Heiner,

Mobile phone users can be located by the operator they have a subscription with, not by third parties, unless they voluntarily publish their location. That is different from everybody being able to track everybody else.....
Klaas

[email protected] wrote:
>Mobile phone users can already be located based on current technology - this
>is a fact.
>Although I appreciate all respective privacy concerns (in Germany an
>intensive pro/con-StreetView debate is still going on) I think that this
>aspect doesn't impact
>any of the discussed concepts.
>Heiner
>
>
>-----Original Message-----
>From: Robin Whittle <[email protected]>
>To: RRG <[email protected]>
>Cc: Scott Brim <[email protected]>
>Sent: Mon, 11 Oct 2010, 7:15
>Subject: Re: [rrg] draft-brim-mobility-and-privacy-00 & TTR Mobility
>
>
>Short version:   More analysis of how various architectures meet or
>                 do not meet the first requirement of this I-D.
>
>                 Also, some thoughts on the definition of privacy
>                 and on the various roles people have, which will
>                 be reflected in the way they configure their
>                 mobile devices.  Each mobile device might have 10
>                 or more network addresses (Identifiers and perhaps
>                 Locators) - one for each of its owner's roles.
>
>                 So maybe scalable routing needs to cope with 10^11
>                 micronets, EID prefixes, Identifiers or whatever,
>                 rather than the previously discussed 10^10.
>
>Hi Scott,
>
>Thanks for your message, in which you wrote:
>
>> Thank you. The main thing we wanted to do was to get protocol designers
>> to make location privacy an explicit consideration.
>>
>>> I think that LISP Mobile or ILNP etc. are
>>> incapable of meeting the first recommendation.
>>
>> I don't know if that's true at all. In fact I'm sure they can come up
>> with a response, could answer the concern, and may have thought of the
>> tradeoffs already. Let's not second-guess them.
>
>OK - it will be interesting to see what they write.
>
>
>> I'll respond to the detailed parts of your message later.
>>
>> Thanks again ... Scott
>
>OK. Here is some more detailed analysis regarding how I think the
>various architectures would meet your first requirement:
>
>  http://tools.ietf.org/html/draft-brim-mobility-and-privacy-00#section-5
>
>    Architectural changes MUST avoid requiring exposing a mapping
>    between any of a node's identifiers and IP addresses/locators to
>    unknown observers. If they require exposure, they will
>    experience a head-on collision with basic principles of the
>    IETF and with privacy policies around the world. It will
>    simply not be acceptable to require the loss of this much
>    individual privacy.
>
>I am using "host" and "node" as interchangeable synonyms.
>
>I discuss LISP and the LISP approach to mobility - LISP-MN:
>
>  http://tools.ietf.org/html/draft-meyer-lisp-mn-03
>
>This is out of scope in the LISP WG, and hasn't been discussed much in
>public, as far as I know.
>
>I discuss "ILNP etc." meaning ILNP specifically, but also any other
>Loc/ID Separation (Core-Edge Elimination CEE) architecture. In these
>architectures, the host stack (and perhaps application, though for
>simplicity I assume not) is responsible for knowing the one or more
>Locators of the other hosts it is sending packets to.
>
>
>For simplicity I assume the MN has a single SPI address (Ivip), EID
>address (LISP) or Identifier ILNP etc.
>
>There's nothing to stop a single physical device having multiple of
>these, such as for different roles or even for the same role, to make
>it difficult to track the device's use in these roles.
>
>
>The simplest view of "roles" for a personal mobile device could mean
>one for personal communications and one for business. This would be
>closely analogous, or would include exactly, the idea of a cell-phone
>having one number for personal calls and another for business.
>Outgoing calls could be made with either number, and each number could
>be turned on and off, with incoming calls going to one or separate
>voice mail services, according to the user's choice.
>
>There could be multiple business roles, and multiple personal roles.
>
>People might work for different companies, or have quite differing
>roles, within the one company.
>
>So in the future we can expect the mobile device to have a row of
>buttons, one for each role - to enable or disable how the device
>responds to the network addresses, identifiers etc. associated with
>each role:
>
>   Husband
>   Father
>   Employee
>   Consultant
>
>or
>
>   Daughter    (for purposes of parents and school)
>   Individual  (friend group A)
>   Individual  (friend group B)
>   Employee    (part time job is frequently a PITA)
>
>I think everyone, at some time or other, feels one or more of our
>roles are a PITA and it would be good to have voice mail, the email
>Inbox etc. handle that stuff for the time being! There needs to be a
>master "I am sleeping etc." button too, since mobile devices take so
>long to power down and boot up.
>
>Adolescents will surely have one role their parents know about and
>any number of other roles kept well hidden from their parents. This
>is a natural part of how people live, or try to live. It is essential
>to health and happiness. We disclose different things to different
>people according to our preferences, which may change from time to
>time - and accept contact from people likewise. We may have a friend
>relationship with someone we work with, and a work relationship -
>these roles, and our contactability for each role, need to be kept
>reasonably separate. We don't want them calling us on Saturday
>morning about some work matter, but if they are having a BBQ, then we
>would probably be happy to hear from them.
>
>The idea that a cellphone has a single number is a technological
>convenience for the network and the device itself, not one which suits
>the way people actually want their communication systems to behave.
>
>By the way, one definition of privacy is:
>
>   Ensuring each individual has full autonomy in managing their
>   personal boundaries.
>
>This is essential to our physical and mental health.
>
>The boundaries concern the influx and egress of information. They
>also concern the attention we need to pay to other people and things,
>and attention they pay to us.
>
>Telemarketing calls and spam violate the principle that the person
>should control their attention and not have it distracted, at least in
>a systematic manner for no purpose they care about, by other people.
>Getting a call from the fire brigade that a bushfire is heading
>towards your home would also be an intrusion, and a systematic and
>impersonal one. However, it is the kind of intrusion an individual is
>more likely to accept than telemarketing calls.
>
>Privacy is more than about the outflow of personal information to
>other parties. It is also about being undisturbed. I think the
>concept can also be extended to the person not having to know things
>they really don't want or need to know. (Blind folks have an
>advantage in that they never get to see - are never forced to see -
>down the back of some people's pants which are deliberately slipping
>half-way down the wearer's backside.) I would also extend it to
>protecting children from unpleasant and unhealthy aspects of the adult
>world (which is a highly subjective matter) - but that is probably
>going beyond what most privacy advocates would mean by the term
>"privacy".
>
>"Autonomy" can reasonably be considered as meaning "consent with full
>knowledge and unpressured decision making".
>
>There are well-established legal limits to privacy, such as not being
>able to drive when alcohol-affected, not being able to use a cellphone
>etc. while driving, not being able to hide a disability like poor
>eyesight when getting a driving licence etc. Other limits to privacy
>are more contentious, such as being subject to police surveillance,
>ideally with a variety of checks and balances against this being done
>without "proper justification" and protection for whatever information
>is gleaned by the surveillance.
>
>
>Perhaps we need to add another factor of 10 into estimates of the
>number of micronets (EID prefixes, in LISP) which the total system
>must scale to. If there are 10 billion people, with one mobile device
>each, and 10 roles each, we need 10^11 micronets . . .
>
>In principle, with TTR Mobility, the MN could treat each such role as
>a different entity. For the SPI address it uses for the Father role,
>it could tunnel to the nearest TTR, since security and privacy with
>this role is regarded as not requiring a stable TTR. For some other
>roles - and Scott and colleagues mentioned police informers - the MN
>would surely be configured to tunnel to one fixed TTR no matter where
>the MN was. So this raises a MN physical device behaving like
>multiple separate "virtual MNs" from a networking point of view. Each
>such "virtual MN" would have its own SPI address, EID address or

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
_______________________________________________
rrg mailing list
[email protected]
http://www.irtf.org/mailman/listinfo/rrg
