Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [STDS-802-11] ranging privacy presentation 11-19-0898r0



--- This message came from the IEEE 802.11 Working Group Reflector ---
Hi Chris,

Thanks for sharing this presentation. If you are interested in the topic of privacy, I would like to encourage you to join the 802E group, that works on recommendations for privacy in 802 protocols. Dan is an active contributor, and all inputs and exchanges are welcome. We are about to start a new ballot, and will meet again in Vienna.

In general, there is no user at layer 2, there are MAC addresses. Stating that a layer 2 exchanges violates user privacy is a bit of a short-cut. For this reason (and for example), GDPR is not concerned with layer 2 information. However: 
1. If the MAC belongs to a 'personal device' (this can be an endpoint or an infrastructure device)
2. If the MAC can be associated with that device with high enough probability or consistency
3. And if a correlation can be established between the device and an individual user
Then that MAC address can become a PII and affect user privacy. It is commonly understood that the privacy gets affected by the combination of 2. and 3., not by the fact that there is a MAC address, or by the fact that this MAC address exchanges frames. The exception of course is if the frame directly exposes user identification and user personal information (at L2), which would be uncommon (usually, these elements are carried in the payload, and upper layers determine what is okay or not okay to carry at L2).

However, the correlation between a device and its frames is achievable when specific elements can separate these frames from other frames sent by other devices. 802 protocols contain hundreds of cases where this can be true, in 802.11 and other groups, such case is not specific to 802.11az (if 802.11az presents this case, as your presentation states). This exposure is often inherent to the exchanges required to perform this or that function, for example to express specific capabilities or characteristics. We think that it is important to document them, for awareness, conscious network design, and also allow actors to decide scenarios where such correlation is acceptable, and when it is not. There are exchanges for which exposure is unavoidable. If the location of a MAC address is in the category of exchanges where such exposure happens, then correlation between that MAC and a personal device, and between that personal device and the user, must be achieved too. This can be the case for an ISTA and an RSTA (therefore if there is exposure risk for the ISTA, there is the same exposure risk, with the same importance, for the RSTA). It seems to me that this is possible for stable MAC addresses already associated to a network (but then there are other terms of exchanges that were established too). It is less obvious that this would affect temporal MAC addresses. But in all cases, if such exposure is linked to an exchange, it is important to allow the exposed side to decline the exchange.

Hope this helps

Jerome


---- On Wed, 15 May 2019 12:30:33 -0400 Chris Hartman <00000da8c189cf4b-dmarc-request@xxxxxxxx> wrote ----

--- This message came from the IEEE 802.11 Working Group Reflector ---

All,

Even though we did not get a chance to present at the mid-week plenary, we request you to read the document 11-19-0898-r0, and we invite you to participate in the discussion in TGaz.

The next TGaz session will be today, PM1 in Highland Ballroom IV/V – lobby level. There are additional sessions on Thursday AM1, Highland Ballroom I/II – lobby level, and Thursday PM2, Highland Ballroom I/II – lobby level.

Regards,

Qi and Chris

_______________________________________________________________________________

If you wish to be removed from this reflector, do not send your request to this reflector - it will have no effect.

Instead, go to http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11 and then press the LEAVE button.

If there is no LEAVE button here, try http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-RO.

Further information can be found at: http://www.ieee802.org/11/Email_Subscribe.html
_______________________________________________________________________________



To unsubscribe from the STDS-802-11 list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11&A=1