Internet Draft. Reference: 'draft-ietf-geopriv-dhcp-lci-option-01.txt'. June 16, 2003, expires December 16, 2003. 13 pages. "This document specifies a Dynamic Host Configuration Protocol Option for the geographic location of the client. The Location Configuration Information (LCI) includes latitude, longitude, and altitude, with resolution indicators for each, as well as for the datum of the location." [ephemeral IETF source URL]

Semantics for DHC Location Object within GEOPRIV. By James M. Polk, John Schnizlein, and Marc Linsner (Cisco Systems). Internet Engineering Task Force Internet Draft. Reference: 'draft-polk-geopriv-loc-object-semantics-00.txt'. October 25, 2002, expires April 25, 2003. 11 pages. "This document describes the semantic intent of the proposed Location Object (LO) within DHC ID [DHCP Option for Geographic Location] for use by the GEOPRIV Protocol. proposes no expression (which is GEOPRIV's charter), but merely defines a LO format with its elements and a mechanism to download that LO to the IP Device for other uses, with GEOPRIV being the most obvious. This LO format could be considered a subset of a larger GEOPRIV LO. Achieving a core set of LO elements is desired across multiple Protocols which can convey location information. An important feature is that DHC ID places the LO completely under control of the end device rather than storing the object in an outside service for retrieval by the end device during times of emergency when an outbound transaction can fail to provide necessary results. Another important feature of the LO is its inclusion of a resolution parameter for each of the dimensions of location..." [ephemeral IETF source URL]

Document URI: http://xml.coverpages.org/ni2003-06-27-a.html
Robin Cover, Editor: robin@oasis-open.org