**Session Date/Time:** 05 Nov 2025 17:00

# DULT Session

## Summary

The DULT working group session focused primarily on two key areas: the Threat Model document and the challenging topic of remote disablement for location tracking tags. The discussion around the Threat Model document revolved around its structure and clarity, with proposals for reorganization to make it more actionable. For remote disablement, a proposed device-side implementation was presented, detailing conditions for disabling and re-enabling tags, alongside significant security concerns regarding potential mass disablement and the difficulty of enforcing intended safeguards. There was a general sense that device-side remote disablement presents substantial hurdles, leading to suggestions to explore server-side solutions and a broader discussion by the Chair about the working group's scope and the possibility of declaring "victory" by publishing existing work with modest improvements rather than trying to solve exceptionally hard, potentially intractable problems within the current framework.

## Key Discussion Points

*   **Threat Model Document (version 3):**
    *   The document has been adopted and is at version 3, covering a taxonomy of unwanted tracking, potential attacks, and design requirements/constraints.
    *   Recent changes include improved scenarios, recommendations for GPS trackers to include Bluetooth for unwanted tracking protections (optional), and enhanced clarity on terminology (e.g., "tag" vs. "device").
    *   **Proposed Reorganization:** A significant open issue is Watson's suggestion to reorganize the document's structure from "Taxonomy -> Attacks (with mitigations)" to "Attacks on DULT protocol -> Taxonomy of unwanted tracking scenarios -> Mitigations (as a separate section)." The goal is to enhance actionability and usefulness for readers and implementers.
    *   **Section Title "Security Considerations":** Feedback was requested on whether "Security Considerations" is an appropriate title for a core section of the document, given the entire document addresses security.
    *   **Privacy and Security Balance:** Participants emphasized that the privacy of tag holders is a paramount security requirement, not in opposition to security, and should be foregrounded in the document.

*   **Remote Disablement of Location Tracking Tags:**
    *   **Motivation:** To address scenarios where tracking tags are deeply hidden and cannot be physically retrieved by a target (e.g., in a vehicle), leading to extreme measures like selling a car.
    *   **Proposed Device-Side Implementation:**
        *   A tag would be "disabled" (its location no longer crowdsourced, but it still advertises for direct finding).
        *   **Conditions for disablement:** Tag is away from its owner, the user triggers the "play sound" command, and the disabling device has been in range of the tag for at least 10 minutes (as a proxy for proximity).
        *   An "off code" would be sent via the non-owner device protocol.
        *   **Re-enablement:** Tag re-enables if its owner returns into range, it is power-cycled, or potentially when directed by the crowdsourced network (e.g., via a court order, if practically implementable).
    *   **Technical Challenges:** Difficult to reliably enforce conditions like a device being "in range for 10 minutes" and ensuring the tag can verify the source of the disablement command to prevent abuse.
    *   **Abuse Concerns:** Non-conformant devices could bypass conditions to send disablement commands. Significant concern was raised about the potential for "mass disablement" in public spaces (e.g., airports), and whether the proposed safeguards adequately prevent this.
    *   **Rejected Approaches:** Restricting disablement to "suspected unwanted tracking" (tags lack necessary context/sensors), a "snooze" feature (could cause undue stress), or an opt-out from the crowdsource network (creates a false sense of security).
    *   **Consequences of Mass Disablement:** Discussion highlighted that the ability to easily disable a wide area of tags is unacceptable, regardless of anti-theft considerations (which the WG does not primarily focus on).
    *   **Server-Side Solution Exploration:** Due to the complex challenges and security implications of a device-side approach, the idea of exploring server-side solutions for remote disablement was suggested as potentially more amenable, even if it falls outside the current accessory protocol scope.

*   **Working Group Direction and Scope:**
    *   The Chair noted a general "low energy" and "thrashing" on very hard problems that haven't seen much progress (e.g., remote disablement, non-compliant devices).
    *   A suggestion was made to consider "declaring victory" by publishing the existing documents with modest improvements, focusing on codifying the properties of existing systems and basic unwanted tracking detection, rather than attempting to solve all complex issues (especially given the existence of dedicated stalking devices outside DULT's scope).
    *   Participants reiterated that the WG's goal is to limit opportunities for abuse and increase options for victims within this particular technology space, not to solve all tech-facilitated stalking.

## Decisions and Action Items

*   **Threat Model Document Reorganization:** The working group will consider the proposed reorganization to separate attacks, taxonomy, and mitigations, aiming for a more actionable document structure. Authors will incorporate minor, inconsequential changes first and then address larger structural changes.
*   **Threat Model Content:** The threat model document should clearly articulate which attacks the working group intends to address and which it will not.
*   **Remote Disablement:** No decision was made regarding the implementation of remote disablement. The proposal for a device-side solution faced significant security concerns, and further exploration of server-side approaches was suggested.

## Next Steps

*   **Feedback on Threat Model Document:** Participants are encouraged to provide further feedback on the threat model document, particularly concerning its organization and section naming.
*   **Server-Side Remote Disablement:** The DULT Chairs and group members will further consider the exploration of server-side solutions for remote disablement, acknowledging potential scope implications for the working group.
*   **Working Group Scope and Deliverables:** The Chairs will continue to assess the overall direction, energy, and scope of the working group, with a view towards potentially prioritizing the publication of current documents with modest improvements as a "small win."
*   **Integrate Perspectives:** Continue to ensure civil society, user rights, and service provider perspectives are integrated into the working group's documents and discussions.