
Towards End-to-End Privacy Control in the Outsourcing of Marketing Activities: A Web Service Integration

Patrick C. K. Hung, Dickson K.W. Chiu, W.W. Fung, William K. Cheung, Raymond Wong, Samuel P.M. Choi, Eleanna Kafeza, James Kwok, Jousha C.C. Pun, Vivying S.Y. Cheng

BSIM0012


RECORDS MANAGEMENT

Agenda

1. Introduction
2. Background Information
3. Towards End-to-End Privacy Control
4. Conclusions and Future Works


Introduction

• Marketing is a strategy for selling products more efficiently.
  ◦ sales promotion strategies for making consumers recognize a product’s existence
  ◦ persuading them to take purchase actions
  ◦ circulation strategies for efficiently delivering the desired product
  ◦ continuation strategies such as after-sales service and claim processing.
• Outsourcing of marketing activities widely adopted
  ◦ raises the concern of privacy issues.


Privacy

• Privacy is a state or condition of limited access to a person.
  ◦ Ref: SCHOEMAN, E. D. 1984. Philosophical Dimensions of Privacy: An Anthology. New York, NY, Cambridge Univ. Press.
• Information privacy relates to an individual’s right to determine how, when, and to what extent information about the self will be released to another person or to an organization.


Example Scenario

• A bank performs a marketing campaign by calling its credit card holders.
• Outsource the calling activity to a third-party service provider
  ◦ resource problems / other economic reasons
• Personal information required
  ◦ name, credit card number, gender, age group, salary range, and even addresses
• Under current practices, all the necessary credit card holders’ data are transferred in bulk from the bank to the marketing company.
  ◦ large amount of personal information.


Example Process with Web Service Solution

[Figure: activity diagram of the outsourced calling process]
Activities: Logon; Select campaign; Dial another customer; Ask customer if interested; Tell details and persuade customer; Confirm transaction; Record and housekeeping
Bank Web service calls: 1: get phone number; 2: surname, salutation; 3: more demographic data; 4: card number, perso...
Transition guards: [ get through ]; [ fail ]; [ customer interested ]; [ customer agree ]; [ more customer ]; [ logout ]


What is Web Service

[Figure labels: Web Services Clients; Web Server; Web Services; XML Messages/HTTP Binding]

• W3C definition of a Web Service
  ◦ has a unique Uniform Resource Identifier (URI); URIs are commonly in the form of URLs
  ◦ can be defined, described, and discovered using XML
  ◦ supports exchange of XML messages via Internet-based protocols
  ◦ http://www.w3.org/2002/ws/
• Supported by all major computing companies, e.g., IBM, Microsoft, Sun, etc.


Access Control Concepts

[Figure labels: Access Control; Role Based Access Control; Input; Output; Request; Purpose; Recipient; Permission; Retention; Obligation]


Access Control Languages

• Enterprise Privacy Authorization Language (EPAL)
  ◦ By IBM - www.zurich.ibm.com/security/enterprise-privacy/
  ◦ encode an enterprise’s privacy-related data-handling policies and practices.
  ◦ An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of actions, obligations, and conditions.
• Platform for Privacy Preferences (P3P)
  ◦ Current W3C standard
  ◦ http://www.w3.org/P3P/


A Layered Framework for Tackling Privacy Protection


Conceptual Model of Web-Service Based Privacy Access Control

[Figure: conceptual model diagram]
Entities: Personnel; Role; Customer; Response Record; Marketing Process; Transaction; Data View; Marketing Task; EPAL specification; Bank Web Service
Relationship labels: bring; perform; authorize; +purpose; control; access; return via; call; control; specify


Implementation Architecture

[Figure: implementation architecture diagram]
Labels: Bank; Marketing Company; Customer; Persons; Credit Card User Data; Credit Card Data Ontology; Organizational Structure Ontology; Privacy Access Control Policy; Privacy Access Control Preferences; Web Service (twice); Step 1; Step 2; Step 3; Step 4


Conclusion

• A layered architecture and methodology for the facilitation of privacy control based on Web services.
• A conceptual model of Web-service-based privacy access control to facilitate the design of an implementation architecture.
• Outsourced marketing companies can be integrated with adequate control and auditing.
• Practicability: showing how the call center software for a typical marketing activity can be integrated effectively with the banks’ Web service
• Only the required part of a customer record is retrieved through the appropriate data views and sent one at a time to achieve strict end-to-end privacy.
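
The staged retrieval described above, as an added Python example that is not the authors' implementation: a bank-side gateway releases one data view per call stage, checks the caller's role and the progress of the call, and logs every decision for auditing. The stage names, field names, the pairing of stages with the four bank Web services (read off the order in the process figure), and the BankGateway class are assumptions.

```python
from dataclasses import dataclass, field

# Call stages in the order of the process figure, each mapped to the fields its
# bank Web service returns. Field names are assumed; the slide truncates the
# stage-4 list after "card number", so only that field is modelled here.
STAGES = ["dial", "greet", "pitch", "confirm"]
VIEWS = {
    "dial": ("phone",),
    "greet": ("surname", "salutation"),
    "pitch": ("gender", "age_group", "salary_range"),
    "confirm": ("card_number",),
}

# Constructed sample record (not real data); "address" is in no view.
CUSTOMERS = {"c1": {
    "phone": "555-0100", "surname": "Lee", "salutation": "Ms", "gender": "F",
    "age_group": "30-39", "salary_range": "B",
    "card_number": "0000-0000-0000-0000", "address": "1 Example Road"}}


@dataclass
class BankGateway:
    role_stages: dict                              # role -> stages it may request
    progress: dict = field(default_factory=dict)   # (agent, customer) -> next stage index
    audit: list = field(default_factory=list)      # every decision, permit or deny

    def fetch(self, agent, role, customer_id, stage):
        """Release one data view, only for the next stage of this agent's call."""
        key = (agent, customer_id)
        nxt = self.progress.get(key, 0)
        ok = (customer_id in CUSTOMERS
              and stage in self.role_stages.get(role, ())
              and nxt < len(STAGES) and STAGES[nxt] == stage)
        self.audit.append((agent, role, customer_id, stage, "permit" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{stage} view refused for {agent}/{customer_id}")
        self.progress[key] = nxt + 1
        return {name: CUSTOMERS[customer_id][name] for name in VIEWS[stage]}

    def close(self, agent, customer_id):
        """A [ fail ] branch or the end of the call: release nothing further."""
        self.progress[(agent, customer_id)] = len(STAGES)


def demo():
    gw = BankGateway({"telemarketer": set(STAGES)})
    phone = gw.fetch("agent1", "telemarketer", "c1", "dial")
    gw.close("agent1", "c1")   # constructed case: the customer did not pick up
    return phone, gw
```

A request for a later stage before the earlier ones, or after the call is closed, raises PermissionError and still leaves a "deny" entry in the audit list.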


Future Work

• Use P3P instead of EPAL
• Ontology: Adopt OWL vocabularies for classifications
• Critical success factors
• Cost and technical requirements
• Implementation issues
• Extending the framework to other applicable scenarios such as credit reference agencies.