Internet Engineering Task Force (IETF)                         R. Barnes
Request for Comments: 6280                                   M. Lepinski
BCP: 160                                                BBN Technologies
Updates: 3693, 3694                                            A. Cooper
Category: Best Current Practice                                J. Morris
ISSN: 2070-1721                        Center for Democracy & Technology
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                          H. Schulzrinne
                                                     Columbia University
                                                               July 2011
        

An Architecture for Location and Location Privacy in Internet Applications

Abstract

Location-based services (such as navigation applications, emergency services, and management of equipment in the field) need geographic location information about Internet hosts, their users, and other related entities. These applications need to securely gather and transfer location information for location services, and at the same time protect the privacy of the individuals involved. This document describes an architecture for privacy-preserving location-based services in the Internet, focusing on authorization, security, and privacy requirements for the data formats and protocols used by these services.

Status of This Memo

This memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6280.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Binding Rules to Data
      1.2. Location-Specific Privacy Risks
      1.3. Privacy Paradigms
   2. Terminology Conventions
   3. Overview of the Architecture
      3.1. Basic Geopriv Scenario
      3.2. Roles and Data Formats
   4. The Location Life Cycle
      4.1. Positioning
           4.1.1. Determination Mechanisms and Protocols
           4.1.2. Privacy Considerations for Positioning
           4.1.3. Security Considerations for Positioning
      4.2. Location Distribution
           4.2.1. Privacy Rules
           4.2.2. Location Configuration
           4.2.3. Location References
           4.2.4. Privacy Considerations for Distribution
           4.2.5. Security Considerations for Distribution
      4.3. Location Use
           4.3.1. Privacy Considerations for Use
           4.3.2. Security Considerations for Use
   5. Security Considerations
   6. Example Scenarios
      6.1. Minimal Scenario
      6.2. Location-Based Web Services
      6.3. Emergency Calling
      6.4. Combination of Services
   7. Glossary
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References

1. Introduction

Location-based services (applications that require information about the geographic location of an individual or device) are becoming increasingly common on the Internet. Navigation and direction services, emergency services, friend finders, management of equipment in the field, and many other applications require geographic location information about Internet hosts, their users, and other related entities. As the accuracy of location information improves and the expense of calculating and obtaining it declines, the distribution and use of location information in Internet-based services will likely become increasingly pervasive. Ensuring that location information is transmitted and accessed in a secure and privacy-protective way is essential to the future success of these services, as well as the minimization of the privacy harms that could flow from their wide deployment and use.


Standards for communicating location information over the Internet have an important role to play in providing a technical basis for privacy and security protection. This document describes a standardized privacy- and security-focused architecture for location-based services in the Internet: the Geopriv architecture. The central component of the Geopriv architecture is the location object, which is used to convey both location information about an individual or device and user-specified privacy rules governing that location information. As location information moves through its life cycle -- positioning, distribution, and use by its ultimate recipient(s) -- Geopriv provides mechanisms to secure the integrity and confidentiality of location objects and to ensure that location information is only transmitted in compliance with the user's privacy rules.

The goals of this document are two-fold: First, the architecture described revises and expands on the basic Geopriv Requirements [2] [3], in order to clarify how these privacy concerns and the Geopriv architecture apply to use cases that have arisen since the publication of those documents. Second, this document provides a general introduction to Geopriv and Internet location-based services, and is useful as a good first document for readers new to Geopriv.

1.1. Binding Rules to Data

A central feature of the Geopriv architecture is that location information is always bound to privacy rules to ensure that entities that receive location information are informed of how they may use it. These rules can convey simple directives ("do not share my location with others"), or more robust preferences ("allow my spouse to know my exact location all of the time, but only allow my boss to know it during work hours"). By creating a structure to convey the user's preferences along with location information, the likelihood that those preferences will be honored necessarily increases. In particular, no recipient of the location information can disavow knowledge of users' preferences for how their location may be used. The binding of privacy rules to location information can convey users' desire for and expectations of privacy, which in turn helps to bolster social and legal systems' protection of those expectations.

Binding of usage rules to sensitive information is a common way of protecting information. Several emerging schemes for expressing copyright information provide for rules to be transmitted together with copyrighted works. The Creative Commons [28] model is the most prominent example, allowing an owner of a work to set four types of rules ("Attribution", "Noncommercial", "No Derivative Works", and "ShareAlike") governing the subsequent use of the work. After the author sets these rules, the rules are conveyed together with the work itself, so that every recipient is aware of the copyright terms.

Classification systems for controlling sensitive documents within an organization are another example. In these systems, when a document is created, it is marked with a classification such as "SECRET" or "PROPRIETARY". Each recipient of the document knows from this marking that the document should only be shared with other people who are authorized to access documents with that marking. Classification markings can also convey other sorts of rules, such as a specification for how long the marking is valid (a declassification date). The United States Department of Defense guidelines for classification [4] provide one example.

1.2. Location-Specific Privacy Risks

While location-based services raise some privacy concerns that are common to all forms of personal information, many of them are heightened, and others are uniquely applicable in the context of location information.

Location information is frequently generated on or by mobile devices. Because individuals often carry their mobile devices with them, location data may be collected everywhere and at any time, often without user interaction, and it may potentially describe both what a person is doing and where he or she is doing it. For example, location data can reveal the fact that an individual was at a particular medical clinic at a particular time. The ubiquity of location information may also increase the risks of stalking and domestic violence if perpetrators are able to use (or abuse) location-based services to gain access to location information about their victims.

Location information is also of particular interest to governments and law enforcers around the world. The existence of detailed records of individuals' movements should not automatically facilitate the ability for governments to track their citizens, but in some jurisdictions, laws dictating what government agents must do to obtain location data are either non-existent or out of date.

1.3. Privacy Paradigms

Traditionally, the extent to which data about individuals enjoys privacy protections on the Internet has largely been decided by the recipients of the data. Internet users may or may not be aware of the privacy practices of the entities with whom they share data. Even if they are aware, they have generally been limited to making a binary choice between sharing data with a particular entity or not sharing it. Internet users have not historically been granted the opportunity to express their own privacy preferences to the recipients of their data and to have those preferences honored.

This paradigm is problematic because the interests of data recipients are often not aligned with the interests of data subjects. While both parties may agree that data should be collected, used, disclosed, and retained as necessary to deliver a particular service to the data subject, they may not agree about how the data should otherwise be used. For example, an Internet user may gladly provide his email address on a Web site to receive a newsletter, but he may not want the Web site to share his email address with marketers, whereas the Web site may profit from such sharing. Neither providing the address for both purposes nor deciding not to provide it is an optimal option from the Internet user's perspective.

The Geopriv model departs from this paradigm for privacy protection. As explained above, location information can be uniquely sensitive. And as location-based services emerge and proliferate, they increasingly require standardized protocols for communicating location information between services and entities. Recognizing both of these dynamics, Geopriv gives data subjects the ability to express their choices with respect to their own location information, rather than allowing the recipients of the information to define how it will be used. The combination of heightened privacy risk and the need for standardization compelled the Geopriv designers to shift away from the prevailing Internet privacy model, instead empowering users to express their privacy preferences about the use of their location information.

Geopriv does not, by itself, provide technical means through which it can be guaranteed that users' location privacy rules will be honored by recipients. The privacy protections in the Geopriv architecture are largely provided by virtue of the fact that recipients of location information are informed of relevant privacy rules, and are expected to only use location information in accordance with those rules. The distributed nature of the architecture inherently limits the degree to which compliance can be guaranteed and verified by technical means. Section 5 describes how some security mechanisms can address this to a limited extent.

By binding privacy rules to location information, however, Geopriv provides valuable information about users' privacy preferences, so that non-technical forces such as legal contracts, governmental consumer protection authorities, and marketplace feedback can better enforce those privacy preferences. If a commercial recipient of location information, for example, violates the location rules bound to the information, the recipient can in a growing number of countries be charged with violating consumer or data protection laws. In the absence of a binding of rules with location information, consumer protection authorities would be less able to protect individuals whose location information has been abused.

2. Terminology Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].

Throughout the remainder of this document, capitalized terms defined in Section 7 refer to Geopriv-specific roles and formats; the same terms used in all lowercase refer generically to those terms.

3. Overview of the Architecture

This section provides an overview of the Geopriv architecture for the secure and private distribution of location information on the Internet. We describe the three phases of the "location life cycle" -- positioning, distribution, and use -- and discuss how the components of the architecture fit within each phase. The next section provides additional detail about how each phase can be achieved in a private and secure manner.

The risks discussed in the previous section all arise from unauthorized disclosure or usage of location information. Thus, the Geopriv architecture has two fundamental privacy goals:

1. Ensure that location information is distributed only to authorized entities, and

2. Provide information to those entities about how they are authorized to use the location information.

If these two goals are met, all parties that receive location information will also receive directives about how they can use that information. Privacy-preserving entities will only engage in authorized uses, and entities that violate privacy will do so knowingly, since they have been informed of what is authorized (and thus, implicitly, of what is not).

Privacy rules and their distribution are thus the central technical components of the privacy system, since they inform location recipients about how they are authorized to use that information. The two goals in the preceding paragraph are enabled by two classes of rules:

1. Access control rules: Rules that describe which entities may receive location information and in what form

2. Usage rules: Rules that describe what uses of location information are authorized

Within this framework for privacy, security mechanisms provide support for the application of privacy rules. For example, authentication mechanisms validate the identities of entities requesting a location (so that authorization and access-control policies can be applied), and confidentiality mechanisms protect location information en route between privacy-preserving entities. Security mechanisms can also provide assurances that are outside the purview of privacy by, for example, assuring location recipients that location information has been faithfully transmitted to them by its creator.

3.1. Basic Geopriv Scenario

As location information is transmitted among Internet hosts, it goes through a "location life cycle": first, the location is computed based on some external information (positioning), and then it is transmitted from one host to another (distribution) until finally it is used by a recipient (use).

For example, suppose Alice is using a mobile device, she learns of her location from a wireless location service, and she wishes to share her location privately with her friends by way of a presence service. Alice clearly needs to provide the presence server with her location and rules about which friends can be provided with her location. To enable Alice's friends to preserve her privacy, they need to be provided with privacy rules. Alice may tell some of her friends the rules directly, or she can have the presence server provide the rules to her friends when it provides them with her location. In this way, every friend who receives Alice's location is authorized by Alice to receive it, and every friend who receives it knows the rules. Good friends will obey the rules. If a bad friend breaks them and Alice finds out, the bad friend cannot claim that he was unaware of the rules.

Some of Alice's friends will be interested in using Alice's location only for their own purposes, for example, to meet up with her or plot her location over time. The usage rules that they receive direct them as to what they can or cannot do (for example, Alice might not want them keeping her location for more than, say, two weeks).

Consider one friend, Bob, who wants to send Alice's location to some of his friends. To operate in a privacy-protective way, Bob needs not only usage rules for himself, but also access control rules that describe who he can send information to and rules to give to the recipients. If the rules he received from the presence server authorize him to give Alice's location to others, he may do so; otherwise, he will require additional rules from Alice before he is authorized to distribute her location. If recipients who receive Alice's location from Bob want to distribute the location information further, they must go through the same process as Bob.
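The following Python model is an added illustration of the scenario above and of the two rule classes introduced at the start of Section 3; it is not code from this document or from any Geopriv implementation. A presence server holds Alice's location together with her rules, applies the access control rules (which recipient, in what form, during which hours) to each authenticated request, and hands back a location object with the usage rules (retention period, whether redistribution is allowed) still bound to it. A recipient such as Bob then has to consult those bound rules before forwarding. The rule encoding, the field names, and the PresenceServer class are assumptions made for this example; the actual Geopriv roles and data formats are described in Section 3.2 and later. Authentication of the requester is assumed to have already happened, as the text says security mechanisms provide it.

```python
"""Toy model of the Geopriv Alice/Bob scenario (illustrative, not the Geopriv formats)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Location:
    latitude: Optional[float]
    longitude: Optional[float]
    city: str

    def reduced(self, form: str) -> "Location":
        """Return the location in the form an access rule permits ('exact' or 'city')."""
        if form == "exact":
            return self
        if form == "city":
            return Location(latitude=None, longitude=None, city=self.city)
        raise ValueError(f"unknown form {form!r}")


@dataclass(frozen=True)
class UsageRules:
    retention: timedelta        # how long a recipient may keep the location
    may_redistribute: bool      # whether a recipient may pass it on to others


@dataclass(frozen=True)
class AccessRule:
    recipient: str                            # who may receive the location
    form: str                                 # in what form ('exact' or 'city')
    hours: Optional[Tuple[int, int]] = None   # allowed local hours [start, end); None = always

    def permits(self, recipient: str, now: datetime) -> bool:
        if recipient != self.recipient:
            return False
        if self.hours is None:
            return True
        start, end = self.hours
        return start <= now.hour < end


@dataclass(frozen=True)
class LocationObject:
    """Location information with the privacy rules that govern it bound to it."""
    target: str
    location: Location
    usage: UsageRules
    issued: datetime

    def retention_ok(self, now: datetime) -> bool:
        return now - self.issued <= self.usage.retention


class PresenceServer:
    """Stores a target's location and rules; enforces access control on each request."""

    def __init__(self) -> None:
        self._locations: Dict[str, Location] = {}
        self._access: Dict[str, List[AccessRule]] = {}
        self._usage: Dict[str, UsageRules] = {}

    def publish(self, target: str, location: Location,
                access_rules: List[AccessRule], usage: UsageRules) -> None:
        self._locations[target] = location
        self._access[target] = list(access_rules)
        self._usage[target] = usage

    def request(self, requester: str, target: str, now: datetime) -> Optional[LocationObject]:
        """Apply the target's access control rules to an (already authenticated) requester.
        Returns None when no rule authorises this requester at this time."""
        for rule in self._access.get(target, []):
            if rule.permits(requester, now):
                return LocationObject(target=target,
                                      location=self._locations[target].reduced(rule.form),
                                      usage=self._usage[target], issued=now)
        return None


def redistribute(lo: LocationObject, now: datetime) -> LocationObject:
    """What Bob must check before forwarding: the usage rules bound to the object."""
    if not lo.retention_ok(now):
        raise PermissionError("retention period for this location has expired")
    if not lo.usage.may_redistribute:
        raise PermissionError("usage rules do not authorise redistribution")
    return lo   # the rules travel with the object to the next recipient


def run_scenario() -> dict:
    """Walk through the scenario with constructed sample data (not real coordinates or people)."""
    server = PresenceServer()
    server.publish("alice", Location(40.8075, -73.9626, "New York"),
                   access_rules=[AccessRule("spouse", form="exact"),
                                 AccessRule("boss", form="exact", hours=(9, 17)),
                                 AccessRule("bob", form="city")],
                   usage=UsageRules(retention=timedelta(weeks=2), may_redistribute=False))
    workday = datetime(2011, 7, 4, 11, 0)
    evening = datetime(2011, 7, 4, 21, 0)
    results = {"spouse_evening": server.request("spouse", "alice", evening),
               "boss_workday": server.request("boss", "alice", workday),
               "boss_evening": server.request("boss", "alice", evening),
               "stranger": server.request("stranger", "alice", workday),
               "bob": server.request("bob", "alice", workday)}
    try:
        redistribute(results["bob"], workday)
        results["bob_forward"] = "allowed"
    except PermissionError as exc:
        results["bob_forward"] = str(exc)
    results["bob_retains_after_3_weeks"] = results["bob"].retention_ok(workday + timedelta(weeks=3))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")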

The whole example is illustrated in the following figure:

   +----------+
   | Wireless |
   | Location |
   | Service  |                          Retrieve
   +----------+                      Access Control Rules
       |                      +--------------------------------+
       |                      | +--------------------------+   |
    Location                  | |        Access            |   |