Internet DRAFT - draft-gogic-geopriv-concepts
draft-gogic-geopriv-concepts
Network Working Group A. Gogic
Internet Draft: IMAP ANNOTATE Extension QUALCOMM, Inc.
Document: draft-gogic-geopriv-concepts-00.txt June 2002
Location Information and Privacy Concepts
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society 2002. All Rights Reserved.
1 Abstract
This paper defines and explains some geographic location concepts of
interest to GeoPriv. Many of these are of particular interest in
mobile wireless systems and Internet applications involving those
systems and devices. The interaction between location service
architecture elements is briefly described. Methods of protecting
privacy by controlling the precision with which location information
is disclosed are elaborated.
Table of Contents
1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
3 Architecture Elements . . . . . . . . . . . . . . . . . . . . 3
3.1 Location Computation and Distribution Processes . . . . 3
3.1.1 Location Computation . . . . . . . . . . . . . . . . 3
3.1.2 Location Distribution . . . . . . . . . . . . . . . 4
3.2 Target Object . . . . . . . . . . . . . . . . . . . . . . 4
3.3 Target Object Privacy Profile . . . . . . . . . . . . . 4
3.4 Mobile Station . . . . . . . . . . . . . . . . . . . . . 4
3.5 Base Station . . . . . . . . . . . . . . . . . . . . . . 5
3.6 Location Computation Server . . . . . . . . . . . . . . . 5
3.7 Location Distribution Server and Policy Engine . . . . . 5
3.8 Location Client . . . . . . . . . . . . . . . . . . . . . 6
4 Definitions and Abbreviations . . . . . . . . . . . . . . . 6
5 Location Information Content . . . . . . . . . . . . . . . . 7
Gogic Expires December 2002 [Page 1]�
Internet Draft GeoPriv Concepts June 2002
6 Location Information Distribution . . . . . . . . . . . . . 8
6.1 Request/Requestor Authorization . . . . . . . . . . . . . 8
6.2 Location Precision Classes . . . . . . . . . . . . . . . 8
6.3 Rounding to Desired Location Precision and Return Data . 9
6.4 Speed Category and Precision Classes . . . . . . . . . . 11
6.5 Encryption . . . . . . . . . . . . . . . . . . . . . . . 11
7 Location Data Confidence . . . . . . . . . . . . . . . . . . 11
8 Security Considerations . . . . . . . . . . . . . . . . . . 12
9 References . . . . . . . . . . . . . . . . . . . . . . . . 12
10 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
11 Author's Address . . . . . . . . . . . . . . . . . . . . . . 13
12 Full Copyright Statement . . . . . . . . . . . . . . . . . . 13
2 Introduction
The primary motivating factor for the development of location
services in wireless system has been the implementation of emergency
services encompassed in the United States by the Federal
Communications Commission (FCC) mandate for the so-called "Enhanced
911" (E911) capability (see Ref. [2]). These services were
initially defined to supply location information to a public safety
operator in conjunction with an emergency call. Re-using the same
technology for services unrelated to voice calls in general and
emergency calls in particular, is viewed as a desirable development,
particularly if accomplished in the Internet environment, with the
potential of rapid development of a variety of commercially
desirable applications.
There are many examples of TCP/IP-based location applications that
are not related to emergency assistance. Many believe that these
applications are uniquely mobile, so-called "killer apps". A
prominent class of applications is TCP/IP-based tracking and
navigation/routing assistance. For example, a user might want to
obtain his or her own location and get route directions using
interactive maps. An application or a person might want to locate
someone else, e.g., family members or "buddies" in a closed user
group. Another example is geo-fencing, allowing users to define a
permitted location perimeter and causing an automatic notification
if a mobile moves outside of this perimeter.
Availability of simple and reliable location-based services might
open up an entirely new market for un-manned devices, such as fleet
management, dispatch optimization, law enforcement, even livestock
and wildlife management.
Location may be combined with other wireless telecommunication
services to provide enhanced services, such as location-based
commerce, service tiers, etc.
With some notable exceptions (such as livestock and wildlife
management), privacy of location objects is one of the key
Gogic Expires December 2002 [Page 2]�
Internet Draft GeoPriv Concepts June 2002
requirements in most of these location applications.
3 Architecture Elements
This section introduces some basic architecture elements for
location services that are applicable in the wireless domain,
illustrated in Figure 1.
BS-2
* |
d2 * |
d1 * |
BS-1 * * * * * MS |
| * |
| * | _________
| d3 * | | |
| * | | AAA |
| * | |_________|
| BS-3 | |
| | | ___|___ ________ ________
| | +----| | | LDS & | | Loc. |
| +---------+ LCS +---+ PE +---+ Client |
+----------------------------|_______| |________| |________|
Figure 1: Location Services Architecture
Legend:
BS Base Station
MS Mobile Station
LCS Location Computation Server
PE Policy Engine
LDS Location Distribution Server
Loc. Client Client requesting MS location
* * * * Wireless mobile connections between the MS and BSs
----- & | Fixed line connections between BSs and core
network elements, and among those network elements
d1, d2, d3 Distances from the MS to BS 1, 2, and 3 respectively
3.1 Location Computation and Distribution Processes
One can conceptually think of location services as consisting of two
distinct processes: Location computation, and location
distribution. Each is controlled by a separate logical entity shown
in figure 1 as Location Computation Server (LCS), and Location
Distribution Server (LDS). In practical implementations, these
servers may be combined in a single physical entity. This may be
desirable because there are close security trust considerations
among the two.
3.1.1 Location Computation
Gogic Expires December 2002 [Page 3]�
Internet Draft GeoPriv Concepts June 2002
Location computation is the process of computing the location of the
target. It consists of initiation of location measurements, and
their conversion into a meaningful set of location information, such
as latitude, longitude and altitude.
There are a number of location computation technologies available
today. Each contains specific location computation procedures. In
this document, the intent is not to elaborate on any of these
specific techniques, however, in the text below, some of the
techniques have been alluded to, primarily as background
information. In general, it can be stated that the GeoPriv task
does not depend on the vagaries of these techniques.
3.1.2 Location Distribution
Location distribution is the process of proving a target's location
to a requesting client, and consists of several sub-processes:
* Receiving location requests from the location client;
* Checking if the requester is authorized to receive location data
(e.g. verifying subscription status);
* Performing location client authentication, if required;
* Applying the privacy profile of the user to the raw unfiltered
location information, to convert it into a form that is allowed
for disclosure (for example by rounding to the time zone, or to
within the city boundary where the object is located)
* Transmitting filtered location data to the location client, with
encryption, if required.
3.2 Target Object
The target object is the object whose location information is
sought. The ability to control privacy for the target object is
required. In some cases, the user can authorize each individual
location client request for the object's location information.
3.3 Target Object Privacy Profile
The profile detailing the location privacy information (policy) for
the object (e.g., authorization class, location client exception
list, level of location precision disclosure for a given location
service client, etc.)
3.4 Mobile Station
A mobile station (MS) is a peripheral device, such as a wireless
telephone handset or a PDA, which is typically the location target.
The mobile station may contain a GPS (Globile Positioning System)
receiver, or may be able to make location computations by
triangulation from transmissions from three or more base stations.
Gogic Expires December 2002 [Page 4]�
Internet Draft GeoPriv Concepts June 2002
By transmitting a radio signal that is received by multiple base
stations, such triangulation may be possible by means of time of
arrival information available at the base stations, or by means of
round-trip delay involved in combining BS-MS and MS-BS transmission
timing. The mobile station may also play a location client role, as
is the case where user wants to find out where he or she is located.
3.5 Base Station
Base stations (BS) are relay points of communication between the
mobile station and the rest of the telecommunication system. Base
stations play an important role in location determination process.
In GPS-based technologies, base stations can be used as reference
locations in order to relay assistance information to the GPS
receiver in the mobile station, including satellite constellation
data, and Doppler shift due to satellite velocity relative to the
mobile station. Such assistance accelerates the GPS receiver's
ability to perform a location fix. Base station locations are known
by the system, and may be conveyed to the mobile station as well.
Using that knowledge, the mobile station location can be computed by
triangulation methods. In practical implementations, some of these
techniques can be combined to increase confidence, or to choose the
one that is most appropriate, e.g., depending on satellite
visibility in the mobile stations locale, or complexities of
multipath radio signal propagation, which may obscure actual
location.
Reference [1] can be used as an example of radio link signaling used
in location determination.
3.6 Location Computation Server
The location computation server (LCS) collects raw measurement data
related to location determination and computes the target's
location. Raw data may include latitude, longitude, and elevation
from the fix performed in the GPS based system, as well as the
number of satellites visible by the GPS receiver in the mobile
station, allowing it to ascertain measurement confidence. In
triangulation methods, the LCS uses known base station locations,
and any calibration information, such as base station transmission
timing offsets, or mobile station receive-transmit timing offset, to
make location computations.
3.7 Location Distribution Server and Policy Engine
The location distribution server (LDS) performs tasks listed in
section 3.1.2
The LDS acts as the proxy for location distribution. Requests for
location from Internet-based clients can be referred to the LDS
Gogic Expires December 2002 [Page 5]�
Internet Draft GeoPriv Concepts June 2002
first. The LDS can perform client authentication, and with the
assistance from the Policy Engine (PE) determine what privacy
policies are applicable, whether or not a new fix is required, etc.
It may then decide to order a new fix. In a typical implementation,
the LDS may use encrypted transmissions of location data either on
the wireless link, the Internet link, or both. The LDS also
communicates with an AAA server to verify authorization, convey
accounting data, and retrieve authentication information, such as
authentication and encryption keys.
LDS/PE and LCS are often incorporated in a single entity.
3.8 Location Client
A location client is an entity that interacts with the location
object or its proxy to obtain location information. The interaction
may be constrained by a set of specified parameters, such as
attributes of location precision. The location client may have to
subscribe first, before being allowed access to location
information. The location client is often responsible for
formatting and presenting data and managing the user interface. The
LCS Client may also reside in the target object.
4 Definitions and Abbreviations
In addition to the entities and concepts related to system
architecture defined in the previous section, we provide herein some
useful definitions and abbreviations.
Altitude
The geodetic location of the target object expressed as distance
above World Geodetic System 1984 (WGS-84) reference ellipsoid.
Confidence
Probability estimate that the location of a target object is
within the defined geographic shape (perimeter).
Last Known Location
The time stamped location estimate stored for the target object.
Location Client Personalization
A collection of attributes related parameters assigned to a
location client.
Location Estimate
The geographic location of a target expressed in the reference
World Geodetic System 1984 (WGS-84).
Location Precision
A set of attributes associated with a request for the geographic
location of a target. The attributes include the required
Gogic Expires December 2002 [Page 6]�
Internet Draft GeoPriv Concepts June 2002
horizontal accuracy, vertical accuracy, response time, and
maximum age of the target location estimate.
WGS-84
World Geodetic System -- 1984.
WGS-84 Ellipsoid
Worldwide reference system defining the surface of the Earth.
5 Location Information Content
Some examples of location information content types include:
* Geographic location (latitude, longitude, altitude, elevation)
* Time zone in which target is located
* Horizontal and vertical speed
* Heading
* Resolution and associated confidence level for each relevant
datum
* Address (Country, province or state, region, city, area such as
postal code, street, number, label)
* Time Stamp for relevant datum or a data set
In addition to the above descriptors, other location data types are
possible, but may be left out from the first release of GeoPriv work
in the interest of simplicity. An example is azimuth, which is
related, but distinct from heading, since it conveys the object's
orientation, not necessarily direction of travel.
Latitude and longitude are expressed in degrees, minutes, and
seconds from the Equator and Greenwich reference meridian
respectively. Altitude is expressed in meters above WGS-84
ellipsoid (mean sea level). Elevation is height of terrain above
mean sea level, also expressed in meters. Height above ground can
be computed by subtracting elevation from altitude.
Time zone is expressed as a number of hours and minutes relative to
the Greenwich Mean Time (Universal Coordinated Time or UTC). This
may also be accompanied with a descriptive reference, for example
Pacific Time Zone (GMT -8 hrs, Tijuana)
Horizontal and vertical velocity is expressed in meters per second.
Increasing altitude results in positive vertical velocity.
Heading is deviation from the True North of the tangential vector
along the trajectory of travel. Azimuth is the orientation of an
object relative to True North. Azimuth of a stationary object can
be defined. Azimuth may deviate from heading. For example, due to
wind direction relative to flight path, heading of a flying airplane
may deviate from its azimuth.
Gogic Expires December 2002 [Page 7]�
Internet Draft GeoPriv Concepts June 2002
Address of an object is the descriptive form of that object's
location. It is the description of location of the nearest
addressable object from a map database.
Time Stamp may be associated for each location datum or a set of
data. Time stamp is expressed in local time and an offset from the
local time to UTC.
Some of the described location information types are quite advanced,
and may not be incorporated in products or services in the first go.
To keep things simple, Geopriv should initially keep to a relatively
simple subset of these location objects.
6 Location Information Distribution
Controlling distribution of location information is one of the
pillars of privacy. Some of the issues associated with distribution
control involve authorization/authentication of location clients
(requestors) by the location target or its proxy, precision control
of the disclosed location data as a function of authorization class
and possibly application, and encryption of location data to protect
it against inadvertent disclosure (e.g., protection against
eavesdropping).
In the following sections we examine each of these distribution
issues in some detail.
6.1 Request/Requestor Authorization
The applicable policy should specify how a request for location
information is to be handled. Determination can be based on the
identity of the requestor, the use to which the information is to be
put, the time of day, and other factors. The result may be to
reject the request, approve it, or prompt the user. If approved,
the policy may limit the precision of the information. When
prompted, the user may approve or reject the request. Some
implementations may also allow the user to indicate how future
requests from the same source are to be handled (for example,
"reject current and all future requests from this source").
6.2 Location Precision Classes
In addition to authorization, the primary method for privacy control
in location services is the user's ability to allow disclosure to a
certain degree of precision.
For each authorization class a precision level attribute may be
defined. Levels of precision can exist for position (e.g., location
of a stationary object, or momentary location of a moving object),
Gogic Expires December 2002 [Page 8]�
Internet Draft GeoPriv Concepts June 2002
as well as for velocity and orientation of the object. These
classes are listed in the two tables below.
The user or user agent must have the capability to control the
precision (resolution) with which the location information is
conveyed to a location client. The precision category should be
indicated to the client. The following table outlines precision
categories associated with object's momentary location:
Location Precision Precision Precision
Class Descriptive (meters) (LAT) (LON)
A Very Fine 1 not bound not bound
B Fine 10 0.3" 0.3/cos(lat)
C Street Block 100 3.2" 3.2/cos(lat) sec
D City Quarter 1,000 32" 32/cos(lat) sec
E City 10,000 5' 24" 5' 24''/cos(lat)
F Province/State 100,000 54" 54/cos(lat) min
G Country 1,000,000 9 deg 9/cos(lat) deg
H Continent 10,000,000 90 deg 90 deg
I Time Zone N/A N/A ~15 deg
J Deg Latitude N/A 1 deg N/A
K Deg Longitude N/A N/A 1 deg
L - Y ... reserved reserved reserved
Z Barred N/A None None
Table 1: Location Precision Classes
Precision specifications provide the order of magnitude, and do not
indicate certifiable accuracy.
Average WGS-84 ellipsoid distance from the center of the Earth is R
= 6,367,445 meters. This figure can be used to compute latitude and
longitude arc measurements corresponding to the target precision for
each location precision class. While conversion from distance to
latitude arc is straightforward (lat_arc = d/R * 180/pi [deg]), for
distances along parallels, this conversion varies. It is inversely
proportional to cosine of latitude, with singularities at the North
and South Pole.
For example, the latitude precision for the class E (d=10,000 meters
-- "City") is d/R = 1.57 mili-radians, or 5 minutes and 24 seconds
of arc. The longitude precision depends on latitude. At latitude
of 42 degrees exactly, for class E case as above, the latitude
precision is 7 minutes and 16 seconds of arc.
6.3 Rounding to Desired Location Precision and Return Data
To implement precision control, the location information is rounded
before being returned to the location client. Values rounded to the
desired precision should be returned, accompanied by an indication
of the precision class. In principle, rounded data should have full
Gogic Expires December 2002 [Page 9]�
Internet Draft GeoPriv Concepts June 2002
integrity, i.e., provision of deceitful or misleading information
should be discouraged.
The same holds true for the case when a descriptive value is
returned to the location client. For example, for a location target
object located in Miami, willing to disclose its location only to
the precision level F (100,000 meters, or Province/State), rather
than returning deliberately wrong information, e.g., "Fort
Lauderdale", it would return "Florida".
When fine level of precision for location data is required, the most
universal method would be to return a latitude, longitude, altitude
triplet. Another possibility would be to return a descriptive
location of an object, such as a street address. In fact, street
address is the method used for emergency services ("911" in the
United States) when dialed from a fixed line phone. The emergency
service infrastructure looks up the database from the fixed line
phone number, which returns the address where the line is
terminated.
Descriptive value can also be returned as a response to a location
request to a mobile communication device. Once the lat/lon location
is known by the LCS, it performs a geographic database search to
find the description of the nearest addressable object, and returns
it to the requesting location client, assuming that no rounding is
required. Returning a descriptive value can be more meaningful to a
location application than the latitude longitude pair would be.
This becomes interesting when rounding is required before returning
descriptive location information. Probably the easiest way that
this can be accomplished is to display a map segment where the
target is located, and draw a perimeter corresponding to the
required precision.
It is also possible to return a rounded descriptive location without
having to return a graphic map segment. The precision figure for
the classes listed in Table 1 should be used as an order of
magnitude, not in any rigid fashion. For example, if class D (City
Quarter) is required, the return for a target located in New York
City might be "Manhattan", i.e., a locale that is bigger than the
1,000 meters order of magnitude for the precision class.
An opposite problem of having a number of small cities located
within a radius of 10,000 meters for Class E can be solved by
returning "In one of several cities", followed by a list of cities.
Another interesting example is precision class H (Continent).
Location rounding to 10,000,000 meters yields a large section of the
globe. If a descriptive location is desired, the response might be
"Africa", or "South Pacific Ocean", and need not strictly adhere to
segments of the globe given by the geodetic return option. E.g., a
target located in Morocco may round to a geodetic area that is in
Gogic Expires December 2002 [Page 10]�
Internet Draft GeoPriv Concepts June 2002
Europe. Yet, the descriptive form of the return will still be
correct -- "Africa", since the LDE knows the actual location, and
will return the correct descriptive answer, still preserving the
level of vagueness implied by the precision class H.
6.4 Speed Category and Precision Classes
The user must have the capability to control the precision
(resolution) with which the speed information is conveyed to a
location client. The speed precision category should be indicated
to the client. The following table outlines speed precision
categories:
Speed Precision Value Range
Class Descriptive (km/h) (km/h)
VA Fine 1 Any
VB Approximate 10 km/h Any
VC Surface transport 100 km/hr <100, 100-200, >200
VD Airborne transport 1,000 <500, 500-1000, >1,000
VE - VY ... reserved reserved
VZ Barred None None
Table 2: Speed Precision Categories and Classes
Table 2 lists both speed precision categories and classes of speed
by magnitude or range of values. The location client requests the
desired class depending on the nature of its interest. If it wants
the precise speed of the target, it requests VA, or for the
approximate speed of the target, VB. In order to find out if the
target is likely in a surface transport vehicle and class of vehicle
(slow car, fast car, bullet train, etc.) -- it would request VC, and
so on.
6.5 Encryption
Privacy protection generally requires encryption. This guards
against inadvertent disclosure of information, as well as
eavesdropping. The target may regard its location as very valuable
information, and may require that any location disclosure be sent
suitably encrypted. Encryption usually involves trusted entities
due to the necessity of exchanging encryption keys, or
computationaly expensive key exchange techniques.
7 Location Data Confidence
Location information is an estimate obtained by measurements, which
is subject to errors and deterioration of accuracy for a moving
object, e.g., due to age of available data. Confidence is an
attribute of location information that attempts to assess the
probability that the information provided is accurate within a
Gogic Expires December 2002 [Page 11]�
Internet Draft GeoPriv Concepts June 2002
specified perimeter. The confidence attribute can be affixed to any
location datum (for example velocity), however, it is most
meaningful for the point on or near the geodetic ellipsoid surface
as a descriptor of location, which we will call location datum. One
can think of the location datum as the place at which the confidence
reaches its peak. To convey location information uncertainty, the
location information may be provided to the client accompanied by
the degree of confidence. The perimeter for evaluation of
confidence is usually a circle with the center in the location
datum, but in principle, it can be any shape. For example, it may
be of interest to assess confidence that the object is within a city
block or within an irregularly shaped sports venue.
Two questions arise:
* What is the confidence that the object is within a given
perimeter?
* What is the perimeter within which location datum is provided
with a given degree of confidence?
The first requires that the client specifies the perimeter, and the
target returns the confidence. The other requires that the client
specifies the desired confidence, while the target returns the
perimeter, which may or may not be a circle.
8 Security Considerations
This document addresses manipulation and transport of the geographic
location of a target object. The target object may be closely
associated with a person, such is the case for a portable cellular
handset, or for a sensitive object. Inadvertent disclosure of
location information, particularly if the information is accurate,
can be damaging to the person's privacy, and possibly dangerous.
Security aspects are discussed in some detail throughout this
document.
9 References
[1] 3GPP2 C.S0022-0-1 (a.k.a. TIA/EIA/IS-801) Position
Determination Service Standard for Dual Mode Spread Spectrum
Systems, February 2001
[2] TIA/EIA/J-STD-036-A Enhanced Wireless 9-1-1 Phase 2, August 2000
(Rev. A March 2002)
[3] 3GPP TS 22.071V5.1.1, Location Services (LCS) Service
Description, Stage 1, March 2002
Gogic Expires December 2002 [Page 12]�
Internet Draft GeoPriv Concepts June 2002
10 Acknowledgments
The author would like to thank the following people who contributed
to the text and provided many ideas for this draft, as well as
participated in reviewing it. All are affiliated with QUALCOMM,
Incorporated.
* Suzanne Arcens, sarcens@qualcomm.com
* Randall Gellens, rg+ietf@qualcomm.com
* John W Noerenberg II, jwn2@qualcomm.com
* Len Sheynblat: lens@qualcomm.com
In addition, some of the topics discussed in this draft appear in
documents [1], [2], and [3].
11 Author's Address
Aleksandar M. Gogic
QUALCOMM, Incorporated
5775 Morehouse Drive
San Diego, CA 92121-1714
USA
e-mail: agogic@qualcomm.com
12 Full Copyright Statement
Copyright (C) The Internet Society 2002. All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
Gogic Expires December 2002 [Page 13]�
Internet Draft GeoPriv Concepts June 2002
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Gogic Expires December 2002 [Page 14]
