Pranam Kolari – Policy 2005
Enhancing Web Privacy Protection Through Declarative Policies
Pranam Kolari¹, Li Ding¹, Lalana Kagal², Shashi Ganjugunte¹, Anupam Joshi¹, Tim Finin¹
1
2
Outline
• P3P/APPEL
• Motivation and Problem Description
• User Trust
• Rei Policy Language
• System Design
• Privacy Policy Specification
• Conclusion
P3P
• P3P is the Platform for Privacy Preferences
• P3P defines protocols and specifies languages
• P3P Schema for Websites, APPEL Schema for Clients
P3P Sample Policy
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
        <DATA ref="#business.contact-info.online.uri">http://p3pbook.com/</DATA>
        <DATA ref="#business.name">Web Privacy With P3P</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
      <PURPOSE><admin/><current/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
Annotations on the slide:
• ENTITY: site's name and contact info
• ACCESS: access disclosure
• STATEMENT: statement
• CONSEQUENCE: human-readable explanation
• PURPOSE: how data may be used
• RECIPIENT: data recipients
• RETENTION: data retention policy
• DATA-GROUP (inside STATEMENT): types of data collected
Slide Courtesy: Lorrie Cranor
APPEL
• APPEL is A P3P Preference Exchange Language
• Users specify their preference in APPEL
• W3C working draft in April 2002.
• Insignificant deployment (Cranor 2003)
• Expressiveness of APPEL extensively debated (Agrawal 2003)
P3P/APPEL
Website P3P Policy:
…
<STATEMENT>
  <PURPOSE><individual-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
</STATEMENT>
…
APPEL User Preference:
<RULESET>
  <RULE behavior="request">
    <POLICY>
      <STATEMENT>
        <PURPOSE><individual-decision/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
      </STATEMENT>
    </POLICY>
  </RULE>
  …
</RULESET>
Trusting Websites
• 56% of consumers don’t believe businesses keep promises
• 63% believe independent verification is important
• 62% believe existing laws and organizational practices are insufficient
[Chart: Consumer Confidence. Consumer Trust - Published Privacy Policy; legend: Trust website policies, Distrust website policies]
Source : (Ernst and Young report 2004)
P3P/XPref
Website P3P Policy:
…
<STATEMENT>
  <PURPOSE><individual-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
</STATEMENT>
…
XPref User Preference:
<RULESET>
  <RULE behavior="request"
        condition="/POLICY[
          every $pname in STATEMENT/PURPOSE/* satisfies name($pname)='individual-decision'
          and
          every $rname in STATEMENT/RECIPIENT/* satisfies name($rname)='ours'
        ]"/>
  <RULE behavior="block" condition="true"/>
</RULESET>
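The XPref preference above reduces to two universally quantified checks followed by a catch-all block rule. The following Python example, added here for illustration and not part of the original slides, evaluates that rule against constructed P3P policies; the `require_values` switch is an assumption added to show that `every ... satisfies` is vacuously true for a policy that declares no purposes or recipients.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace: '{ns}PURPOSE' -> 'PURPOSE'."""
    return tag.rsplit("}", 1)[-1]

def names_under(policy, parent):
    """Names of all child elements of STATEMENT/<parent> in the policy."""
    names = []
    for stmt in policy.iter():
        if local(stmt.tag) != "STATEMENT":
            continue
        for node in stmt:
            if local(node.tag) == parent:
                names.extend(local(child.tag) for child in node)
    return names

def decide(policy_xml, require_values=False):
    """Return 'request' or 'block' for one P3P <POLICY> document."""
    # Site policies are untrusted input; a hardened XML parser is
    # advisable outside of a demonstration.
    policy = ET.fromstring(policy_xml)
    purposes = names_under(policy, "PURPOSE")
    recipients = names_under(policy, "RECIPIENT")
    if require_values and not (purposes and recipients):
        return "block"  # stricter than the slide's rule (assumption)
    # 'every ... satisfies' is vacuously true on an empty sequence
    ok = (all(p == "individual-decision" for p in purposes)
          and all(r == "ours" for r in recipients))
    return "request" if ok else "block"  # second rule: block otherwise

NS = 'xmlns="http://www.w3.org/2002/01/P3Pv1"'
# Constructed sample policies
MATCHING = f"""<POLICY {NS}><STATEMENT>
  <PURPOSE><individual-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT></STATEMENT></POLICY>"""
LOGGING = f"""<POLICY {NS}><STATEMENT>
  <PURPOSE><admin/><current/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT></STATEMENT></POLICY>"""
EMPTY = f"<POLICY {NS}/>"

if __name__ == "__main__":
    for name, doc in [("matching", MATCHING), ("logging", LOGGING),
                      ("empty", EMPTY)]:
        print(name, decide(doc), decide(doc, require_values=True))
```

A policy with no statements passes the slide's rule as written, so a client that wants to refuse silent policies needs an additional existence check such as the one behind `require_values`.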
Problem Description
(i) P3P policies published by websites are not trusted by users.
(ii) The languages available to describe user privacy preferences are not sufficiently expressive.
(iii) The P3P framework does not provide a coherent view of available privacy protection mechanisms to the user.
Website Evaluation Ontology (i)
• Modeling User Perspective of Trust
• Populating ontology with instance data
  – BizRate
  – Services for users to explicitly specify preferences
• Share using existing social network mechanisms (Ding 2003)
[Figure: Website Evaluation Ontology. Example instance: www.slashdot.org. Properties: serviceType, URI, popularity, hasP3P, hasTextPolicy, hasPrivacyCertifier, subDomainOf, isBasedOutOf, hasPolicyEnforcement, lawEnforcedBy, policySimilarTo, owner. Values shown: DiscussionGroup, 99, USA, Yes, US, OSDN.]
Rei Policy Language (ii)(iii)
• Rei, a policy specification language developed by Lalana Kagal at UMBC (lkagal 2003)
• Encoded in (1) Prolog, (2) OWL
• Models deontic concepts of permissions, prohibitions, obligations and dispensations
• Uses meta policies for conflict resolution
• Uses speech acts for dynamic policy modification
• We used it as a policy specification language
  – RDF specification capability (matches that of P3P)
  – Dynamic Policies as future extension to our work
Part content Courtesy: Lalana Kagal
Rei Policy Language (ii)(iii)
[Figure: Rei ontology. Classes: Policy, Granting, Entity, DeonticObject, Constraint, Action, Boolean, Simple, DomainAction, SpeechAct. Properties: grants, to, deontic, requirement, context, actor, target, action, precondition, effect.]
Rei Policy Modeling (ii)(iii)
• Two actors
  – Website
  – Webbrowser
• Multiple context
  – P3P RDF published by websites
  – User Context
  – Trust Recommendations
• Multiple actions with priorities
  – Right, Prohibition, Obligation*
*(not enforced)
System Design
[Figure: system architecture. Components: Trusted Agent Network#, FOAF, Website Recommender Network (Ontologies, Trust rules, Personal agents), Web Server, Clients, XSLT Transformer, JRC Privacy Proxy*, Rei Engine, Privacy Expert, Rei Privacy Policy (RDF based, enhancements over APPEL), P3P Policy. Edge labels: publish, publish (optionally).]
# FOAF, Golbeck, Li ideas of Trust
Key Points
• Web Sites optionally publish P3P policies
• Clients specify privacy preferences using a policy language - Rei
• Privacy Expert is the privacy enhancement enabler by binding together entities of the system
• Rei Engine evaluates policies of users against website attributes
• Website Recommender Network propagates and builds a model of websites based on reputation
• FOAF – Enables the creation of the website recommender network
Example Policy [1] - Template
<policy:Policy rdf:about="&wwwpolicy;comprehensive" policy:desc="Sample policy">
  <policy:grants rdf:resource="&wwwpolicy;grantingPermission" />
  ..
</policy:Policy>
<!-- Granting Objects -->
<policy:Granting rdf:about="&wwwpolicy;grantingPermission">
  <policy:desc>Current policy allows access to a website</policy:desc>
  <policy:to rdf:resource="&wwwpolicy;var1"/>
  <policy:deontic rdf:resource="&wwwpolicy;right1"/>
</policy:Granting>
…
<!-- Deontic Objects -->
<deontic:Permission rdf:about="&wwwpolicy;right1">
  <deontic:actor rdf:resource="&wwwpolicy;var1"/>
  <deontic:action rdf:resource="&wwwpolicy;request"/>
  <deontic:constraint rdf:resource="&wwwpolicy;complexconstraint" />
  …
</deontic:Permission>
Slide callouts: Policy Rule, Rule Actor, Policy Constraint, Rule Desc., Rule Action
Example Policy [1] - Constraints
<constraint:SimpleConstraint rdf:about="&wwwpolicy;domainOfServiceConstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&wwwpolicy;domainOfServiceConstraint"
    constraint:object="&weo;travel" />
<constraint:SimpleConstraint rdf:about="&wwwpolicy;trustedDomainGOVconstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&weo;domainSuffix"
    constraint:object="&weo;gov" />
…
<constraint:Or rdf:about="&wwwpolicy;complexconstraint">
  <constraint:first rdf:resource="&wwwpolicy;trustedDomainGOVconstraint" />
  <constraint:second rdf:resource="&wwwpolicy;domainOfServiceConstraint" />
</constraint:Or>
Slide callouts: Policy Constraint (on each of the three constraints)
Example Policy [2] - Obligation
<policy:Policy rdf:about="&wwwpolicy;obligationexample">
  <policy:grants rdf:resource="&wwwpolicy;grantingRight" />
  <policy:grants rdf:resource="&wwwpolicy;grantingObligation"/>
  …
</policy:Policy>
<policy:Granting rdf:about="&wwwpolicy;grantingRight">
  <policy:deontic rdf:resource="&wwwpolicy;right1"/>
  …
</policy:Granting>
<policy:Granting rdf:about="&wwwpolicy;grantingObligation">
  <policy:to rdf:resource="&wwwpolicy;webbrowser"/>
  <policy:deontic rdf:resource="&wwwpolicy;obligation1"/>
  ..
</policy:Granting>
<deontic:Permission rdf:about="&wwwpolicy;right1">
  <deontic:actor rdf:resource="&wwwpolicy;website"/>
  <deontic:action rdf:resource="&wwwpolicy;request"/>
  …
</deontic:Permission>
<deontic:Obligation rdf:about="&wwwpolicy;obligation1">
  <deontic:actor rdf:resource="&wwwpolicy;webbrowser"/>
  <deontic:action rdf:resource="&wwwpolicy;tunnelRequest"/>
</deontic:Obligation>
…
Slide callouts: Obligation, Right
Example Policy [3] - Priority
<policy:Policy rdf:about="&wwwpolicy;rulepriorityexample">
  <policy:defaultModality rdf:resource="&metapolicy;NegativeModalityPrecedence"/>
  <policy:grants rdf:resource="&wwwpolicy;grantingRight1" />
  <policy:grants rdf:resource="&wwwpolicy;grantingRight2" />
  <policy:grants rdf:resource="&wwwpolicy;grantingProhibition" />
  <metapolicy:rulePriority rdf:resource="&wwwpolicy;rulepriority1"/>
  …
</policy:Policy>
…
<metapolicy:RulePriority rdf:about="&wwwpolicy;rulepriority1">
  <metapolicy:ruleOfGreaterPriority rdf:resource="&wwwpolicy;grantingRight1" />
  <metapolicy:ruleOfLesserPriority rdf:resource="&wwwpolicy;grantingProhibition" />
</metapolicy:RulePriority>
Slide callouts: Default, Explicit, Rules
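How the default modality and the explicit rule priority of Example Policy [3] interact with the Or constraint of Example Policy [1], as an added Python example (it is not the Rei engine and not code from the slides). It assumes explicit rule priorities are applied before the default modality precedence; the constraints attached to grantingRight2 and grantingProhibition and the site attribute dictionaries are constructed, because the slides elide them.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    modality: str                      # "permission" or "prohibition"
    constraint: Callable[[dict], bool]

def simple(predicate, obj):
    """SimpleConstraint: site attribute <predicate> equals <obj>."""
    return lambda site: site.get(predicate) == obj

def either(first, second):
    """constraint:Or over two constraints."""
    return lambda site: first(site) or second(site)

def decide(rules, priorities, default_modality, site):
    """priorities holds (greater, lesser) rule-name pairs."""
    active = [r for r in rules if r.constraint(site)]
    names = {r.name for r in active}
    # Explicit: an active rule is dropped if an active rule outranks it.
    kept = [r for r in active
            if not any((g, r.name) in priorities for g in names)]
    modalities = {r.modality for r in kept}
    if not modalities:
        return "undecided"
    if len(modalities) == 1:
        return modalities.pop()
    # Default: remaining conflicts fall back to the modality precedence.
    negative = default_modality == "NegativeModalityPrecedence"
    return "prohibition" if negative else "permission"

# complexconstraint from Example Policy [1]: .gov suffix OR travel service
complex_constraint = either(simple("domainSuffix", "gov"),
                            simple("domainOfService", "travel"))
RULES = [
    Rule("grantingRight1", "permission", complex_constraint),
    # Constructed constraints: the slide elides these two
    Rule("grantingRight2", "permission", simple("hasPrivacyCertifier", "Yes")),
    Rule("grantingProhibition", "prohibition", simple("hasP3P", "No")),
]
PRIORITIES = {("grantingRight1", "grantingProhibition")}

def evaluate(site):
    return decide(RULES, PRIORITIES, "NegativeModalityPrecedence", site)

if __name__ == "__main__":
    print(evaluate({"domainSuffix": "gov", "hasP3P": "No"}))
    print(evaluate({"domainSuffix": "com", "hasPrivacyCertifier": "Yes",
                    "hasP3P": "No"}))
```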
Conclusion
• We have contributed to showing the utility of an existing policy language in a highly complex policy engineering domain
• While we will continue to pursue this area, policy engineering and enforcement in Web Privacy offers many future challenges.
  – Enforcing Obligations
  – Engineering Delegation Logic using Speech Acts and subsequent enforcement
  – Browser support for a comprehensive web privacy framework