
Page 1: Activity 7 Ontologies and Privacy Principles

Activity 7: Ontologies and Privacy Principles

Giles Hogben

Joint Research Centre

Email: giles.hogben at jrc.it

Page 2

Guide to this presentation

• Goals and deliverables within PRIME
• Privacy Principles
• Ontologies
• Policy and Rule Editors
• Research Challenges
• Interfaces With Other Activities
• Other experience

Page 3

Privacy Policies and Preference Architecture

Page 4

Activity 7: Ontologies & Privacy Principles

• Contributes vocabulary terms and semantics to machine readable languages

• Facilitates agreement on fundamental Privacy and IDM concepts

• Defines alignment between Legal, Developer and User models.

• Separates programme logic, business logic and knowledge (core vocabulary) in architecture.

• Contributes Policy and Rule Editors

Goals in PRIME Privacy Principles Ontologies Policy Editors Interfaces Other Experience

Page 5

Deliverables

• Reports on conceptual consensus and privacy principles
• Prototype of ontology-based architecture
• Policy and Rule editor code
• Specification of machine-readable vocabulary and semantics for policies and rule bases
• Other ontologies according to requirements
• Contribution to Integrated Prototype

Page 6

Activity 7 and Privacy Principles

• Agreement on meaning and priority of fundamental concepts and principles of privacy

• Importance of collective conceptual model in PRIME

• Concepts from fundamental principles populate top level of ontologies (e.g. purpose, recipient, jurisdiction).

• Higher-level principles give the most stable concepts

Page 7

Example of definition of fundamental concepts: Identity and Identification

1. "an identifiable person is one who can be identified directly or indirectly by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

2. "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used ... to identify the said person"

EU Data Protection Directive 95/46/EC

E.g. a database of two people (John and Mike) with aggregate data showing that one of them has AIDS. Is the fact "Mike does not have AIDS" part of the "social identity" of John?

Page 8

Identification

Based on Leibniz's Law (the identity of indiscernibles), a FACT or set of FACTs identifies a NYM (individual) if, given the new set of FACTs, the number of NYMs in the CANDIDATE SET decreases.

Page 9

Identity: Unexpected Result

• Any (non-tautologous) FACT may in some context identify a NYM

• The concept of an IDENTITY as a fixed set of FACTs is only useful in contexts where both the ANONYMITY SET and existing knowledge are also fixed and stable

• In Ambient Intelligence environments, the concept of an identity as a fixed set of facts is no longer valid
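The candidate-set rule of the previous slide and the "unexpected result" above, as an added example (not code from the PRIME project or the JRC). A FACT is modelled as a constraint that the unknown target NYM must satisfy, the CANDIDATE SET is the set of NYMs still consistent with all known FACTs, and a FACT identifies when it shrinks that set. The four NYMs, their attributes and the clinic setting are constructed for illustration; the {john, mike} context reproduces the slide's two-person database with one AIDS patient.

```python
"""Identification as narrowing of a candidate (anonymity) set.

Added example; not code from the PRIME project or the JRC. It implements the
'Identification' slide's rule: a FACT identifies a NYM if, once the FACT is
known, the number of NYMs in the CANDIDATE SET decreases. The four NYMs, their
attributes and the clinic setting are constructed for illustration.
"""
from typing import Callable, Dict, Iterable, Set

Record = Dict[str, object]                  # what is on file about one NYM
Fact = Callable[[str, Record], bool]        # a FACT: a constraint the target NYM must satisfy

# Constructed database. The slide's two-person example is the {john, mike}
# context below, with the aggregate "one of the two has AIDS" built in.
CLINIC: Dict[str, Record] = {
    "john": {"city": "Ispra", "diagnosis": "AIDS"},
    "mike": {"city": "Ispra", "diagnosis": "none"},
    "anna": {"city": "Milan", "diagnosis": "none"},
    "luca": {"city": "Milan", "diagnosis": "none"},
}


def attr_is(attr: str, value: object) -> Fact:
    """The target's record has attr == value (e.g. 'the target lives in Ispra')."""
    return lambda nym, record: record[attr] == value


def attr_is_not(attr: str, value: object) -> Fact:
    """The target's record has attr != value."""
    return lambda nym, record: record[attr] != value


def is_not(other: str) -> Fact:
    """A fact about somebody else: 'Mike does not have AIDS' eliminates Mike."""
    return lambda nym, record: nym != other


TAUTOLOGY: Fact = lambda nym, record: True   # holds for every NYM, so it never identifies


def narrow(kb: Dict[str, Record], candidates: Set[str], facts: Iterable[Fact]) -> Set[str]:
    """The CANDIDATE SET after learning `facts`: NYMs consistent with all of them."""
    facts = list(facts)
    return {nym for nym in candidates if all(f(nym, kb[nym]) for f in facts)}


def identifies(kb: Dict[str, Record], candidates: Set[str], facts: Iterable[Fact]) -> bool:
    """The slide's test: do the new FACTs shrink the candidate set?"""
    return len(narrow(kb, candidates, facts)) < len(candidates)


def singles_out(kb: Dict[str, Record], candidates: Set[str], facts: Iterable[Fact]) -> bool:
    """Stronger notion: the FACTs leave exactly one NYM, i.e. the person is identifiable."""
    return len(narrow(kb, candidates, facts)) == 1


def demo() -> Dict[str, bool]:
    """The same FACT identifies in one anonymity set and says nothing in another."""
    two_people, everyone = {"john", "mike"}, set(CLINIC)
    return {
        # "it is not Mike", among two people of whom one has AIDS, pins down John
        "mike_fact_identifies_john": singles_out(CLINIC, two_people, [is_not("mike")]),
        # the same fact across the whole database only shrinks the set (4 -> 3)
        "mike_fact_only_narrows_everyone": identifies(CLINIC, everyone, [is_not("mike")])
        and not singles_out(CLINIC, everyone, [is_not("mike")]),
        # a city narrows the whole database but says nothing within {john, mike}
        "city_identifies_among_everyone": identifies(CLINIC, everyone, [attr_is("city", "Ispra")]),
        "city_identifies_among_two": identifies(CLINIC, two_people, [attr_is("city", "Ispra")]),
        # only a tautology can never identify anyone
        "tautology_identifies": identifies(CLINIC, everyone, [TAUTOLOGY]),
    }
```

The `demo()` results show the slide's point directly: `is_not("mike")` singles out John in the two-person context and merely narrows the full database, while the city fact identifies among everyone and is useless among the two. Whether a FACT identifies is a property of the FACT together with the anonymity set and prior knowledge, not of the FACT alone.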

Page 10

EU Legislation: Data protection principles

• Transparency
  – Provide the individual with information regarding data collection
  – Give the individual choice/consent regarding use of their data

• Purpose Limitation
  – Limit collection/use of personal data to what is necessary
  – Keep data in identifiable form no longer than necessary for the original purpose
  – Primary and Secondary Purposes

• Sensitive data
  – Health data, religion, etc.: special status, consent required

• Security and data quality
  – Provide adequate security against improper use

• Anonymity and Pseudonymity

Page 11

Ontologies: What is an Ontology?

Ornithology: the study of birds

Oncology: the study of cancer

Onychology: the study of fingernails and toenails

Ontology: a formal specification of terms and their relationships in a specific domain

Page 12

What is an ontology?

Formal machine-readable description and semantics of concepts in a domain. It contains:

- Concepts: classes and subclasses, e.g. Data, health data, data controller

- Properties: describe features and attributes, e.g. isCollectedBy

- Restrictions on properties and concepts, e.g. PERSONAL applies only to living persons; health data is a subclass of Data

- A set of statements using ontological concepts constitutes a Knowledge Base, e.g. [Pulse (instance of jrc:health data) isCollectedBy Provider X (instance of jrc:data controller)]

Page 13

What are semantics?

• Semantics specify the connection between terms and the world (an interpretation)

• Most of the work in creating ontologies is in achieving consensus on the semantics.

Page 14

Ontology Consensus Processes

• The most important factor in the success of an ontology is the consensus process which leads to its specification

• Use methods from Psychology and cognitive science
  – Scenario-based elicitation
  – Conflict resolution methodologies
  – Alignment of ontologies
  – User groups
  – Textual analysis techniques (including automated)

• “Traditional” methods from W3C and actual W3C processes (e.g. formal specifications, telephone conferences, working groups on concept resolution)

• Building on existing work e.g. P3P

Page 15

Formal and Informal Ontologies

• XML languages such as P3P are informal ontologies

  – Semantics of terms are informally defined. E.g. P3P: <PURPOSE><current/></PURPOSE> = "completion and support of the current activity", a term fixed only by its human-readable definition

  – XML does not provide a rigorous or complete framework for semantics, but it has a high adoption level

• Informal ontologies such as P3P represent a huge body of work towards conceptual consensus.

Page 16

How is an ontology used?

• Most important advantages for PRIME partners: Restricts use/expression of concepts within an application/user interface so that they are understood by machines, end-users and lawyers. Similar to strict type discipline in programming or XML schema.

• E.g. <PURPOSE rdf:type="http://www.prime-eu.org/primeontology.owl"><DIAGNOSIS rdf:type="http://www.prime-eu.org/primeontology.owl#medical" /></PURPOSE>

• Other uses:
  – Reasoning (see next slide)
  – Language independence (Privacy == Riservatezza == Concept112301)
  – Standardized descriptions for user interfaces

Page 17

Reasoning example

Ability to reason about relationships between devices. Example:

1. M(Heart Rate, T1, X): a heart rate measurement will be made for anonymous individual X at time T1.

2. M(Weight, T2, X): a weight measurement will be made for the same anonymous individual at time T2 (T2 - T1 < 1 min).

3. M(Heart Rate, T1, X) ∧ M(Weight, T2, X) → K(Fitness rating, X): if we know heart rate and weight for X within 1 minute of each other, we know their fitness.

4. Fitness rating ⊆ Unique Identifiers: fitness is classed as a unique identifier.

5. Unique Identifiers ⊆ Personal Information: unique identifiers constitute personal information.

(1 ∧ 2 ∧ 3 ∧ 4 ∧ 5) → K(Personal information, X): statements 1-5 together entail that personal information is captured.
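The knowledge-base slide (classes, subclasses and restrictions) and the reasoning example above, carried through in working code as an added example that is not code from the PRIME project or the JRC. The class hierarchy supplies statements 4 and 5 as subClassOf edges, statement 3 is a rule with the one-minute window, and a forward-chaining loop saturates the knowledge base until K(PersonalInformation, X) appears or nothing more can be derived. The same class list doubles as the "strict type discipline" of the previous slide: statements that use an undeclared class or measurement kind are rejected. Class, kind and predicate names are this example's assumptions.

```python
"""Ontology-backed forward chaining: subclass closure plus a temporal rule.

Added example; not code from the PRIME project or the JRC. It encodes the
'Reasoning example' slide: measurement statements M(kind, t, x), the rule that
heart rate and weight for the same anonymous individual within one minute give
K(FitnessRating, x), and the class axioms FitnessRating ⊆ UniqueIdentifier ⊆
PersonalInformation. Names of classes, kinds and predicates are assumptions.
"""
from typing import Callable, Dict, Iterable, Set, Tuple

# Class hierarchy (subClassOf). HealthData ⊆ Data is the earlier slide's
# example; the other two edges are statements 4 and 5 of the reasoning example.
SUBCLASS_OF: Dict[str, str] = {
    "HealthData": "Data",
    "FitnessRating": "UniqueIdentifier",
    "UniqueIdentifier": "PersonalInformation",
}
CLASSES: Set[str] = set(SUBCLASS_OF) | set(SUBCLASS_OF.values())
MEASUREMENT_KINDS: Set[str] = {"HeartRate", "Weight"}

# Ground statements, as tuples:
#   ("M", kind, t_seconds, x): a measurement of `kind` is made for NYM x at time t
#   ("K", cls, x):             something of class `cls` is known about x
Statement = Tuple
Rule = Callable[[Set[Statement]], Set[Statement]]


def superclasses(cls: str) -> Set[str]:
    """Transitive closure of subClassOf, including cls itself."""
    closure = {cls}
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        closure.add(cls)
    return closure


def check_typed(s: Statement) -> Statement:
    """Type discipline: only declared measurement kinds and classes may appear."""
    if s[0] == "M" and len(s) == 4 and s[1] in MEASUREMENT_KINDS:
        return s
    if s[0] == "K" and len(s) == 3 and s[1] in CLASSES:
        return s
    raise ValueError(f"statement uses terms outside the ontology: {s!r}")


def rule_fitness(kb: Set[Statement]) -> Set[Statement]:
    """Statement 3: M(HeartRate,T1,X) ∧ M(Weight,T2,X) ∧ |T2-T1| < 60 s → K(FitnessRating,X)."""
    measurements = [s for s in kb if s[0] == "M"]
    return {
        ("K", "FitnessRating", x1)
        for (_, k1, t1, x1) in measurements
        for (_, k2, t2, x2) in measurements
        if k1 == "HeartRate" and k2 == "Weight" and x1 == x2 and abs(t2 - t1) < 60
    }


def rule_subsumption(kb: Set[Statement]) -> Set[Statement]:
    """Statements 4 and 5 generalised: K(C, X) ∧ C ⊆ D → K(D, X)."""
    derived: Set[Statement] = set()
    for s in kb:
        if s[0] == "K":
            _, cls, x = s
            derived.update(("K", sup, x) for sup in superclasses(cls))
    return derived


RULES: Tuple[Rule, ...] = (rule_fitness, rule_subsumption)


def saturate(facts: Iterable[Statement]) -> Set[Statement]:
    """Forward chaining to a fixpoint: apply every rule until nothing new is derived."""
    kb = {check_typed(s) for s in facts}
    while True:
        derived = set().union(*(rule(kb) for rule in RULES)) - kb
        if not derived:
            return kb
        kb |= derived


def captures_personal_information(facts: Iterable[Statement], x: str) -> bool:
    """Does the knowledge base entail K(PersonalInformation, x)?"""
    return ("K", "PersonalInformation", x) in saturate(facts)


# Constructed scenario: heart rate at t = 0 s and weight at t = 30 s for NYM "X".
SCENARIO = {("M", "HeartRate", 0, "X"), ("M", "Weight", 30, "X")}

if __name__ == "__main__":
    print(captures_personal_information(SCENARIO, "X"))   # True
```

Moving the weight measurement outside the one-minute window, or attributing it to a different NYM, leaves the fixpoint without K(FitnessRating, X) and therefore without the personal-information conclusion; that is the check a device manufacturer would want to run before declaring that two "anonymous" sensors collect no personal data together.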

Page 18

Alignment of Legal, User and Technical Models

(Diagram: three layers, Ontology, Rule System and Program Logic, each aligned to the Developers, End-Users and Legal views)

Page 19

Example Concepts: Ontology of Identification

OntoEdit

Page 20

Example Relations: Ontology of Identification

Page 21

Ontologies as graphs

Page 22

Formal modelling of Privacy Concepts

Fig. 5. Preliminary model of identity using concepts from RDF, RDFS and OWL

Page 23

Ontology Usage Example: Agent to Agent Contracts

Page 24

Example Contract Engine

ECA Rules

Rule 1.
• Event: Contract detected and downloaded
• Condition: Run the following rule on the contract (Notation: N3 [12]):
  Log:forAll :x, :y (CSO:end user :x CSO:may resell (CSO:return value :y where :y CSO:return value of :web service :z))
• Action: Behavior: Assent
• In plain English, this means: on discovery of the contract, if the agreement states that all end-users may resell the return values of the service, then assent to the agreement.

Rule 2. (A catch-all rule)
• Event: Contract detected and downloaded
• Condition: (*) wildcard
• Action: Behavior: Do Not Assent
• In plain English: if no other rule fires, do not assent.
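The two ECA rules above as a small working engine, added here as an example and not the PRIME contract engine. A contract is a set of (subject, predicate, object) triples standing in for the slide's N3; the CSO: terms are reproduced as plain strings and the exact predicate names, the event name and the three constructed contracts are this example's assumptions. Rules are tried in order, the first rule whose event matches and whose condition holds decides, and the wildcard rule refuses everything else. One caveat the N3 rule does not make explicit is handled: a universal over an empty set is vacuously true, so a contract that names no end-users or no return values would otherwise be assented to.

```python
"""Event-Condition-Action contract engine with a catch-all refusal.

Added example; not the PRIME contract engine. A contract is a set of
(subject, predicate, object) triples standing in for the slide's N3; the CSO:
terms are reproduced as plain strings and the predicate names are this
example's assumptions. Rules are tried in order; the first one whose event
matches and whose condition holds decides, and the last rule is the wildcard.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Sequence, Set, Tuple

Triple = Tuple[str, str, str]
Contract = FrozenSet[Triple]


@dataclass(frozen=True)
class Rule:
    name: str
    event: str
    condition: Callable[[Contract], bool]
    action: str            # "Assent" or "DoNotAssent"


def typed(contract: Contract, cls: str) -> Set[str]:
    """Subjects declared as instances of `cls` in the contract."""
    return {s for s, p, o in contract if p == "rdf:type" and o == cls}


def all_end_users_may_resell(contract: Contract) -> bool:
    """Rule 1's condition: for all end-users x and all return values y of a
    web service z, the contract states (x may_resell y).

    A universal over an empty set is vacuously true; a contract naming no
    end-users or no return values would then be assented to, so both sets are
    required to be non-empty (fail closed).
    """
    end_users = typed(contract, "CSO:end_user")
    services = typed(contract, "CSO:web_service")
    return_values = {s for s, p, o in contract
                     if p == "CSO:return_value_of" and o in services}
    if not end_users or not return_values:
        return False
    return all((x, "CSO:may_resell", y) in contract
               for x in end_users for y in return_values)


RULES: Sequence[Rule] = (
    Rule("rule 1", "ContractDownloaded", all_end_users_may_resell, "Assent"),
    Rule("rule 2 (catch-all)", "ContractDownloaded", lambda _c: True, "DoNotAssent"),
)


def decide(rules: Sequence[Rule], event: str, contract: Contract) -> str:
    """Fire the first rule whose event matches and whose condition holds."""
    for rule in rules:
        if rule.event == event and rule.condition(contract):
            return rule.action
    return "DoNotAssent"   # no rule matched the event at all: still fail closed


# Constructed contracts. RESELLABLE grants every end-user resale of every
# return value; RESTRICTED omits one grant; EMPTY declares nothing.
RESELLABLE: Contract = frozenset({
    ("svc:weather", "rdf:type", "CSO:web_service"),
    ("val:forecast", "CSO:return_value_of", "svc:weather"),
    ("user:alice", "rdf:type", "CSO:end_user"),
    ("user:bob", "rdf:type", "CSO:end_user"),
    ("user:alice", "CSO:may_resell", "val:forecast"),
    ("user:bob", "CSO:may_resell", "val:forecast"),
})
RESTRICTED: Contract = frozenset(RESELLABLE - {("user:bob", "CSO:may_resell", "val:forecast")})
EMPTY: Contract = frozenset()

if __name__ == "__main__":
    for name, contract in (("resellable", RESELLABLE), ("restricted", RESTRICTED), ("empty", EMPTY)):
        print(name, decide(RULES, "ContractDownloaded", contract))
```

Keeping the business decision in `RULES` and the knowledge representation in the triples is exactly the separation the next slide argues for: swapping a rule or adding a vocabulary term changes neither `decide` nor the code that fetches the contract.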

Page 25

Ontology based Architecture

• Separates
  – the business/legal logic (when to sign contracts) from
  – the program logic (how to download a contract) and
  – the knowledge (what can be in a contract)

• Provides easy alignment of diverse conceptual schemes (e.g. legal and user)

• These architectural principles are key to PRIME’s success.

Page 26

Ontology based Architecture

FROM THE PRIME PROJECT PLAN

"Principle 2, Explicit privacy rules govern system usage: … rule systems, i.e., technical policies, determine how to use the system: policies for trust establishment and reputation; privacy preferences and privacy authorization policies; delegation policies; and QoS-type policies for selecting among security and privacy options."

"Principle 5, Users need easy and intuitive abstractions of privacy: The technology listed so far allows the construction of a system that is capable of giving strong privacy guarantees. But experience shows that such technology is not directly usable by normal users. Instead, normal users need intuitive metaphors and mental models that hide technicalities like pseudonyms and privacy policies."

Page 27

Ontology Based Architecture

(Diagram: three layers, Ontology, Rule System and Software Components, each aligned to the Developers, End-Users and Legal views)

Page 28

Ontology Alignment

(Diagram: one preference expressed in three vocabularies. USERS: "No Spam Please". APPLICATIONS: "Restrict Posting on Public Fora". REGULATORS: "Forbid transmission to 3rd-Party Recipients".)

Page 29

Ontologies and XML

XML
- Provides informal ontological semantics (e.g. tag nesting == sub-classing, etc.)
- Existing software can parse and search XML
- Easy for the techie to read
- Many informal ontologies exist in XML (e.g. P3P)
- Not all ontological concepts can be expressed (e.g. sameIndividualAs)
- No formal semantics
- Not suited to reasoning

OWL/RDF (became a W3C Recommendation on 10 February 2004)
- Much richer syntax (e.g. disjoint, complete, sameAs, etc.)
- Formal semantics, more suited to reasoning
- Almost impossible to read by eye, even for techies
- No parsers incorporated in current software

Page 30

Policy and Rule Editors: JRC Privacy Policy Editor

• Open Source Java P3P Policy Editor
• Complete solution for enabling a web site with automated privacy
• Easily configurable to other policy formats
• Modular and expandable
• Extensible data typing schemas
• Legal hints mechanism
• Code written for slot-in of ontology mechanisms and different types of policy
• (Code still under development)

Page 31

JRC Privacy Policy Editor Screenshot 1

Page 32

JRC Privacy Policy Editor Screenshot 2

Page 33

JRC Privacy Policy Editor Screenshot 3

Page 34

JRC Privacy Policy Editor Screenshot 4

Page 35

JRC Privacy Policy Editor Screenshot 5

Page 36

Research Challenges

• Achieving consensus
• Privacy ontologies contain ontological primitives (e.g. identity, set of individuals, etc.)
• Easing change of ontological models in the architecture
• Creating good user interfaces to policy languages

Page 37

Interfaces with other activities

• Authorization models
  – Activity 7 captures vocabulary elements and relationships for policy languages.
  – Activity 7 works on integration of ontologies into the rule / ontology / application-code architecture.
  – Provision of alignment mechanisms between user metaphors, legal language and machine-readable languages.
  – Policy/rule editor applications: JRC has a lot of existing Java code.

Page 38

Interfaces with other activities

• HCI

  – Standardization of verbal expression of concepts within user interfaces by reference to ontologies/schemas (similar to P3P's "user agent guidelines")

  – Alignment of verbal expression with legal and technical requirements.

• User/Server IDM
  – Work on IDM metaphors and concepts
  – Policy Editors?

Page 39

Interfaces with other activities

• Application Prototypes

-Input to architecture models

-Analysis of new architectural paradigms within AMI

• Legal Socio Economic

-Capture of legal concepts

-Work on definition of high level concepts and priorities.

Page 40

Interfaces with other activities

• Standardization and W3C

-Standardization of ontologies

-Integration of P3P and EPAL work

Page 41

What else do we bring to the project? P3P

• Open source implementation of a fully compliant P3P user agent
• Decision engine
• HTTP proxy shell
• Developer-friendly API just released (http://p3p.jrc.it/downloadP3P.php)
• Experience in the standardization process for a policy language

Page 42

What else do we bring to the project? AMI

• New information collection paradigm
• Much more hidden data collection: no choice for the user
• Exponentially increased power of inference
• "Spatial privacy" becomes more important (SPAMI)
• See Act 3 Presentation http://www.-----

Page 43

Questions

?