
Available online at www.sciencedirect.com

www.elsevier.com/locate/jss

The Journal of Systems and Software 80 (2007) 2025–2038

A service provisioning system for distributed personalization with private data protection

Hiroyuki Kasai *, Wataru Uchida, Shoji Kurakake

NTT DoCoMo, Inc., 3-5, Hikarinooka, Yokosuka-shi, Kanagawa 239-8536, Japan

Available online 19 March 2007

Abstract

Personalized services can provide significant user benefits since they adapt their behavior to better support the user. Personalized services use a variety of data related to the user to decide their behavior. Thus a personalized service needs a provisioning system that can collect the data that impacts service behavior and allows selection of the most appropriate service. However, in the coming ubiquitous environment, some data necessary for determining service behavior might be unavailable for two possible reasons. One is that the data does not exist. The other is that the data exists but cannot be accessed. For example, users do not want to disclose their personal information, and service providers also do not want to expose data related to their know-how in services. This paper describes a new service provisioning system for distributed personalization with private data protection. Specifically, the system selects applicable services by assessing how well each candidate service behaves when some data is missing. It then executes those selected services while hiding the users’ and providers’ private data in a distributed manner. We first summarize the requirements for a personalized service system, and introduce our fundamental policies for the system. The two main components of our system are then described in detail. One component is a service assessment mechanism that can judge whether a service can work without data that could be used for adaptation. The second component is a service execution mechanism that can utilize private data while still ensuring privacy. This component divides service logic and executes the divided logic where the necessary data is available. The paper finally describes our prototype implementation and its performance evaluation results.
© 2007 Elsevier Inc. All rights reserved.

Keywords: Personalized service; Service assessment; Privacy protection; Service rule; Bayesian network; Rule conversion

1. Introduction

With the recent advances in wireless communication technologies such as cellular networks and WLAN, and new technologies such as RF-ID tags and various sensors, the ubiquitous computing environment seems much closer than ever to reality. Ubiquitous computing systems are able to adapt their operations to the user’s current situation and personal information, and, as a result, can provide effective personalized services without explicit user instruction. This type of service has a rule, called a “service rule”, which specifies what kind of data each service uses or refers to, and how the service should behave according to the values of the data. In order to make services effective, sufficient data that determines how the service behaves should be collected for selecting the most appropriate service behavior. However, in the coming ubiquitous era, some data needed for the decision making process might be unavailable because it does not exist or cannot be accessed. This might cause inappropriate decisions, and thus meaningless services might be offered to the user. Therefore, a service rule description that can allow for missing data is needed, and a new service assessment mechanism is required that can select applicable services by taking account of the missing data. Meanwhile, with an eye towards data access, users’ private data and service providers’ private data, which are among the most important data for implementing personalized services, are likely to be hidden from others. Therefore, a new service execution mechanism is needed that can ensure that private data can be used while retaining privacy.

0164-1212/$ - see front matter © 2007 Elsevier Inc. All rights reserved.

doi:10.1016/j.jss.2007.03.011

* Corresponding author. E-mail address: [email protected] (H. Kasai).

Addressing the problems mentioned above, this paper describes a new personalized system that includes two tools. The first one is a new assessment method that can select applicable candidate services after a consideration of the data that is missing, and the second is a privacy preserving service execution method. These two methods are based on service rules described by Bayesian decision networks. As for service assessment, many conventional service discovery efforts utilized a service interface model with auto-configuration capability. However, no work has focused on mechanisms that can determine whether a candidate service is applicable or not through a consideration of what data is missing or unobtainable. The service assessment method proposed estimates how well services behave under such conditions. This yields a wider range of available services, and can remove meaningless services prior to execution. With regard to privacy preservation, although many technologies have been examined, few works addressed a service execution mechanism that keeps users’ private data private from the service providers. Furthermore, the providers’ need to protect their private data, for example, their service rules, has not been addressed so far. The mechanism proposed here can execute services while hiding the users’ and providers’ private data by distributing the service procedures between the service provider and the user.

The rest of this paper is structured as follows: Section 2 overviews requirements, related work and our motivations; Section 3 describes our fundamental policies, and overviews the new personalized system. After a flexible service description based on the Bayesian decision network is introduced in Section 4, Section 5 describes a novel service assessment method. Section 6 describes a novel service provisioning mechanism that hides users’ and providers’ private data. Section 7 describes implementation details and a performance evaluation. Finally, Section 8 concludes this paper.

2. Personalized services

2.1. Target service scenario

To illustrate the kind of situation envisioned here, we present a hypothetical scenario. Bob is leaving to have lunch in the town center with his girlfriend Cathy; he is carrying his cellular phone. His phone stores his personal data such as his profile (name, birthday, shop member’s card information) and his preferences such as his favorite food, music, and movies. This phone also manages his belongings such as his wallet and bags and surrounding objects using short-range wireless channels such as Bluetooth and an RF-ID tag reader. Bob arrives at the restaurant town, where, at the main entrance, the center office delivers a list of recommended restaurants to each customer according to both the pre-collected advertisements of twenty restaurants and the users’ private data. Upon entering the main entrance, the restaurants that suit Bob are shown on the display of his mobile phone. Restaurant selection is based on his personal information such as favorite food and his money, as well as his nationality and gender. At the top of the list is the ad “French Restaurant: Le Jardin is holding its annual spring fair!” followed by “Would you like Italian Gelato on this hot day?” from Italian Gelato Shop Arancio and “Handmade Japanese noodles for Gourmets!” from Japanese Noodle Shop Sarashina.

2.2. Requirements

The personalized services mentioned above are executed according to pre-determined “service rules” which describe which data needs to be collected and how the service behaves according to the value of the collected data. To achieve this kind of service, the following requirements should be considered.

Requirement 1: The system has to select applicable services for users according to the service rules created by service creators or providers. Some services may, however, be useless because not all of the data needed to satisfy the service rules may be available. For example, let us assume that Bob’s mobile phone holds his favorite food genre, vegetables, and drinks while Cathy’s phone holds ONLY food genre information. If a particular service rule needs the triple of the user’s favorite food genre, vegetables, and favorite drink, Bob can be a candidate user for personalization, while Cathy is not, simply because not all data is available. In order to deal with the various combinations possible, independent service rules would need to be prepared. This would impose an excessive burden on service creators or providers, and prevent the adoption of this type of service. From this viewpoint, it is essential to develop a new service rule description that is flexible enough to handle the omission of data used for selecting the appropriate service behavior.

Requirement 2: It is a challenge to judge whether a service is truly applicable in each situation. Assume that a women’s dress shop sends a clearance advertisement to the users walking in front of the shop. One customer has gender information as well as a favorite fashion style, and another has budget information in his/her wallet as well as a favorite fashion style. Even though the service expects all three data, the former could be a target user for service customization, while the latter is not. This is because gender information is essential for service selection, since the advertisement would probably be annoying to men. In this way, even if part of the data expected by a service rule is missing, one user or situation can be targeted for service execution, while another is not. Therefore, it is important to judge whether the available data are sufficient to select the appropriate service behavior. Consequently, a new service assessment mechanism is required that can judge whether each candidate service is applicable in each situation by estimating the influence of non-available data. This new technology would have two benefits. One is that the mechanism does not ignore services simply because some data are missing, and so gives us more opportunities to use them. The other is that meaningless services can be removed prior to execution.

Requirement 3: To achieve personalized services, it is necessary to disclose personal information to service providers. Indeed, as ubiquitous computing services become commonplace, users will engage them throughout much of their lives, releasing a stream of personal data accessible by parties near and far. This emphasizes the crucial need for end-user control over information disclosure. Conventional mechanisms can make our digital identities anonymous, or provide location privacy. Complete anonymity is, however, not sufficient for effective personalized services since they frequently need precise personal data. Therefore, it is essential to achieve a service provisioning method that conceals the user’s private data from service providers. In addition, from the viewpoint of service providers, they cannot reveal their service rules to others because their rules include proprietary know-how for service provisioning such as which service should be provided in a certain condition, i.e. when and to whom the service is to be provided. Therefore, it is also essential to hide the provider’s service rules from the user.

Requirement 4: The data that influence service behavior might be dispersed and held in different places or entities such as service providers and users. Centralizing the whole decision process imposes high processing and communication overheads on one entity, and so degrades system scalability. For example, a service provider wants to provide a personalized service, but might want to reduce the cost of customization according to independent user information, since the provider has to respond to every user. Therefore, a new processing mechanism is needed that allows each basic decision making process to be performed in an appropriate place that minimizes data management, processing, and communication loads.

2.3. Related works and motivation

Regarding service assessment technologies, many mechanisms have been investigated so far, especially those related to applicable service discovery. They include, for example, UPnP, SLP, and the HAVi forum (Bettstetter and Renner, 2000). UDDI directories and WSDL descriptions were developed for web services. Some of those approach the problem from the side of the service interface, negotiation and spontaneous auto-configuration capability. Additionally, a new direction that resolves inconsistency in service descriptions by interpreting semantics has been studied (Elenius and Ingmarsson, 2005). Preference-based service discovery was described in Balke and Wagner (2003). This work proposes a two-level mechanism for system-assisted personalized selection and uses an ontology-based model of the service offerings, user preferences and typical usage patterns. Wolf and Badii (2003) offer service quality assessment for determining appropriateness in different situations by considering not only quantitative preferences such as the user’s price but also qualitative preferences such as the user’s location. It is, however, true that no work has considered a mechanism that can discover applicable services by allowing for missing and unobtainable data.

Privacy issues have already begun to surface on the Internet. Previous research (Anonymizer; Reiter and Rubin, 1998; Priyantha et al., 2000; Al-Muhtadi et al., 2002) on privacy on the Internet has targeted the provision of anonymity for digital identities and locations. These solutions are, however, not useful in accessing effective personalized services that require various bits of users’ personal information, since they provide only the anonymity of identity and location. P3P (Cranor et al., 2002a) can describe the privacy policies of services, and APPEL (Cranor et al., 2002b) can provide the means for sharing, communicating, or importing P3P rulesets among agents, engines, or other servers. PPNP (Tamaru et al., 2003) incorporates granularity into privacy profiles by changing the granularity. Lederer et al. (2003) proposed a conceptual framework that allows for adjustment of the precision of the user’s disclosed information. These mechanisms might simplify the user’s actions in policy setting. It is not, however, feasible to require the users or machines to determine the policies properly, due not only to a lack of the skills and experience needed to set them for practical use, but also to the fact that policies should be valid for any possible, dynamic situation of the user. From the viewpoint of service providers, Cissee (2003) proposed a solution that balances the privacy needs of all participants involved; the result was an agent-based architecture for privacy-preserving information filtering. Although its goals parallel ours, they assume a trusted secure host, and reliable process monitoring functionality against internal processes such as communication and file access to counter malicious code. It is essential, therefore, to realize a more general service provisioning method that conceals not only the user’s private data from service providers but also the service rules owned by providers from users.

3. Personalized service provisioning system

3.1. Fundamental policies and features

The fundamental policies of the proposed method are summarized as follows.

Policy 1. Service rule description based on Bayesian decision network.

Many rule-based methods for decision making (Stewart, 1992) have been created because of their ease of implementation. However, Bayesian decision networks are widely used for knowledge representation and reasoning because of the following features:

• BDNs can handle the uncertainty that inevitably accompanies actual ubiquitous environments. Therefore, decisions can be made even if some nodes are not available by using various BN inference algorithms like “belief propagation” (Russell and Norvig, 1995) and “junction tree” (Pearl, 1988).

• One large rule with expectable nodes can accommodate various other service rules. Therefore, since a large rule can behave as several smaller rules, service rule managers such as providers and creators do not have to prepare all service rules for all combinations of expectable nodes.

• BDNs can be semi-automatically created according to collected data like POS data by using statistical structure learning algorithms (Cooper and Herskovits, 1992).

The proposed service rule description has two parts; the Sub-Service part covers the service rules for each service, and the Behavior part describes how each service should behave. This satisfies Requirement 1 and is described in Section 4.

Policy 2. Service assessment based on executable probability.

The different bits of data listed in a service rule have different levels of importance and influence on how the service should behave, as described in Section 2.2. Therefore, one missing bit of data might trigger inappropriate service behavior, or might have virtually no impact. Our system assesses how appropriate the service behavior is under the condition that some data is missing. Namely, it estimates the expected utility values in two cases: when the service can collect all expected data, and when it can collect no data. By using these two values, the executable probability is calculated based on how much the utility value is degraded if some data is missing. This probability is utilized to judge whether the services are appropriate for the actual situation. To calculate the expected utility values, the Bayesian decision network is the best approach since it infers the probabilities of each node. The advantages of this mechanism are as follows:

• The range of available or executable services can be expanded even if some data are missing. This gives us more opportunities to use services.

• Meaningless services can be removed prior to execution. This can reduce unprofitable processing and/or data transmission.

From these perspectives, this policy satisfies Requirement 2.

Policy 3. Privacy preserving service execution control based on service rule sharing.

We propose a novel privacy preserving service execution method based on collaboration between service users and providers. The fundamental policies are (i) all private data that a user wants to conceal are not revealed to others, and (ii) service rules owned by providers are concealed from users, while disclosure of portions of the service rule is permitted. In order to achieve these policies, the basic mechanism proposed is as follows. The service provider partially analyzes the candidate service rules described by the Bayesian decision networks. It then converts them into small rules that consist of ONLY the attributes of the user’s private data. These converted rules are passed to the user side, which parses them and executes the remainder of them using the values of the user’s private data. Thus, the method can realize entire services while keeping the user’s and provider’s private data secure by sharing the service procedure. The advantages of this mechanism are as follows:

• Users can take advantage of service opportunities without disclosing their private data to service providers, and service providers can offer their services to all users without revealing the complete set of service rules.

• BDN-based service rules enable us to convert and calculate service rules mathematically by utilizing existing probabilistic inference algorithms. This is easier than what is demanded by rule-based descriptions such as IF-THEN rules.

• Original service rules can be protected more strongly from others than is the case with rule-based rules, since removing even one piece of data may propagate through a BN and change the original network structure and CPTs.

• The exchange of plain service rule descriptions between the user side and the provider side needs no additional controls. For example, if programs such as Java mobile code are delivered to the user side, strict security controls are needed to guard against malicious code. The proposed mechanism exchanges only declarative rule descriptions, not such code, and so does not require those controls.

This mechanism can satisfy not only Requirement 3 but also Requirement 4, since each piece of private data is processed at its owner’s side.

3.2. System architecture and operation

The proposed system has two steps; the service assessment step and the privacy preserving service execution step. In the former, the system judges whether each candidate service is applicable or not by considering how well the service behaves if some data to be used is missing. In the latter, the system executes those applicable services while keeping the user’s and provider’s private data secure by sharing the service procedure. The proposed system is organized into two functional entities. The Service Provider Server manages service rules and offers practical services. The User Client manages the user’s data and receives the services provided by the server. The Service Assessment Server could be located outside of the server. Fig. 1 shows the system architecture. The system procedure is outlined as follows.

The Service Provider Server manages its own data and service rules, and the User Client manages the user’s personal data, which is composed of values and attributes. All data is governed by a control policy which determines whether its value must be concealed from others or can be disclosed. Firstly, the Service Assessment Server in the server collects service rules and attributes from both the provider side and the user side. This is triggered by, for example, activation of the client terminal or its entry into a certain area. It then finds applicable services for each user by referring to all collected data. Details of this are given in Section 5. After finding executable services, the attributes of the user’s data and the service rule identifiers are sent to the Service Rule Converter. It first sets the conversion rule, which specifies not only the nodes and arcs to be deleted, but also the methods of calculating the posterior probabilities of the new CPTs. It then calculates the converted service rules, and sends them to the User Client. The algorithm for this is detailed in Section 6. The User Client starts the service execution procedure by parsing the Service Behavior part in the rule. This might instruct the system to display a message according to the highest EU (expected utility) value, namely the MEU. Finally, the client performs the service, such as displaying sorted messages on the mobile terminal or displaying a web page by accessing an indicated URL.

Fig. 1. Proposal: basic procedure. (Figure not reproduced. Components: the Service Provider Server, holding the Service Rules and Provider Info.; the User Client, holding the Personal Info.; and the Service Assessment Server, containing the Service Rule Converter and the Service Rule Calculator. Labelled flows: Service Rule and Provider’s Data from the provider side, User’s Data (only Attribute) from the User Client to the Service Assessment Server, Converted Service Rule to the User Client, and User’s Data (Attribute & Value) used locally at the User Client.)

4. Bayesian decision network (BDN) based service rule

4.1. Bayesian decision network (BDN)

A Bayesian network (BN) is a directed acyclic graph (DAG) that encodes probabilistic relationships among network nodes. Each node, called a chance node (drawn as an oval), has a conditional probability table (CPT), which gives the probability of each possible state for every combination of parent node states. The BDN, created for solving decision problems, extends the BN with two additional types of nodes: decision nodes and utility nodes. A decision node (rectangle) defines the action alternatives considered by the user. Every decision node has a finite number of alternatives standing for the actions. A decision node is connected to chance nodes, called utility connect nodes in this paper, whose probability distributions are directly affected by the decision. A utility node (diamond) is a random variable whose value is the utility of the outcome. A utility node holds a table of utility values, called the utility table, for all value configurations of its parent nodes. The value of each decision variable is not determined probabilistically but rather is imposed from the outside by the decision maker (Jensen, 1995). Let knowledge be represented by one variable called the hypothesis H with mutually exclusive states, each of which has a probability value. Given a set of admissible actions $a \in A = \{a_1, \ldots, a_n\}$ and a utility table $U(A, S)$ which describes the utility of each action in reducing the uncertainty if the state $s \in S = \{s_1, \ldots, s_m\}$ is true, the expected service utility (EU) of each action is calculated using Eq. (1). Here, $P(S \mid E)$ is the probability distribution conditioned on the available evidence $E$, and the optimal action $\mathrm{opt}(A)$ is the argument that maximizes $\mathrm{EU}(A)$; the maximized value is $\mathrm{MEU}(A)$:

$$\mathrm{opt}(A) = \arg\max_{a \in A} \mathrm{EU}(a) = \arg\max_{a \in A} \sum_{s \in S} P(s \mid E)\, U(a, s) \qquad (1)$$

The algorithm that evaluates a Bayesian decision network proceeds as follows: (1) set the evidence variables for the current state; (2) for each possible value of the decision node, set the decision node to that value; (3) calculate the posterior probabilities for the parent nodes of the utility node using a standard probabilistic inference algorithm; and (4) calculate the resulting utility function for the action and return the action with the highest utility.

Fig. 2 presents a Bayesian decision network that determines whether an umbrella should be taken or not. “Windy”, “Humid” and “Rainy” are chance nodes containing probabilistic information. They have two discrete states, $W = \{w, \bar{w}\}$, $H = \{h, \bar{h}\}$ and $R = \{r, \bar{r}\}$, respectively. “Utility” is a utility node, and “Umbrella” is a decision node, whose actions are $U = \{u, \bar{u}\}$. In addition, the CPT of “Rainy” for each combination of “Windy” and “Humid”, and the utility values for each combination of “Umbrella” and “Rainy”, are also given. The objective is to maximize expected utility (EU) by appropriately selecting the value of “Umbrella” for each possible state of the “Rainy” node.
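As an added worked example (this is not code from the paper or from the authors’ prototype), the following Python block runs the four-step evaluation above on the Fig. 2 umbrella network: it multiplies the CPTs into a joint factor, conditions on whatever evidence is actually available, marginalizes the chance nodes whose data is missing, and returns EU for each action as in Eq. (1). The Rainy CPT and the utility table are the Fig. 2 values; the priors P(windy) = 0.3 and P(humid) = 0.5 are assumptions, since the figure does not give them. The same factor operations also illustrate the rule sharing of Policy 3 and the Service Rule Converter of Section 3.2: `convert_rule()` plays the provider, fixing its own private value and eliminating that node (treating Windy as provider-side data is an assumption made for the example), so the converted rule mentions only the user-side attribute Humid and the user finishes the evaluation with its private value. All function names here (`posterior`, `meu`, `convert_rule`, ...) are this example’s own, not the paper’s.

```python
"""BDN service-rule evaluation (Eq. 1) and Policy 3 style rule conversion.
Added example, not from the paper. Rainy CPT and utility table: Fig. 2.
Priors P(W), P(H) are assumed. A factor is (variables, {assignment tuple: value})."""
from itertools import product

DOMAINS = {"W": ("windy", "calm"), "H": ("humid", "dry"), "R": ("rainy", "sunny")}
ACTIONS = ("taking", "not_taking")
UTILITY = {("taking", "rainy"): 10, ("taking", "sunny"): 6,        # Fig. 2 utility table
           ("not_taking", "rainy"): -7, ("not_taking", "sunny"): 9}

def cpt(child, parents, p_first):
    """CPT factor from P(child = first domain value | parents) for each parent row."""
    table = {}
    for row, p in p_first.items():
        table[row + (DOMAINS[child][0],)] = p
        table[row + (DOMAINS[child][1],)] = 1.0 - p
    return (tuple(parents) + (child,), table)

P_W = cpt("W", [], {(): 0.3})   # assumed prior P(windy)
P_H = cpt("H", [], {(): 0.5})   # assumed prior P(humid)
P_R = cpt("R", ["W", "H"], {    # Fig. 2: P(rainy | Windy, Humid)
    ("calm", "dry"): 0.02, ("calm", "humid"): 0.90,
    ("windy", "dry"): 0.60, ("windy", "humid"): 0.95})
RULE = [P_W, P_H, P_R]          # the complete service rule, held by the provider

def multiply(f, g):
    """Pointwise product of two factors over the union of their variables."""
    (fv, ft), (gv, gt) = f, g
    vs = fv + tuple(v for v in gv if v not in fv)
    table = {}
    for assign in product(*(DOMAINS[v] for v in vs)):
        env = dict(zip(vs, assign))
        table[assign] = ft[tuple(env[v] for v in fv)] * gt[tuple(env[v] for v in gv)]
    return (vs, table)

def condition(f, var, value):
    """Restrict a factor to the observed value var = value and drop var."""
    fv, ft = f
    i = fv.index(var)
    return (fv[:i] + fv[i + 1:], {a[:i] + a[i + 1:]: p for a, p in ft.items() if a[i] == value})

def sum_out(f, var):
    """Marginalize var out of a factor (the missing-data case)."""
    fv, ft = f
    i = fv.index(var)
    table = {}
    for a, p in ft.items():
        table[a[:i] + a[i + 1:]] = table.get(a[:i] + a[i + 1:], 0.0) + p
    return (fv[:i] + fv[i + 1:], table)

def joint(factors):
    """Product of all factors; the network is tiny, so full enumeration is fine."""
    out = factors[0]
    for f in factors[1:]:
        out = multiply(out, f)
    return out

def posterior(factors, evidence, query):
    """P(query | evidence): condition on the known nodes, marginalize the missing ones."""
    f = joint(factors)
    for var, val in evidence.items():
        f = condition(f, var, val)
    for var in [v for v in f[0] if v != query]:
        f = sum_out(f, var)
    total = sum(f[1].values())
    return {a[0]: p / total for a, p in f[1].items()}

def expected_utilities(factors, evidence):
    """Eq. (1): EU(a) = sum_s P(s | E) U(a, s) over the utility connect node Rainy."""
    p = posterior(factors, evidence, "R")
    return {a: sum(p[s] * UTILITY[(a, s)] for s in DOMAINS["R"]) for a in ACTIONS}

def meu(factors, evidence):
    """Optimal action and its expected utility (MEU) under the evidence actually available."""
    eu = expected_utilities(factors, evidence)
    best = max(eu, key=eu.get)
    return best, round(eu[best], 9)

def convert_rule(factors, provider_values, provider_vars):
    """Provider side of Policy 3 (assumed realization): fix the provider's own private
    values, eliminate every provider-side node, and return a rule over user attributes only.
    The user side then calls meu() on it with its private values; the provider never sees them."""
    f = joint(factors)
    for var, val in provider_values.items():
        f = condition(f, var, val)
    for var in provider_vars:
        if var in f[0]:
            f = sum_out(f, var)
    return [f]

if __name__ == "__main__":
    print("no data:", meu(RULE, {}))                    # prior only
    print("H=dry, W missing:", meu(RULE, {"H": "dry"}))
    print("all data:", meu(RULE, {"W": "calm", "H": "dry"}))
    converted = convert_rule(RULE, {"W": "windy"}, ["W"])  # provider knows it is windy
    print("converted rule variables:", converted[0][0])
    print("user side, H=dry:", meu(converted, {"H": "dry"}))
```

With both nodes observed as calm and dry the best action is not taking the umbrella (EU 8.68); with Windy missing and only dry known, the marginalized rain probability rises to 0.194 and taking the umbrella wins (EU 6.776), which is the missing-data behaviour Policy 1 relies on. The converted rule the provider hands over contains only Humid and Rainy, and the user’s result from it (taking, EU 8.4) equals what the full rule gives with both values known, so neither side had to reveal its private value to the other. The executable-probability formula of Section 5 is not reproduced here; the block only produces the expected-utility values it is built from.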

4.2. BDN based service rule

The service rule description is based on the Bayesian decision network. The description can handle multiple service rules, which are, for example, recommendation services from a couple of restaurants. These service rules are described in the Sub-service data part. Another important part is the Service behavior part, which describes how to act based on the EU values of the multiple services mentioned earlier. This might instruct the system to display the message with the highest EU, namely the MEU, or instruct it to sort and display multiple messages in order of EU, as in the restaurant center scenario. An example of the service rule description is shown in Fig. 3.

Fig. 2. Bayesian decision network example. Chance nodes: Windy (W), Humid (H) and Rainy (R), where Rainy is conditioned on Windy and Humid and is the utility connect node; decision node: Umbrella (U); utility node: Utility, whose parents are Umbrella and Rainy.

CPT of Rainy (R):

  Windy (W)   Humid (H)   Sunny   Rainy
  calm        dry         0.98    0.02
  calm        humid       0.10    0.90
  windy       dry         0.40    0.60
  windy       humid       0.05    0.95

Utility table:

  Umbrella (U)   Sunny   Rainy
  Not-taking     9       -7
  Taking         6       10

The service rule description of the "Restaurant Center Recommendation Service" mentioned in Section 2.1 has one Sub-service data part. The BDN-based rule for the French restaurant is shown in Fig. 4. The BN has six chance nodes, five arcs, and two CPTs. The distributions of the nodes are discrete and every node has two states. Each chance node carries owner attribute information, for example "Profession" ($P = \{\text{student}(p), \text{worker}(\bar{p})\}$), "Age" ($A = \{\text{young}(a), \text{old}(\bar{a})\}$), "Sex" ($S = \{\text{female}(s), \text{male}(\bar{s})\}$), "Budget" ($B = \{\text{low}(b), \text{high}(\bar{b})\}$) and "Favorite Food" ($F = \{\text{asian}(f), \text{western}(\bar{f})\}$). "Time of Day" ($T = \{\text{daytime}(t), \text{evening}(\bar{t})\}$) is service-provider-side data; the others are input from user-side data. "Favorite Food" is a utility connect node.

Fig. 3. Service rule description example.

Fig. 4. Service rule example.

Meanwhile, the decision network has one decision node, named "Food Shop Recommendation", with three action values, "Le Jardin ($r_1$)", "Arancio ($r_2$)" and "Sarashina ($r_3$)", and one utility node called "Utility". Each action value has a corresponding practical action (message). In the example, "Le Jardin" holds "French Restaurant: Le Jardin holds its annual spring fair!" The utility table indicates the effect on users when each of the three actions is executed under the "Asian" and the "Western" state of the utility connect node. The expected utility of the "Le Jardin" action is $EU(r_1) = p(f) \cdot u(r_1, f) + p(\bar{f}) \cdot u(r_1, \bar{f})$. Similarly, the utility values of the two other advertisement services, from the Italian gelato shop "Arancio" and the Japanese noodle shop "Sarashina", can also be calculated. For the Service behavior part, "Advertisement Service" instructs the system to sort and display all Sub-services according to their MEU values.

5. Service assessment based on execution probability

The proposed assessment enables us to find applicable services even if some bits of data are missing. In addition, since inappropriate services are detected prior to execution, useless processing and communication can be reduced. The algorithm calculates the service executable probability of each candidate service from the available data and determines whether each should be applied or not. More specifically, it calculates the degradation in service utility due to the missing data, with the benchmark being the value achieved when all necessary data are available.

5.1. Algorithm details

First, the service utility, denoted $EU_{comp}$, is calculated using Eq. (2) for the case that each candidate service has all data for decision making:

$$EU_{comp}(a_i, e^{comp}_m) = \sum_{j=1}^{J} p(s_j \mid e^{comp}_m) \cdot U(a_i, s_j) \qquad (2)$$

where $m$ is the index of a combination of states of all available data; such a combination is called evidence in the BDN. If the total number of available data items is $M_c$ and each has $k$ discrete states, then $0 \le m < k^{M_c}$; for $M_c = 3$ and $k = 2$, $k^{M_c} = 2^3 = 8$. $e^{comp}_m$ is the $m$-th state set. $J$ is the total number of discrete states $s_j$ of the utility connect nodes. $p(s_j \mid e^{comp}_m)$ is the posterior probability of the $j$-th state under $e^{comp}_m$, calculated by an inference algorithm after all evidence nodes of $e^{comp}_m$ have been entered into the Bayesian network. $U(a_i, s_j)$ is read from the utility table. The maximum expected utility, $MEU_{comp}$, is given by Eq. (3), which takes the best action $a_i$ for each state set $e^{comp}_m$ and weights its expected utility by the probability of that state set:

$$MEU_{comp} = \sum_{m=0}^{k^{M_c}-1} p(e^{comp}_m) \cdot \max_{a_i \in A} EU_{comp}(a_i, e^{comp}_m) \qquad (3)$$

Next, the maximum expected utility, denoted $MEU_{no}$, is calculated using Eq. (4) for the case that the candidate service has no data for decision making. Since no data is available, the prior probability $p(s_j)$ replaces $p(s_j \mid e^{comp}_m)$ in Eq. (2):

$$MEU_{no} = \max_{a_i \in A} \sum_{j=1}^{J} p(s_j) \cdot U(a_i, s_j) \qquad (4)$$

The calculation of the maximum expected utility $MEU_{part}$ for the case that some data is missing is exactly the same as for $MEU_{comp}$. The expected utility $EU_{part}$ of each action and the maximum value $MEU_{part}$ are given by Eqs. (5) and (6), respectively:

$$EU_{part}(a_i, e^{part}_l) = \sum_{j=1}^{J} p(s_j \mid e^{part}_l) \cdot U(a_i, s_j) \qquad (5)$$

$$MEU_{part} = \sum_{l=0}^{k^{L_p}-1} p(e^{part}_l) \cdot \max_{a_i \in A} EU_{part}(a_i, e^{part}_l) \qquad (6)$$

where $l$ is the index of a combination of states of the data that is actually available. If the number of available data items is $L_p$, then $0 \le l < k^{L_p}$, and $e^{part}_l$ is the $l$-th state set.

Here, the service executable probability $q$ is calculated by Eq. (7), which measures the impact of the omitted data on service effectiveness:

$$q = \frac{MEU_{part} - MEU_{no}}{MEU_{comp} - MEU_{no}} \qquad (7)$$

Finally, by comparing $q$ with a pre-determined threshold, the system determines whether the service is applicable or not.

Fig. 5. Converted rule example for Fig. 4. The user's private nodes "Profession" and "Age" are the only remaining parents of the utility connect node "Favorite Food", which receives a new CPT; the decision node "Food Shop Recommendation" and the utility node are unchanged.

5.2. Numerical example

A numerical example based on Fig. 2 is given in this section. $e^{comp}_m$ has four state sets: $\{e^{comp}_0, e^{comp}_1, e^{comp}_2, e^{comp}_3\} = \{(w, h), (w, \bar{h}), (\bar{w}, h), (\bar{w}, \bar{h})\}$. Here, $EU_{comp}(u, w, h)$ is given by Eq. (8), based on Eq. (2):

$$EU_{comp}(u, w, h) = p(r \mid w, h) \cdot u(u, r) + p(\bar{r} \mid w, h) \cdot u(u, \bar{r}) \qquad (8)$$

From this equation we get $EU_{comp}(u, w, h) = 9.8$ and $EU_{comp}(\bar{u}, w, h) = -6.2$, so $\max_A EU_{comp}(U, w, h) = 9.8$. Similarly, $\max_A EU_{comp}(U, w, \bar{h}) = 8.4$, $\max_A EU_{comp}(U, \bar{w}, h) = 9.6$ and $\max_A EU_{comp}(U, \bar{w}, \bar{h}) = 8.68$.

The prior probabilities of the parent nodes are $p(w) = 0.2$ and $p(h) = 0.1$, so $p(e^{comp}_0) = p(w) \cdot p(h) = 0.02$, and $p(e^{comp}_1)$, $p(e^{comp}_2)$ and $p(e^{comp}_3)$ are 0.18, 0.08 and 0.72, respectively. As a result, $MEU_{comp} = 0.02 \cdot 9.8 + 0.18 \cdot 8.4 + 0.08 \cdot 9.6 + 0.72 \cdot 8.68 = 8.7256$.

Regarding $MEU_{no}$, since no data is available, $EU_{no}(u)$ and $EU_{no}(\bar{u})$ are calculated from the prior probability of the Rainy node, $\{p(r), p(\bar{r})\} = \{0.2134, 0.7866\}$. Consequently, $EU_{no}(u) = 0.2134 \cdot 10 + 0.7866 \cdot 6 = 6.8536$ and $EU_{no}(\bar{u}) = 5.5856$, so $MEU_{no} = 6.8536$.

This example has two data-shortage cases: the Windy node (W) is missing, or the Humid node (H) is missing. When only Windy is available (Humid missing), $\max_A EU_{part}(U, w) = 8.54$ and $\max_A EU_{part}(U, \bar{w}) = 7.272$, so $MEU_{part} = 0.2 \cdot 8.54 + 0.8 \cdot 7.272 = 7.5256$ and, by Eq. (7), $q = (7.5256 - 6.8536)/(8.7256 - 6.8536) = 0.359$. When only Humid is available (Windy missing), $\max_A EU_{part}(U, h) = 9.64$ and $\max_A EU_{part}(U, \bar{h}) = 6.824$, so $MEU_{part} = 0.1 \cdot 9.64 + 0.9 \cdot 6.824 = 7.1056$ and $q = 0.135$. These results indicate that the Windy node (W) has a stronger influence on this service than the Humid node (H). If the pre-determined threshold is 0.3, we conclude that the service should be executed when only Windy is available, but not when only Humid is available.
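The assessment of Section 5 carried out in code, as an added example that is not code from the paper. The block takes the Fig. 2 CPT of "Rainy" given "Windy" and "Humid", the utility table, and the priors p(w) = 0.2 and p(h) = 0.1 (an assumption read off the 0.2/0.8 and 0.1/0.9 weights in the sums above, since Fig. 2 does not print the priors). Missing parents are summed out of the posterior with their priors, exactly what the inference step behind Eqs. (2) and (5) does, and one function yields MEU_comp, MEU_no and MEU_part depending on which nodes are passed as available. The generalisation to any number of independent parent nodes is the example's own; the paper shows only the two-node case.

```python
"""Service assessment by execution probability (Section 5) on the umbrella
network of Fig. 2.  Added example; constants are read off Fig. 2 and Section 5.2."""
from itertools import product

# Chance nodes feeding "Rainy"; both are roots, so each has an independent prior.
PARENTS = ("W", "H")
PRIORS = {"W": 0.2, "H": 0.1}            # p(w), p(h): assumed from the Section 5.2 weights
# CPT of "Rainy": p(r | W, H) for every parent configuration (True = windy / humid).
P_RAIN = {(True, True): 0.95, (True, False): 0.60,
          (False, True): 0.90, (False, False): 0.02}
# Utility table U(action, rainy) of the decision node "Umbrella".
ACTIONS = ("take", "leave")
UTILITY = {("take", True): 10.0, ("take", False): 6.0,
           ("leave", True): -7.0, ("leave", False): 9.0}


def prior_of(node, state):
    return PRIORS[node] if state else 1.0 - PRIORS[node]


def p_rain(evidence):
    """Posterior p(r | evidence); `evidence` maps a subset of the parents to a state.
    Parents not in the evidence are summed out with their priors, which is what the
    inference engine does for p(s_j | e) in Eqs. (2) and (5)."""
    total = 0.0
    for states in product((True, False), repeat=len(PARENTS)):
        weight = 1.0
        for node, state in zip(PARENTS, states):
            if node in evidence:
                if evidence[node] != state:
                    weight = 0.0
                    break
            else:
                weight *= prior_of(node, state)
        total += weight * P_RAIN[states]
    return total


def expected_utilities(evidence):
    """EU(a, e) of Eqs. (2)/(5) for every action under the given evidence."""
    pr = p_rain(evidence)
    return {a: pr * UTILITY[(a, True)] + (1.0 - pr) * UTILITY[(a, False)]
            for a in ACTIONS}


def meu(available):
    """Eqs. (3), (4) and (6) in one: the expectation, over the joint states of the
    available nodes, of the best action's EU.  available=() gives MEU_no,
    available=PARENTS gives MEU_comp, anything in between gives MEU_part."""
    avail = [n for n in PARENTS if n in available]
    total = 0.0
    for states in product((True, False), repeat=len(avail)):
        evidence = dict(zip(avail, states))
        p_evidence = 1.0
        for node, state in evidence.items():
            p_evidence *= prior_of(node, state)
        total += p_evidence * max(expected_utilities(evidence).values())
    return total


def executable_probability(available):
    """Eq. (7): the share of the utility gain of full data that the available data keeps."""
    meu_comp, meu_no = meu(PARENTS), meu(())
    return (meu(available) - meu_no) / (meu_comp - meu_no)


def applicable(available, threshold=0.3):
    """The final check of Section 5.1: run the service only if q reaches the threshold."""
    return executable_probability(available) >= threshold


if __name__ == "__main__":
    for subset in ((), ("W",), ("H",), ("W", "H")):
        print(subset, round(meu(subset), 4), round(executable_probability(subset), 4))
```

A practitioner's check worth keeping in mind: q always lies in [0, 1], because the expected value of additional evidence is never negative (the expectation of a maximum is at least the maximum of the expectations), so a q outside that range signals a bug in the inference step, not a property of the service.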

6. Privacy preserving execution control based on service rule sharing

The basic feature is that the service provider and the user share converted service rules that are generated by the service provider. The key technology here is service rule conversion. If the user has allowed public access only to "Profession" and "Age" on his mobile phone in the rule of Fig. 4, the converted service rule should be created as shown in Fig. 5, which has only the two pieces of the user's private data and one utility connect node, "Favorite Food".

As mentioned in Section 4, service rules are characterized by the structure of their Bayesian networks, their conditional probability tables and their utility tables. Therefore, rule conversion is achieved by removing the chance nodes that the provider can fill with obtainable data, by drawing new arcs between the remaining nodes and by calculating new CPTs among those nodes. Additionally, modification of the utility tables also alters the network. This enables the service provider to conceal the original network, because the converted network lacks some of the original nodes, arcs and values.

Since the more nodes are removed, the harder it becomes to restore the original BN, as many nodes as possible should be removed in the conversion. The candidate nodes for elimination are the provider's private nodes and the nodes unavailable on either the user or the provider side. The conversion algorithm focuses on singly connected graphs. The conversion is composed of (i) Network Structure Conversion, (ii) CPT Conversion, and (iii) CPT Offset and UT Decomposition.

6.1. Network structure conversion

The conversion algorithm first finds the bounds that directly influence the two types of nodes to be left, which are the user's private nodes and the utility connect nodes. The bounds are determined by the notion of "d-separation", a graph-theoretic criterion for detecting conditional independencies (Russell and Norvig, 1995). If two variables are d-separated relative to a set of variables Z in a directed graph, they are independent conditional on Z in every probability distribution that factorizes according to the graph. Roughly speaking, variables X and Y are independent conditional on Z if knowledge about X gives no extra information about Y once Z is known. In this paper, the provider's data nodes and the user's private nodes play the role of Z. The basic strategy is as follows:

Step 1. Select one utility connect node or one user private node (called the focused node hereafter),

Step 2. Locate the user's private data nodes and the provider's private data nodes along all of the paths that flow into the focused node selected in Step 1,

Step 3. Remove from the nodes located in Step 2 those that connect to the focused node only via other user's private data nodes or provider's private data nodes located in Step 2,

Step 4. Create new CPTs by calculating the new posterior probability of the focused node for all combinations of the user private nodes, with the provider's private data found in Step 2 entered as evidence (described in Section 6.2), and

Fig. 6. Rule conversion example. Node K is the utility connect node under consideration; above it lie user private data nodes, provider private data nodes, non-available user data and non-available provider data. Path (a) runs A-B-K, Path (b) C-E-K and Path (c) I-J-K. The d-separated boundary leaves Nodes B, G and J as the new parent nodes of Node K, with Node E as the evidence node (available data).

Step 5. Return to Step 1 if utility connect nodes or user private nodes remain to be processed; otherwise the procedure terminates.

The rest of this section details the algorithm for two cases with reference to Fig. 6. Regarding a utility connect node (Node K in Fig. 6 falls into this category), we first select the user's private nodes and the provider's nodes above this node. Here, we use $NU_i$ to refer to the $i$-th utility connect node and define the set of user private nodes for $NU_i$ as $Upd_{+NU_i}$. The set of provider's private nodes is similarly defined as $Ppd_{+NU_i}$. Focusing on Node K, the candidates for $Upd_{+NU_i}$ are Nodes A, B, C, G and J. Next, the nodes that connect to the focused node only via other user's private data nodes or provider's private data nodes are removed, namely Node A and Node C. This is because Node B lies between Node A and Node K along Path (a) in Fig. 6, and Node E, a provider's node, lies between Node C and Node K along Path (b). Consequently, $Upd_{+NU_i}$ contains Nodes B, G and J. The provider's node set $Ppd_{+NU_i}$ is selected in exactly the same way: although the candidates are Node E and Node I, Node I connects to Node K via Node J on Path (c), so the final $Ppd_{+NU_i}$ contains only Node E.

Fig. 7. Posterior probability calculation example.

6.2. CPT conversion

Given the above results, the probabilities for the new CPTs of the utility connect nodes and of the remaining user's private nodes can be calculated (see Fig. 7).

Remember that the CPTs in the new BN represent the probabilistic relationship between utility connect nodes and user's private nodes. Therefore, each probability in the CPTs should be calculated from all available data, namely all of the provider's node data $Ppd_{+NU_i}$ in the upper stream. Hence this probability is the posterior probability of the focused node given $Ppd_{+NU_i}$ and one set of discrete states of all nodes in $Upd_{+NU_i}$. As a result, the posterior probability of the $k$-th state of $NU_i$, for the case that the combination of states of all nodes constructing $Upd_{+NU_i}$ is the $l$-th set, is calculated as in Eq. (9). Here $0 \le k < K$, where $K$ is the number of discrete states of $NU_i$, and $0 \le l < L$, where $L$ is the total number of combinations of states of all nodes constructing $Upd_{+NU_i}$; $L$ equals, for example, eight if $Upd_{+NU_i}$ has three nodes with two discrete states each. $Ppd_{+NU_i}$ represents the value set that is determined from the provider's data prior to the rule conversion:

$$P(NU_{i,k} \mid Upd_{+NU_i, l}) = P(NU_{i,k} \mid Upd_{+NU_i, l}, Ppd_{+NU_i}) \qquad (9)$$

Fig. 8. CPT Offset and UT Decomposition.
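The structure conversion of Section 6.1 (Steps 2 to 4) and the CPT conversion of Eq. (9), as an added example in Python that is not the paper's implementation. The graph follows the description of Fig. 6 (Path (a) through A and B into K, Path (b) through C and E, Path (c) through I and J, plus G feeding K); the placement of the non-available nodes D, F and H and every CPT value are constructed for the example, since the paper gives neither. `find_bounds` walks each path upstream of the focused node and stops at the first user-private or provider node, which is the d-separated boundary of Fig. 6; `converted_cpt` then fills Eq. (9) by brute-force enumeration of the joint distribution with the provider's value of E fixed. Enumeration is adequate for a toy network and is what a Polytree or Junction Tree engine replaces in the real system.

```python
"""Rule conversion (Sections 6.1-6.2) on a constructed network shaped like Fig. 6.
Added example, not the paper's implementation; all CPT values are made up."""
from itertools import product

# Arcs parent -> child.  Path (a) A->B->D->K, Path (b) C->E->K, Path (c) H->I->J->K,
# and F->G->K.  D, F, H are the non-available nodes (their placement is constructed).
PARENTS = {
    "A": (), "B": ("A",), "D": ("B",),
    "C": (), "E": ("C",),
    "H": (), "I": ("H",), "J": ("I",),
    "F": (), "G": ("F",),
    "K": ("D", "E", "G", "J"),
}
USER_PRIVATE = {"A", "B", "C", "G", "J"}   # user's private data nodes (the candidates of Sec. 6.1)
PROVIDER = {"E", "I"}                      # provider's private data nodes, known on the server
# Constructed CPTs: P(node = True | parents), keyed by the tuple of parent states.
CPT = {
    "A": {(): 0.3}, "B": {(True,): 0.7, (False,): 0.2}, "D": {(True,): 0.8, (False,): 0.3},
    "C": {(): 0.5}, "E": {(True,): 0.9, (False,): 0.4},
    "H": {(): 0.6}, "I": {(True,): 0.75, (False,): 0.25}, "J": {(True,): 0.65, (False,): 0.35},
    "F": {(): 0.4}, "G": {(True,): 0.85, (False,): 0.15},
    "K": {(d, e, g, j): 0.1 + 0.2 * d + 0.15 * e + 0.3 * g + 0.2 * j
          for d, e, g, j in product((True, False), repeat=4)},
}


def prob(node, value, assign):
    """P(node = value | its parents' states, taken from `assign`)."""
    p_true = CPT[node][tuple(assign[p] for p in PARENTS[node])]
    return p_true if value else 1.0 - p_true


def find_bounds(focus):
    """Steps 2-3 of Sec. 6.1.  Climb every path above `focus` and stop at the first
    user-private or provider node: given that node, everything behind it is
    d-separated from `focus`, so it is dropped from the converted rule."""
    upd, ppd = set(), set()

    def climb(node):
        for parent in PARENTS[node]:
            if parent in USER_PRIVATE:
                upd.add(parent)
            elif parent in PROVIDER:
                ppd.add(parent)
            else:                     # non-available node: it will be summed out
                climb(parent)

    climb(focus)
    return upd, ppd


def posterior(focus, cond):
    """P(focus = True | cond) by enumerating the full joint; fine for a toy network."""
    free = [n for n in PARENTS if n != focus and n not in cond]
    num = den = 0.0
    for fstate in (True, False):
        for states in product((True, False), repeat=len(free)):
            assign = dict(cond, **{focus: fstate}, **dict(zip(free, states)))
            joint = 1.0
            for node in PARENTS:
                joint *= prob(node, assign[node], assign)
            den += joint
            if fstate:
                num += joint
    return num / den


def converted_cpt(focus, provider_evidence):
    """Step 4 / Eq. (9): the new CPT of `focus` over the state combinations of its
    new user-private parents, with the provider's known values entered as evidence."""
    upd, ppd = find_bounds(focus)
    new_parents = sorted(upd)
    table = {}
    for states in product((True, False), repeat=len(new_parents)):
        cond = dict(zip(new_parents, states))
        cond.update({p: provider_evidence[p] for p in ppd})
        table[states] = posterior(focus, cond)
    return new_parents, table


if __name__ == "__main__":
    parents, table = converted_cpt("K", {"E": True})
    print("new parents of K:", parents)
    for states, p in table.items():
        print(dict(zip(parents, states)), round(p, 4))
```

The d-separation claim can be checked against `posterior` directly: conditioning additionally on A, C or I does not move P(K | B, G, J, E) at all, whereas conditioning on the dropped non-available node D does, which is why D has to be summed into the new CPT rather than ignored. The walk in `find_bounds` relies on the graph being singly connected, as Section 6 states; in a multiply connected graph a node hidden behind a blocker on one path can still reach the focused node along another, and the boundary would have to be computed with a full d-separation test instead.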

6.3. CPT offset and UT decomposition

The conversion described above alters the network structure and the CPT values by removing unavailable nodes or nodes whose values are available on the server side. As a result, it prevents the disclosure of the original service rule network to others. It is, however, impossible to protect the original if the user can input every node of the network on the user side, since no conversion is then necessary and the original network is revealed. That is why an additional mechanism is required for this type of situation.

The proposed mechanism focuses on the fact that the EU value is calculated by multiplying the utility value in the utility table (UT) by the probability of the utility connect node (see Fig. 8). Here, a randomized offset is applied to the probability, and the utility values are adjusted by decomposing the utility value to match the new probability with the offset. The converted network has a single layer: by the d-separation argument, the parent nodes of the utility connect node have no parents of their own. Therefore the proposed offset provides complete protection in the sense that no part of the original service rule network is disclosed. In the following explanation, the number of discrete states in each node is two; the algorithm can easily be extended to more than two states. First, Eq. (1) is revised to yield Eq. (10):

$$EU(a) = \sum_{s \in S} \psi(P(s)) \cdot \phi(U(a, s)) \qquad (10)$$

where $\psi(P(S))$ and $\phi(U(A, S))$ are the offset functions applied to the probabilities and to the utility values, respectively. If a different (i.e. independent) offset is given to each probability having different parent states, the offset of the utility value must be adjusted to the offset of each probability, since each utility value pairs with one probability for each state $s$. That is why the decomposition of the utility value is introduced here; Eq. (10) is revised to Eq. (11):

$$EU(a) = \sum_{s \in S} \psi(p(s \mid parents(s))) \cdot \phi(u(a, s, parents(s))) \qquad (11)$$

where $parents(s)$ denotes the parent nodes of the node whose state is $s$ (the states $s$ and $\bar{s}$ share the same parents). In this paper, simple multiplication is applied to $\psi(p(s \mid parents(s)))$, as in Eq. (12):

$$\psi(p(s \mid parents(s))) = \alpha(parents(s)) \cdot p(s \mid parents(s)), \qquad \psi(p(\bar{s} \mid parents(s))) = 1 - \alpha(parents(s)) \cdot p(s \mid parents(s)) \qquad (12)$$

where $\alpha(parents(s))$ is selected so that the new probability $\psi(p(s \mid parents(s)))$ lies in the range $[0.0, 1.0]$. Consequently, the offset $\phi(u(a, s, parents(s)))$ is calculated as shown in Eq. (13):

$$\phi(u(a, s, parents(s))) = u(a, s) \cdot \frac{1}{\alpha(parents(s))}, \qquad \phi(u(a, \bar{s}, parents(s))) = u(a, \bar{s}) \cdot \frac{p(\bar{s} \mid parents(s))}{\psi(p(\bar{s} \mid parents(s)))} \qquad (13)$$


Although this decomposition demands a larger utility ta-ble, setting different CPT and UT values prevents the dis-closure of the original service rule.

6.4. Numerical example

A numerical example is given here for a better understanding of the algorithm, referring to Fig. 4. In this example, let us assume that the user's private data are "Profession (P)" and "Age (A)", while the provider's data is "Time of Day (T)". The converted network structure for this example is the one depicted in Fig. 5. Focusing on "Favorite Food (F)" as $NU_i$, "Profession (P)" and "Age (A)" are the user's private nodes in the upper stream, that is $Upd_{+NU_i}$, and "Time of Day (T)" is the provider's node $Ppd_{+NU_i}$ in the upper stream. Under this condition, one of the posterior probabilities constructing the new CPT is calculated as follows. This calculation is for the case $NU_i = \text{asian}(f)$ and $Upd_{+NU_i} = \{\text{Profession}(P) = \text{student}(p), \text{Age}(A) = \text{young}(a)\}$. Here we set the prior probabilities of "Sex (S)" to $\{p(s), p(\bar{s})\} = \{0.7, 0.3\}$ and assume that "Time of Day" $= \text{daytime}(t)$ is entered on the server side. "Budget (B)" and "Sex (S)" do not appear in the converted network and are summed out:

$$P(f \mid p, a, t) = p(f \mid b, a, t) \cdot p(b \mid p) + p(f \mid \bar{b}, a, t) \cdot p(\bar{b} \mid p)$$

$$= p(f \mid b, a, t)\{p(b \mid p, s) \cdot p(s) + p(b \mid p, \bar{s}) \cdot p(\bar{s})\} + p(f \mid \bar{b}, a, t)\{p(\bar{b} \mid p, s) \cdot p(s) + p(\bar{b} \mid p, \bar{s}) \cdot p(\bar{s})\} = 0.224 \qquad (14)$$

Similarly, we get all values of the new CPT for the "Favorite Food (F)" node.

As to the CPT with randomized offset and UT decomposition described in Section 6.3, if $\alpha(parents(f))$ is, for example, 2.0 and $p(f \mid p, a)$ is taken as 0.24, then $\psi(p(f \mid p, a)) = 2.0 \times 0.24 = 0.48$ from Eq. (12). Therefore, with $u(r_1, f) = -2$ and $u(r_1, \bar{f}) = 10$, the decomposed utility values are calculated in Eq. (15) based on Eq. (13):

$$\phi(u(r_1, f, p, a)) = (-2)/2.0 = -1, \qquad \phi(u(r_1, \bar{f}, p, a)) = 10 \cdot 0.76/(1.0 - 0.48) = 14.6 \qquad (15)$$

Similarly, we obtain all values of the new CPT with offsets and the decomposed utility values.

7. System implementation and evaluation

7.1. Prototype system details

The system has two parts, the Service Provider Server and the User Client, as shown in Fig. 9. Before service provisioning starts, a user registers the user's private data with the User Data and Policy Manager. This registration is performed via the Policy Setting Interface. The service logic and the Server Data are stored in the Server Data and Policy Manager.

The service provisioning starts when the User Data Sender in the client sends the attributes of the user's private data to the User Data Receiver in the server; this is invoked by the user's request. Upon receiving the request message, the Provider Service Executor checks it and retrieves the service logic from the Server Data and Policy Manager. The executor also retrieves the provider's data required to execute the service logic. Given the logic and the available data values, the Conversion Rule Creator checks which data values in the nodes of the service logic are available, and whether they belong to the user side or the server side. Based on this investigation, the creator determines a conversion rule which specifies not only the nodes and arcs to be deleted but also the methods of calculating the posterior probabilities of the new CPTs. The Bayesian Network (BN) Inference Executor calculates those probabilities based on the rule and re-creates the service logic, called the converted service logic. Finally, the request message instructing service execution at the user side is sent to the User Client together with the converted service logic.

Fig. 9. Prototype system architecture.
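Eqs. (12) and (13) carried through in code, as an added example that is not the paper's implementation. `offset_pair` applies the offset alpha to one parent configuration of a binary utility connect node and decomposes the two utility values of one action so that the expected utility of Eq. (11) is unchanged; `convert_rule` draws a fresh alpha for every parent configuration, as Section 6.3 requires. The CPT rows and the utilities of the actions other than Le Jardin's (-2, 10) are constructed; alpha = 2.0 with p(f | p, a) = 0.24 reproduces the figures of Eq. (15).

```python
"""CPT offset and utility-table decomposition (Section 6.3, Eqs. (12)-(13)).
Added example; all restaurant numbers except u(r1, f) = -2 and u(r1, f̄) = 10 are constructed."""
import random


def offset_pair(p_s, u_s, u_not_s, alpha):
    """Eqs. (12)-(13) for one parent configuration of a binary node with states s / s̄.
    p_s is the original p(s | parents); (u_s, u_not_s) are one action's utilities.
    alpha must lie in (0, 1/p_s): the upper bound is strict because phi(u(a, s̄))
    divides by psi(p(s̄ | parents)) = 1 - alpha * p_s."""
    if not 0.0 < p_s < 1.0:
        raise ValueError("p_s must be a non-degenerate probability")
    if not 0.0 < alpha < 1.0 / p_s:
        raise ValueError("alpha outside (0, 1/p_s): offset probability would leave (0, 1)")
    psi_s = alpha * p_s                              # psi(p(s | parents))
    psi_not_s = 1.0 - psi_s                          # psi(p(s̄ | parents))
    phi_s = u_s / alpha                              # phi(u(a, s, parents))
    phi_not_s = u_not_s * (1.0 - p_s) / psi_not_s    # phi(u(a, s̄, parents))
    return psi_s, psi_not_s, phi_s, phi_not_s


def pick_alpha(p_s, rng):
    """Random offset that keeps psi(p(s | parents)) inside [0.05, 0.95]."""
    return rng.uniform(0.05, 0.95) / p_s


def expected_utility(p_s, u_s, u_not_s):
    """Eq. (11) for one action and one parent configuration."""
    return p_s * u_s + (1.0 - p_s) * u_not_s


def convert_rule(cpt, utility, seed=None):
    """cpt: {parent_config: p(s | parent_config)}; utility: {action: (u(a, s), u(a, s̄))}.
    Returns the offset CPT {config: psi_s} and the decomposed utility table
    {(action, config): (phi_s, phi_not_s)}.  The alpha values never leave this
    function, so the recipient holds neither the original probabilities nor the
    original utilities.  `seed` exists only for reproducible runs; the default is
    the OS entropy source."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    new_cpt, new_ut = {}, {}
    for config, p_s in cpt.items():
        alpha = pick_alpha(p_s, rng)                 # one independent offset per configuration
        for action, (u_s, u_not_s) in utility.items():
            psi_s, _, phi_s, phi_not_s = offset_pair(p_s, u_s, u_not_s, alpha)
            new_cpt[config] = psi_s
            new_ut[(action, config)] = (phi_s, phi_not_s)
    return new_cpt, new_ut


def eu_from_converted(new_cpt, new_ut, action, config):
    """What the user side computes from the converted rule alone."""
    phi_s, phi_not_s = new_ut[(action, config)]
    return expected_utility(new_cpt[config], phi_s, phi_not_s)


# Constructed Fig. 4-style data: p(asian | Profession, Age) and u(action, asian / western).
CPT_F = {("student", "young"): 0.224, ("student", "old"): 0.40,
         ("worker", "young"): 0.55, ("worker", "old"): 0.70}
UTILITY = {"Le Jardin": (-2.0, 10.0), "Arancio": (3.0, 4.0), "Sarashina": (8.0, -1.0)}


if __name__ == "__main__":
    new_cpt, new_ut = convert_rule(CPT_F, UTILITY, seed=1)
    for (action, config), (phi_s, phi_not_s) in new_ut.items():
        print(action, config, round(new_cpt[config], 3), round(phi_s, 3), round(phi_not_s, 3),
              round(eu_from_converted(new_cpt, new_ut, action, config), 4))
```

Because Eq. (11) is preserved exactly, the user side still evaluates the true expected utility of every action for every parent configuration; what the offset hides is the factorisation into a probability and a utility, and that hiding depends on alpha never leaving the provider. The seeded generator is for reproducing a run, not for production use.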

Upon receiving the request from the server, the User Service Executor starts the service execution procedure by parsing the Service Behavior Part of the logic. This might instruct the system to sort and display multiple messages in order of MEU, as in the restaurant scenario. In either case, the MEU of each Sub-Service must be calculated. For each Sub-Service, the executor first retrieves the user's private data after parsing the nodes in the service logic. The Calculation Rule Creator checks the mandatory data list in the Required Node Lists and terminates the procedure if the available data cannot satisfy the list. Passing this check invokes the rule creating phase, which works like the Conversion Rule Creator in the server. The Bayesian Network (BN) Inference Executor performs probabilistic inference and outputs posterior probabilities for the chance nodes directly connected to the utility nodes. The utility table and the calculated probabilities give the expected utility value (EU) of each action registered in the decision node, using the utility function in the service logic. As a result, the MEU is calculated for each Sub-Service. Finally, based on the instruction of the Service Behavior Part, the User Service Executor instructs the Service Instance Executor to perform the service, such as displaying the sorted messages on the client message display interface.

Fig. 10. Screenshots. (a) Policy setting dialog. (b) Displayed message.

The service provider server is implemented on a Windows XP workstation (Intel Xeon 3.06 GHz, 4096 MB RAM, 5400 rpm IDE disk). The user client is implemented in C++ on a Ubiquitous IP Telephone produced by Net-2Com (WipCom1000; Intel PXA273, 2.2 in. QVGA color LCD, IEEE 802.11b) running Windows CE.NET 4.2. The BN inference algorithms supported for rule conversion are the Polytree, Junction Tree and Loopy BP algorithms. TinyXML, a simple and small C++ XML parser, was used (TinyXML). Personalized messages are displayed in the client by the notification system developed for another project (Kasai et al., 2005). The Bayesian networks of each Sub-service are described in the format of Intel's Open Source Probabilistic Networks Library (PNL). Screenshots of the client device are shown in Fig. 10(a) and (b), which show the policy setting dialog and the displayed message window, respectively.

7.2. Performance evaluation

In this section, we evaluate the performance of the service rule conversion described in Section 6. The metric is the conversion load. For this evaluation, two original networks are prepared. They have 7 and 15 nodes, respectively, and every non-root node has two parents. The network structure with 7 nodes is shown in Fig. 11. The remaining nodes, namely the user's private data, in the converted file are selected from among the nodes with no parent. The number of remaining nodes, called RN, was varied from 1 to 8. The inference algorithm used in this evaluation was the Polytree algorithm.

Figs. 12 and 13 show the elapsed time (ms) of the probabilistic inference process, the file access process and the other processes for the two networks, measured over 1000 conversions. From Figs. 12 and 13, the elapsed time is proportional to the number of inference executions. However, even when the RN of both networks is the same (for instance RN = 4), the elapsed time for inference in the 15-node network is more than double that of the 7-node network. This is because the number of belief propagations increases dramatically as the network structure expands.

Fig. 11. Simulation settings (7 nodes).

Fig. 12. Result: 7 nodes.

Fig. 13. Result: 15 nodes.

As a result, the computational complexity increases as the number of remaining nodes, namely the user's private nodes, increases and as the network size of a service rule increases. Therefore, an original network should be converted into a smaller network, both to reduce the computational load on service providers and to preserve the privacy of service rules.

8. Conclusions

This paper presented a new approach to service personalization that comprises two tools. The first is a new assessment method for selecting applicable candidate services based on the missing and available data, and the second is a privacy preserving service execution method. Both methods are based on the use of Bayesian decision networks to describe service rules.

As for service assessment, our proposal has two benefits. One is that the mechanism does not ignore services simply because some data is missing, which gives us more opportunities to use more services. The other is that meaningless services are discarded prior to execution, which raises overall efficiency. Meanwhile, the advantages of the privacy preserving method worthy of special mention are as follows. The exchange of plain service rule descriptions between the two sides needs no additional security control at the user side, such as process monitoring functionality. In addition, the BDN-based description of service rules enables us to convert and calculate service rules mathematically by utilizing conventional BN probabilistic inference algorithms. The presented method surely has some limitations. It is unsuitable if the services send a huge amount of information to the user side for customization using the user's private data, as, for example, an information filtering service does. Such services are required to pass most of the rules to the user side because the necessary data exists only there. The mechanism presented here is, however, very suitable for decision making services that involve only a limited amount of information, such as location-aware pinpoint advertisement services. These services are expected to be the most popular services in the coming ubiquitous world. In that sense, we can say that the proposed method is an effective and light-weight privacy preservation mechanism. Future work includes an enhanced algorithm to deal with more than three participants, a secure mechanism composed of multiple transactions between a user and a service provider, and an efficient calculation scheme for BDN conversion.

References

Al-Muhtadi, J., Campbell, R., Kapadia, A., Mickunas, M.D., Yi, S., 2002. Routing through the mist: privacy preserving communication in ubiquitous computing environments. In: Proceedings of the 22nd IEEE International Conference on Distributed Computing Systems (ICDCS 2002), Vienna, Austria, pp. 74–83.

Anonymizer. <http://www.anonymizer.com>.

Balke, W.-T., Wagner, M., 2003. Towards personalized selection of web services. In: Proceedings of the International World Wide Web Conference (WWW).

Bettstetter, C., Renner, C., 2000. A comparison of service discovery protocols and implementation of the service location protocol. In: Proceedings EUNICE 2000, Sixth EUNICE Open European Summer School.

Cissee, R., 2003. An architecture for agent-based privacy-preserving information filtering. In: Sixth International Workshop on Trust, Privacy, Deception and Fraud in Agent Systems.

Cooper, G.F., Herskovits, E., 1992. A Bayesian method for the induction of probabilistic networks from data. Machine Learning 9, 309–347.

Cranor, L., et al., 2002a. The platform for privacy preferences 1.0 (P3P1.0) specification, W3C Recommendation 16 April. Available from: <http://www.w3.org/TR/P3P/>.

Cranor, L., et al., 2002b. A P3P preference exchange language 1.0 (APPEL1.0), W3C Working Draft 15 April. Available from: <http://www.w3.org/TR/P3P-preferences/>.

Elenius, D., Ingmarsson, M., 2005. Ontology-based service discovery in P2P networks. In: The Second International Workshop on Peer-to-Peer Knowledge Management (P2PKM).

Jensen, F.V., 1995. Cautious propagation in Bayesian networks. In: Proceedings of the Eleventh Conference on Uncertainty in AI (UAI-95). Morgan Kaufmann, San Mateo, CA, pp. 323–328.

Kasai, H., Yamazaki, K., Kurakake, S., 2005. Adaptive notification system guaranteeing message reachability. In: IEEE International Conference on Pervasive Services 2005 (ICPS 2005).

Lederer, S., Mankoff, J., Dey, A.K., Beckmann, C.P., 2003. Managing personal information disclosure in ubiquitous computing environments. Technical Report UCB-CSD-03-1257, Computer Science Division, University of California, Berkeley, and Technical Report IRB-TR-03-015, Intel Research Berkeley.

Intel's Open Source Probabilistic Networks Library (PNL). Available from: <http://www.intel.com/technology/computing/pnl/index.htm>.

Pearl, J., 1988. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann Publishers, ISBN 1-55860-479-0.

Priyantha, N., Chakraborty, A., Balakrishnan, H., 2000. The cricket location-support system. In: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking (ACM MOBICOM), Boston, MA.

Reiter, M., Rubin, A.D., 1998. Crowds: anonymity for web transactions. ACM Transactions on Information and System Security (TISSEC) 1(1).

Russell, S.J., Norvig, P., 1995. Artificial Intelligence: A Modern Approach. Prentice Hall.

Stewart, T.J., 1992. A critical survey on the status of multiple criteria decision making theory and practice. OMEGA International.

Tamaru, S., Nakazawa, J., Takashio, K., Tokuda, H., 2003. PPNP: a privacy profile negotiation protocol for services in public spaces. In: Fifth International Conference on Ubiquitous Computing (UbiComp 2003), First International Workshop on Ubiquitous Systems for Supporting Social Interaction and Face-to-Face Communication in Public Spaces.

TinyXML. Available from: <http://www.grinninglizard.com/tinyxml/>.

WipCom1000. Available from: <http://www.net-2com.co.jp/products/wipcom1000.html>.

Wolf, W.-T., Badii, A., 2003. Assessing Web services quality for call-by-call outsourcing. In: Proceedings of the First Web Services Quality Workshop (WQW 2003). IEEE Computer Society Press.