01:49:42 RRSAgent has joined #geolocation-and-privacy
01:49:46 logging to https://www.w3.org/2025/11/12-geolocation-and-privacy-irc
01:49:46 RRSAgent, do not leave
01:49:47 RRSAgent, this meeting spans midnight
01:49:47 RRSAgent, make logs public
01:49:49 Meeting: Geolocation and Privacy
01:49:49 Chair: Matthew Reynolds
01:49:49 Agenda: https://github.com/w3c/tpac2025-breakouts/issues/29
01:49:49 Zakim has joined #geolocation-and-privacy
01:49:50 Zakim, clear agenda
01:49:50 agenda cleared
01:49:50 Zakim, agenda+ Pick a scribe
01:49:51 agendum 1 added
01:49:51 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
01:49:51 agendum 2 added
01:49:51 Zakim, agenda+ Goal of this session
01:49:53 agendum 3 added
01:49:53 Zakim, agenda+ Discussion
01:49:53 agendum 4 added
01:49:53 Zakim, agenda+ Next steps / where discussion continues
01:49:54 agendum 5 added
01:49:54 Zakim, agenda+ Adjourn / Use IRC command: Zakim, end meeting
01:49:54 agendum 6 added
01:49:54 breakout-bot has left #geolocation-and-privacy
02:10:42 dveditz has joined #geolocation-and-privacy
02:11:05 Yasu has joined #geolocation-and-privacy
02:16:16 tara has joined #geolocation-and-privacy
02:16:25 mkwst has joined #geolocation-and-privacy
02:16:32 tmaruha4 has joined #geolocation-and-privacy
02:16:52 AramZS has joined #geolocation-and-privacy
02:17:02 present+
02:18:40 npdoty6 has joined #geolocation-and-privacy
02:18:45 scribe+
02:18:51 wschildbach has joined #geolocation-and-privacy
02:19:00 npdoty has joined #geolocation-and-privacy
02:19:04 present+
02:19:12 alexmt has joined #geolocation-and-privacy
02:19:19 xiaoqian has joined #geolocation-and-privacy
02:19:29 MarianH has joined #geolocation-and-privacy
02:19:44 Matthew Reynolds is chairing
02:19:58 q?
02:20:05 mattreynolds has joined #geolocation-and-privacy
02:20:07 gkok has joined #geolocation-and-privacy
02:20:09 present+
02:20:14 Andante has joined #geolocation-and-privacy
02:20:14 Slides: https://docs.google.com/presentation/d/1bwtIGafSj2oBeXRT1vjI0e9HexW1l-Tcsb_svKPrETQ/edit?slide=id.p#slide=id.p
02:20:17 miketaylr has joined #geolocation-and-privacy
02:20:25 pascoe has joined #geolocation-and-privacy
02:20:25 present+
02:20:26 Alvin has joined #geolocation-and-privacy
02:20:30 present+
02:20:30 present+
02:20:33 Gerhard has joined #geolocation-and-privacy
02:20:33 present+
02:20:35 present+
02:20:36 present+
02:20:39 present+
02:20:42 present+
02:20:45 present+
02:21:21 atsushi has joined #geolocation-and-privacy
02:21:40 mattreynolds: A lot here but I care more about some of these than others.
02:22:01 antosart has joined #geolocation-and-privacy
02:22:11 let's review the immediate history of this starting all the way back in the 1998 mobile web access workshop
02:22:22 8 years ago we formed the geolocation working group to get the API working.
02:22:29 questions I'm still thinking about from our last breakout conversation:
02:22:29 why not civic address/administrative category?
02:22:29 how are we going to convince developers not to use centroids or assume the lat/lon is precise?
02:22:50 GML group has been developing ways to represent geolocation data.
02:23:05 PIDF format is used to represent geo information and has been worked on by a few groups
02:23:44 [slide] At the joint workshop in 2000 for WAP-W3C - user and subscriber privacy were different things. And locational privacy was not well domained yet
02:23:58 Agnostic about legal and policy issues in 2000 but that is changing now.
02:24:44 tako has joined #geolocation-and-privacy
02:24:48 Who owns location information was an important topic. These days we think about it as being the user. But devices may have different properties at different times and the employer owns your location data in specific contexts.
02:25:03 [slide] IETF GeoPriv group
02:25:03 present+
02:25:37 Location estimates will often have to travel through multiple parties to create a location estimate. How are privacy concerns passed through these different entities who handle the data.
02:26:49 element would have location info and usage rules that contain the policy requirements with different flags
02:27:21 Zakim, this is geolocation and privacy
02:27:21 got it, AramZS
02:27:28 dveditz has joined #geolocation-and-privacy
02:27:36 There are also notes that are human facing.
02:28:07 [slide] A process for obscuring location in IETF GeoPriv
02:28:07 usage rules! a "policy aware web" they called it.
02:28:39 Generally agreed: Withholding location data entirely is the only way to really ensure it is not recovered
02:29:06 [slide] Civic Location at IETF GeoPriv
02:29:25 Civic Address seems better than lat/long for understanding what is going on and is easier to approx
02:29:37 You can just delete things off the bottom of this object to reduce accuracy.
02:30:00 [slide] GeoXACML from the Open Geospatial Consortium
02:30:38 Precision and allowing transformation are interesting privacy considerations but not super relevant.
02:31:03 [slide] Geolocation on the early web
02:31:08 IP table always possible.
02:31:24 Google had a clientLocation via ajax and a Gears browser add-on
02:31:47 Gears used Wi-Fi APs and cellular nodes
02:31:49 I'm loving this blast from the past history. Skyhook! Google Gears!
02:32:04 Mozilla did something similar with Geode but paired with site permissions to determine emitted accuracy.
02:32:13 Tatsuya has joined #geolocation-and-privacy
02:32:15 [slide] Gear Geolocation API 2008-2011
02:32:43 [slide] Mozilla Geode (2008-2009)
02:33:08 Mozilla had a fuzzing algorithm but did not bring that into the final version in Firefox, determined it was not effective.
02:33:17 [slide] 2008 spec discussions
02:34:10 Who is responsible for privacy is a big discussion. Who gets to handle it. Does it get delegated? Must we concern ourselves with it in the API. Eventually the user agent is decided to take responsibility
02:34:23 Can browsers leverage geopriv?
02:34:51 If we build it into the API maybe the gov't can enforce laws for this?
02:35:03 We decided not to do that.
02:35:19 [slide] Location accuracy / uncertainty
02:35:41 Instead of giving a point and uncertainty value, give a boundary ?
02:36:07 it was rather a heated, controversial decision when the Geolocation WG finally decided to reject all the policy/rules approach
02:36:10 enableHighAccuracy did end up making it into the spec
02:36:15 tantek-projector has joined #geolocation-and-privacy
02:36:19 RRSAgent, pointer
02:36:19 See https://www.w3.org/2025/11/12-geolocation-and-privacy-irc#T02-36-19
02:36:48 [slide] Civic location
02:37:04 Considered a civic object and rules but didn't happen
02:37:16 my long ago predecessors at the Center for Democracy & Technology spent a lot of time and effort, but browser implementers refused not just the geopriv ruleset, but also anything similar
02:37:35 If the civic address were part of the spec the web dev would not have to create their own lat/long civic address lookup. Unclear that there was actually a use case.
02:38:06 [slide] W3C actual location APIs
02:38:25 Geolocation WG - Geolocation API and attempted a geofencing API
02:38:37 Geolocation WG ended 2017
02:38:56 Device and Sensors WG picked it up. In 2018 took up the Geolocation Sensor API
02:39:17 Current proposals - element & approx geolocation
02:39:44 [slide] Geofencing API
02:40:07 Approximate location as a boundary but abandoned
02:40:21 [slide] Geolocation Sensor API
02:40:39 Goal: Geolocation API with better ergonomics and consistency
02:40:55 But privacy considerations don't seem to address the location specific concerns effectively in this proposal.
02:41:03 [slide] Geolocation Sensor API
02:41:06 antosart has joined #geolocation-and-privacy
02:41:14 Better integrated with permissions API and has promises
02:41:26 q?
02:42:02 The security and privacy considerations for the geolocation sensor API seems like it doesn't have a lot there
02:42:11 [slide] element
02:42:24 Make permissions more accessible, secure, less UI spam
02:42:39 PEPC privacy considerations.
02:43:05 User interaction is required to reuse a one-shot element - we can set watch to false when you just need to get location once.
02:43:34 Autolocate use case - user agent can choose how to handle the requests with a different UI for instance.
02:44:08 [slide] Approximate geolocation
02:44:35 Goal: Reduce risk associated with sharing precise location information. This is what most sites likely want and users would want to downgrade.
02:45:18 Most location providers already support obfuscation. iOS/MacOS, Windows, Android,
02:45:41 The problem is we can't enforce privacy constraints on the existing tools from the browser perspective
02:46:02 and also each platform makes its own rules about location "coarsening" and when new locations are generated.
02:46:26 If you have too many locations you can reduce accuracy but get a bunch of locations and narrow down your element
02:46:45 This sort of fuzzing is not always useful in securing users' locations
02:46:52 [slide] Future work?
02:47:12 Location APIs that don't expose coordinates - Civic location API, location-based chooser API.
02:47:37 Chooser that doesn't actually reveal the user's location, just the closest object from a set of geo located objects. This might be useful.
02:47:54 Location sources without a third party - GNSS, IP geolocation Database, Network geolocation database.
02:48:49 A database on your own device about nearby networks that approx location might be useful.
02:48:52 I think the threat was that if you request location using multiple platforms at once and they don't use the same fuzzing algorithm, then you can average the results to figure out where the user is. I think potentially we could integrate with OS APIs to make sure that any consumer of the location uses the same fuzzed result, with the same frequency
02:48:52 limits.
02:49:08 q?
02:49:13 Queue open
02:49:15 q+
02:49:28 q+
02:50:00 John Wilander from Apple Webkit: We might want to allow the user to lie intentionally about their location
02:50:17 https://w3ctag.github.io/privacy-principles/#support-choosing-info
02:50:17 mattreynolds: Have heard this before, just give the user a chooser
02:50:39 The user should be in charge of their location and obfuscate it at will is implied by the privacy principles.
02:50:51 Fake location for testing might be an opportunity.
02:51:27 Thomas from Criteo: Is there an implementation that can provide specific fake locations is there a legal concern?
02:51:57 Wilander: The site may pressure you if it is aware of how coarse the user is making their data
02:51:58 s/Is there an/If there is an/
02:52:14 some people would like it to be illegal for the user to provide non-current location information. that would be an extreme violation of privacy and free expression, and I don't know of any such laws today.
02:52:15 mattreynolds: the permission estimate we're looking at will tell you what the accuracy mode is
02:52:30 Wilander: users may need to be able to lie about that too
02:52:48 Gerhard: A flawed use case we are struggling with - the user as an attacker
02:53:20 Someone has phished credentials and is now attacking you. and I want to log in as you as an attacker.
02:53:35 Now a lot more attacks with social engineering - someone calls you, asks that you are you, using security information and using app consent to get you to say yes.
02:53:48 We see 'you are trying to log in from Wherever' and the user can see that
02:53:57 and potentially counter social engineering attacks.
02:54:23 The person approving it vs logging in locations can be used to prevent attacks.
02:54:43 Potentially place a location cookie? I want to set a cookie that says I am logged in from X location successfully.
02:55:09 When the request comes in to say 'user does not have the successful location cookie' we can trigger enhanced security.
02:55:32 Looking to see just that he is at a location where previous ceremonies have been successful
02:55:42 banking app / site might be a way to think about it.
02:55:47 An attacker of this type doesn't have to be using a legitimate browser; they could use a VPN to change their IP address and a hacked browser that lies about location.
02:55:57 Trying to make sure that it is a new location, not that there is a specific location
02:56:09 attackers are extremely unlikely to voluntarily report that they are in a new and unusual location
02:56:17 Logged in at this location is the context interested in.
02:56:50 q+
02:56:51 mattreynolds: Not so sure about this but user agent should be a location from the user and if the user wants to fake a location then they should be able to do so.
02:57:03 Gerhard ack
02:57:07 ack Gerhard
02:57:13 ack npdoty
02:58:22 npdoty: what we have written in the privacy principles is that APIs we design should not purport to be promises about a truthful position. If the site wants a position from the user and the user wants to give their current location based on geo location then the user is not making a promise to the website that 'i swear I'm here' and sites should not expect that when planning on dealing with attackers.
02:58:33 Otherwise we'd end up with very invasive technology.
02:59:03 We just don't want to give promises that we are doing that. It locks away some things but opens up a lot more possibility like 'I want to search for things where I'm traveling tomorrow' etc...
02:59:31 Support using the information that the user wants to present. Don't trust the user that they are giving you an accurate location. If you want definitive accuracy - ask someone other than the user.
02:59:35 q?
03:00:06 ack gkok
03:00:19 mkwst has joined #geolocation-and-privacy
03:00:54 gkok: From Netflix. Just a question to better understand - the user can eventually set their own location? Netflix and many other companies are obligated by contract to gate content to geo. Does this mean that the ability to do this via browser is going away b/c user can say they are in another country? The location is the thing the user sets? Even though this is possible through a VPN right now, is this something the browser
03:00:55 supports naturally?
03:01:09 mattreynolds: this is already a thing. But not a fake IP address.
03:01:26 gkok: Is this dealing with obfuscating the IP address?
03:01:30 q+ to consider problems where the site doesn't understand precision
03:01:35 mattreynolds: there are other efforts for that
03:01:56 Gerhard: Apple does this already down to the specific city.
03:02:06 pascoe has joined #geolocation-and-privacy
03:02:35 gkok: If this obfuscation happens and the IP happens then you don't need a VPN anymore to change your location from your real one.
03:02:41 Apple's private relay feature (and some others) which choose a different IP address try to use an IP address from a similar city or region
03:02:54 mattreynolds: often it is not possible to obfuscate past a particular level
03:03:01 q+ Wilander
03:03:32 ack npdoty
03:03:32 npdoty, you wanted to consider problems where the site doesn't understand precision
03:04:24 npdoty: one of the problems that comes up is that sometimes the site - the recipient of the information - is not well prepared to handle inaccuracy. They get a lat/long back and they can put a dot on the map and don't think much about it.
03:04:38 Precision field in the current API isn't well considered by sites / devs
03:04:54 Do we have ideas for how we can help the site developer to understand that the precise looking data is not precise.
03:05:22 We shouldn't send back rough data and make it look precise if possible, even the best meaning developer will hurt the user experience by trying to give them precise data
03:05:29 I don't have a good answer on this
03:05:30 Gerhard has joined #geolocation-and-privacy
03:05:32 mattreynolds: me either
03:05:37 q+
03:05:53 Apple as an example snaps to a location near you. That seems pretty good.
03:06:56 Wilander: iCloud relay will, by default, maintain general location - general city. It can also say 'use country and time zone' which makes it much less accurate, but for the Netflix use-case works
03:07:09 Gerhard: attackers often come from other countries so that is still better.
03:07:16 ack Wilander
03:07:21 ack Gerhard
03:07:49 Gerhard: when we started looking at the same time we'd see that the locations that are city-wide seem specific but they are not, they are mapped to specific public spaces.
03:08:06 Kashmir Hill did great reporting on this, about a lat/lon that's in the centroid
03:08:14 We've all heard about the misconceptions about geolocation and lat/long like the tale of the farm
03:08:16 q+ on civic address
03:08:34 q+ mkwst
03:08:38 https://www.kashmirhill.com/stories/internet-mapping
03:08:46 ack npdoty
03:08:46 npdoty, you wanted to comment on civic address
03:09:08 npdoty: If the data just came back Atlanta instead of the city hall in Atlanta you'd be less likely to think you are getting an exact location
03:09:24 I wonder if we could do something like Civic address
03:09:40 or just change what is returned to the app to use a subobject that makes it clear it is an approx location
03:10:39 Gerhard has joined #geolocation-and-privacy
03:10:46 mkwst: Mike from Google - making locations approx has different implications in different places. In cities the approx of location means less because there are a lot of people. With sparser population areas there are fewer places to put it up against as the 'fake' location.
03:11:04 mattreynolds: Apple considers this with larger grid cells for rural areas than cities.
03:11:32 some legal regulations have also tried to include this: no more precise than X distance, or only in a place where there are at least 10,000 people
03:11:38 This relies on pop density that isn't public information right now, but it could be, and the device could use it to do similar coarseness on-device without checking in with a server
03:11:44 q?
03:11:51 ack mkwst
03:11:54 s/Apple considers/Android considers/
03:12:14 Another thing might only fuzz one of the lat/long pair.
03:12:30 mkwst: political regions might have different regulations and some of those are very small.
03:12:42 mattreynolds: that's a big risk too, state of RI is very different from state of CA
03:12:53 we should be wary b/c it is only as approx as the size of the region.
03:12:58 q?
03:13:17 npdoty: on the user side - people know that about their admin regions.
03:13:34 If you are in a small country the user knows that there are implications.
03:13:39 q+
03:13:54 Anonymity can be complicated by that but we should think the user understands this
03:14:50 Gerhard: The attractiveness of the population density of millions is attractive from a familiar location standpoint. That is fine to hide in a larger group. We want to aid the client in making a risk decision and EU vs Vatican City is very different in that regard.
03:14:55 ack Gerhard
03:15:02 q+
03:15:25 Aram: it would be great as a developer to not have to resolve (reverse geocode) lat/lon myself
03:15:26 AramZS: it would be great to not have to deal with resolving lat/long to a location myself as a dev
03:15:37 ack gkok
03:16:13 gkok: knowing that this is likely much less precise and if you need high precision the developer might build a prompt to suggest higher precision in exchange for a better user experience
03:16:45 mattreynolds: IP geolocation sometimes is not good enough for even basic stuff like restaurants near you
03:17:03 User being able to give accurate enough location data for the right context is important.
03:17:18 Tomorrow in the Joint Session between webapps and device sensors group will discuss this more.
03:17:34 RSSAgent, make minutes
03:18:01 Zakim, make minutes
03:18:01 I don't understand 'make minutes', AramZS
03:19:54 RSSAgent end this meeting
03:21:04 Zakim pointer
03:21:16 RRSAgent, pointer
03:21:16 See https://www.w3.org/2025/11/12-geolocation-and-privacy-irc#T03-21-16
03:22:20 RSSAgent, end this meeting
03:25:20 xiaoqian has joined #geolocation-and-privacy
04:19:21 AramZS has joined #geolocation-and-privacy
04:46:32 xiaoqian has joined #geolocation-and-privacy
04:49:17 xiaoqian has joined #geolocation-and-privacy
05:09:39 Zakim, end meeting
05:09:39 As of this point the attendees have been AramZS, npdoty, mattreynolds, wschildbach, pascoe, miketaylr, Andante, tara, Mek, Gerhard, xiaoqian, alexmt, MarianH
05:09:42 RRSAgent, please draft minutes
05:09:44 I have made the request to generate https://www.w3.org/2025/11/12-geolocation-and-privacy-minutes.html Zakim
05:09:55 I am happy to have been of service, Mek; please remember to excuse RRSAgent. Goodbye
05:09:55 Zakim has left #geolocation-and-privacy
05:30:58 xiaoqian has joined #geolocation-and-privacy
05:35:44 xiaoqian has joined #geolocation-and-privacy
05:41:26 AramZS has joined #geolocation-and-privacy
06:40:02 xiaoqian has joined #geolocation-and-privacy
07:03:08 AramZS has joined #geolocation-and-privacy
07:07:51 tantek-projector has left #geolocation-and-privacy
07:15:45 xiaoqian has joined #geolocation-and-privacy
07:19:03 AramZS has joined #geolocation-and-privacy
08:10:17 AramZS has joined #geolocation-and-privacy
08:20:45 xiaoqian has joined #geolocation-and-privacy
08:29:07 xiaoqian has joined #geolocation-and-privacy
08:37:10 AramZS has joined #geolocation-and-privacy
13:39:02 tidoust has joined #geolocation-and-privacy
13:39:05 RRSAgent, bye
13:39:05 I see no action items