Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Policy.


1 Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor http://cups.cs.cmu.edu/courses/privpolawtech-fa07/ 1 Privacy Policy Management October 11, 2007

2 Privacy & security policy management
http://projects.cerias.purdue.edu/ocrproj/
- Today many organizations have ad hoc policies
- Difficult to enforce reliably
- Policy management frameworks promote consistent policy enforcement
- Components
  - Policy authoring
  - Policy conflict/gap detection/resolution
  - Policy enforcement
  - Policy communication
  - Policy composition and comparison (combining multiple policies)

3 Privacy languages serve many roles
- Specify organization’s privacy policy to end users and their agents
- Specify users’ privacy preferences to users’ agent
- Specify organization’s privacy policy to gatekeeper server that can approve or deny requests to access database
- Specify policy associated with particular data elements to parties that buy or rent data

4 Can one privacy language do it all?
- Maybe… But so far none have emerged
- We’ve found over a dozen privacy languages (including several access control and rule languages used for privacy applications)
- Languages have different audiences, specify policies at different levels of granularity, and have different strengths and weaknesses

5 Privacy Languages
- A P3P Preference Exchange Language (APPEL)
- Alliance Identity - Web Services Framework (ID - WSF)
- Customer Profile Exchange (CPExchange)
- Declarative Privacy Authorization Language (DPAL)
- Enterprise Privacy Authorization Language (EPAL)
- eXtensible Access Control Markup Language (XACML)
- GEOPRIV
- Platform for Enterprise Privacy Practices (E-P3P)
- Platform for Privacy Preferences (P3P)
- Privacy Rights Markup Language (PRML)
- Privacy Template
- Security Assertion Markup Language (SAML)
- XML Access Control Language (XACL)
- X-Path Based Preference Language (XPref)

6 Genealogy of languages

7 EPAL
- Enterprise Privacy Authorization Language
- Developed by IBM, submitted to W3C
- Allows enterprises to develop granular rules to check whether data access is authorized
- Similar to P3P syntax but not identical
- Includes
  - Data-categories
  - User-categories - administrators, doctors, etc.
  - Purposes
  - Actions - disclose, read, etc.
  - Obligations - delete after 30 days, get consent, etc.
  - Conditions - user category = doctor
  - Allow and deny rules
http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/

8 User privacy preferences
- P3P 1.0 agents may (optionally) take action based on user preferences
- Users should not have to trust privacy defaults set by software vendors
- User agents that can read APPEL (A P3P Preference Exchange Language) files can offer users a number of canned choices developed by trusted organizations
- Preference editors allow users to adapt existing preferences to suit own tastes, or create new preferences from scratch
- For more info on APPEL see http://www.w3.org/TR/WD-P3P-preferences or Chapter 13 in Web Privacy with P3P

9 Microsoft privacy template language
- See Appendix D of Web Privacy with P3P
- http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp
- Specifies rules for user agents to handle various types of cookies
- Based on P3P compact policy tokens
- Allows policies for specific web sites

10 Microsoft example
<site domain="www.BlueYonderAirlines.com" action="accept">

11 APPEL rule
<appel:RULE behavior="limited" prompt="yes" description="Warning! Data may be shared.">
- Behavior
  - request
  - block
  - limited
- description
- connective
  - or
  - and
  - non-or
  - non-and
  - and-exact
  - or-exact
- pattern

12 What does this APPEL ruleset do?
<appel:RULESET xmlns:appel="http://www.w3.org/2001/02/APPELv1" xmlns:p3p="http://www.w3.org/2000/12/P3Pv1" crtdby="Lorrie Cranor">

13 Creating APPEL rule sets
- Express your personal privacy preferences in English
  - Example: "I don't want companies to share my data."
- Translate your rules into P3P vocabulary elements
  - Example: "RECIPIENT=ours"
- Create an APPEL ruleset that represents your privacy preference rules (plus a catch-all rule)
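
The three steps above, and the connectives listed on the APPEL rule slide, as an added example that is not part of the original slides: a simplified Python model of APPEL rule matching applied to the "RECIPIENT=ours" preference. The dict-based rule layout, the function names and the sample sites are assumptions made for illustration; real APPEL matches XML expressions against a whole P3P policy, not just its RECIPIENT values.

```python
# Simplified model of APPEL matching (added example, not from the slides).
# Each rule tests only the set of RECIPIENT values a P3P policy declares.

def connective_matches(connective, listed, evidence):
    """Apply one APPEL connective to the values listed in a rule and the
    values found in the policy (the evidence)."""
    listed, evidence = set(listed), set(evidence)
    found_any = bool(listed & evidence)
    found_all = listed <= evidence
    only_listed = evidence <= listed   # extra condition of the "-exact" forms
    return {
        "or": found_any,
        "and": found_all,
        "non-or": not found_any,
        "non-and": not found_all,
        "or-exact": found_any and only_listed,
        "and-exact": found_all and only_listed,
    }[connective]

def evaluate(ruleset, recipients):
    """Rules are tried in order; the first rule that fires decides."""
    for rule in ruleset:
        pattern = rule.get("pattern")  # a rule without a pattern is a catch-all
        if pattern is None or connective_matches(
                pattern["connective"], pattern["recipients"], recipients):
            return rule["behavior"], rule.get("description", "")
    raise ValueError("ruleset has no catch-all rule")

# "I don't want companies to share my data" -> RECIPIENT=ours.
# or-exact is needed: plain "or" would also accept ours + unrelated.
NO_SHARING = [
    {"behavior": "request",
     "pattern": {"connective": "or-exact", "recipients": ["ours"]}},
    {"behavior": "limited", "description": "Warning! Data may be shared."},
]

# Constructed sample policies: site -> RECIPIENT values it declares.
POLICIES = {
    "shop.example": ["ours"],
    "ads.example": ["ours", "unrelated"],
    "courier.example": ["delivery"],
}

if __name__ == "__main__":
    for site, recipients in POLICIES.items():
        print(site, evaluate(NO_SHARING, recipients))
```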

14 Using APPEL to analyze P3P policies
- Toolkit for Automated Privacy Policy Analysis (TAPPA)
- http://cups.cs.cmu.edu/tappa/

15 Homework 3 Discussion
http://cups.cs.cmu.edu/courses/privpolawtech-fa07/hw/hw3.html
- Web bugs - What are they used for? Do these uses raise privacy concerns?
- P3P user agent critiques

