IETF developers call for privacy rules for the W3C's geodata API
At the Internet Engineering Task Force (IETF) meeting in Minneapolis, the standards organisation's developers warned about potential data protection weaknesses in a new standard developed by their sister organisation, the World Wide Web Consortium (W3C). A W3C working group plans to release the first complete draft proposal for a Geolocation Application Interface before the end of the week. The specification defines a programming interface which gives access to the geodata – geographical information – stored on a host.
Proposed areas of use are the determination of the user's position for orientation purposes, for up-to-date local information, or for the automatic inclusion of geodata in forms.
According to members of the IETF's Geopriv working group, users should not just have a yes/no option for disclosing their location data, but should also be able to restrict access – for example, by stipulating a time limit. Together with representatives of the US Center for Democracy and Technology, the Secretary of the Geopriv working group, Richard Barnes, advocated the integration of a stricter data protection model into the W3C standard. The Secretary especially pointed out the standards developed by Geopriv, particularly RFC 4119. He said that without the integration of privacy options in the W3C API, the IETF standard's data protection rules would effectively be disregarded.
The Secretary also criticised the method of determining locations based exclusively on latitude and longitude co-ordinates, which in his opinion often doesn't result in a precise location. The IETF also uses civic addresses and is working on incorporating the various international address formats. However, according to Mr Barnes, the question of incorporating civic addresses is the lesser problem.
The W3C working group has so far responded with a clear notice in the standard proposal: geolocation data can only be retrieved with the user's explicit approval. Many working group members object to stricter privacy rules in the API and warn that a solution like the one suggested by the Geopriv standard would be too complex. They said it would overburden the Geolocation API and would also contradict already existing applications. The topic is still being discussed.