Pranam Kolari – Policy 2005

Enhancing Web Privacy Protection Through Declarative Policies

Pranam Kolari1, Li Ding1, Lalana Kagal2, Shashi Ganjugunte1, Anupam Joshi1, Tim Finin1

Upload: doreen-randall

Post on 27-Dec-2015



Outline

• P3P/APPEL
• Motivation and Problem Description
• User Trust
• Rei Policy Language
• System Design
• Privacy Policy Specification
• Conclusion


P3P

• P3P is Platform for Privacy Preferences
• P3P defines protocols and specifies languages
• P3P Schema for Websites, APPEL Schema for Clients

P3P Sample Policy

<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
  <!-- Site's name and contact info -->
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
      <DATA ref="#business.contact-info.online.uri">http://p3pbook.com/</DATA>
      <DATA ref="#business.name">Web Privacy With P3P</DATA>
    </DATA-GROUP>
  </ENTITY>
  <!-- Access disclosure -->
  <ACCESS><nonident/></ACCESS>
  <!-- Statement -->
  <STATEMENT>
    <!-- Human-readable explanation -->
    <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
    <!-- How data may be used -->
    <PURPOSE><admin/><current/><develop/></PURPOSE>
    <!-- Data recipients -->
    <RECIPIENT><ours/></RECIPIENT>
    <!-- Data retention policy -->
    <RETENTION><indefinitely/></RETENTION>
    <!-- Types of data collected -->
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream"/>
      <DATA ref="#dynamic.http"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
</POLICIES>

Slide Courtesy: Lorrie Cranor


APPEL

• APPEL is A P3P Preference Exchange Language

• Users specify their preference in APPEL

• W3C working draft in April 2002.

• Insignificant deployment (Cranor 2003)

• Expressiveness of APPEL extensively debated (Agrawal 2003)


P3P/APPEL

Website P3P Policy:

…
<STATEMENT>
  <PURPOSE><individual-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
</STATEMENT>
…

APPEL User Preference:

<RULESET>
  <RULE behavior="request">
    <POLICY>
      <STATEMENT>
        <PURPOSE><individual-decision/></PURPOSE>
        <RECIPIENT><ours/></RECIPIENT>
      </STATEMENT>
    </POLICY>
  </RULE>
  …
</RULESET>

Cathy

The problem …

Trusting Websites

• 56% of consumers don’t believe businesses keep promises

• 63% believe independent verification is important

• 62% believe existing laws and organizational practices are insufficient

Consumer Confidence

[Chart: Consumer Trust - Published Privacy Policy. Categories: Trust website policies, Distrust website policies]

Source: (Ernst and Young report 2004)

Existing Mechanisms

A4Proxy


P3P/XPref

Website P3P Policy:

…
<STATEMENT>
  <PURPOSE><individual-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
</STATEMENT>
…

XPref User Preference:

<RULESET>
  <RULE behavior="request"
        condition="/POLICY[
          every $pname in STATEMENT/PURPOSE/* satisfies
            name($pname)='individual-decision'
          and
          every $rname in STATEMENT/RECIPIENT/* satisfies
            name($rname)='ours'
        ]"/>
  <RULE behavior="block" condition="true"/>
</RULESET>
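The difference between the two preference styles on the P3P/APPEL and P3P/XPref slides, as an added Python example that is not from the original slides: `xpref_decision` applies the slide's "every ... satisfies" condition (failing closed on an empty policy, a choice made here), while `containment_decision` is a deliberately simplified containment match used for contrast, not the APPEL algorithm. The sample policies and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"
HEAD = '<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1">'
FIRST = ("<STATEMENT><PURPOSE><individual-decision/></PURPOSE>"
         "<RECIPIENT><ours/></RECIPIENT></STATEMENT>")
# Constructed sample policies: FIRST is the statement from the slide; SHARING
# adds a second statement with a further purpose and a third-party recipient.
COMPLIANT = HEAD + FIRST + "</POLICY>"
SHARING = (HEAD + FIRST +
           "<STATEMENT><PURPOSE><individual-decision/><telemarketing/></PURPOSE>"
           "<RECIPIENT><ours/><unrelated/></RECIPIENT></STATEMENT></POLICY>")


def names(parent, container):
    """Local names of <container>/* under parent, like name() in the XPref condition."""
    return [v.tag.rsplit("}", 1)[-1]
            for c in parent.iter(NS + container) for v in c]


def xpref_decision(policy_xml, purposes=("individual-decision",), recipients=("ours",)):
    """Rule 1 ('request') needs every purpose and recipient allowed; rule 2 blocks."""
    policy = ET.fromstring(policy_xml)
    found_p, found_r = names(policy, "PURPOSE"), names(policy, "RECIPIENT")
    # Fail closed on a policy that declares nothing: XPath 'every ... satisfies'
    # is vacuously true on an empty sequence, which would otherwise allow it.
    if not found_p or not found_r:
        return "block"
    ok = all(p in purposes for p in found_p) and all(r in recipients for r in found_r)
    return "request" if ok else "block"


def containment_decision(policy_xml, purpose="individual-decision", recipient="ours"):
    """Simplified containment match: some STATEMENT holds the pattern, extras ignored."""
    policy = ET.fromstring(policy_xml)
    for st in policy.iter(NS + "STATEMENT"):
        if purpose in names(st, "PURPOSE") and recipient in names(st, "RECIPIENT"):
            return "request"
    return "block"


if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT), ("sharing", SHARING)):
        print(label, xpref_decision(doc), containment_decision(doc))
```

On the constructed `SHARING` policy the containment match returns `request` while the XPref-style rule returns `block`, because only the latter inspects every declared purpose and recipient.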


P3P Adoption

Existing problems have resulted in low P3P adoption…

Problem Description

P3P policies published by websites are not trusted by users – (i)

The languages available to describe user privacy preferences are not sufficiently expressive – (ii), and

The P3P framework does not provide a coherent view of available privacy protection mechanisms to the user – (iii)

Our approach …

Social Recommendations (i)

Website Evaluation Ontology (i)

• Modeling User Perspective of Trust

• Populating ontology with instance data
  – BizRate
  – Services for users to explicitly specify preferences

• Share using existing social network mechanisms (Ding 2003)

[Figure: Website Evaluation Ontology, example instance for www.slashdot.org. Properties: serviceType, popularity, hasP3P, hasTextPolicy, hasPrivacyCertifier, subDomainOf, isBasedOutOf, hasPolicyEnforcement, lawEnforcedBy, policySimilarTo, owner. Values shown: DiscussionGroup, 99, URI, USA, Yes, US, OSDN]

Rei Policy Language (ii)(iii)

• Rei, a policy specification language developed by Lalana Kagal at UMBC (lkagal 2003)

• Encoded in (1) Prolog, (2) OWL
• Models deontic concepts of permissions, prohibitions, obligations and dispensations
• Uses meta policies for conflict resolution
• Uses speech acts for dynamic policy modification
• We used it as a policy specification language
  – RDF specification capability (matches that of P3P)
  – Dynamic Policies as future extension to our work

Part content Courtesy: Lalana Kagal

Rei Policy Language (ii)(iii)

[Diagram: Rei ontology. Classes: Policy, Granting, Entity, DeonticObject, Constraint, Action, Boolean, Simple, DomainAction, SpeechAct. Properties: grants, to, deontic, requirement, context, actor, target, action, precondition, effect]

Rei Policy Modeling (ii)(iii)

• Two actors
  – Website
  – Webbrowser
• Multiple context
  – P3P RDF published by websites
  – User Context
  – Trust Recommendations
• Multiple actions with priorities
  – Right, Prohibition, Obligation*

*(not enforced)

System Design

[Diagram: Trusted Agent Network# (FOAF); Website Recommender Network; Ontologies, Trust rules; Personal agents; Web Server; Clients; XSLT Transformer; JRC Privacy Proxy*; Rei Engine; Privacy Expert; Rei Privacy Policy (RDF based, enhancements over APPEL); P3P Policy. Edge labels: publish, publish (optionally)]

# FOAF, Golbeck, Li ideas of Trust

Key Points

• Web Sites optionally publish P3P policies
• Clients specify privacy preferences using a policy language - Rei
• Privacy Expert is the privacy enhancement enabler by binding together entities of the system
• Rei Engine evaluates policies of users against website attributes
• Website Recommender Network propagates and builds a model of websites based on reputation
• FOAF – Enables the creation of the website recommender network

Example Policy [1] - Template

<policy:Policy rdf:about="&wwwpolicy;comprehensive"
               policy:desc="Sample policy">
  <policy:grants rdf:resource="&wwwpolicy;grantingPermission" />
  ..
</policy:Policy>
<!-- Granting Objects -->
<policy:Granting rdf:about="&wwwpolicy;grantingPermission">
  <policy:desc>Current policy allows access to a website</policy:desc>
  <policy:to rdf:resource="&wwwpolicy;var1"/>
  <policy:deontic rdf:resource="&wwwpolicy;right1"/>
</policy:Granting>
…
<!-- Deontic Objects -->
<deontic:Permission rdf:about="&wwwpolicy;right1">
  <deontic:actor rdf:resource="&wwwpolicy;var1"/>
  <deontic:action rdf:resource="&wwwpolicy;request"/>
  <deontic:constraint rdf:resource="&wwwpolicy;complexconstraint" />
  …
</deontic:Permission>

Slide callouts: Policy Rule, Rule Actor, Policy Constraint, Rule Desc., Rule Action

Example Policy [1] - Constraints

<constraint:SimpleConstraint rdf:about="&wwwpolicy;domainOfServiceConstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&wwwpolicy;domainOfServiceConstraint"
    constraint:object="&weo;travel" />
<constraint:SimpleConstraint rdf:about="&wwwpolicy;trustedDomainGOVconstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&weo;domainSuffix"
    constraint:object="&weo;gov" />
…
<constraint:Or rdf:about="&wwwpolicy;complexconstraint">
  <constraint:first rdf:resource="&wwwpolicy;trustedDomainGOVconstraint" />
  <constraint:second rdf:resource="&wwwpolicy;domainOfServiceConstraint" />
</constraint:Or>

Slide callouts: Policy Constraint (on each of the three constraint elements)

Example Policy [2] - Obligation

<policy:Policy rdf:about="&wwwpolicy;obligationexample">
  <policy:grants rdf:resource="&wwwpolicy;grantingRight" />
  <policy:grants rdf:resource="&wwwpolicy;grantingObligation"/>
  …
</policy:Policy>
<policy:Granting rdf:about="&wwwpolicy;grantingRight">
  <policy:deontic rdf:resource="&wwwpolicy;right1"/>
  …
</policy:Granting>
<policy:Granting rdf:about="&wwwpolicy;grantingObligation">
  <policy:to rdf:resource="&wwwpolicy;webbrowser"/>
  <policy:deontic rdf:resource="&wwwpolicy;obligation1"/>
  ..
</policy:Granting>
<deontic:Permission rdf:about="&wwwpolicy;right1">
  <deontic:actor rdf:resource="&wwwpolicy;website"/>
  <deontic:action rdf:resource="&wwwpolicy;request"/>
  …
</deontic:Permission>
<deontic:Obligation rdf:about="&wwwpolicy;obligation1">
  <deontic:actor rdf:resource="&wwwpolicy;webbrowser"/>
  <deontic:action rdf:resource="&wwwpolicy;tunnelRequest"/>
</deontic:Obligation>
…

Slide callouts: Obligation, Right

Example Policy [3] - Priority

<policy:Policy rdf:about="&wwwpolicy;rulepriorityexample">
  <policy:defaultModality rdf:resource="&metapolicy;NegativeModalityPrecedence"/>
  <policy:grants rdf:resource="&wwwpolicy;grantingRight1" />
  <policy:grants rdf:resource="&wwwpolicy;grantingRight2" />
  <policy:grants rdf:resource="&wwwpolicy;grantingProhibition" />
  <metapolicy:rulePriority rdf:resource="&wwwpolicy;rulepriority1"/>
  …
</policy:Policy>
…
<metapolicy:RulePriority rdf:about="&wwwpolicy;rulepriority1">
  <metapolicy:ruleOfGreaterPriority rdf:resource="&wwwpolicy;grantingRight1" />
  <metapolicy:ruleOfLesserPriority rdf:resource="&wwwpolicy;grantingProhibition" />
</metapolicy:RulePriority>

Slide callouts: Default, Explicit, Rules
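How the meta-policy on the Example Policy [3] slide can resolve a conflict between a right and a prohibition, as an added Python example that is not Rei's engine or the authors' code: an explicit `rulePriority` pair is consulted first and the default modality precedence decides the rest. Rule names and the priority pair come from the slide; the rule constraints, site attributes and resolution order are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict

Site = Dict[str, str]                      # website attributes (constructed values)
Constraint = Callable[[Site], bool]


def simple(predicate: str, obj: str) -> Constraint:
    """SimpleConstraint: the site's value for <predicate> equals <obj>."""
    return lambda site: site.get(predicate) == obj


def either(first: Constraint, second: Constraint) -> Constraint:
    """constraint:Or of two constraints."""
    return lambda site: first(site) or second(site)


@dataclass(frozen=True)
class Rule:
    name: str
    modality: str                          # "permission" or "prohibition"
    action: str
    constraint: Constraint


def wins(p, d, priorities, negative_precedence):
    """Does permission p override prohibition d? Explicit priority first, then default."""
    if (p.name, d.name) in priorities:
        return True
    if (d.name, p.name) in priorities:
        return False
    return not negative_precedence


def decide(rules, priorities, site, action, negative_precedence=True):
    """'permit' if some applicable permission overrides every applicable prohibition."""
    active = [r for r in rules if r.action == action and r.constraint(site)]
    permits = [r for r in active if r.modality == "permission"]
    denies = [r for r in active if r.modality == "prohibition"]
    ok = any(all(wins(p, d, priorities, negative_precedence) for d in denies)
             for p in permits)
    return "permit" if ok else "deny"      # no applicable permission means deny


# Rule bodies are assumptions; only the rule names and the priority come from the slide.
RULES = [
    Rule("grantingRight1", "permission", "request", simple("domainSuffix", "gov")),
    Rule("grantingRight2", "permission", "request",
         either(simple("domainSuffix", "gov"), simple("serviceType", "travel"))),
    Rule("grantingProhibition", "prohibition", "request", simple("hasP3P", "No")),
]
PRIORITIES = {("grantingRight1", "grantingProhibition")}   # (greater, lesser)
GOV_NO_P3P = {"domainSuffix": "gov", "serviceType": "government", "hasP3P": "No"}
TRAVEL_NO_P3P = {"domainSuffix": "com", "serviceType": "travel", "hasP3P": "No"}
```

With these constructed inputs, the .gov site is permitted through the explicit priority, while the travel site without P3P is denied because only the default negative modality precedence applies to `grantingRight2`.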


Conclusion

• We have contributed to showing the utility of an existing policy language in a highly complex policy engineering domain
• While we will continue to pursue this area, policy engineering and enforcement in Web Privacy offers many future challenges.
  – Enforcing Obligations
  – Engineering Delegation Logic using Speech Acts and subsequent enforcement
  – Browser support for a comprehensive web privacy framework

Questions ??

Paper and Presentation Available at:
http://ebiquity.umbc.edu/v2.1/paper/html/id/213/