> With the idea that we want -geopriv-policy finished sometime this millennium, here's my first, rough attempt at describing constraints and goals for location obscuring.
We have all contributed our share to the delay.
> ----
>
> The purpose of a location obscuring algorithm is to provide a location recipient (LR) with location information of reduced quality. The intent is to provide an LR with location information that is correct, but insufficient to identify the known location without a chosen amount of uncertainty.
>
> The obscuring algorithm takes a series of _known locations_, which might have greater accuracy than the recipient is permitted to receive. The obscuring process produces a series of _reported locations_.
>
> Algorithm Constraints
>
> Each algorithm MUST be assigned a label. This label is used to identify the algorithm. Algorithm labels are added to the location obscuring algorithm registry (see Section x.x).
>
I wonder why it is important to indicate that. It would sound as if a registry were a super new thing, but we have been using algorithm registries forever.
I would drop this.
> The algorithm MUST accept known locations with uncertainty and produce reported locations with uncertainty that encloses the known location at that time. That is, the reported location is no less correct than the known location.
See my other mail. I would at maximum go as far as saying "SHOULD" here.
>
> Any obscuring algorithm MUST accept a single input parameter of a distance in meters. Any other tuning parameters for the algorithm MUST be fixed in the definition of the algorithm.
>
I am not sure why this is a useful requirement as well. I believe what you really want to express with this requirement is that the algorithm has to be simple to use for the end user. When we came up with the idea that the user would be presenting only a single value (in the form of distance in meters), we thought that this would be simple enough. However, none of us is a user interface expert. Hence, I believe it is not useful to put artificial constraints on the algorithm. Imagine that someone comes up with a super great user interface but unfortunately that algorithm requires more parameters; this should still be allowed.
> Algorithm Goals
>
> In assessing any algorithm, the information that a recipient can recover determines how effective that algorithm is. When a recipient (or adversary) makes assumptions [Duckham05] about the movement of the target, they may be able to recover more information than is intended.
>
> The assumptions that a recipient is forced to make to recover information determines how effective an algorithm is. The more assumptions that are necessary, the more difficult it is to reliably recover the known location. While it cannot be assumed that the complexity of applying multiple assumptions would prevent a recipient from applying those assumptions, the probability that a given set of assumptions is incorrect increases with number.
>
> The following assumptions are considered important for the development of an algorithm that obscures location. These assumptions are considered to have a high probability of being correct and are therefore the most important assumptions to protect against.
>
> Stationary assumption:
> An algorithm SHOULD obscure the location of a stationary target. More specifically, when a target does not move, a location recipient should be unable to determine the known location using only the reported locations that are output from the algorithm.
>
> Continuous movement assumption:
> An algorithm SHOULD obscure the location of a moving target. More specifically, when a target moves, a location recipient should be unable to determine the known location of the target at any point in time using only the reported locations that are output from the algorithm.
While the adversary will be unable to determine the exact information about the location of the target, it will learn that the target moves and in which direction (if we additionally assume that the algorithm does not lie).
Then, with additional information (which is quite likely to be available) there is information about which path the target may have taken.
>
> Frequent destination assumption:
> An algorithm SHOULD obscure the details of a frequently visited location or path. For a destination that is regularly visited, the algorithm cannot provide the precise location of the frequented location.
>
> Any description SHOULD indicate whether the algorithm prevents a recipient from identifying whether different reported locations correspond to the same known location, and under what circumstances. This would permit a recipient to learn that the same location is being visited, even if the identity of that location is obscured.
>
I am not sure whether I fully understand the purpose of these two requirements.
If a grid is large enough then there will be no path visible. In the other case it will be. Since the grid is a configurable parameter every algorithm will fail to fulfill this requirement.
I would exclude these further requirements below from the current discussion. We should only work on these once we get a base algorithm finished. I have my doubts that the industry is asking us to work on these given the deployment status of location obfuscation today. From your description it seems that they fall under the same category as all other requirements. I disagree with that. This is also a more advanced requirement that should be labelled as a MAY, if at all listed.
> High accuracy assumption:
> An algorithm SHOULD obscure location when the known location has low uncertainty or a high frequency update rate. A theoretical analysis of the algorithm based on a continuous series of perfect known locations is desirable.
>
> An algorithm may also provide protection for the speed or velocity of a target. It is desirable that the precise speed of a target cannot be easily learned. The following assumptions are also important in assessing an algorithm:
>
> Constant velocity assumption:
> An algorithm SHOULD obscure the speed of a target under the assumption of constant velocity or constant speed along a predefined path (such as a road).
>
> Other assumptions that a location recipient might use to improve their ability to recover a known location might include: upper and lower bounds to speed or acceleration, constrained movement along specific thoroughfares, or inability to be located in areas that are designated inaccessible.
>
Ciao
Hannes
> Discussion of any additional assumptions that are either rendered ineffective or especially effective is useful in evaluating an algorithm.
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv
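As an added illustration (not part of this thread or of any GEOPRIV draft), the following grid-snapping obscuring algorithm satisfies the two constraints quoted above: a single tuning parameter, the grid cell edge in metres, and a reported uncertainty circle that always encloses the known one. It also exercises the "stationary assumption" and the grid objection raised in the reply: a target that sits still near a cell boundary, with only GPS jitter, produces two different reports, which is exactly what lets a recipient narrow its position to the boundary. Coordinates are assumed to be on a local planar projection in metres; the names `Location`, `obscure_grid` and `encloses` are my own, not an identifier from any specification.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    """A location expressed as a circle: centre (x, y) in metres on a
    local planar projection, plus an uncertainty radius in metres."""
    x: float
    y: float
    uncertainty: float  # 0.0 would be a "perfect" known location


def obscure_grid(known: Location, distance: float) -> Location:
    """Grid-snapping obscuring algorithm (hypothetical, for illustration).

    `distance` is the single input parameter: the grid cell edge in metres.
    The reported centre is the centre of the cell containing the known
    centre. The reported radius is half the cell diagonal (the farthest the
    known centre can be from the cell centre) plus the known uncertainty, so
    the reported circle always encloses the known circle. The radius depends
    only on the cell size and the known uncertainty, never on where inside
    the cell the known centre lies, so it leaks no position within the cell.
    """
    if distance <= 0:
        raise ValueError("distance must be positive")
    cx = (math.floor(known.x / distance) + 0.5) * distance
    cy = (math.floor(known.y / distance) + 0.5) * distance
    half_diag = distance * math.sqrt(2) / 2
    return Location(cx, cy, half_diag + known.uncertainty)


def encloses(outer: Location, inner: Location) -> bool:
    """True if every point of the inner circle lies inside the outer circle,
    i.e. the reported location is no less correct than the known one."""
    d = math.hypot(outer.x - inner.x, outer.y - inner.y)
    return d + inner.uncertainty <= outer.uncertainty + 1e-9


def obscure_series(known_series, distance):
    """Apply the algorithm to a series of known locations."""
    return [obscure_grid(k, distance) for k in known_series]


def distinct_reports(reported):
    """Number of distinct reported centres. For a stationary target the
    algorithm ideally yields 1: more than one tells the recipient the target
    sits near a cell boundary."""
    return len({(r.x, r.y) for r in reported})


# Constructed sample data (not real traces), uncertainty 5 m on each fix.
# A target standing still in the middle of a cell, with GPS jitter only:
STATIONARY_MID = [Location(1203.4 + dx, 877.1 + dy, 5.0)
                  for dx, dy in ((0.0, 0.0), (1.2, -0.8), (-0.5, 0.3))]
# The same situation, but standing 1 m either side of the x = 1300 boundary:
STATIONARY_EDGE = [Location(1299.0, 877.1, 5.0), Location(1301.0, 877.1, 5.0)]
# A target walking east at 20 m per fix:
MOVING = [Location(1203.4 + 20.0 * i, 877.1, 5.0) for i in range(10)]


def evaluate(distance: float = 100.0) -> dict:
    """Run the three samples through the algorithm and summarise what a
    recipient could observe."""
    out = {}
    for name, series in (("mid", STATIONARY_MID), ("edge", STATIONARY_EDGE),
                         ("moving", MOVING)):
        reported = obscure_series(series, distance)
        out[name] = {
            "all_enclosed": all(encloses(r, k) for r, k in zip(reported, series)),
            "distinct": distinct_reports(reported),
        }
    return out


if __name__ == "__main__":
    for name, summary in evaluate().items():
        print(name, summary)
```

With a 100 m grid, the mid-cell stationary target yields one report, the boundary-straddling one yields two (the recipient now knows the target is within jitter range of the line x = 1300), and the walking target's reports step from one cell to the next, revealing the direction of travel even though no individual fix is recoverable.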